Google+ Wants You to Get More Spam

Posted on Oct 30, 2011 | 4 Comments

It’s long been known that spammers harvest email addresses by using a scraper to look for [username]@[domain] on Web pages. Phishers have taken to using valid email addresses for more targeted attacks as well. That’s why you see people doing clever tricks like displaying their email address as an image, embedding mailto links as Flash actions, or writing out addresses long form like ‘jake at jakeludington dot com’. Spam is an annoyance that is only made worse when you publicly share your address. Phishing attacks are often looking for a way to more easily compromise the network. Spammers and phishers who want to reach valid email addresses must be licking their chops at the latest Google+ author validation technique.

On Thursday, Google offered to simplify the process for proving you are the author of content on your site. In the past, you needed to add some custom HTML code to your site and follow some steps that tie your Google+ profile to your writing. Now, all you need to do is add your work email address (which must be on the same domain name as the site where your content is authored) to your Google+ profile page and change the visibility of your email address from “Only you” to “Everyone on the Web.” Make sure your email address also displays on the page where your content is authored. Click a Verify link and you can confirm that you are who you say you are.

I like the simplicity of the idea here. It’s the execution that is a mess. Forcing authors to make their email address public on their Google Profile makes it easy for spammers to harvest those valid email addresses.

Granted, if the author already made their email address public on the site where they publish, they have exposed themselves to spam. But making the email address public allows email harvesters to draw relationships between email addresses they previously captured and real people. Many companies are looking for solutions to lock down their email exposure, not give the bad guys a better attack vector.

Google definitely needs to make it easier for authors to verify content relationships. I’m not entirely sure why there can’t be a tie-in to existing domain verification processes in Google Analytics and Google Webmaster Tools. Allowing the Webmaster Tools account holder to add a list of valid authors seems like a no-brainer to me. If email is the best solution they can come up with, at the very least, Google should allow authors to keep those email addresses private in their profile. In the meantime, it looks like Google+ wants you to get more spam.

  • http://twitter.com/jediSwiftNinja jediSwift

    yea this is basically a whole load of WTF

  • Kim Nilsson

    Just plain stupid. They should be able to have several other non-disclosure ways to verify who you are. Silly Google.

  • Bill Knowles

    How do I get rid of the pop-up in the middle of the page, which blocks some of the text I’m trying to read?

  • http://gislikarl.com Gísli Karl Gíslason

    What the hell were they thinking?