I've seen a few reports of this from random folks on Twitter, but now the Scott Panzer over in the Proofpoint Attack Response Center has confirmed that we have samples of spam messages that appear to be exploiting Google Maps to send spam.

The messages, which have subject lines like "[email address] sent this to you using Google Maps:" followed by some additional (possibly randomized) text, don't contain a link to a Google Map, but instead have a link to a spam payload hosted at imageshack.us.

The image spam payloads advertise old standbys like Canadian Pharmacy (you know, in case you needed a source for "cheap Viagra").

The messages seem to be exploiting a weakness in Google Maps (either an exploit that gets around Google Maps CAPTCHA or an automated way to break Google Maps CAPTCHA) that results in the message being sent from Google servers... Which means that the messages are also DKIM signed as valid Google email.

While we've not seen very high volumes of this sort of spam (yet?), I'm assured by the PARC team that Proofpoint Spam Detection now blocks any of these spam messages that may have been evading detection.