Slashdot Mirror


Google Mail Servers Enable Backscatter Spam

Mike Morris writes "Google email servers are responsible for a large volume of backscatter spam. No recipient validation is being performed for the domains googlegroups.com and blogger.com — possibly for other Google domains as well, but these two have been confirmed. (You can test this by sending an email to a bogus address in either of the domains; you'll quickly get a Google-generated bounce message.) Consequently spammers are able to launch dictionary attacks against these domains using forged envelope sender addresses. The owners of these forged addresses are then inundated with the bounce messages generated by the Google mail servers. The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction. Attempts at contacting them via abuse@google.com and postmaster@google.com have gone unanswered for quite some time. Only automated responses are received which say Google isn't doing anything wrong."

27 of 344 comments

  1. Re:*goes change his gmail password* by Anonymous Coward · · Score: 5, Informative

    Did you have an active session with gmail going at the time? As in, you didn't click "log out"?

  2. Re:Inaccurate title/summary by ceejayoz · · Score: 4, Informative

    *checks*

    Hey, look. It's a kdawson article!

  3. Re:A suggestion for Gmail spam-fighting by danpat · · Score: 2, Informative

    Ever seen this list?

    http://craphound.com/spamsolutions.txt

    Please tick the appropriate boxes....

  4. Re:Inaccurate title/summary by ikkonoishi · · Score: 3, Informative

    Just because some spam is advertising does not mean that all spam is advertising. The point here would be to fill someone's inbox with bogus messages.

  5. Re:Inaccurate title/summary by NMerriam · · Score: 5, Informative

    You're being either overly literal, or trying to create a distinction where there isn't much of one.

    No, the responses don't contain an original message, nor are they commercial or anything like that, but the spammy thing about this form of backscatter is about the VOLUME and indiscriminate nature of the mail, not the content.

    This isn't being blown out of proportion at all. It's nothing like a mailing list sending a confirmation. No spammer is going to send a million messages with different forged addresses to a single email address (the subscribe address) -- that defeats the whole purpose of spamming, which is to contact DIFFERENT addresses!

    What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google. THAT is backscatter spam -- thousands of useless messages sent to forged addresses on your domain, regardless of content. And no mail server in 2008, much less one run by a major tech company, should make that possible.

    --
    Recursive: Adj. See Recursive.
  6. Re:*goes change his gmail password* by DarkAxi0m · · Score: 3, Informative

    Facebook can do it too. As can several other social networking sites. Typically, you have to give permission to access your contacts. I think you have to give them your gmail password, or hotmail or whatever as well as permission
  7. Mod Parent Up by Anonymous Coward · · Score: 3, Informative

    This is *exactly* why I do my email separate from all other browsing. It's not even unique to Google, they're just the biggest target.

    If you want to use email securely:
    * Use 'clear private data' to wipe everything out.
    * Visit your webmail site (copy any links you want to visit to a text file for later).
    * Read/send email.
    * Log out.
    * Use 'clear private data' again.

    Anything less risks having information stolen.

  8. Re:*goes change his gmail password* by i.of.the.storm · · Score: 5, Informative

    Yeah, Facebook actually asks for your gmail password, so do other sites. A bit shady, but I trust those sites not to store it because there'd be hell to pay if anyone found out otherwise.

    --
    All your base are belong to Wii.
  9. Re:Inaccurate title/summary by FliesLikeABrick · · Score: 2, Informative

    There are a few important differences

    1) mailing list confirmations can't be used by spammers to identify existing or non-existing e-mail addresses
    2) spammers, unlike your test, will use spoofed From: headers, making the mail you got be bounced back to someone who wasn't involved in the first place
    3) yes, right now (1) isn't true for Google either, since they accept all mail, but that is indeed the problem right now, and there are stupid spammers out there who will blast thousands upon thousands of e-mails off to google to see what gets rejected (when they assume that there will be rejections during the initial SMTP conversation)

    While it isn't backscatter spam since the initial content isn't delivered, it is still backscatter and Google is still doing the wrong thing. We all know that submitters to /. often get the wrong terms (look at how often "bricked" is used wrongly... we even have a tag for it). I'd bet that more of these wrong terms are due to ignorance than to people trying to spread FUD and blow things out of proportion. Maybe it is time for a !backscatterspam tag if this bothers you so much

  10. Re:Mod Parent Up by techno-vampire · · Score: 4, Informative
    If you want to use email securely:

    Use POP3 for all your email. That way no website can ever get access to your contacts or personal data.

    --
    Good, inexpensive web hosting
  11. Re:Proper? by schon · · Score: 3, Informative

    If you send it for invalid ones, then I can assume that when you don't send it, it's a legit account.

    That's absurd logic.

    got a tip for you:

    spammers don't care if the addresses are valid or not

    What you describe is called a 'rumplestiltskin' attack - it's well known, and nobody has ever suggested that the best way to counter it is to start spamming people with backscatter.
  12. Re:Proper? by Artefacto · · Score: 2, Informative

    That would be the best thing to do, but it's not always trivial. In fact, sometimes it's impossible.

    I've seen e-mail setups where after the mail is sent to the servers in MX records it goes through several MTAs until it's finally delivered. In order for it to be possible to reject the e-mail at SMTP time, you'd have to do some kind of synchronization between the MTAs so that the MX server could know whether the addresses exist. Plus, the same domain could read users from several databases at the same time (e.g. mysql, /etc/passwd, LDAP, ...) which would complicate synchronization even more.

  13. Re:Secondary MX hosts declared bad! Film at 11. by schon · · Score: 2, Informative

    Let me repeat that: they are required to unconditionally accept mail for the domain.

    Bull. Fucking. Shit.

    Please show me the RFC that states you must accept email for addresses that you know are invalid.

    There is *NO* such rule. If your backup MX blindly accepts mail for every address, then it is broken. Backup (actually *any*) MX should only accept mail that it knows (or has good reason to assume) it can deliver.

    If I'm wrong, or I've missed something, please by all means correct me.

    Please consider yourself corrected.

    Since when is it considered bad form to send a NDR?

    Mu. It's bad form to send an NDR when you shouldn't have accepted the mail in the first place - which is the problem here.
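
    The three positions argued in this thread (NMerriam's "a million bounces to a million forged senders", Artefacto's "the MX may not know the user list", schon's "don't accept what you can't deliver") can be put side by side in a small simulation. The code below is an added example written for this page, not Google's code or configuration; the domain `groups.example`, the users `alice` and `bob`, the victim addresses and the three policy names are all constructed. The `callout` policy shows the synchronisation Artefacto describes: the edge MX holds no user list and asks the backend before answering RCPT TO, which is how gateway/backup MXs avoid accepting mail they cannot deliver.

```python
import itertools
from collections import Counter
from dataclasses import dataclass, field

# Constructed example. The domain, users, victims and policy names are
# assumptions made for illustration; none of this is Google's code.


@dataclass
class Backend:
    """Internal mailbox store: the only component that knows which users exist."""
    users: frozenset

    def mailbox_exists(self, local: str) -> bool:
        return local in self.users


@dataclass
class EdgeMX:
    """Inbound MX for `domain`.

    policy:
      'accept_all'     accept every RCPT TO; bad recipients are only found at
                       delivery time, and a DSN goes to MAIL FROM (backscatter)
      'reject_unknown' edge MX holds a copy of the user list; 550 at RCPT time
      'callout'        edge MX holds no list; it asks the backend before replying
    """
    domain: str
    backend: Backend
    policy: str
    users: frozenset = frozenset()
    queue: list = field(default_factory=list)   # (mail_from, rcpt_to) accepted
    dsns: list = field(default_factory=list)    # envelope senders we bounced to

    def rcpt(self, mail_from: str, rcpt_to: str) -> str:
        """SMTP reply for RCPT TO, given the MAIL FROM already seen."""
        local, _, dom = rcpt_to.rpartition("@")
        if dom.lower() != self.domain:
            return "550 5.7.1 Relaying denied"
        if self.policy == "reject_unknown":
            known = local in self.users
        elif self.policy == "callout":
            known = self.backend.mailbox_exists(local)
        elif self.policy == "accept_all":
            known = True
        else:
            raise ValueError(self.policy)
        if not known:
            return "550 5.1.1 No such user"
        self.queue.append((mail_from, rcpt_to))
        return "250 2.1.5 OK"

    def run_queue(self) -> None:
        """Later delivery attempt. Under accept_all this is where the MX learns
        the recipient was bogus; the only party left to tell is MAIL FROM."""
        for mail_from, rcpt_to in self.queue:
            if self.backend.mailbox_exists(rcpt_to.rpartition("@")[0]):
                continue
            if mail_from == "<>":          # null reverse-path: never bounce a bounce
                continue
            self.dsns.append(mail_from)
        self.queue.clear()


def dictionary_attack(mx: EdgeMX, guesses, forged_senders) -> dict:
    """One message per guessed local part, forged sender chosen round-robin.
    Returns what the spammer saw (550s) and who ended up holding the bounces."""
    rejected = 0
    for local, sender in zip(guesses, itertools.cycle(forged_senders)):
        reply = mx.rcpt(sender, f"{local}@{mx.domain}")
        if reply.startswith("550"):
            rejected += 1
    mx.run_queue()
    return {
        "rejected_at_rcpt": rejected,
        "bounces_by_domain": Counter(a.rpartition("@")[2] for a in mx.dsns),
    }


def compare_policies(guesses, forged_senders, valid=("alice", "bob")) -> dict:
    """Run the same attack against all three policies; returns {policy: result}."""
    backend = Backend(frozenset(valid))
    results = {}
    for policy in ("accept_all", "reject_unknown", "callout"):
        mx = EdgeMX("groups.example", backend, policy, users=frozenset(valid))
        results[policy] = dictionary_attack(mx, guesses, forged_senders)
    return results


if __name__ == "__main__":
    guesses = ["alice", "bob"] + [f"user{i:03d}" for i in range(98)]
    victims = ["postmaster@victim.example", "sales@victim.example", "<>"]
    for policy, r in compare_policies(guesses, victims).items():
        print(f"{policy:15s} 550s seen by spammer: {r['rejected_at_rcpt']:3d}  "
              f"bounces landing on victims: {dict(r['bounces_by_domain'])}")
```

    Note what the simulation does and does not show about the "rumplestiltskin" point raised in this thread: rejecting at RCPT time does tell the sender which addresses exist, but accepting and bouncing later tells whoever receives the DSN exactly the same thing, while additionally dumping the bounces on an uninvolved third party. Neither policy hides the user list; only one of them creates backscatter.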
  14. Re:*goes change his gmail password* by aleph42 · · Score: 3, Informative

    What kind of "music" site were you on? The "russian" kind?

    No. I think it was on http://imeem.com/ , or one of those websites with mp3s of indy bands (amiestreet?).

    And I'm absolutely positive I didn't give them my gmail password.
    --
    Don't take my posts literally; it's just code to control my botnet.
  15. Re:Proper? by LilGuy · · Score: 2, Informative

    Actually they do care. The verified e-mail lists are worth a LOT more than the unverified 5 million fluff lists. Especially with the advent of RBLs.

    --
    You're nothing; like me.
  16. Re:And google wonders why ... by synx · · Score: 3, Informative

    not to mention the class A/B shares - the company isn't actually answerable to shareholders!

    Besides which, google had basically no choice but to go public - the SEC rule would have required them to file financial papers as if they were public - so why not get the benefit as well?

  17. Re:Mod Parent Up by netcrusher88 · · Score: 4, Informative

    Warning: offtopic

    IMAP and MAPI are two separate protocols. IMAP is a standard protocol used for semi-connected work on folders actually hosted on a server (it can work disconnected and sync up later), whereas MAPI is a Microsoft proprietary protocol that accomplishes approximately the same thing.

    I tend to think that the name MAPI is a typical Microsoft attempt to get people to confuse (it worked, didn't it?) open, widely used standards and Microsoft proprietary crap. See also OOXML vs ODF (formerly OOXML, before Microsoft even dreamed of that acronym...)

    --
    There's an old saying that says pretty much whatever you want it to.
  18. Re:In beta by chromatic · · Score: 2, Informative

    Didn't anyone notice that Gmail is still in beta?

    Irrelevant. SMTP is not in beta.

  19. Re:*goes change his gmail password* by stephanruby · · Score: 2, Informative

    Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magically appeared on their page. Even if it is apparently a common practice, I find it very disturbing.

    It may have appeared on their page, but it wasn't coming from their site -- it was coming from google. Both the list of your contacts, and the request for permission to send, was coming from google. It does NOT mean the actual music site knew the email addresses of your contacts.
  20. Re:*goes change his gmail password* by stephanruby · · Score: 4, Informative

    Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magically appeared on their page. Even if it is apparently a common practice, I find it very disturbing.

    It may have appeared on their page, but it wasn't coming from their site -- it was coming from google. Both the list of your contacts, and the request for permission to send, was coming from google. It does NOT mean the actual music site knew the email addresses of your contacts.

    Here is an actual example of what I'm talking about. Log into http://www.google.com/calendar, stick this iframe in your web site, replace the left and right parenthesis with the right symbols, and see what happens.

    (iframe src="http://www.google.com/calendar/embed?title=Slashdot%20Calendar&height=250&wkst=2&bgcolor=%23FFFFFF&ctz=America%2FLos_Angeles" style=" border:solid 1px #777 " width="300" height="250" frameborder="0" scrolling="no")(/iframe)
    Assuming your calendar is marked private, having the private data from your calendar appearing within the iframe of your browser doesn't mean it's accessible by the web site hosting the iframe (nor does it mean it's accessible by the javascript outside that iframe either).
  21. Re:*goes change his gmail password* by stephanruby · · Score: 2, Informative

    Yes, this data may not be served by the site hosting the iframe, but they could have javascript that sends the data right back to them without your intervention.

    Yes, but Javascript doesn't share data between domains without popping up a pretty nefarious-looking security warning (of course, if the music site had been installed as an IE extension, or a firefox extension, or a separate spyware executable, or if the user had manually turned off that default security setting, those would have been other ways to do it).

    But most likely, they showed his contacts through an iframe, and then they used google's gmail api (which is a separate thing) to ask google to send their email to his contacts. But by using google's gmail api, authentication would have been required after he clicked on that "yes". The google api is pretty clear on this. It generates a separate authentication token for every web site the user authorizes to use his data. In other words, even if I share my data from gmail with one site, I would still need to explicitly authorize and therefore generate a new token for each new site I'd want to share my data with.
  22. Re:just point it out to them more clearly. by Xenna · · Score: 2, Informative

    Won't work unless you forge the *envelope-sender".

  23. Another gmail problem, less well known by spaceman375 · · Score: 2, Informative

    I get incorrectly addressed emails every day thanks to a non-standard gmail policy that most folks don't know exists. They deliver a single email to multiple addresses without any indication that more than one person has received it. ANY email address that contains a dot will have ALL their incoming mail delivered to whoever owns that same address without dots. I get emails for two college students who have my eddress with dots. Mine has none. Every email they get, I get a copy of. I've logged into myspace and other sites with credentials that I received in links from their emails. I get job application responses and credit card sales confirmations.

    Emails to abuse get an automated reply touting how wonderful this "feature" is. I finally set up a filter that forwards all these emails to abuse@gmail.com. They get at least a dozen every day, and haven't noticed in over a year. If you don't like someone who has a gmail account, you can legitimately register their address with a single dot added, and then fill their inbox with anything you want.

    --
    On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
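
    The abuse spaceman375 describes at the end of that post (registering "their address with a single dot added") only works against sites that treat the dotted and undotted spellings as different users. The added example below, written for this page and not taken from any site or from Google, canonicalises Gmail addresses before using them as an identity key, so both spellings map to one mailbox. It also folds the `googlemail.com` alias and strips a `+tag` suffix; those two Gmail behaviours are well known but are not mentioned on this page, and the `Registry` class and the usernames are constructed for illustration.

```python
# Constructed example for this page, not code from any real registration system.
# Gmail-specific rules applied here: dots in the local part are ignored and the
# local part is case-insensitive (the behaviour described in the post above);
# '+tag' suffixes are dropped and googlemail.com is an alias of gmail.com
# (known Gmail behaviour, assumed here, not stated on the page).

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the identity key for `address`: the one mailbox Gmail would
    actually deliver to. Non-Gmail addresses only get their domain lower-cased,
    since other providers may treat the local part as case-sensitive."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        if not local:
            raise ValueError(f"empty Gmail local part in {address!r}")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when mail to `a` and mail to `b` lands in the same Gmail inbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


class Registry:
    """Account registry keyed on the canonical mailbox rather than the raw
    string, so a second account cannot be created on someone else's inbox
    by adding a dot. (Constructed for illustration.)"""

    def __init__(self) -> None:
        self._owner_of = {}   # canonical mailbox -> username

    def register(self, username: str, email: str) -> str:
        key = canonical_mailbox(email)
        owner = self._owner_of.get(key)
        if owner is not None and owner != username:
            raise ValueError(f"{email} delivers to {key}, already registered by {owner}")
        self._owner_of[key] = username
        return key

    def owner(self, email: str):
        return self._owner_of.get(canonical_mailbox(email))


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("student1", "j.smith@gmail.com"))       # jsmith@gmail.com
    for attempt in ("jsmith@gmail.com", "J.S.M.I.T.H+x@googlemail.com"):
        try:
            reg.register("impostor", attempt)
        except ValueError as e:
            print("refused:", e)
```

    The important design choice is to key every uniqueness check, password reset and notification on `canonical_mailbox(email)` while still storing and displaying the address exactly as the user typed it; the canonical form is an identity key, not a rewrite of what the user wants to see.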
  24. MAPI != anti-IMAP by stereoroid · · Score: 4, Informative

    Actually, MAPI (Mail API) is the old Microsoft standard for mail-related communication between Windows applications. I remember using it in Windows 3, long before IMAP was widely adopted. It was later extended to MAPI/RPC for communication with Exchange servers. This is one case where anti-Microsoft paranoia isn't justified...

    --
    (this is not a .sig)
  25. RTFRFC by Anonymous Coward · · Score: 1, Informative

    While it may be the case that the internet would be a happier place if everyone agreed to avoid generating "backscatter," people seem to consistently ignore the fact that "backscatter" is not a misconfiguration but rather a strict adherence to the standard. RFC 3461 (which is responsible for outlining delivery status notification for SMTP) is pretty clear that any failure to deliver a message in which the sending MTA has not specifically set the NOTIFY parameter to not contain "FAILURE" must result in a bounce. (RFC3461 sec. 5.2.6) http://www.faqs.org/rfcs/rfc3461.html Can we really jump down google's throat for adhering to an accepted standard instead of a loosely defined "best practice" which exists in direct violation of standards?

    1. Re:RTFRFC by benyto · · Score: 2, Informative

      How is rejecting email to non-existent users in direct violation of standards?

      Additionally, the RFC you linked to defines the DSN extension. There is no requirement for an MTA to support RFC 3461. In fact Google's own MXs do not support the DSN extension:

      $ nc smtp2.google.com. 25
      220 smtp.google.com ESMTP
      EHLO ME
      250-smtp.google.com Hello obfuscated hostname [obfuscated IP address], pleased to meet you
      250-ENHANCEDSTATUSCODES
      250-PIPELINING
      250-8BITMIME
      250-SIZE 20000000
      250-STARTTLS
      250-DELIVERBY
      250 HELP
      quit
      221 2.0.0 smtp.google.com closing connection
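
      The check benyto made by hand, reading the EHLO reply for a DSN keyword, is easy to automate, and it also decides what a sending MTA is allowed to do next: under RFC 3461 a client may only put NOTIFY=NEVER on RCPT TO if the server advertised DSN. The block below is an added example written for this page, not Google's code; the EHLO text it parses is copied from the transcript above as a fixed sample, so it runs offline and says nothing about what those servers advertise today.

```python
from typing import Dict, List

# Sample copied from the EHLO exchange quoted above, used here as a fixed
# offline input; it is not a live capture.
SAMPLE_EHLO = """\
250-smtp.google.com Hello obfuscated hostname [obfuscated IP address], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 20000000
250-STARTTLS
250-DELIVERBY
250 HELP
"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a multi-line EHLO reply into {KEYWORD: [parameters]}.

    RFC 5321 framing: every line starts with the 250 code, followed by '-'
    when more lines follow or a space on the final line; the first line is
    the server greeting, not an extension. Malformed framing raises."""
    lines = [ln.rstrip("\r") for ln in reply.strip().split("\n")]
    last = len(lines) - 1
    exts: Dict[str, List[str]] = {}
    for i, line in enumerate(lines):
        if not line.startswith("250"):
            raise ValueError(f"not a 250 reply line: {line!r}")
        sep = line[3:4]
        if sep not in ("-", " ", ""):
            raise ValueError(f"bad separator after code: {line!r}")
        if sep == "-" and i == last:
            raise ValueError("reply ends on a continuation line")
        if sep != "-" and i != last:
            raise ValueError(f"final-line marker before end of reply: {line!r}")
        if i == 0:
            continue                        # greeting line
        words = line[4:].split()
        if words:
            exts[words[0].upper()] = words[1:]
    return exts


def supports_dsn(exts: Dict[str, List[str]]) -> bool:
    """RFC 3461 is only in play when the server advertised the DSN keyword."""
    return "DSN" in exts


def max_message_size(exts: Dict[str, List[str]]):
    """Value of the SIZE extension, or None if not advertised."""
    params = exts.get("SIZE")
    return int(params[0]) if params else None


def rcpt_to_command(address: str, exts: Dict[str, List[str]], notify: str = "NEVER") -> str:
    """Build RCPT TO for a sender that wants no failure DSN back.

    The NOTIFY parameter is only legal when DSN was advertised; against a
    server without it the sender has no standard way to ask for silence."""
    cmd = f"RCPT TO:<{address}>"
    if supports_dsn(exts):
        cmd += f" NOTIFY={notify}"
    return cmd


if __name__ == "__main__":
    exts = parse_ehlo(SAMPLE_EHLO)
    print("extensions:", sorted(exts))
    print("DSN advertised:", supports_dsn(exts))
    print("max size:", max_message_size(exts))
    print(rcpt_to_command("someone@example.com", exts))
```

      Because the sample reply has no DSN keyword, `rcpt_to_command` emits a bare RCPT TO: whether a failure notice is later generated for that recipient is entirely the receiving MTA's policy, which is exactly the point benyto makes against the RFC 3461 argument.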

  26. Re:Mod Parent Up by techno-vampire · · Score: 2, Informative

    So what? We're not talking about keeping your email secure, we're talking about keeping websites from reading your contact list or address book. If you're using POP3 for your email, there's nothing whatsoever in your browser's history, cookies, passwords or other hiding places for those snooping sites to find, and that's what we're talking about.

    --
    Good, inexpensive web hosting