Slashdot Mirror


Google Mail Servers Enable Backscatter Spam

Mike Morris writes "Google email servers are responsible for a large volume of backscatter spam. No recipient validation is being performed for the domains googlegroups.com and blogger.com — possibly for other Google domains as well, but these two have been confirmed. (You can test this by sending an email to a bogus address in either of the domains; you'll quickly get a Google-generated bounce message.) Consequently spammers are able to launch dictionary attacks against these domains using forged envelope sender addresses. The owners of these forged addresses are then inundated with the bounce messages generated by the Google mail servers. The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction. Attempts at contacting them via abuse@google.com and postmaster@google.com have gone unanswered for quite some time. Only automated responses are received which say Google isn't doing anything wrong."
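To make the two behaviours the summary contrasts concrete, here is an added simulation (not Google's or any real MTA's code): a toy mail server that either accepts every RCPT TO and bounces unknown users afterwards, or rejects unknown users with a 550 during the SMTP transaction. The domain, user directory, guessed local parts and forged sender are all constructed.

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.test"       # constructed domain standing in for googlegroups.com
VALID_USERS = {"alice", "bob"}      # constructed user directory


@dataclass
class MailServer:
    reject_unknown_at_rcpt: bool    # True = the behaviour the summary calls for
    bounces_sent: list = field(default_factory=list)  # envelope senders we sent DSNs to
    accepted: list = field(default_factory=list)      # (sender, recipient) actually delivered

    def rcpt_to(self, rcpt: str) -> str:
        """Answer an SMTP RCPT TO:<rcpt> command; returns the reply line."""
        local, _, domain = rcpt.partition("@")
        if domain != LOCAL_DOMAIN:
            return "550 5.7.1 Relaying denied"
        if local not in VALID_USERS and self.reject_unknown_at_rcpt:
            # Refusing here leaves any bounce to the connecting client, which
            # is the party that actually knows (or forged) the envelope sender.
            return "550 5.1.1 User unknown"
        return "250 2.1.5 Recipient ok"       # wildcard accept: decide later

    def end_of_data(self, sender: str, rcpt: str) -> None:
        """Message accepted at DATA; an unknown user can now only be bounced."""
        if rcpt.partition("@")[0] in VALID_USERS:
            self.accepted.append((sender, rcpt))
        else:
            self.bounces_sent.append(sender)  # DSN goes to a possibly forged address


def simulate(server: MailServer, forged_senders: list, guesses: list) -> int:
    """Feed one message per guessed local part, rotating through the forged
    envelope senders, and return how many bounces the server emitted."""
    for i, guess in enumerate(guesses):
        sender = forged_senders[i % len(forged_senders)]
        rcpt = f"{guess}@{LOCAL_DOMAIN}"
        if server.rcpt_to(rcpt).startswith("250"):
            server.end_of_data(sender, rcpt)
    return len(server.bounces_sent)


if __name__ == "__main__":
    guesses = ["alice", "carol", "dave", "bob", "eve"]  # constructed dictionary
    forged = ["victim@forged.test"]                     # constructed forged sender
    print("accept-then-bounce:", simulate(MailServer(False), forged, guesses))  # 3
    print("reject-at-rcpt:    ", simulate(MailServer(True), forged, guesses))   # 0
```

With the same traffic, the accept-then-bounce server sends one DSN per unknown user to the forged sender, while the reject-at-RCPT server sends none and still delivers the two messages addressed to real users.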

14 of 344 comments

  1. Re:*goes change his gmail password* by Anonymous Coward · · Score: 5, Informative

    Did you have an active session with gmail going at the time? As in, you didn't click "log out"?

  2. Re:Inaccurate title/summary by ceejayoz · · Score: 4, Informative

    *checks*

    Hey, look. It's a kdawson article!

  3. Re:Inaccurate title/summary by ikkonoishi · · Score: 3, Informative

    Just because some spam is advertising does not mean that all spam is advertising. The point here would be to fill someone's inbox with bogus messages.

  4. Re:Inaccurate title/summary by NMerriam · · Score: 5, Informative

    You're being either overly literal, or trying to create a distinction where there isn't much of one.

    No, the responses don't contain an original message, nor are they commercial or anything like that, but the spammy thing about this form of backscatter is about the VOLUME and indiscriminate nature of the mail, not the content.

    This isn't being blown out of proportion at all. It's nothing like a mailing list sending a confirmation. No spammer is going to send a million messages with different forged addresses to a single email address (the subscribe address) -- that defeats the whole purpose of spamming, which is to contact DIFFERENT addresses!

    What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google. THAT is backscatter spam -- thousands of useless messages sent to forged addresses on your domain, regardless of content. And no mail server in 2008, much less one run by a major tech company, should make that possible.

    --
    Recursive: Adj. See Recursive.
  5. Re:*goes change his gmail password* by DarkAxi0m · · Score: 3, Informative

    Facebook can do it too. As can several other social networking sites. Typically, you have to give permission to access your contacts. I think you have to give them your gmail password, or hotmail or whatever, as well as permission.
  6. Mod Parent Up by Anonymous Coward · · Score: 3, Informative

    This is *exactly* why I do my email separate from all other browsing. It's not even unique to Google, they're just the biggest target.

    If you want to use email securely:
    * Use 'clear private data' to wipe everything out.
    * Visit your webmail site (copy any links you want to visit to a text file for later).
    * Read/send email.
    * Log out.
    * Use 'clear private data' again.

    Anything less risks having information stolen.

  7. Re:*goes change his gmail password* by i.of.the.storm · · Score: 5, Informative

    Yeah, Facebook actually asks for your gmail password, so do other sites. A bit shady, but I trust those sites not to store it because there'd be hell to pay if anyone found out otherwise.

    --
    All your base are belong to Wii.
  8. Re:Mod Parent Up by techno-vampire · · Score: 4, Informative
    If you want to use email securely:

    Use POP3 for all your email. That way no website can ever get access to your contacts or personal data.

    --
    Good, inexpensive web hosting
  9. Re:Proper? by schon · · Score: 3, Informative

    If you send it for invalid ones, then I can assume that when you don't send it, it's a legit account. That's absurd logic.

    got a tip for you:

    spammers don't care if the addresses are valid or not

    What you describe is called a 'Rumpelstiltskin' attack - it's well known, and nobody has ever suggested that the best way to counter it is to start spamming people with backscatter.
  10. Re:*goes change his gmail password* by aleph42 · · Score: 3, Informative

    What kind of "music" site were you on?
    The "russian" kind? No. I think it was on http://imeem.com/ , or one of those websites with mp3s of indy bands (amiestreet ?).

    And I'm absolutely positive I didn't give them my gmail password.
    --
    Don't take my posts literally; it's just code to control my botnet.
  11. Re:And google wonders why ... by synx · · Score: 3, Informative

    not to mention the class A/B shares - the company isn't actually answerable to shareholders!

    Besides which, google had basically no choice but to go public - the SEC rule would have required them to file financial papers as if they were public - so why not get the benefit as well?

  12. Re:Mod Parent Up by netcrusher88 · · Score: 4, Informative

    Warning: offtopic

    IMAP and MAPI are two separate protocols. IMAP is a standard protocol used for semi-connected work on folders actually hosted on a server (it can work disconnected and sync up later), whereas MAPI is a Microsoft proprietary protocol that accomplishes approximately the same thing.

    I tend to think that the name MAPI is a typical Microsoft attempt to get people to confuse (it worked, didn't it?) open, widely used standards and Microsoft proprietary crap. See also OOXML vs ODF (formerly OOXML, before Microsoft even dreamed of that acronym...)

    --
    There's an old saying that says pretty much whatever you want it to.
  13. Re:*goes change his gmail password* by stephanruby · · Score: 4, Informative

    Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magically appeared on their page. Even if it is apparently a common practice, I find it very disturbing.
    It may have appeared on their page, but it wasn't coming from their site -- it was coming from google. Both the list of your contacts, and the request for permission to send, was coming from google. It does NOT mean the actual music site knew the email addresses of your contacts.
    Here is an actual example of what I'm talking about. Log into http://www.google.com/calendar, stick this iframe in your web site, replace the left and right parenthesis with the right symbols, and see what happens.

    (iframe src="http://www.google.com/calendar/embed?title=Slashdot%20Calendar&height=250&wkst=2&bgcolor=%23FFFFFF&ctz=America%2FLos_Angeles" style=" border:solid 1px #777 " width="300" height="250" frameborder="0" scrolling="no")(/iframe)
    Assuming your calendar is marked private, having the private data from your calendar appearing within the iframe of your browser doesn't mean it's accessible by the web site hosting the iframe (nor does it mean it's accessible by the javascript outside that iframe either).
  14. MAPI != anti-IMAP by stereoroid · · Score: 4, Informative

    Actually, MAPI (Mail API) is the old Microsoft standard for mail-related communication between Windows applications. I remember using it in Windows 3, long before IMAP was widely adopted. It was later extended to MAPI/RPC for communication with Exchange servers. This is one case where anti-Microsoft paranoia isn't justified...

    --
    (this is not a .sig)