Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Mail Servers Enable Backscatter Spam

Posted by kdawson on from the ricochet-attack dept.

Mike Morris writes "Google email servers are responsible for a large volume of backscatter spam. No recipient validation is being performed for the domains googlegroups.com and blogger.com — possibly for other Google domains as well, but these two have been confirmed. (You can test this by sending an email to a bogus address in either of the domains; you'll quickly get a Google-generated bounce message.) Consequently spammers are able to launch dictionary attacks against these domains using forged envelope sender addresses. The owners of these forged addresses are then inundated with the bounce messages generated by the Google mail servers. The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction. Attempts at contacting them via abuse@google.com and postmaster@google.com have gone unanswered for quite some time. Only automated responses are received which say Google isn't doing anything wrong."

8 of 344 comments (clear)

  1. Re:*goes change his gmail password* by Anonymous Coward · · Score: 5, Informative

    Did you have an active session with gmail going at the time? As in, you didn't click "log out"?

  2. Re:Inaccurate title/summary by ceejayoz · · Score: 4, Informative

    *checks*

    Hey, look. It's a kdawson article!

  3. Re:Inaccurate title/summary by NMerriam · · Score: 5, Informative

    You're being either overly literal, or trying to create a distinction where there isn't much of one.

    No, the responses don't contain an original message, nor are they commercial or anything like that, but the spammy thing about this form of backscatter is about the VOLUME and indiscriminate nature of the mail, not the content.

    This isn't being blown out of proportion at all. It's nothing like a mailing list sending a confirmation. No spammer is going to send a million messages with different forged addresses to a single email address (the subscribe address) -- that defeats the whole purpose of spamming, which is to contact DIFFERENT addresses!

    What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google. THAT is backscatter spam -- thousands of useless messages sent to forged addresses on your domain, regardless of content. And no mail server in 2008, much less one run by a major tech company, should make that possible.

    --
    Recursive: Adj. See Recursive.
  4. Re:*goes change his gmail password* by i.of.the.storm · · Score: 5, Informative

    Yeah, Facebook actually asks for your gmail password, so do other sites. A bit shady, but I trust those sites not to store it because there'd be hell to pay if anyone found out otherwise.

    --
    All your base are belong to Wii.
  5. Re:Mod Parent Up by techno-vampire · · Score: 4, Informative
    If you want to use email securely:


    Use POP3 for all your email. That way no website can ever get access to your contacts or personal data.

    --
    Good, inexpensive web hosting
  6. Re:Mod Parent Up by netcrusher88 · · Score: 4, Informative

    Warning: offtopic

    IMAP and MAPI are two separate protocols. IMAP is a standard protocol used for semi-connected work on folders actually hosted on a server (it can work disconnected and sync up later), whereas MAPI is a Microsoft proprietary protocol that accomplishes approximately the same thing.

    I tend to think that the name MAPI is a typical Microsoft attempt to get people to confuse (it worked, didn't it?) open, widely used standards and Microsoft proprietary crap. See also OOXML vs ODF (formerly OOXML, before Microsoft even dreamed of that acronym...)

    --
    There's an old saying that says pretty much whatever you want it to.
  7. Re:*goes change his gmail password* by stephanruby · · Score: 4, Informative

    Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magicaly appeared on their page. Even if it is apparently a common practice, I find it very disturbing.
    It may have appeared on their page, but it wasn't coming from their site -- it was coming from google. Both the list of your contacts, and the request for permission to send, was coming from google. It does NOT mean the actual music site knew the email addresses of your contacts.
    Here is an actual example of what I'm talking about. Log into http://www.google.com/calendar, stick this iframe in your web site, replace the left and right parenthesis with the right symbols, and see what happens.

    (iframe src="http://www.google.com/calendar/embed?title=Slashdot%20Calendar&height=250&wkst=2&bgcolor=%23FFFFFF&ctz=America%2FLos_Angeles" style=" border:solid 1px #777 " width="300" height="250" frameborder="0" scrolling="no")(/iframe)
    Assuming your calendar is marked private, having the private data from your calendar appearing within the iframe of your browser doesn't mean it's accessible by the web site hosting the iframe (nor does it mean it's accessible by the javascript outside that iframe either).
  8. MAPI != anti-IMAP by stereoroid · · Score: 4, Informative

    Actually, MAPI (Mail API) is the old Microsoft standard for mail-related communication between Windows applications. I remember using it in Windows 3, long before IMAP was widely adopted. It was later extended to MAPI/RPC for communication with Exchange servers. This is one case where anti-Microsoft paranoia isn't justified...

    --
    (this is not a .sig)