Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Mail Servers Enable Backscatter Spam

Posted by kdawson on from the ricochet-attack dept.

Mike Morris writes "Google email servers are responsible for a large volume of backscatter spam. No recipient validation is being performed for the domains googlegroups.com and blogger.com — possibly for other Google domains as well, but these two have been confirmed. (You can test this by sending an email to a bogus address in either of the domains; you'll quickly get a Google-generated bounce message.) Consequently spammers are able to launch dictionary attacks against these domains using forged envelope sender addresses. The owners of these forged addresses are then inundated with the bounce messages generated by the Google mail servers. The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction. Attempts at contacting them via abuse@google.com and postmaster@google.com have gone unanswered for quite some time. Only automated responses are received which say Google isn't doing anything wrong."

14 of 344 comments (clear)

  1. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  2. Re:*goes change his gmail password* by Anonymous Coward · · Score: 5, Informative

    Did you have an active session with gmail going at the time? As in, you didn't click "log out"?

  3. just point it out to them more clearally. by Anonymous Coward · · Score: 5, Interesting

    forged from: abuse@[domain]
    to: bogus@[domain]
    You have issues.

    If they have back scatter, they get it. If they don't have back scatter, they don't.

  4. Proper? by EdIII · · Score: 5, Insightful

    The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction.


    Ummm, how about the only behavior .

    It never ceases to amaze me how some mail server administrators setup policies on their networks. If you are running a mail server you are THE POSTMASTER. If you don't know where it should go, or who it is supposed to be going to, how can you accept it?

    Refusing email and stopping the transaction when you do not control the domain, service the domain, or even know the mailbox user is about as obvious a policy as not relaying for domains outside of your control.

    If it is an honest mistake on the part of the sending server, acting as an agent for the user, then a simple message informing the sender that the account does not exist is a trivial matter.

    To do anything else just amazes me.
  5. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  6. A suggestion for Gmail spam-fighting by shanen · · Score: 5, Interesting

    Basically Gmail is losing value for all of us as it becomes spam
    soaked. Even their filtering is having troubles with false positives
    and false negatives--and the spam is just increasing. Therefore I
    think Google should act more aggressively to drive the spammers away
    from Gmail.

    My latest anti-spam idea is a SuperReport option. (Kind of like
    SpamCop, but not so lazy.) If you click on the SuperReport option,
    Gmail would explode the spam and try to analyze it for you to help go
    after the spammers more aggressively. Here is one approach to
    implementing it:

    The first pass analysis would be a low-cost quickie that would also
    act like a kind of CAPTCHA. This would just be an automated pass
    looking for obvious patterns like email addresses and URLs. The email
    would then be exploded and shown to the person making the report (=
    the targeted recipient of the spam AKA victim). The thoughtful
    responses for the second pass would guide the system in going after
    the spammers--making Gmail a *VERY* hostile environment for spammers
    to the point that they would stop spamming Gmail.

    For example, if the first pass analysis finds an email address in the
    header, the exploded options might be "Obvious fake, ignore",
    "Plausible fake used to improve delivery", "Apparently valid drop
    address for replies", "Possible Joe job", and "Other". (Of course
    there should be pop-up explanations for help, which would be easy if
    it's done as a radio button. Also, Google always needs to allow for
    "Other" because the spammers are so damn innovative. In the "Other"
    case, the second pass should call for an explanation of why it is
    "Other".)

    If the first pass analysis finds a URL, the exploded options should be
    things like "Drugs", "Stock scam", "Software piracy", "Loan scam",
    "419 scam", "Prostitution", "Fake merchandise", "Reputation theft",
    "Possible Joe job", and "Other". I think URLs should include a second
    radio button for "Registered Domain" (default), "Redirection",
    "Possible redirection", "Dynamic DNS routing", and "Other". (Or
    perhaps that would be another second-pass option?)

    If the first pass finds an email address in the body, the exploded
    options should include things like "Fake opt-out for address
    harvester", "419 reply path", "Joe job", and "Other".

    At the bottom of the expanded first pass analysis there should be some
    general options about the kind of spam and suggested countermeasures,
    and the submit SuperReport button. This would trigger the heavier
    second pass where Gmail's system would take these detailed results of
    the human analysis of the spam and use them to really go after the
    spammers in a more serious way. Some of the second pass stuff should
    come back to the person who received the spam for confirmation of the
    suggested countermeasures.

    Going beyond that? I think Gmail should also rate the spam reporters
    on their spam-fighting skills, and figure out how smart they are when
    they are analyzing the spam. I want to earn a "Spam Fighter First
    Class" merit badge!

    If you agree with these ideas--or have better ones, I suggest you try
    to call them to Google's attention. Google still seems to be an
    innovative and responsive company--and they claim they want to fight
    evil, too. More so if many people write to them? (I even think they
    recently implemented one of my suggestions to improve the Groups...
    However, it doesn't matter who gets credit--what matters is destroying
    the spammers.)

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  7. 250 Accepted by Anonymous Coward · · Score: 5, Interesting

    Yes, mail to an unknown recipient should be rejected with a 550 code during the initial SMTP dialogue. But not only that - lots of people believe that *any* message you don't intend to deliver should be rejected during the SMTP dialogue. The current fashion is to say "250 OK" and then silently delete the message later, which is wrong.

    I hate to toot my own horn here, but I wrote tarmail with this express purpose in mind (among others). GPLed and everything. Messages that you won't accept get rejected during the SMTP dialogue.

    If you don't like my MTA, then please feel free to mod this down so that others won't be needlessly bothered. But I really to believe that Tarmail is the right answer to this specific problem. Thank you for your time.

    1. Re:250 Accepted by prockcore · · Score: 5, Interesting

      The current fashion is to say "250 OK" and then silently delete the message later, which is wrong.


      Since SMTP is defective by design, this is an acceptable response. Doing anything else allows spammers to confirm valid accounts using dictionary attacks.
    2. Re:250 Accepted by fortunato · · Score: 5, Interesting

      Yes actually I have. Postfix is extremely easy to set up with SpamAssassin. It requires cutting and pasting two configuration lines if you can't understand the manual and can do a google search. I suppose you could make the pedantic argument that it's twice as hard as tarmail since tarmail requires one line.

      In fact setting up ClamAV and SpamAssassin alone is orders of magnitude more complex.

      I might argue that if you have a hard time understanding the postfix manual you have no business running a mail server.

      In any case, I wasn't trying to compare, just trying to understand why it was worth the effort of yet another SMTP server.

  8. Re:Inaccurate title/summary by NMerriam · · Score: 5, Informative

    You're being either overly literal, or trying to create a distinction where there isn't much of one.

    No, the responses don't contain an original message, nor are they commercial or anything like that, but the spammy thing about this form of backscatter is about the VOLUME and indiscriminate nature of the mail, not the content.

    This isn't being blown out of proportion at all. It's nothing like a mailing list sending a confirmation. No spammer is going to send a million messages with different forged addresses to a single email address (the subscribe address) -- that defeats the whole purpose of spamming, which is to contact DIFFERENT addresses!

    What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google. THAT is backscatter spam -- thousands of useless messages sent to forged addresses on your domain, regardless of content. And no mail server in 2008, much less one run by a major tech company, should make that possible.

    --
    Recursive: Adj. See Recursive.
  9. Re:*goes change his gmail password* by i.of.the.storm · · Score: 5, Informative

    Yeah, Facebook actually asks for your gmail password, so do other sites. A bit shady, but I trust those sites not to store it because there'd be hell to pay if anyone found out otherwise.

    --
    All your base are belong to Wii.
  10. Re:And google wonders why ... by mingot · · Score: 5, Funny

    Wow, only on slashdot does microsoft get the blame for google being evil.

  11. Re:*goes change his gmail password* by Anonymous Coward · · Score: 5, Funny

    Strange things happen in the internet, The other day I was navigating in the internet and my wife was watching the screen, and when I was typing a url, a nasty porn site appeared as autocompleted, I swear I never visited the site. I'll show this google account problem to my wife, she might believe me now.

  12. Re:*goes change his gmail password* by Inoshiro · · Score: 5, Interesting

    You are the most trusting person here, then. Already Google admitted to being in cahoots with the NSA/FBI/CIA (etc) in providing them with data on their Google web app usage. Facebook is just as bad with their beacon source, etc.

    Seriously, I barely trust myself with my personal info -- why trust a complete stranger (or set of strangers) that are based out of a country where the gov't can just lean on a company to get private data?

    The staff at Facebook don't give two shits about privacy, otherwise all those stupid "apps" which you add to your profile wouldn't be able to spider your friends or send them stupid form letters to encourage them to allow/add them (furthering the data-mining by the app writer). Try turning the privacy settings up by disabling everything when adding an app. It won't let you, because then the app "wouldn't work" correctly.

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.