Slashdot Mirror


Gmail As Open-Relay Spam Server

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

145 comments

  1. doesn't stop spam, by Anonymous Coward · · Score: 2, Insightful

    but is very effective against slashdot comments?

  2. Wow, slashdot doesnt give a crap by Aranykai · · Score: 2, Informative

    Apparently, no one here cares :P

    But, on topic, this really isn't all that surprising. Pretty much any email server can be used as a relay in this manner, the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.

    --
    If sharing a song makes you a pirate, what do I have to share to be a ninja?
    1. Re:Wow, slashdot doesnt give a crap by Midnight+Thunder · · Score: 3, Interesting

      Pretty much any email server can be used as a relay in this manner, the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.

      Certainly, but this can be reduced by making sure that e-mail coming from the outside world can only be sent to gmail addresses and e-mail going to the outside world requires password authentication by the sender. One issue that we are starting to see is e-mail being bounced to a different party than the one that officially sent the e-mail. Other measures that can help include only accepting e-mail from external mail servers whose name can be resolved from its address.

      The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process.

      --
      Jumpstart the tartan drive.
    2. Re:Wow, slashdot doesnt give a crap by Jurily · · Score: 4, Insightful

      The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process. Recently I've been getting spam that convinced them that I was the sender, and even "(unknown sender)" ones. One would think that's not that hard to decide.

      The other problem is, Hotmail and Yahoo trusting Gmail. In the world of email, there is no such thing as a trustworthy server.
    3. Re:Wow, slashdot doesnt give a crap by Lincolnshire+Poacher · · Score: 5, Insightful

      > The real problem is really deciding what is a legitimate
      > source of e-mail, without requiring a central registry of
      > e-mail servers or some other sort of bureaucratic process.

      Well that's the problem that SPF solves. Each domain owner
      creates a DNS entry that specifies which mail servers are
      permitted to send mail for that domain. When an MX receives
      a HELO it checks that the originating IP corresponds with
      the DNS entry; if not, the mail can be rejected or subjected
      to further inspection and scoring.

      Simple to implement, I've done it in 20 minutes for my domain
      ( 20 minutes from ``What is this project?'' to submitting the
      DNS change ).

      http://www.openspf.org/
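The check described above, as an added example that is not part of the post or of the openspf.org project: a small SPF evaluator that looks up the record published for the sender's domain and decides whether the connecting IP is permitted. The DNS answers, domain names and addresses are a constructed in-memory table so the example runs offline; a real MTA would query DNS instead.

```python
"""Minimal SPF evaluation (RFC 7208 style) against a constructed DNS table."""
import ipaddress

# Constructed stand-in for DNS TXT/A/MX answers (documentation-range addresses).
FAKE_DNS = {
    "example.net": {
        "txt": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
        "a": ["192.0.2.10"],
        "mx": ["mx1.example.net"],
    },
    "_spf.mailhost.example": {
        "txt": "v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 a mx ~all",
        "a": ["203.0.113.7"],
        "mx": ["mx.mailhost.example"],
    },
    "mx1.example.net": {"a": ["192.0.2.25"]},
    "mx.mailhost.example": {"a": ["203.0.113.25"]},
    "nospf.example": {"a": ["203.0.113.99"]},  # publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation


def _hosts_for(domain, kind):
    """Addresses that an 'a' or 'mx' mechanism expands to for `domain`."""
    rec = FAKE_DNS.get(domain, {})
    if kind == "a":
        return rec.get("a", [])
    return [ip for mx in rec.get("mx", []) for ip in FAKE_DNS.get(mx, {}).get("a", [])]


def _ip_in(ip, net):
    # ip_network() rejects a v4 address against a v6 network and vice versa.
    return ip in ipaddress.ip_network(net, strict=False)


def check_spf(client_ip, sender_domain, _lookups=None):
    """Evaluate sender_domain's SPF record for the connecting client_ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    ip = ipaddress.ip_address(client_ip)
    record = FAKE_DNS.get(sender_domain, {}).get("txt")
    if not record or not record.startswith("v=spf1"):
        return "none"  # no policy published: the receiver learns nothing
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if "=" in name:
            continue  # modifiers (redirect=, exp=) are not handled here
        if name in ("include", "a", "mx"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif name in ("a", "mx"):
            matched = any(_ip_in(ip, h) for h in _hosts_for(arg or sender_domain, name))
        elif name == "include":
            # An include matches only when the referenced policy itself passes.
            matched = check_spf(client_ip, arg, lookups) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without an 'all' term
```

A receiving MX would reject on `fail`, score or greylist on `softfail`, and treat `none` as no evidence either way.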

    4. Re:Wow, slashdot doesnt give a crap by Glonoinha · · Score: 2, Funny

      Or maybe Google could outsource their anti-spam efforts to these guys.
      I'm guessing giving these guys a million dollars and saying 'make spam stop globally' might just work.

      It's worth a try.

      --
      Glonoinha the MebiByte Slayer
    5. Re:Wow, slashdot doesnt give a crap by Antique+Geekmeister · · Score: 2, Insightful

      Yes, there is such a thing. An SMTP-AUTH authenticated server works well, and it's straightforward to publish SPF records for other mail servers to filter a lot of forged email, especially the bounces you've been seeing. (SPF is worth looking up: Google does publish SPF records in their DNS.) SPF got crippled by a Microsoft 'embrace and extend' operation involving SenderID keys and mislabeling SenderID based SPF tags as plain SPF. IT got

    6. Re:Wow, slashdot doesnt give a crap by LilGuy · · Score: 1

      It's amazing that in 2008 we still need to bring up the fact that there are simple solutions to these problems.

      I don't understand how there are really that many network/system admins out there that don't understand how the Internet works.

      --

      You're nothing; like me.
    7. Re:Wow, slashdot doesnt give a crap by SanityInAnarchy · · Score: 1

      Certainly, but this can be reduced by making sure that e-mail coming from the outside world can only be sent to gmail addresses and e-mail going to the outside world requires password authentication by the sender. And, specifically, that it can only be sent to valid Gmail addresses.

      I've done stuff like this with Postfix, in my spare time, on my own mailserver. It's trivially easy, and it completely eliminates bounces, except in the case of mysterious internal errors -- but even then, I think it's more common for a temporary error to be returned at the SMTP layer than for the mail to actually bounce.

      Bounces are unnecessary, full stop.
      --
      Don't thank God, thank a doctor!
    8. Re:Wow, slashdot doesnt give a crap by Anonymous Coward · · Score: 0

      Spammers have been using SPF since it was first designed - "next".

    9. Re:Wow, slashdot doesnt give a crap by Anonymous Coward · · Score: 0

      Other measures that can help is only accepting e-mail from external mail servers whose name can be resolved from its address. Up to a point. This is the partial header of the Slashdot list server that sent my daily update email to me today:

      from mail.osdn.net (sshgate.ostg.com [66.35.250.15])

      As you can see, if I enable strict host name checking on my Postfix server, I would end up rejecting the daily Slashdot news emails I get. Many list servers HELO/EHLO with names not matching their A/MX/PTR records and most list servers don't have corresponding MX records period. Thus, two major and easy to implement spam checks are worthless.

      When I enable MX checking, in addition to A and PTR checking, I end up killing off half of my daily legitimate inbound email, due to the amount of list mail I receive. Using A record checks, which is what I believe you are proposing here, is something I've been doing for years and does kill a ton of spam, but it's only part of the solution.

      The bulk of the spam I receive today (the stuff that makes it into my inbox) is the result of "drive-by" domain registrations. In the last few months most of the spam I've received has been sent from "legit" SMTP hosts with matching A and MX records. When looking up via WHOIS, the origin domains were all registered within a few days to a week of receiving the spam.

      A little log testimony to the effectiveness of A/PTR and HELO hostname checking:

      May 12 18:00:30 greer postfix/smtpd[20333]: NOQUEUE: reject: RCPT from unknown[116.4.224.36]: 450 4.7.1 Client host rejected: cannot find your hostname, [116.4.224.36]; from= to= proto=ESMTP helo=

      May 12 18:22:18 greer postfix/smtpd[28081]: NOQUEUE: reject: RCPT from unknown[65.171.119.62]: 450 4.7.1 Client host rejected: cannot find your hostname, [65.171.119.62]; from= to= proto=ESMTP helo=

      May 12 19:53:29 greer postfix/smtpd[28159]: NOQUEUE: reject: RCPT from CPE-121-223-243-50.static.qld.bigpond.net.au[121.223.243.50]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=SMTP helo=

      It's interesting to me that A/PTR checking on my Postfix server kills more spam than all of my RBL checks including Spamhaus. I've not done any kind of official analysis of my logs, but just a cursory browse of the log shows the bulk of the rejects due to name mismatches and very few rejected due to RBL lookups. This may very likely have more to do with the order in which the filtering is processed. I perform all my A/PTR and HELO hostname checks before doing RBL lookups.
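The "cursory browse of the log" above can be done mechanically. As an added example (not the commenter's own tooling), the script below parses Postfix smtpd reject lines and tallies them by the restriction that fired. The first three sample lines are the ones quoted in the comment; the RBL reject and the connect line are constructed, with documentation-range addresses, and the reply texts are the ones Postfix emits for `reject_unknown_client_hostname`, the HELO hostname restrictions and `reject_rbl_client`.

```python
"""Tally Postfix smtpd rejects by the check that produced them."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<reason>.*?); from="
)

# Reply text fragment -> the Postfix restriction family that emits it.
REASONS = [
    ("cannot find your hostname", "client_hostname"),  # reject_unknown_client_hostname
    ("Helo command rejected", "helo_hostname"),        # reject_*_helo_hostname
    ("blocked using", "rbl"),                          # reject_rbl_client
]

# First three lines: quoted from the comment. Last two: constructed.
SAMPLE_LOG = """\
May 12 18:00:30 greer postfix/smtpd[20333]: NOQUEUE: reject: RCPT from unknown[116.4.224.36]: 450 4.7.1 Client host rejected: cannot find your hostname, [116.4.224.36]; from= to= proto=ESMTP helo=
May 12 18:22:18 greer postfix/smtpd[28081]: NOQUEUE: reject: RCPT from unknown[65.171.119.62]: 450 4.7.1 Client host rejected: cannot find your hostname, [65.171.119.62]; from= to= proto=ESMTP helo=
May 12 19:53:29 greer postfix/smtpd[28159]: NOQUEUE: reject: RCPT from CPE-121-223-243-50.static.qld.bigpond.net.au[121.223.243.50]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=SMTP helo=
May 12 20:01:02 greer postfix/smtpd[28201]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using zen.spamhaus.org; from= to= proto=ESMTP helo=
May 12 20:05:44 greer postfix/smtpd[28201]: connect from mail.example.org[203.0.113.10]
"""


def classify(line):
    """Return (category, client_ip, is_temporary) for a reject line, else None.

    is_temporary is True for 4xx replies (the client may retry), False for 5xx.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    category = next((cat for text, cat in REASONS if text in m["reason"]), "other")
    return category, m["ip"], m["code"].startswith("4")


def tally(log_text):
    """Count rejects per category over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return counts


if __name__ == "__main__":
    for category, n in tally(SAMPLE_LOG).most_common():
        print(f"{category:16s} {n}")
```

Because Postfix evaluates restrictions in the order they are listed, a client rejected by the hostname checks never reaches the RBL lookup, so the RBL count only measures what the earlier checks let through.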

  3. Idiots better get off their ass by EdIII · · Score: 5, Informative

    Speaking as a mail server administrator I sincerely hope that they fix this pronto. There is no way that I can just block gmail addresses from my mail server given how huge gmail already is. I literally have no choice but to ride this out and hope for the best.

    I have already checked my server logs and the fun just started a little while ago. Yay!....

    1. Re:Idiots better get off their ass by Anonymous Coward · · Score: 1, Insightful

      By riding this out, you give no incentive to actually fix anything.

    2. Re:Idiots better get off their ass by lambent · · Score: 4, Interesting

      I can second the above statement, since I've seen the exact same traffic.

      Unfortunately, this sort of thing will continue to crop up. E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system. To combat spam, mail admins have had to take many unorthodox and RFC-bending practices (if not out-right ignoring RFCs altogether). Otherwise, users complain about too much spam. The down side, users then complain about e-mail delays or non-deliverables. So, you get systems setting up certain ways to bypass filters for hopefully trusted domains. And then this whole new problem comes up when people figure out new ways to abuse the system, its safeguards, and hidden/implicit trusts.

      Ugh. At this point, I just want to turn SMTP off completely. This is a losing battle.

    3. Re:Idiots better get off their ass by Baumi · · Score: 4, Insightful

      By riding this out, you give no incentive to actually fix anything. In theory, you're right: If all the server admins in the world united and blocked GMail, that'd send a message to Google to fix this ASAP.

      In practice, however, Google is likely to do just that anyway, and since there is no organized blacklisting going on, a sole action by the GP poster would most likely annoy his users while Google itself wouldn't even notice it.

      (Unless, of course, the GP happens to be the sysadmin for Hotmail, Yahoo! Mail or something similar - in that case: Blacklist, baby! ;-) )
    4. Re:Idiots better get off their ass by firekool · · Score: 1

      no organized blacklisting going on

      There actually are a few providers that do just that. Like SPAMCOP. And spamassassin does this too..
    5. Re:Idiots better get off their ass by mrbluze · · Score: 1

      But you know, coming from Google, at least we can be sure that the spam is context aware, targeted and very easy to search. If you happened to miss out on some spam, you can always look at the cache too.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    6. Re:Idiots better get off their ass by Midnight+Thunder · · Score: 4, Interesting

      E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system.

      I hear this being said over and over again. The problem is that no one has been able to provide a solution to resolve the problem. There have been suggestions, but doing so without penalizing the small guy is hard. Do we require certificates and if we do how can we ensure that it will be 100% foolproof? Do we only accept e-mail that hasn't been relayed or only accept mail from white listed relays, or create rules for them, if relays are to be tolerated in certain conditions?

      --
      Jumpstart the tartan drive.
    7. Re:Idiots better get off their ass by Kent+Recal · · Score: 3, Interesting

      I think what GP meant when he said E-mail is fundamentally broken is that SMTP is fundamentally broken.

      There are trivial technical solutions for the spam problem if only we could get rid of SMTP.
      Of course "we" can't but my hopes are that google may do it eventually. They could roll out a new system on a large enough scale to actually make it stick.

    8. Re:Idiots better get off their ass by pembo13 · · Score: 1, Funny

      How about blocking all emails from gmail servers not coming from an @gmail.com address?

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    9. Re:Idiots better get off their ass by Robotech_Master · · Score: 4, Informative

      Problem with this is that a lot of people (myself included) use gmail for the ease of use, but prefer to keep their own email address as the return address for various reasons.

      --
      Editor Emeritus and Senior Writer, TeleRead.org
    10. Re:Idiots better get off their ass by martin-boundary · · Score: 3, Insightful

      That's not a problem. That's what the Reply-To: field is for.

    11. Re:Idiots better get off their ass by EdIII · · Score: 3, Insightful

      Heh. Bwahahahah... *cough*

      SpamCop and SpamHaus blocking Google? How do they say it... When Pigs Fly?

      People that use both of those services, free and paying customers alike, rely on them automatically managing their lists. I am sure, and I am certainly adding myself to this, that "we" don't expect these services to add Hotmail, GMail, Yahoo, etc. You can also toss Comcast, AT&T, Time Warner's Roadrunner, Cox, etc. to the list too.

      Unfortunately, there is such a thing as being too big to blacklist. I don't know how many millions of customers that it starts at, but GMail passed whatever mark that was a long time ago.

      Organized blacklisting only applies to much much smaller entities.

    12. Re:Idiots better get off their ass by schon · · Score: 5, Insightful

      There are trivial technical solutions for the spam problem if only we could get rid of SMTP. No, there aren't.

      Spam exists because there are sociopaths who want to steal resources from others. There is *NO* technical solution to this. If your SMTP replacement allows anyone to contact anyone else, it will allow spammers to contact anyone.

      Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.
    13. Re:Idiots better get off their ass by martin-boundary · · Score: 4, Interesting

      Why do people say this? SMTP is not broken. It's a low level protocol which works pretty damn well. What people should concentrate on is building higher layers on top of SMTP and RFC2822, rather than complaining about SMTP itself.

      This is like complaining that wheels don't protect against being rained on, so cars should be redesigned from scratch.

    14. Re:Idiots better get off their ass by EdIII · · Score: 4, Informative

      That sounds logical but it won't work.

      The spammers don't care about what their FROM and REPLYTO fields actually say. Since this is a man-in-the-middle attack they could put practically anything with a @gmail.com in those fields and it will render your solution ineffective.

      The real problem with this exploit is that it bypasses all of Google's security measures and anything I could do on my end would only verify that the email actually came from a real Google mail server and from a Google email user. So then I can only rely on SPAM filtering based on content which is not as effective as we would all like it to be.

    15. Re:Idiots better get off their ass by njcoder · · Score: 2, Informative

      Google also has Google Apps which allows you to use your own domain name with GMail.

    16. Re:Idiots better get off their ass by Robotech_Master · · Score: 1

      It is when you're sending out your resume and want something a bit more professional-looking on the header than "robotech master at gmail.com"

      --
      Editor Emeritus and Senior Writer, TeleRead.org
    17. Re:Idiots better get off their ass by Henry+V+.009 · · Score: 1

      Then why is the spam problem so much bigger than the telemarketer or junk fax problem? Surely there is some technical aspect to this "social problem."

    18. Re:Idiots better get off their ass by jrp2 · · Score: 3, Informative

      "How about blocking all emails from gmail servers not coming from an @gmail.com address?"

      Won't work.

      There are boatloads of people and companies using Google with their own domains. Google Apps, Google Enterprise, etc.

      Also, many of the spammers are using gmail addresses. Remember, they don't care about return emails, they just drive people to their websites.

      --
      The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
    19. Re:Idiots better get off their ass by Paradise+Pete · · Score: 4, Insightful

      Then why is the spam problem so much bigger than the telemarketer or junk fax problem?

      Cost, plain and simple. The fundamental way to reduce spam is to make it cost more to do. Of course actually figuring out a good way to do that is left as an exercise for the reader.

    20. Re:Idiots better get off their ass by martin-boundary · · Score: 2, Interesting

      If you've already shelled out for a vanity domain, then you're better off sending your mail directly from your hosting provider's mail servers. It's trivial to forward a copy to your gmail account if you like, and you won't be caught out when gmail change details of their free service etc. in the future.

    21. Re:Idiots better get off their ass by Chandon+Seldon · · Score: 4, Insightful

      Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.

      That's generally true.

      The problem is that SMTP makes it drastically worse than it needs to be with a push model. The spammer can send a million messages, and they've all already been accepted by the destination server before anyone has a chance to complain.

      If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered. Sure, that doesn't kill the spam problem utterly dead - but it does mean that current spam management resources could keep it down to well under 90% of all email.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    22. Re:Idiots better get off their ass by JWSmythe · · Score: 2, Interesting

      Well, there are a lot of people who do alternative things.

      On a few mail installations I've done, it watches for abusers, and blocks them with firewall rules, based on other detections including SpamAssassin.

      So even my own mail system would block gmail if it detects enough spam coming from them. The threshold is high enough to not false, and low enough to stop most of the badguys. On a typical server (~50k msg/day) something like 1500 get blocked daily, with no complaints that real mail is being blocked.

      If Google is sending spam out, it's very likely they'll be tripped up by thousands of networks world wide, who have their own precautions in place like I do.

      --
      Serious? Seriousness is well above my pay grade.
    23. Re:Idiots better get off their ass by schon · · Score: 3, Insightful

      Then why is the spam problem so much bigger than the telemarketer or junk fax problem? Because we have laws regulating them, which (amazingly enough) is how society deals with social problems.

      Thank you for illustrating my point.

    24. Re:Idiots better get off their ass by techno-vampire · · Score: 1

      Do we only accept e-mail that hasn't been relayed

      I have my own domain, but don't host it myself. My email goes through my hosting company's smtp server, with my address @ my domain. I'm sure there are thousands, if not tens of thousands of other legitimate users like me doing the same thing. If you block all mail that's been relayed, none of us will be able to get email to you. There must be a better way...

      --
      Good, inexpensive web hosting
    25. Re:Idiots better get off their ass by mea_culpa · · Score: 1

      I'm not sure if Spamhaus is any respecter of ISP. They have blacklisted some (not all as they run many) of Cox's SMTP servers on numerous occasions, and I'm sure they have done the same to other ISPs as well. If enough spam is coming from an IP it can and likely will get blacklisted. Cox just assigns a new IP to the blacklisted server and gets around it while dealing with the blacklists to get their old IP removed. Dealing with millions of customers where more than half probably have no security software running it is no surprise that this happens. Note: I'm not claiming I know how Spamhaus works internally, just my observations. I'm assuming that much of what goes on there is automated.

      When I hear a complaint from someone getting mail refused to a hotmail account, I check the IP in the message headers of the returned mail of which MTA tried to communicate with hotmail and check it against Spamhaus and find it blacklisted. Calling the ISP tech support does nothing as there is no way to reach any NOC personnel from a call center nor does the support rep have any clue what Spamhaus or blacklists are. The admins in the NOC eventually correct the problem sometimes in as long as a day or two. Meanwhile users just have to resend their message and hope it goes through a different MTA within their ISP.

      If Gmail gets blacklisted they will probably do the same, I'm sure they have much more than one MTA.

    26. Re:Idiots better get off their ass by Niten · · Score: 3, Insightful

      If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered.

      The thing is that we can already achieve the same effect through a combination of greylisting and a trustworthy blacklist: an unknown (non-whitelisted) sender cannot deliver messages immediately, and if they're one of the few spammers who will retry deliver after a temporary failure, then by that time odds are that they will have been blacklisted.

      Sure, it's possible that a pull model might prove slightly more effective even so, but neither model will ever kill spam dead. And "possibly slightly better at dealing with spam, but probably just the same" isn't nearly enough to justify uprooting the world's entire email infrastructure.
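The greylisting-plus-blacklist combination described in the comment above, as an added example that is not the commenter's code: an unknown (client IP, sender, recipient) triplet gets a temporary 450 on first contact, a retry that comes too soon is deferred again, and a retry that arrives after the delay is accepted only if the client has not been blacklisted in the meantime. The whitelist entry, blacklist contents, addresses and timings are all constructed; the `blacklist` set stands in for an RBL lookup.

```python
"""Greylisting with a blacklist check at retry time."""
from dataclasses import dataclass, field

GREYLIST_DELAY = 300        # seconds a new triplet must wait before a retry is accepted
GREYLIST_EXPIRE = 4 * 3600  # forget triplets that never come back
WHITELIST = {"203.0.113.10"}  # constructed: known-good relay that skips greylisting


@dataclass
class Greylister:
    blacklist: set = field(default_factory=set)  # stands in for an RBL (constructed)
    seen: dict = field(default_factory=dict)     # triplet -> time first seen

    def check(self, client_ip, sender, recipient, now):
        """Decide a RCPT TO at time `now`; returns (smtp_code, reply_text)."""
        if client_ip in WHITELIST:
            return 250, "OK (whitelisted)"
        # The blacklist is consulted on every attempt, so a listing that
        # appears between first contact and the retry still takes effect.
        if client_ip in self.blacklist:
            return 554, "Service unavailable; client host blacklisted"
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.seen.get(key)
        if first is None or now - first > GREYLIST_EXPIRE:
            self.seen[key] = now
            return 450, "Greylisted, try again later"
        if now - first < GREYLIST_DELAY:
            return 450, "Greylisted, retry too early"
        return 250, "OK"


def simulate():
    """Walk a spammer and a legitimate sender through the same greylister.

    Returns the SMTP codes each one received, in order.
    """
    g = Greylister()
    spammer = ("198.51.100.7", "offer@spam.example", "me@example.org")
    legit = ("192.0.2.30", "friend@example.com", "me@example.org")
    codes = {"spammer": [], "legit": []}

    codes["spammer"].append(g.check(*spammer, now=0)[0])   # 450: unknown triplet
    codes["legit"].append(g.check(*legit, now=0)[0])       # 450: unknown triplet
    g.blacklist.add("198.51.100.7")                         # listed while waiting
    codes["spammer"].append(g.check(*spammer, now=400)[0])  # 554: now blacklisted
    codes["legit"].append(g.check(*legit, now=900)[0])      # 250: proper MTA retried
    return codes


if __name__ == "__main__":
    print(simulate())
```

Real deployments usually key on the client's /24 rather than the exact IP so that large senders retrying from a pool of MTAs are not deferred forever.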

    27. Re:Idiots better get off their ass by flyingfsck · · Score: 1

      Exactly, there are lots of people out there who have to be able to receive mail from people they don't know yet. Impede that feature and you impede business.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    28. Re:Idiots better get off their ass by Anonymous Coward · · Score: 0

      Or just use this.

    29. Re:Idiots better get off their ass by Arancaytar · · Score: 1

      Next headline on Slashdot: "Microsoft blocks Gmail!"

      First Youtube and then that. Indeed.

    30. Re:Idiots better get off their ass by masonc · · Score: 2, Interesting

      We are required to pay $10 or so per year to maintain a domain name. If we had to pay $10/year to register an SMTP server, spam would be virtually eliminated, as it would require being up front about operating a mail server. All that would have to happen would be to only accept mail from registered mail servers for the domain they are registered for.
      Spambots would not function any more. I don't know why this is so difficult to put in place.

      --
      CM www.cometenergysystems.com Blog: http://caribbeanrenewable.blogspot.com/
    31. Re:Idiots better get off their ass by Ed+Avis · · Score: 1

      SMTP does what it was designed to do, but that may no longer be what we want.

      --
      -- Ed Avis ed@membled.com
    32. Re:Idiots better get off their ass by justleavealonemmmkay · · Score: 0, Troll

      Who the fuck in his right mind would use Google for his company emails ?

    33. Re:Idiots better get off their ass by Anonymous Coward · · Score: 0

      You are absolutely right, don't bend rfcs to stop spam. Requiring the sending party to adhere to them strictly is enough to stop most. The only problem is that there are a lot of misconfigured legitimate servers out there.

    34. Re:Idiots better get off their ass by DougBTX · · Score: 3, Insightful

      before anyone has a chance to complain.

      All it takes is a spammer to use his distributed botnet to post thousands of complaints about legitimate email, and you're back to filtering push requests. You're also assuming that the spammer only has one plug to pull.
    35. Re:Idiots better get off their ass by Anonymous Coward · · Score: 0

      I'm glad that I iptables -> -j DROP googles/gmail smtp servers a year ago...

    36. Re:Idiots better get off their ass by Antique+Geekmeister · · Score: 2, Interesting

      We have a *good* law on junk fax. It's very clear: unsolicited faxes are illegal. We have very poor laws against telemarketers, laws aimed to permit telemarketers to continue to keep bothering you until you formally tell them to stop. There are some laws against spam, but they're extremely badly written.

      Simply extending the junk fax law to cover email spam would be easy. The money saved in dealing with people's incoming spam would be more than enough to do the necessary enforcement of the laws, with such a clear law provided. Unfortunately, the efforts to expand this law have inevitably been blocked by the Direct Marketing Association.

    37. Re:Idiots better get off their ass by dreamchaser · · Score: 1

      "There is no way that I can just block gmail addresses from my mail server given how huge gmail already is"

      Why is that exactly? I'm not flaming, I'm genuinely curious. Every business I do work with has their own email system, and the thought of someone using Gmail for business use gives me goosebumps so I am not sure blocking it would impact most organizations all that much.

      I asked because I don't know why you couldn't temporarily block it. If everyone did then Google would be motivated to fix the problem a lot faster.

    38. Re:Idiots better get off their ass by jonbryce · · Score: 1

      I think the answer has to be to invent a completely new messaging system where we learn from the mistakes in email, and don't bother about backwards compatibility.

      People would get whatever certificates etc they need from their messaging provider which would be a similar person to their existing email provider.

      The problem of course is persuading people to use it, and people won't use it if nobody else is using it.

    39. Re:Idiots better get off their ass by jonbryce · · Score: 1

      apps.google.com lets you set up gmail on your own domain name. You will be blocking all those people.

      Also, for people in England, you will have to allow googlemail.com. Google isn't allowed to use gmail here as someone else owns the trademark.

    40. Re:Idiots better get off their ass by v(*_*)vvvv · · Score: 2, Interesting

      Just to add some perspective:

      The problem is that no one has been able to provide a solution ... is, by definition, precisely why:

      E-mail is fundamentally broken

      In other words, it is fundamentally broken, because it is fundamentally unfixable.

      Interestingly however, I would like to argue for the exact opposite. The original intent and nature of email was to be completely open. The fact that it is so *perfect* at being open has made it *impossible* to close parts of it that are no longer desired.

      As problem solvers we like to think we can solve problems with solutions, but this is a case where we are trying to break a perfect solution. Now, *that* can be difficult.

      The inventors of email deserve high praise. Too bad they aren't getting residuals from the spam and anti-spam industry. (don't forget, people are paid to fight spam too, so even good people are getting paid).

    41. Re:Idiots better get off their ass by EdIII · · Score: 2, Insightful

      If you are running a hosting business that specifically does hosted exchange services, hosted terminal server sessions, etc. you cannot tell your clients that they are unable to communicate with somebody, especially a major email provider such as GMail.

      The customer does not care about Google and Relaying or any other techno gobbledygook. They only care that email was being blocked. It is not even a GMail specific thing either. It can be ANYBODY not being able to communicate to them, real or imagined, and it becomes a problem.

      If I was the email administrator for an organization, then maybe I could just do it and get away with it citing security concerns.

      Good question though.

    42. Re:Idiots better get off their ass by rdebath · · Score: 1

      At which point I'll give you a present, half a million spam messages through a botnet advertising your business.

      Or at least I might if I were on the same continent.

    43. Re:Idiots better get off their ass by dreamchaser · · Score: 1

      Thanks for the reply. That makes perfect sense. I just received word that our organization has blocked Gmail until further notice but we can afford to do so.

    44. Re:Idiots better get off their ass by emacs_abuser · · Score: 1

      Then why is the spam problem so much bigger than the telemarketer or junk fax problem? Surely there is some technical aspect to this "social problem."

      The only technical aspect is that's it's easier to send spam. I agree 100% with the idea that it's a social problem. The same amoral people that do telemarketing and junk faxes are doing spam. It's really a sad statement about the ethics of some members of society.
    45. Re:Idiots better get off their ass by Kent+Recal · · Score: 1

      Yes there are technical solutions and they're not even hard to implement.

      One trivial approach would be mandatory message signing (cryptographic identity) combined with challenge/response.
      Whenever someone wants to mail you for the first time your mail server would, depending on your preference, either ask them to solve a captcha or you to permit mail from that sender.

      From that point on the sending identity would be on your whitelist and you could exchange mail freely.

      This can be built today, on top of freely available technology such as PGP/SMIME, without changing e-mail semantics (Push-model) at all.
      Of course this can be optimized further and there are quite a few other options that would work equally well.

      The social aspect playing a role here is the chicken/egg problem or "how to offer a transition-path". It's not happening because we cannot replace all existing SMTP infrastructure over night. If we could then the problem would already be solved.

    46. Re:Idiots better get off their ass by Spatial · · Score: 1

      Spam is a social problem, not a technical one.

      Yes, the problem is social. It's not just the spammers though - what about the people who actually make it profitable for them to spam? It boggles the mind, but there must be people who buy their wares or they wouldn't push them so hard. The stupid are always a problem.

    47. Re:Idiots better get off their ass by Jaime2 · · Score: 1

      HashCash http://www.hashcash.org/

      It penalizes the big guys instead of the small guys, that's why it hasn't taken off. Also, no one seems to want to promote any solution that doesn't put somebody in control of something.

    48. Re:Idiots better get off their ass by Kent+Recal · · Score: 1

      If the spam-problem could be solved by tacking a few layers on top of SMTP then why has nobody done it yet?
      I can tell you why: because it's not that easy.

      The fundamental building blocks for any technical solution to the spam problem are sender identity and challenge/response. Neither can be implemented on top of SMTP. Neither can be implemented as an extension to SMTP without incompatible changes to the protocol semantics.

      If you want to insist that SMTP is "not broken" then please present your solution for reliable, yet spam-resistant, bounce messages.

    49. Re:Idiots better get off their ass by martin-boundary · · Score: 1

      If the spam-problem could be solved by tacking a few layers on top of SMTP then why has nobody done it yet? I can tell you why: because it's not that easy.
      I disagree. The problem simply is not well defined. Everybody claims the spam problem is slightly different, and nobody agrees what spam actually is and what spam isn't. That's why it hasn't been "solved" to everybody's satisfaction. There are plenty of partial solutions for specific issues that specific people have, and for many people the problem is already "solved".

      The fundamental building blocks for any technical solution to the spam problem are sender identity and challenge/response. Neither can be implemented on top of SMTP. Neither can be implemented as an extension to SMTP without incompatible changes to the protocol semantics.
      No. SMTP is a store and forward protocol, think of it kind of like TCP but with mail messages instead of packets. Sender identity is irrelevant as is challenge/response for reliable message delivery, which is what SMTP is all about. In fact, both those methods reduce the reliability of message delivery, and are therefore bad.

      You can add sender identity and challenge response at a higher level, namely controlled by the mail software and encoded in the text of the messages.

      If you want to insist that SMTP is "not broken" then please present your solution for reliable, yet spam-resistant, bounce messages.
      I think you misunderstand the meaning of "not broken". It means that there's no need to present a solution for an imaginary problem.

      The problem you seem to be worried about is social: how does a person X control what persons Y,Z, etc. can send them? There are plenty of working solutions for different aspects of that already, but if you're looking for a simple one size fits all solution, you won't find one simply because the spam problem is not well defined.

    50. Re:Idiots better get off their ass by lambent · · Score: 1

      Oh, I agree completely it would be a terribly unfair mess, and that there's not really any clear way to fix it. Being one of the little guys, i'm more than aware of that.

      That being said, however, I'm still in favour of turning off SMTP. It may be an extreme and irrational solution, but what we have now isn't really SMTP anymore, anyway. E-mail is a horrible drain on power, bandwidth, and support resources. Estimates vary, but maybe 75%-95% of all e-mail traffic is worthless; we're throwing money away by supporting it. Not to mention what a popular infection vector it is for malware.

      The problem is that we're trying to shoe-horn solutions onto a base protocol that was never designed to accommodate them. I think, quite realistically, if we turned off e-mail NOW, we'd have a better ability to design a solution to the problem, without having to support all the legacy junk that is already in place.

    51. Re:Idiots better get off their ass by Kent+Recal · · Score: 1
      Sorry, I disagree. The term "spam" is very well defined, you can look it up in pretty much every dictionary.
      For 99% of us spam is defined as: Stupid advertisement that I have never requested.

      Yes, there are corner cases but claiming that the problem is not well defined not only ignores years of research into that area, it also ignores common sense.

      No. SMTP is a store and forward protocol, think of it kind of like TCP but with mail messages instead of packets. Sender identity is irrelevant as is challenge/response for reliable message delivery, which is what SMTP is all about. In fact, both those methods reduce the reliability of message delivery, and are therefore bad.

      Well, then let me put it differently. SMTP is fit for its initial purpose (reliable message delivery) but that doesn't match today's requirements. Today we want more than reliability, we want a way to decide *who* is allowed to communicate with us. This requirement cannot be layered on top of SMTP.

      You can add sender identity and challenge response at a higher level, namely controlled by the mail software and encoded in the text of the messages.

      Wrong. Plenty of half-baked C/R systems (TDMA and its ilk) do what you propose and try to solve it all at the MUA-level. All of them fall down on at least one inherent property of the SMTP protocol: Bounce messages. There is no way to distinguish between legit and (possibly maliciously) forged bounce-notices. Thus as of today it's an all or nothing decision: Do you want to know when your message didn't reach your recipient and cope with the extra spam or do you choose to not care and at the same time give up the very property (reliability) that you praise SMTP for?

      This only reinforces the adoption problem. If there was a solution that worked perfectly then it would likely spread like fire (with plugins for all popular MUAs) and people would soon forget that spam ever existed. But there is no such solution, only half-baked hacks that may or may not work to some degree. Worse yet, these hacks do nothing to reduce the load on our networks and servers. They only mask the problem instead of solving it.

      Again, a true solution needs to be implemented at both the MTA and the MUA level. There are some tricky problems to tackle surrounding legit group communications (mailing lists) but they are solvable with sender identity.

      Finally, I can easily outline a spam-resistant system:

      * The sender identity is computed by the MUA (based on a password)
          and stored as a private key that is portable to any other MUA.

      * Message signing is mandatory. No MTA accepts unsigned messages.

      * The destination MTA keeps a whitelist of allowed senders for each recipient.
          Unknown senders are either challenged with a captcha or the recipient is
          asked for authorization. Of course a recipient can also pro-actively
          whitelist specific senders or domains.

      * Wrt bounces: Each sent message contains a cryptographic cookie (added by the MUA)
          that expires after a user-defined interval. Bounces must quote this cookie or will
          be silently discarded by the receiving MUA.

      Feel free to explain how you would model these properties on top of SMTP.
      Also feel free to point out flaws. I wrote this up in under 10 minutes but am very convinced that a bullet-proof spec could be drafted in a day or two. Only problem: It's not compatible with SMTP. There's not even a remotely sane migration-path from SMTP. Which I'll take as proof that SMTP is broken for today's requirements.

      So, was that well defined enough? :-)
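
The sketch above (and the earlier comment proposing signing plus challenge/response) describes a protocol rather than code, so here is an added example of two of its four pieces: the per-recipient whitelist with a challenge on first contact, and the expiring bounce cookie that lets the receiving MUA drop forged bounces. This is my code, not the commenter's; it assumes the PGP/S-MIME signature has already been verified upstream and only passes the verdict and the signing key's fingerprint in (`signature_valid`, `sender_id`), derives the MUA's cookie secret from the password with scrypt, and uses constructed addresses, message-ids and timestamps.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# ---- sending MUA side: password-derived secret and bounce cookies ----

def derive_mua_secret(password: str, salt: bytes) -> bytes:
    """Derive the MUA's long-term secret from the user's password with scrypt.
    The same password and salt give the same secret on any other MUA, which is
    the 'portable identity' property the proposal asks for."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def _cookie_tag(secret: bytes, recipient: str, msg_id: str, expires: int) -> str:
    data = f"{recipient}|{msg_id}|{expires}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_bounce_cookie(secret: bytes, recipient: str, msg_id: str, ttl: int, now: int) -> str:
    """Cookie added to every outgoing message as '<expiry>:<hmac>'. It binds the
    recipient and message-id to our secret, so only a party that saw this exact
    message can quote it back in a bounce, and only until it expires."""
    expires = now + ttl
    return f"{expires}:{_cookie_tag(secret, recipient, msg_id, expires)}"


def bounce_is_genuine(secret: bytes, recipient: str, msg_id: str, cookie: str, now: int) -> bool:
    """Receiving MUA: keep a bounce only if it quotes an unexpired cookie we minted."""
    try:
        expires_s, tag = cookie.split(":", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    return hmac.compare_digest(_cookie_tag(secret, recipient, msg_id, expires), tag)


# ---- receiving MTA side: per-recipient whitelist with a challenge step ----

@dataclass
class RecipientPolicy:
    whitelist: set = field(default_factory=set)   # sender ids (key fingerprints) or '@domain'
    pending: dict = field(default_factory=dict)   # challenge token -> sender id awaiting approval


class InboundMTA:
    def __init__(self) -> None:
        self.policies = {}

    def _policy(self, rcpt: str) -> RecipientPolicy:
        return self.policies.setdefault(rcpt, RecipientPolicy())

    def accept(self, rcpt: str, sender_id: str, sender_domain: str, signature_valid: bool):
        """Returns ('deliver' | 'reject' | 'challenge', token_or_None).
        `sender_id` is the fingerprint of the signing key; `signature_valid` is the
        result of verifying the message signature upstream (assumed, not done here)."""
        if not signature_valid:
            return "reject", None              # unsigned or badly signed mail is never accepted
        p = self._policy(rcpt)
        if sender_id in p.whitelist or "@" + sender_domain in p.whitelist:
            return "deliver", None
        token = secrets.token_urlsafe(16)      # goes to the sender (captcha) or recipient (allow?)
        p.pending[token] = sender_id
        return "challenge", token

    def challenge_solved(self, rcpt: str, token: str) -> bool:
        """Captcha solved by the sender, or recipient clicked 'allow': whitelist the identity."""
        p = self._policy(rcpt)
        sender_id = p.pending.pop(token, None)
        if sender_id is None:
            return False
        p.whitelist.add(sender_id)
        return True

    def revoke(self, rcpt: str, sender_id: str) -> None:
        """A hijacked identity is dropped with one call; its next message is challenged again."""
        self._policy(rcpt).whitelist.discard(sender_id)
```

The cookie answers the backscatter objection raised in this thread: a spammer forging bounces to you never saw your outgoing message, so it cannot produce a valid tag, while a real remote MTA that rejected the message quotes the original headers and passes. Pending challenge tokens would need their own expiry in a deployed system.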
    52. Re:Idiots better get off their ass by martin-boundary · · Score: 1

      For 99% of us spam is defined as: Stupid advertisement that I have never requested.

      Yes, that's one definition useful for individual users, but not very useful for mail admins. In particular, it leads to inconsistent spam definitions at the level of an organization, because as the number of people increases, the number and types of emails wanted by some (=ham) and not wanted by others (=spam) increases.

      Yes, there are corner cases but claiming that the problem is not well defined not only ignores years of research into that area, it also ignores common sense.

      I don't think so, I happen to have followed the research into that area for years and there's no real consensus. The legal people have one type of definition, the machine learning people have a completely different one, the mail admins have yet another.

      Well, then let me put it differently. SMTP is fit for it's initial purpose (reliable message delivery) but that doesn't match today's requirements. Today we want more than reliability, we want a way to decide *who* is allowed to communicate with us. This requirement cannot be layered on top of SMTP.

      Why do you say that? A message can carry authentic information about who is sending the message, for example by signing a message cryptographically. The well known practical problem is that people don't agree about how to create and deploy cryptographic identity systems, but that has nothing to do with email and is certainly unrelated to SMTP.

      Moreover, the issue of *who* is a chimera, because spammers can hijack people's legitimate identity (by taking over their PCs) and use that: even if you had a 100% foolproof identity check, you'd get unwanted messages (spam) because legitimate senders were sending the spam.

      Wrong. Plenty of half-baked C/R systems (TDMA and the ilk) do what you propose and try to solve it all at the MUA-level.

      I didn't propose it, I said that's the place where it should be done, not the SMTP system. In case you want to know, my personal view is to merely filter silently at the recipient's MUA.

      Thus as of today it's an all or nothing decision: Do you want to know when your message didn't reach your recipient and cope with the extra spam or do you choose to not care and at the same time give up the very property (reliability) that you praise SMTP for?

      As of today, you _know_ that the recipient received the message or not if all the intervening SMTP servers follow the RFCs. That's my point, the SMTP system isn't broken, it works. Sometimes, servers and delivery systems don't follow the rules, and that's a source of problems.

      This only reinforces the adoption problem. If there was a solution that worked perfectly then it would likely spread like fire (with plugins for all popular MUAs) and people would soon forget that spam ever existed. But

      Again, perfectly for what? The legal people are only interested in UBE, but draw the line at religious or political spam for example. The economics people believe that spam is a question of pricing, ie spam in an absolute sense doesn't exist. The users want to not see messages they don't like, but two random users are inconsistent about what messages they want to see or not, and a single user can be inconsistent over several months or years. The admins don't care about the type of content, but care about the huge processing and storage costs associated with spam.

      If your definition is spam="what I don't want to see", the solution is a MUA level filter that you train yourself. Many people want others to train such filters for them, and then you're back to the problem of inconsistency. Two users have different personal spam definitions, so it is mathematically impossible to have a single set of rules which works for both arbitrarily well.

    53. Re:Idiots better get off their ass by Kent+Recal · · Score: 1

      I'll try to keep this short:

      1. Admins would not have to keep the identity lists at the MTA up to date. The users do that themselves (their MUA interfaces with the MTA).

      2. Trying to implement all this at the MUA level would mean adoption problems (chicken/egg) and networks/servers still bogged down with garbage traffic.

      3. The individual definition of spam doesn't matter. Every user grows their own whitelist which would live primarily in the MUA (maybe bundled with that private key file for easy export) and automatically sync to any last-hop MTA that the user chooses. I would imagine this synchronization to be weaved transparently into the equivalents of today's POP/IMAP protocols. You are free to whitelist that viagra-guy, that will have no influence on *my* whitelist.

      4. Identity theft would be a very small problem because a whitelist entry can of course be revoked at any time. Furthermore a hijacked identity only enables the spammer to reach recipients that have whitelisted this identity and likely only once. That's too much effort for too little reward, most spammers wouldn't bother.

      5. Normal Mailing lists are a no-brainer. The list-serv has an identity, too. Whitelist that and you're good to go. Of course there remains the problem of spammers signing up and spamming the list. This cannot be solved, only mitigated through moderation, due to the nature of the beast.

      I think our opinions don't differ all that much. I'm proposing a technical solution across MUA/MTA that would work 100% with zero false positives but cannot realistically be deployed "any time soon(tm)". You're proposing a technical solution at the MUA only that works today but can never get better than around 90% accuracy and has occasional false positives.

      You say the latter should be good enough. I say: No, we could do better, if only we could get rid of SMTP in a day. :-)

    54. Re:Idiots better get off their ass by Dekortage · · Score: 1

      One trivial approach would be mandatory message signing (cryptographic identity) combined with challenge/response. Whenever someone wants to mail you for the first time your mail server would, depending on your preference, either ask them to solve a captcha or you to permit mail from that sender.

      While challenge/response is a sure-fire solution to spam technologically, it utterly fails on the social level. Most people HATE challenge/response. Many web sites specifically state that their operators will not process mail challenges. (For example, this guy, who is not exactly technologically inept -- you may disagree with him, but he's not inept.) I've worked on anti-spam development teams that have tackled this on several angles, and there is simply no way of getting people to accept challenge/response on a wide scale. It's too irritating.

      --
      $nice = $webHosting + $domainNames + $sslCerts
    55. Re:Idiots better get off their ass by Kent+Recal · · Score: 1

      I think you're confusing the half-baked challenge solutions of today with what a properly designed solution could do.
      Yes, C/R is annoying when you have to sift through your mailbox to separate spam from Challenges. When they look like any other E-Mail with not even a standard formatting to identify them. When the procedure varies between clicking a link, replying or even quoting some gibberish text from the mail (oh and don't get it wrong or it won't work), etc.

      C/R would be widely accepted if you think more of the way skype does it. A simple dialog box, one click, done.
      This is the kind of integration I'm thinking of and I'm pretty convinced that even people like Mr. Pogue would happily accept it if it reduces their spam input to zero.

      I for one would highly prefer to skim over, at worst, a dozen challenges a day if that saves me from scanning my spam box with thousands of mails regularly to look for false positives...

    56. Re:Idiots better get off their ass by Dekortage · · Score: 3, Interesting

      Yes, C/R is annoying when you have to sift through your mailbox to separate spam from Challenges. When they look like any other E-Mail with not even a standard formatting to identify them. When the procedure varies between clicking a link, replying or even quoting some gibberish text from the mail (oh and don't get it wrong or it won't work), etc.

      C/R is annoying because people want their messages to be delivered, without additional work. It's not even that I have to scan a spambox, or that they look like any other e-mail. It's that I have to do ONE MORE THING to have the message delivered. If this had been the way e-mail worked originally, then people might accept it; but now, everyone is used to sending e-mail and having it arrive without interruption (generally speaking).

      C/R would be widely accepted if you think more of the way skype does it. A simple dialog box, one click, done. This is the kind of integration I'm thinking of and I'm pretty convinced that even people like Mr. Pogue would happily accept it if it reduces their spam input to zero.

      Respectfully, I'm pretty convinced that it will not work unless the spam problem becomes so excessively bad that people are willing to change their e-mail habits. We are not yet to that point, thanks to all the other half-baked anti-spam solutions out there.

      --
      $nice = $webHosting + $domainNames + $sslCerts
    57. Re:Idiots better get off their ass by Anonymous Coward · · Score: 0

      Having a trustworthy mail transfer protocol where you cannot repudiate having sent a message would be a start.

      Right now, social solutions cannot work, because society cannot punish the sender of an email, for fear of punishing the wrong person.

      SMTP needs to be replaced, and no, SPF and DomainKeys do not do enough. They're a good, SMTP-compatible step, but the flaws in SMTP are too big for them to fix by themselves.

    58. Re:Idiots better get off their ass by Anonymous Coward · · Score: 0

      Then why is the spam problem so much bigger than the telemarketer or junk fax problem? Because we have laws regulating them, which (amazingly enough) is how society deals with social problems. And because it's very difficult for anyone to enforce laws when dealing with a near instant world-wide medium.
    59. Re:Idiots better get off their ass by Kent+Recal · · Score: 1

      C/R is annoying because people want their messages to be delivered, without additional work. It's not even that I have to scan a spambox, or that they look like any other e-mail. It's that I have to do ONE MORE THING to have the message delivered. If this had been the way e-mail worked originally, then people might accept it; but now, everyone is used to sending e-mail and having it arrive without interruption (generally speaking).

      Well, I guess we have to agree to disagree. "Without additional work" is ignoring the work that we all have to spend on spamfiltering. And the risk of mail getting lost in someone's spam-folder or a company's misconfigured spamfilter. Have you tried to send a mail directly from a dynamic ip DSL/cable uplink recently?

      Respectfully, I'm pretty convinced that it will not work unless the spam problem becomes so excessively bad that people are willing to change their e-mail habits. We are not yet to that point, thanks to all the other half-baked anti-spam solutions out there.

      A matter of perception and the way you use e-mail. The spam problem may be mostly hidden to a gmail user exchanging the occasional mail with friends & family. People who depend on receiving cold contacts or who just deal with a lot of mail regularly will (by my experience) mostly agree that the spam problem couldn't get much worse than it is today. Furthermore my proposed system (or most other working solutions) wouldn't even require that much of a change in the user experience. Basically the user would be asked (instantly by his MUA) to solve a captcha for any recipient that he's sending to for the first time. Yes, it is an extra step but a very small effort when compared to today's spam fighting tactics.

      I must say I'm pretty surprised about how many people seem to be satisfied with the current state of affairs here.
      Remember that over 90%(!) of all e-mail is spam. Now consider how much that eats into the productivity of a country or the human species as a whole.
    60. Re:Idiots better get off their ass by Dekortage · · Score: 1

      Yes, we'll have to disagree. It is alright.

      ...the risk of mail getting lost in someone's spam-folder or a company's misconfigured spamfilter...

      This risk is not solved by C/R, unfortunately.

      People who depend on receiving cold contacts or who just deal with a lot of mail regularly will (by my experience) mostly agree that the spam problem couldn't get much worse than it is today.

      I've been sending and receiving e-mails for nearly 30 years, I have more than a dozen e-mail accounts and hundreds more e-mail addresses (think Zoemail-style keyed addressing), and I work in a position that receives and sends "cold contact" e-mails on a daily basis. With filters and other ID-based solutions, my daily spam level is extremely low -- on the level of 2-3 spams delivered each day out of thousands sent to me. Deleting this level of spam is not a problem. So yeah, I agree it can't get worse, but now that we've had the problem for a long time, we have found ways of minimizing its impact to the point of acceptability. (Who actually gets 9 spams in their in-box for every 1 real message?)

      Aside: even if all the mail apps adopted a common C/R mechanism right this minute, it would take a long time for people to upgrade to it, and accept it. And since it is not far from being a CAPTCHA for email, I expect it would be cracked relatively quickly.

      --
      $nice = $webHosting + $domainNames + $sslCerts
    61. Re:Idiots better get off their ass by ahodgson · · Score: 1

      and there is simply no way of getting people to accept challenge/response on a wide scale

      Sending C/R challenges to forged senders IS SPAM. Offloading your problem onto everyone else is not solving it.

    62. Re:Idiots better get off their ass by martin-boundary · · Score: 1
      Quick reply, since the slashdot story is already long stale :)

      1. Admins would not have to keep the identity lists at the MTA up to date. The users do that themselves (their MUA interfaces with the MTA).
      They'll already balk at just keeping any identity list for each user, let alone an updated one :) However, a filtering setup within a MUA is a kind of identity list already.

      3. The individual definition of spam doesn't matter.
      It does if you expect admins to do some filtering work for the users, it does if you expect lawyers to shut spammers down, etc. It only doesn't matter if you expect users to manage their own mail, but that's what many of them are complaining about in the first place. Many users don't want to even specify what they think is spam, but still expect others to get it right on their behalf ...

      4. Identity theft would be a very small problem because a whitelist entry can of course be revoked at any time.
      On the contrary it's a huge problem. There are millions of PCs hijacked for spam ("botnets") and credit card fraud, etc. Say you have a million hijacked mail identities, and each time you use one up over night, the next morning the user is conscientious (yeah right:) and replaces their identity. That still means you can spam one million nights with impunity, or half a million days and nights.

      Every type of whitelisting scheme is vulnerable to this problem. The most practical defence is to ask ISPs to monitor their users' traffic, but in turn that requires a definition of what traffic is spam and what isn't. Since there's no common definition ...

      5. Normal Mailing lists are a no-brainer. The list-serv has an identity, too. Whitelist that and you're good to go. Ofcourse there remains the
      Again, for a system which is supposed to solve the spam problem you're expecting too much work from users. They don't want to sit down and whitelist each new address they communicate with. It's a geek solution for people like us only ;-)

      Last point: if you personally haven't tried a filter like POPFile or SpamBayes already, it's worth looking into it.

      Personal trainable filters achieve around 99% false negatives (spam caught) with about 0.1% false positives (ham lost). These are real statistics from NIST.

      Next, do the math: how many ham messages does a person get a day? Say 5-20. That means the number of legitimate messages lost in one year is between 1 and 8, and the number of spams getting through is about 1 in a hundred. Not too shabby.

  4. Whitelists don't work. by techno-vampire · · Score: 5, Insightful

    This flaw is valuable because it's clear proof that whitelists don't work. No domain is above suspicion when it comes to sending spam. About the only real use the domain can be is as an adjustment to your filters. Done properly, mail from gmail.com is marked as less likely to be spam than mail from cyberpromo.com, but it's still checked.

    --
    Good, inexpensive web hosting
    1. Re:Whitelists don't work. by hedwards · · Score: 2, Interesting

      It's not really evidence of that. There have always been ways for enterprising cyber criminals to engage in this sort of activity, it just happens to be more difficult than it used to be.

      A proper white list shouldn't include sites which are likely to be insecure, and it shouldn't grant a completely free pass either. Whitelisted domains do still get submitted to checks on well secured servers. DKIM and SPF are pretty much mandatory these days, as well as virus scanning and spam rating.

      Really the point of white listing isn't the white list itself, but rather the domains which are blacklisted or not listed at all. Whitelisting is just a means of filtering out as many known bad domains as possible before using more expensive scanning and verification technology.

      The other bit about this is that very few people want to get mail from every @gmail.com address or @hotmail.com etc., most people just care about the specific people that they know, and a domain whitelist isn't going to be too useful in that quest. The better choice for most personal correspondence is to just put individual addresses on the whitelist.

    2. Re:Whitelists don't work. by techno-vampire · · Score: 1
      Whitelisted domains do still get submitted to checks on well secured servers.

      If so, then what's the use of having them? A whitelist is supposed to be a list of trusted addresses or domains, isn't it? If you still have to run them through your spam filter, isn't it a waste of time having one?

      Whitelisting is just a means of filtering out as many known bad domains as possible before using more expensive scanning and verification technology.

      No, that's not what a whitelist is for. That's a blacklist you're describing. Don't confuse the two.

      --
      Good, inexpensive web hosting
    3. Re:Whitelists don't work. by DougBTX · · Score: 1

      If so, then what's the use having them? A whitelist is supposed to be a list of trusted addresses or domains, isn't it?

      Think of it more as a light-grey list. It's saying that emails sent from a whitelisted server get a +1 probably-not-spam vote when the email's spam rating is evaluated.
    4. Re:Whitelists don't work. by techno-vampire · · Score: 1

      Yes. Of course. That's about all a whitelist is good for. Checking it first and then sending everything that passes it through the spam filters is a waste of time, and that's what the original post was suggesting. We may just have a misunderstanding of what the other's thinking of here.

      --
      Good, inexpensive web hosting
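
The sub-thread above converges on the whitelist as a "light-grey list": a vote in the spam score rather than a bypass, and only worth anything when the From domain is actually authenticated. Here is an added example of that scoring logic (my code, not any commenter's or any real filter's); the domain weights, threshold, addresses and content scores are constructed values chosen to show the cases discussed.

```python
from dataclasses import dataclass


@dataclass
class Message:
    from_addr: str
    spf: str              # result of the SPF check: "pass", "fail" or "none"
    dkim: str             # result of the DKIM check: "pass", "fail" or "none"
    content_score: float  # from the content filter; higher means spammier


# Domain reputation as a score adjustment, never a bypass. Negative = trusted.
DOMAIN_WEIGHTS = {"gmail.com": -1.0, "cyberpromo.com": 3.0}
# Individual correspondents the user has whitelisted by address.
ADDRESS_WHITELIST = {"alice@example.org"}
ADDRESS_BONUS = -4.0
THRESHOLD = 5.0


def authenticated(msg: Message) -> bool:
    """Only an SPF or DKIM pass ties the From header to the sending domain;
    without one, the From line is just text the sender typed."""
    return msg.spf == "pass" or msg.dkim == "pass"


def score(msg: Message) -> float:
    """Content score plus whitelist votes. The message is always scored, so a
    trusted relay that starts emitting spam still gets caught on content."""
    s = msg.content_score
    addr = msg.from_addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    if addr in ADDRESS_WHITELIST and authenticated(msg):
        s += ADDRESS_BONUS
    weight = DOMAIN_WEIGHTS.get(domain, 0.0)
    if weight < 0 and not authenticated(msg):
        weight = 0.0      # a good reputation is not transferable to a forged From
    return s + weight


def classify(msg: Message) -> str:
    return "spam" if score(msg) >= THRESHOLD else "ham"
```

Two of the cases are the ones the story is about: mail that really came through Gmail's relay (DKIM passes) gets its small bonus but is still filtered on content, and mail merely claiming a gmail.com From without any authentication gets no bonus at all.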
  5. Chronologically impaired? by Anonymous Coward · · Score: 2, Informative

    Did anyone else notice that this story appeared AFTER the story above it? I almost missed the story entirely.

    1. Re:Chronologically impaired? by calebt3 · · Score: 1

      Yes. I wondered about that...

    2. Re:Chronologically impaired? by psxman · · Score: 1

      Thank you for that, I thought I was going nuts for a minute.

  6. DeBunking? by bobwrit · · Score: 0

    Well, this ruins GMail's major argument. Now all they have left is "You get 2 GB of storage".

    --
    -- (this is a sig) My Computer Programming Forum http://www.programers.co.nr/
    1. Re:DeBunking? by peragrin · · Score: 4, Insightful

      last I checked it was 6.5 gigs of storage.

      i figure google will have this locked down soon enough though. It's not like they won't notice the sudden burst of traffic. Some guy is going to be working hard tonight.

      --
      i thought once I was found, but it was only a dream.
    2. Re:DeBunking? by Baumi · · Score: 2, Informative

      Well, this ruins GMail's major argument. AFAIK, "We're no spam relay" has never been touted as a major feature of GMail. Why should they do that? No major webmail provider would intentionally do such a thing. (Which, of course, doesn't prevent bugs and screw-ups as, apparently, in this case.)
    3. Re:DeBunking? by osu-neko · · Score: 3, Interesting

      Well, this ruins GMail's major argument. Now all they have left is "You get 2 GB of storage".

      Huh? What argument are you referring to, and how does this ruin it?

      The only "argument" I can think you might be referring to is that, by using Gmail, you avoid having to see a lot of spam due to their excellent spam filtering. This doesn't ruin that argument in any way. In fact, since it primarily impacts sites like Yahoo and Hotmail (who will see more spam if they continue to whitelist Gmail), it strengthens it. You now see even less spam using Gmail, comparatively speaking.

      --
      "Convictions are more dangerous enemies of truth than lies."
    4. Re:DeBunking? by bobwrit · · Score: 0

      Not no spam relay, it was no-to-little spam.

      --
      -- (this is a sig) My Computer Programming Forum http://www.programers.co.nr/
    5. Re:DeBunking? by amRadioHed · · Score: 2

      Right, so why does that argument no longer apply? I just checked my gmail account and there is as little to no spam as always.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
  7. Interesting... by Animaether · · Score: 5, Informative

    ...was "a little while ago" on thursday?

    Because that's when the existence of the vulnerability was already known, at least. The people who figured it out aren't telling the world how to do it (I'm sure clever people can figure it out), and are / were waiting for Google to fix it first.

    http://ece.uprm.edu/~andre/insert/gmail.html

    You might be seeing plain ol' spam from gmail; it's been having its share of problems with spammers since both captcha crack -and- before that by manual sign-up, simply -because- everybody trusted gmail (what, with the forced SMS/Text Message sign-up, invite-only, etc. preceding).

    1. Re:Interesting... by Anonymous Coward · · Score: 0

      The solution for this problem is really easy, either:
      1. Google should ensure that the destination email address is authenticated, by sending a confirmation email *BEFORE* email starts being forwarded, which is typical and has been done by many email providers like Yahoo, or
      2. Limit on how many times someone can change his/her email forwarding per day.

      No need for captcha, etc.
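
The two fixes proposed in the comment above (confirm the forwarding address before relaying anything, and cap how often it can be changed) are a small piece of server-side logic, so here is an added example of both together. This is my code, not Google's or any provider's: the token is an HMAC over the account, candidate address and expiry so the server keeps no per-request secret, it is delivered only to the candidate address, and nothing is relayed until it comes back. The server secret, account names and timestamps are constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Optional


class ForwardingSettings:
    """Forwarding-address management with confirm-before-forward and a
    per-account limit on change requests per day."""

    DAY = 86400

    def __init__(self, server_secret: bytes, max_changes_per_day: int = 3,
                 token_ttl: int = 86400) -> None:
        self.secret = server_secret
        self.max_changes = max_changes_per_day
        self.token_ttl = token_ttl
        self.active = {}                  # account -> confirmed forwarding address
        self.pending = {}                 # account -> (candidate address, token expiry)
        self.recent = defaultdict(deque)  # account -> timestamps of recent change requests

    def _token(self, account: str, address: str, expires: int) -> str:
        # HMAC over (account, candidate address, expiry): unforgeable without the
        # server secret, and bound to exactly one pending change.
        data = f"{account}|{address}|{expires}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).hexdigest()

    def request_change(self, account: str, address: str, now: int) -> Optional[str]:
        """Start a change. Returns the token to mail to `address`, or None when
        the account has used up its daily change budget (fix 2 in the comment)."""
        window = self.recent[account]
        while window and now - window[0] >= self.DAY:
            window.popleft()
        if len(window) >= self.max_changes:
            return None
        window.append(now)
        expires = now + self.token_ttl
        self.pending[account] = (address, expires)   # supersedes any earlier candidate
        return self._token(account, address, expires)

    def confirm(self, account: str, token: str, now: int) -> bool:
        """The token came back from the candidate mailbox (fix 1 in the comment):
        only then does the address become the relay target."""
        if account not in self.pending:
            return False
        address, expires = self.pending[account]
        if now > expires:
            del self.pending[account]
            return False
        if not hmac.compare_digest(token, self._token(account, address, expires)):
            return False
        del self.pending[account]
        self.active[account] = address
        return True

    def forward_target(self, account: str) -> Optional[str]:
        """Where the MTA relays this account's mail; None means nowhere."""
        return self.active.get(account)
```

The rate limit is the part that matters against bulk abuse: without it an attacker who owns the account can cycle through thousands of confirmed-or-not targets, and with it a compromised account is worth at most a handful of targets a day.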

  8. Re:Blacklist gmail by XanC · · Score: 3, Funny

    Yes, who would do business with such an entity. Probably about as many as would trust their business hosting to a company who declares its home page to be XHTML 1.1 but then serves it as text/html. Not to mention the 88 validation errors.

    The point is you can't jump straight for the "nuclear" option. Although to be honest I wouldn't use such a Web host.

  9. Re:yeah by mrbluze · · Score: 1

    im not really surprised that you're not really surprised

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  10. Re:Blacklist gmail by KGIII · · Score: 2, Insightful

    I think that the problem may be that there are still too many people who believe the jargon... "Do no evil." (Or something to that effect at any rate...)

    --
    "So long and thanks for all the fish."
  11. Re:Blacklist gmail by ibmjones · · Score: 1

    I don't know what company you work for that allows you to get away with this, but blaming other people is the last thing you do when you communicate to your users or customers. Even if it is Google's fault, blocking them is going to hurt your customers - and consequently yourself.

  12. parent, INSIGHTFUL? by wamatt · · Score: 3, Insightful

    What planet are you from? No self-respecting ISP in the world would try to pull that.

    You're going to go and make some ideological bullshit point and piss all over your customers when it's not going to make the slightest difference to Google.

    Go right ahead!

  13. You should have known by OMNIpotusCOM · · Score: 3, Funny

    It's just a beta guys. There's going to be bugs in the system =)

  14. I noticed as a user... yesterday by ma1wrbu5tr · · Score: 1, Redundant

    I noticed that gmail load times increased significantly during a few periods yesterday afternoon. After the most recent gmail flaw, I wondered if it was something like this.
    I hope they fix it soon, as some have already stated. Sheesh, and we just implemented the new SPAM filter...what am I going to do about gmail addys?

    --
    Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
  15. Re:Blacklist gmail by MadnessASAP · · Score: 1

    Declaring XHTML and setting MIME-type to text/html is perfectly valid. As for 88 errors, just about any reasonably sized webpage will turn up plenty of errors, 88 sounds like a pretty small number compared to some webpages.

    --
    I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
  16. natural limits to schadenfreude by Anonymous Coward · · Score: 0

    On one hand, I feel the natural urge for a Nelson-like "Ha-ha" as the mighty Google monolith screws up. On the other hand, I ph33r mightily; my employer runs a lot of mail servers and this is the sort of thing that, if it happened to us, could really damage our company. Man, if I weren't up tinkering with code anyway, I'd be lying awake worrying that I've missed something that would enable the spammers to do the same to us...

  17. Re:Blacklist gmail by XanC · · Score: 1

    Sorry, that's wrong: http://www.w3.org/TR/xhtml-media-types/#summary


    The only time you should serve XHTML as text/html is when it's XHTML 1.0, with special care taken to keep backward compatibility in mind.


    And as for 88 errors, well, if you're not going to be valid, why declare a document type? This isn't difficult stuff. That's 88 more errors than there should be.

  18. Re:Blacklist gmail by Anonymous Coward · · Score: 2, Interesting

    You might wanna check this: Why are you blacklisting Gmail?

  19. DUH!!! by venuspcs · · Score: 1

    Fuck I should go work for INSERT...I knew about this "bug" "feature" "flaw" "exploit" or whatever you want to call it the dayum day they started allowing POP...I actually tested it then and it worked and it has worked almost every day since.

  20. Re:Two AC one cup? by Anonymous Coward · · Score: 0

    canna' beat-a beta

  21. Re:standing on the edge of the abyss... by Anonymous Coward · · Score: 0

    Has it ever occurred to anyone that there might be some sort of code buried in there, with the random capitalization being a marker of some sort?

    That's the only excuse I can think of for the unintelligible crap that's repeatedly getting posted to /. Otherwise, I think there are at least 2 or 3 Slashdotters who are skipping their meds.

  22. Funny thing... by bruno.fatia · · Score: 2, Insightful

    Google having an open security breach doesn't even make it to the hundredth comment after a few hours.. I wonder how much time it would take to break that mark if the service in question was, say, Microsoft's Hotmail.

  23. Re:Blacklist gmail by MadnessASAP · · Score: 1

    Well you've got me, although I still stand by my opinion that 88 errors is acceptable, especially given that today's browsers aren't even standards compliant and allowances must be made for misbehaviour.

    --
    I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
  24. Re:Blacklist gmail by Anonymous Coward · · Score: 0

    look kids, it's a frontpage developer!

  25. They'll fix it if it gets enough bad publicity by Animats · · Score: 5, Insightful

    Bad publicity made Google fix their open redirector for URLs. Bad publicity will make them fix this.

    GMail ought to go back to cell phone authentication for new accounts. Since their captcha was broken, they've become a favorite of spammers.

    Blogspot is also a spam haven. Most blogspot blogs are spam, and they can be used as a form of open redirector. Look for spams like: "An IWC watch is a uniquely handcrafted time piece ... http://rexefute51720.blogspot.com/"

    Complain loudly, publicly, and often. Google needs to take stronger steps to avoid being a spam conduit.

    1. Re:They'll fix it if it gets enough bad publicity by Lincolnshire+Poacher · · Score: 3, Insightful

      > Bad publicity made Google fix their open redirector for
      > URLs. Bad publicity will make them fix this

      Your optimism is like a ray of Sunlight in a dark world, but I
      fear it is misplaced.

      Many USENET groups are virtually unreadable today because of the
      torrent of spam posting originating from Google Groups accounts.
      Thousands of users have submitted precise spam reports to Google,
      quoting the article-IDs. Result? None. Consequence? USENETters
      start to block any and all Google Groups postings
        ( though http://improve-usenet.org/ seems to have died )

      Without the pressure of blacklisting, I do not think that Google
      will be inclined to address the mail spam problem either. It only
      affects third parties at present, so why expend resources fixing
      it when there is no immediate benefit to their users?

    2. Re:They'll fix it if it gets enough bad publicity by SickHumour · · Score: 2, Informative

      GMail ought to go back to cell phone authentication for new accounts.

      I'm not sure if there's something similar in the US, but in South Africa I can get a mobile SIM card with a phone number capable of receiving calls and text messages for less than the equivalent of US$0.30. They're usually around the checkout counters at large retailers and the number activates automatically in less than 10 minutes. It's well-known here that they are used by fraudsters when they want to do any phone-based verification.

      Luckily we can tell which numbers are mobile numbers by the first three digits, which is why it's common here to request a land line number for phone verification. Unfortunately, texting to a land line is tricky.

    3. Re:They'll fix it if it gets enough bad publicity by MMC+Monster · · Score: 1

      I agree that they should go back to cell phone authentication.

      While not everyone has a cell, it really fits into the demographic of people using gmail.

      --
      Help! I'm a slashdot refugee.
    4. Re:They'll fix it if it gets enough bad publicity by Tadu · · Score: 1

      GMail ought to go back to cell phone authentication for new accounts.
      The problem is that cell phone authentication was only available in small, somewhat irrelevant parts of the world. But invitation-based authentication worked quite well.
  26. kdawson by Gewalt · · Score: 0, Flamebait

    kdawson, as open troll /. spammer

    --
    Modding Trolls +1 inciteful since 1999
  27. Bad Publicity? Ya THink? by hyades1 · · Score: 1

    Goddamned bastards have everything I send to my girlfriend from Google labeled as spam. The IT guy at her firm is a douche bag, but in this case it looks like he might be right.

    Google needs to clean up its act.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  28. Current limit by professorfalcon · · Score: 1
    the current 500-address limit

    Is this an advertised feature of Gmail?


    1. Re:Current limit by Aladrin · · Score: 1

      I don't know what you mean by 'advertised', but it is listed in the help documentation. It's quite a pain in the rear for businesses trying to legitimately use a Google Apps-hosted domain to send mail to thousands of customers. It's one of the very few things we dislike about the service.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  29. Re:Blacklist gmail by taylortbb · · Score: 1

    I would disagree, 0 errors are acceptable. And I don't just do website design as a hobby, I run a business doing it.

    Without standards you can't have real competition in the browser market, and it makes it harder to make websites. It's also not hard to write sites that have 0 errors.

  30. well look at that by luigi517 · · Score: 1

    Just got one of the emails, I think. Well, s**t, the spam-freeness could only last so long, I guess.

  31. Just a Proof of Concept by qazwart · · Score: 1

    This article doesn't say that Google *is* being used for massive Spam. It's just a proof of concept. Google is aware of this issue, and they may have this fixed before Monday. Then again, this could be something endemic to SMTP, and would happen with any server. It's just that a Gmail address is considered free from spam, so it is completely trusted.

    The major problem with spam is quite simple: Spam is dirt cheap. I can send out a million spam messages for nothing. As long as I can do that, almost nothing will stop spam. You put on a technical control, and I'll have incentive to break it. The only way to prevent spam is to go to a sender pays model. The amount can be trivial (a very small fraction of a cent), and could be covered as part of your standard ISP agreement, but becomes substantial when you send out a million messages.

    That won't get rid of all unsolicited commercial email, but it will get rid of the bulk of the scum. Of course, I am not sure how you'd go from a SMTP model to a new pay-for-sending model. And, what if a spammer steals someone's account (by maybe planting some sort of malware on someone's PC)?

  32. Re:Blacklist gmail by mikeage · · Score: 3, Funny
    --
    -- Is "Sig" copyrighted by www.sig.com?
  33. Re:Blacklist gmail by Antique+Geekmeister · · Score: 0, Offtopic

    Oh, my. Blaming other people is quite common: take a look at the SCO lawsuits blaming Linux for their losses in sales.

  34. Re:Blacklist gmail by Antique+Geekmeister · · Score: 1

    I've previously blocked aol.com and hotmail.com entirely from corporate mail servers, because for the amount of money wasted providing filtering servers and wasting technical person time explaining to users that it was spam or worms, we could hire a phone team to handle any irate clients who had trouble reaching us, and keep my users from having their time wasted indirectly.

    The policy came up at review meetings, and was accepted company wide in several environments.

  35. Internet Laws mean little... by FranTaylor · · Score: 1

    When we have a global Internet and free wireless.

  36. Re:Blacklist gmail by megabeck42 · · Score: 1

    > Yes, who would do business with such an entity. Probably about as many as would trust their business hosting to a company who declares its home page to be XHTML 1.1 but then serves it as text/html. Not to mention the 88 validation errors.

    teknopurge, you just got served.

    --
    fnord.
  37. Re:Bad Publicity? Ya THink? by Culture20 · · Score: 2, Funny

    Goddamned bastards have everything I send to my girlfriend from Google labeled as spam.

    Maybe you should stop sending her emails on how to maximize her rod?
  38. Ok, this is how it works.. by BlueParrot · · Score: 2, Insightful

    In a system where the sender initiates information transfer ( such as in e-mail) you have the following problem:

    "If you want everybody to be able to contact you, then you will receive information you do not want."

    Conversely, if you have a system where the recipient requests information ( such as for web-pages ) then you have the following problem:

    "If you want everybody to be able to get information about yourself, then people you don't like could collect information about you."

    There's no way around these very simple facts; the best you can do is to change what you expect from the service. As an example, e-mail spam would be rapidly defeated if you limited yourself to only receiving information from sources you have approved in advance, but that is too limited for most people, because we want our friends to be able to give our e-mail addresses to their friends if they have something nice to tell us. Therefore we will get e-mails we don't want. If you want to change this you have to either change your expectations of what e-mail should do, or you have to change the behavior of people sending out spam. The easiest way to do the latter is to penalize businesses who do it.

  39. Re:Blacklist gmail by farker+haiku · · Score: 1

    to be fair, most of that is from two typos. if he fixes the h4 tags, everything is good.

    <h4>Red is Nagivation</h3>
    <h4>CISPCA</h3>

    --
    Your sig(k) has been stolen. There is a puff of smoke!
  40. Re:Bad Publicity? Ya THink? by Antique+Geekmeister · · Score: 1

    Are you sure your 'girlfriend' doesn't think it's 'unsolicited'? It might be a hint that your mail looks like fraudulent advertising.

  41. Gmail - Spam? by nicatronTg · · Score: 1

    All this will do is show that the internet is insecure; no matter what company runs an app, it can always be exploited.

    --
    hxxp://nthegreat.co.nr
  42. whitelisting is inherently wrong. by awpoopy · · Score: 2, Insightful

    whitelisting a domain, email address or ip address means that you are trusting someone else to make sure their message server (and accompanying mail admin) is doing things right. There's also the possibility, due to pressure from your boss, you're allowing a known spam machine to send you mail and then it's up to you to regex out the spam. Whitelisting allows otherwise blockable items through. Email and webhosting rule #1: "You get what you pay for." If you're using something free to do business, you are sharing machines used by a thousand other computers. How many of those thousand other computers are running some form of a compromised/infected (read: microsoft) computer? Hotmail is a petri-dish. The pretty blue and green colors are symbolic. Yeah, you can quote that.

    --
    I say things which affect my Karma negatively. (and I don't care) For instance; All religion is false.
  43. Re:Blacklist gmail by teknopurge · · Score: 1

    Unfortunately much of the code is autogenerated by a 3rd-party billing system that has invalid embedded HTML in their php variables and code. We don't have access to the source and have made do the best we can. Besides the invalid HTML, the system is good at what it does and is a mature application from a functional standpoint.

    On our list of priorities the web-site w3 validation is right below our next marketing effort.

    Regards,

  44. Re:Bad Publicity? Ya THink? by hyades1 · · Score: 1

    No, we checked all the obvious stuff. And her company isn't one of those that tries to stop employees from receiving personal e-mail, either.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  45. Re:Blacklist gmail by Anonymous Coward · · Score: 0

    That doesn't make it any less funny.

    People in glass houses shouldn't throw stones.

    Self-righteous prick.

  46. Silly question by HTH+NE1 · · Score: 3, Funny

    Does the Information Security Research Team make any memorabilia coins? I imagine an INSERT coin would be quite desirable.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  47. Re:Blacklist gmail by taylortbb · · Score: 1

    I stand by my point that 0 errors are acceptable, hence why it has been corrected. I'll admit you got me there, I made a typo on that one page and it wasn't valid. I actually wish browsers would follow the standard for XML and stop parsing once an error is encountered. I would have noticed without someone pointing it out or waiting until I re-checked it for standards compliance.

  48. Re:Blacklist gmail by taylortbb · · Score: 1

    I don't think I'm a self-righteous prick for making a mistake. I strive for 0 errors (all my other pages were valid), and I correct errors as soon as I'm aware of them. I will come out and state that my website had an unacceptable number of errors. I'd be a self-righteous prick if I thought it was okay for my page to have the 2 typos (which produced 10 errors), but not for other people to have errors. Mistakes happen; it's the people that think they don't need to be fixed I disagree with.