Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail As Open-Relay Spam Server

Posted by kdawson on from the if-you're-not-part-of-the-solution-you're-part-of-the-precipitate dept.

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

10 of 145 comments (clear)

  1. Wow, slashdot doesnt give a crap by Aranykai · · Score: 2, Informative

    Apparently, no one here cares:P

    But, on topic, this really isn't all the surprising. Pretty much any email server can be used as a relay in this manner, the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.

    --
    If sharing a song makes you a pirate, what do I have to share to be a ninja?
  2. Idiots better get off their ass by EdIII · · Score: 5, Informative

    Speaking as a mail server administrator I sincerely hope that they fix this pronto. There is no way that I can just block gmail addresses from my mail server given how huge gmail already is. I literally have no choice but to ride this out and hope for the best.

    I have already checked my server logs and the fun just started a little while ago. Yay!....

    1. Re:Idiots better get off their ass by Robotech_Master · · Score: 4, Informative

      Problem with this is that a lot of people (myself included) use gmail for the ease of use, but prefer to keep their own email address as the return address for various reasons.

      --
      Editor Emeritus and Senior Writer, TeleRead.org
    2. Re:Idiots better get off their ass by EdIII · · Score: 4, Informative

      That sounds logical but it won't work.

      The spammers don't care about what their FROM and REPLYTO fields actually say. Since this is a man-in-the-middle attack they could put practically anything with a @gmail.com in those fields and it will render your solution ineffective.

      The real problem with this exploit is that it bypasses all of Google's security measures and anything I could do on my end would only verify that the email actually came from a real Google mail server and from a Google email user. So then I can only rely on SPAM filtering based on content which is not as effective as we would all like it to be.

    3. Re:Idiots better get off their ass by njcoder · · Score: 2, Informative

      Google also has Google Apps which allows you to use your own domain name with GMail.

      --
      Open Source Java DAO Generator
    4. Re:Idiots better get off their ass by jrp2 · · Score: 3, Informative

      "How about blocking all emails from gmail servers not coming from an @gmail.com address?"

      Won't work.

      There are boatloads of people and companies using Google with their own domains. Google Apps, Google Enterprise, etc.

      Also, many of the spammers are using gmail addresses. Remember, they don't care about return emails, they just drive people to their websites.

      --
      The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
  3. Chronologically impaired? by Anonymous Coward · · Score: 2, Informative

    Did anyone else notice that this story appeared AFTER the story above it? I almost missed the story entirely.

  4. Interesting... by Animaether · · Score: 5, Informative

    ...was "a little while ago" on thursday?

    Because that's when the existence of the vulnerability was already known, at least. The people who figured it out aren't telling the world how to do it (I'm sure clever people can figure it out), and are / were waiting for Google to fix it first.

    http://ece.uprm.edu/~andre/insert/gmail.html

    You might be seeing plain ol' spam from gmail; it's been having its share of problems with spammers since both captcha crack -and- before that by manual sign-up, simply -because- everybody trusted gmail (what, with the forced SMS/Text Message sign-up, invite-only, etc. preceding).

  5. Re:DeBunking? by Baumi · · Score: 2, Informative

    Well, this ruins GMail's major argument. AFAIK, "We're no spam relay" has never been touted as a major feature of GMail. Why should they do that? No major webmail provider would intenionally do such a thing. (Which, of course, doesn't porevent bugs and screw-ups as, apparently, in this case.)
  6. Re:They'll fix it if it gets enough bad publicity by SickHumour · · Score: 2, Informative

    GMail ought to go back to cell phone authentication for new accounts.

    I'm not sure if there's something similar in the US, but in South Africa I can get a mobile SIM card with a phone number capable of receiving calls and text messages for less than the equivalent of US$0.30. They're usually around the checkout counters at large retailers and the number activates automatically in less than 10 minute. It's well-known here that they are used by fraudsters when they want to do any phone-based verification.

    Luckily we can tell which numbers are mobile numbers by the first three digits, which is why it's common here to request a land line number for phone verification. Unfortunately, texting to a land line is tricky.