Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail As Open-Relay Spam Server

Posted by kdawson on from the if-you're-not-part-of-the-solution-you're-part-of-the-precipitate dept.

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

4 of 145 comments (clear)

  1. Idiots better get off their ass by EdIII · · Score: 5, Informative

    Speaking as a mail server administrator I sincerely hope that they fix this pronto. There is no way that I can just block gmail addresses from my mail server given how huge gmail already is. I literally have no choice but to ride this out and hope for the best.

    I have already checked my server logs and the fun just started a little while ago. Yay!....

    1. Re:Idiots better get off their ass by Robotech_Master · · Score: 4, Informative

      Problem with this is that a lot of people (myself included) use gmail for the ease of use, but prefer to keep their own email address as the return address for various reasons.

      --
      Editor Emeritus and Senior Writer, TeleRead.org
    2. Re:Idiots better get off their ass by EdIII · · Score: 4, Informative

      That sounds logical but it won't work.

      The spammers don't care about what their FROM and REPLYTO fields actually say. Since this is a man-in-the-middle attack they could put practically anything with a @gmail.com in those fields and it will render your solution ineffective.

      The real problem with this exploit is that it bypasses all of Google's security measures and anything I could do on my end would only verify that the email actually came from a real Google mail server and from a Google email user. So then I can only rely on SPAM filtering based on content which is not as effective as we would all like it to be.

  2. Interesting... by Animaether · · Score: 5, Informative

    ...was "a little while ago" on thursday?

    Because that's when the existence of the vulnerability was already known, at least. The people who figured it out aren't telling the world how to do it (I'm sure clever people can figure it out), and are / were waiting for Google to fix it first.

    http://ece.uprm.edu/~andre/insert/gmail.html

    You might be seeing plain ol' spam from gmail; it's been having its share of problems with spammers since both captcha crack -and- before that by manual sign-up, simply -because- everybody trusted gmail (what, with the forced SMS/Text Message sign-up, invite-only, etc. preceding).