Gmail As Open-Relay Spam Server
sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."
but is very effective against slashdot comments?
This flaw is valuable because it's clear proof that whitelists don't work. No domain is above suspicion when it comes to sending spam. About the only real use the domain can be is as an adjustment to your filters. Done properly, mail from gmail.com is marked as less likely to be spam than mail from cyberpromo.com, but it's still checked.
Good, inexpensive web hosting
By riding this out, you give no incentive to actually fix anything.
last I checked it was 6.5 gigs of storage.
i figure google will have this locked down soon enough though. It's not like they won't notice the sudden burst of traffic. Some guy is going to be working hard tonight.
i thought once I was found, but it was only a dream.
In practice, however, Google is likely to do just that anyway, and since there is no organized blacklisting going on, a sole action by the GP poster would most likely annoy his users while Google itself wouldn't even notice it.
(Unless, of course, the GP happens to be the sysadmin for Hotmail, Yahoo! Mail or something similar - in that case: Blacklist, baby!)
I think that the problem may be that there are still too many people who believe the jargon... "Do no evil." (Or something to that effect at any rate...)
"So long and thanks for all the fish."
What planet are you from? No self respecting ISP in the world would try to pull that.
You're going to go and make some ideological bullshit point and piss all over your customers when it's not going to make the slightest difference to Google.
Go right ahead!
That's not a problem. That's what the Reply-To: field is for.
Heh. Bwahahahah... *cough*
SpamCop and SpamHaus blocking Google? How do they say it... When Pigs Fly?
People that use both of those services, free and paying customers alike, rely on them automatically managing their lists. I am sure, and I am certainly adding myself to this, that "we" don't expect these services to add Hotmail, GMail, Yahoo, etc. You can also toss Comcast, AT&T, Time Warner's Roadrunner, Cox, etc. to the list too.
Unfortunately, there is such a thing as being too big to blacklist. I don't know how many millions of customers that it starts at, but GMail passed whatever mark that was a long time ago.
Organized blacklisting only applies to much much smaller entities.
Spam exists because there are sociopaths who want to steal resources from others. There is *NO* technical solution to this. If your SMTP replacement allows anyone to contact anyone else, it will allow spammers to contact anyone.
Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.
Google having an open security breach doesn't even make it to the hundredth comment after a few hours.. I wonder how much time it would take to break that mark if the service in question was, say, Microsoft's Hotmail.
Bad publicity made Google fix their open redirector for URLs. Bad publicity will make them fix this.
GMail ought to go back to cell phone authentication for new accounts. Since their captcha was broken, they've become a favorite of spammers.
Blogspot is also a spam haven. Most blogspot blogs are spam, and they can be used as a form of open redirector. Look for spams like: "An IWC watch is a uniquely handcrafted time piece ... http://rexefute51720.blogspot.com/"
Complain loudly, publicly, and often. Google needs to take stronger steps to avoid being a spam conduit.
The other problem is, Hotmail and Yahoo trusting Gmail. In the world of email, there is no such thing as a trustworthy server.
Cost, plain and simple. The fundamental way to reduce spam is to make it cost more to do. Of course actually figuring out a good way to do that is left as an exercise for the reader.
That's generally true.
The problem is that SMTP makes it drastically worse than it needs to be with a push model. The spammer can send a million messages, and they've all already been accepted by the destination server before anyone has a chance to complain.
If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered. Sure, that doesn't kill the spam problem utterly dead - but it does mean that current spam management resources could keep it down to well under 90% of all email.
-- The act of censorship is always worse than whatever is being censored. Always.
Thank you for illustrating my point.
The thing is that we can already achieve the same effect through a combination of greylisting and a trustworthy blacklist: an unknown (non-whitelisted) sender cannot deliver messages immediately, and if they're one of the few spammers who will retry delivery after a temporary failure, then by that time odds are that they will have been blacklisted.
Sure, it's possible that a pull model might prove slightly more effective even so, but neither model will ever kill spam dead. And "possibly slightly better at dealing with spam, but probably just the same" isn't nearly enough to justify uprooting the world's entire email infrastructure.
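The greylist-plus-blacklist combination described in the comment above, as an added example that is not part of the thread. The whitelist, blacklist, retry delay and the message timeline are all constructed for the simulation; the triplet key (connecting IP, envelope sender, envelope recipient) and the 451 temporary failure are the usual greylisting convention.

```python
"""Greylisting combined with a blacklist: a first-time sender triplet gets a
temporary failure; a retry before the delay elapses gets another one; a retry
after the delay is accepted unless the sender has been blacklisted meanwhile.
Added example, not code from the thread. All data below is constructed."""

GREYLIST_DELAY = 300  # seconds a new triplet must wait before a retry is accepted

class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, whitelist=None, blacklist=None):
        self.delay = delay
        self.whitelist = set(whitelist or ())  # known-good relays skip greylisting
        self.blacklist = set(blacklist or ())  # grows as spam reports arrive
        self.seen = {}  # (ip, sender, rcpt) -> timestamp of first attempt

    def decide(self, ip, sender, rcpt, now):
        """Return the SMTP reply code the MTA would give at RCPT TO time."""
        if ip in self.blacklist:
            return "550 blocked"
        if ip in self.whitelist:
            return "250 accept"
        key = (ip, sender.lower(), rcpt.lower())
        first = self.seen.setdefault(key, now)
        if now - first < self.delay:
            return "451 try again later"  # temporary failure; honest MTAs retry
        return "250 accept"

    def report_spam(self, ip):
        """Blacklist a source after complaints (the 'trustworthy blacklist' part)."""
        self.blacklist.add(ip)

def simulate():
    """Constructed timeline: a legitimate sender and a spammer both hit the
    greylist at t=0; complaints blacklist the spammer at t=120; both retry
    at t=400. Returns the reply each attempt received."""
    gl = Greylist(whitelist={"198.51.100.10"})
    legit = ("203.0.113.7", "alice@example.org", "bob@example.net")
    spam = ("192.0.2.99", "deals@bulk.example", "bob@example.net")
    log = {}
    log["legit_first"] = gl.decide(*legit, now=0)
    log["spam_first"] = gl.decide(*spam, now=0)
    log["spam_early_retry"] = gl.decide(*spam, now=60)
    gl.report_spam(spam[0])  # complaints come in while the spammer waits
    log["legit_retry"] = gl.decide(*legit, now=400)
    log["spam_retry"] = gl.decide(*spam, now=400)
    log["whitelisted"] = gl.decide("198.51.100.10", "x@relay.example", "bob@example.net", now=0)
    return log

if __name__ == "__main__":
    for step, reply in simulate().items():
        print(f"{step:18s} {reply}")
```

The `seen` table grows with every new triplet, so a production greylist also expires old entries and usually keys on the sender's /24 rather than the exact IP to cope with outbound mail pools; those refinements are left out here to keep the decision logic visible.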
> The real problem is really deciding what is a legitimate
> source of e-mail, without requiring a central registry of
> e-mail servers or some other sort of bureaucratic process.
Well that's the problem that SPF solves. Each domain owner
creates a DNS entry that specifies which mail servers are
permitted to send mail for that domain. When an MX receives
a HELO it checks that the originating IP corresponds with
the DNS entry; if not, the mail can be rejected or subjected
to further inspection and scoring.
Simple to implement, I've done it in 20 minutes for my domain
( 20 minutes from ``What is this project?'' to submitting the
DNS change ).
http://www.openspf.org/
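To make the SPF check in the comment above concrete, here is an added example (not code from the thread, from openspf.org, or from any SPF library) of the receiving side: a small evaluator for a subset of SPF records that answers "is this connecting IP permitted to send mail for this domain?" It uses a constructed in-memory table in place of DNS TXT lookups; the domains and addresses in it are documentation ranges, not real mail servers. Only the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers are handled; `a`, `mx`, `exists` and macros are out of scope because they need real DNS.

```python
"""Subset SPF evaluator (RFC 7208 style) over a constructed DNS table.
Added example, not the page's or any project's code."""
import ipaddress

# Constructed TXT records standing in for DNS lookups (not real data).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "neutral.example": "v=spf1 ?all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms per check

def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = dns.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec

def check_host(ip, domain, dns=FAKE_DNS_TXT, _depth=0):
    """SPF result for connecting address `ip` claiming MAIL FROM `domain`:
    one of pass / fail / softfail / neutral / none / permerror."""
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    rec = lookup_spf(domain, dns)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_host(ip, arg, dns, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("permerror", "temperror", "none"):
                return "permerror"  # included domain must exist and be valid
            # fail/softfail/neutral inside an include: simply no match here
        else:
            return "permerror"  # mechanism unsupported by this subset
    return "neutral"  # default when no mechanism matched

def smtp_decision(result):
    """Map the SPF result to what the MX does with the HELO/MAIL FROM, as the
    comment describes: reject on fail, score the rest."""
    if result == "fail":
        return "550 reject"
    if result in ("softfail", "neutral", "none"):
        return "accept, add to spam score"
    if result == "permerror":
        return "accept, treat record as absent"
    return "accept"

if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        r = check_host(ip, "example.com")
        print(f"{ip:16s} example.com -> {r:9s} {smtp_decision(r)}")
```

Note that SPF only binds the envelope sender domain to the connecting IP; it says nothing about the header `From:` the user sees, and it does nothing against the Gmail problem in the story, where the mail really does leave Google's own servers and therefore passes Google's SPF record.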
before anyone has a chance to complain.
All it takes is a spammer to use his distributed botnet to post thousands of complaints about legitimate email, and you're back to filtering push requests. You're also assuming that the spammer only has one plug to pull.
If you are running a hosting business that specifically does hosted exchange services, hosted terminal server sessions, etc. you cannot tell your clients that they are unable to communicate with somebody, especially a major email provider such as GMail.
The customer does not care about Google and Relaying or any other techno gobbledygook. They only care that email was being blocked. It is not even a GMail specific thing either. It can be ANYBODY not being able to communicate with them, real or imagined, and it becomes a problem.
If I was the email administrator for an organization, then maybe I could just do it and get away with it citing security concerns.
Good question though.
In a system where the sender initiates information transfer ( such as in e-mail) you have the following problem:
"If you want everybody to be able to contact you, then you will receive information you do not want."
Conversely, if you have a system where the recipient requests information ( such as for web-pages ) then you have the following problem:
"If you want everybody to be able to get information about yourself, then people you don't like could collect information about you."
There's no way around these very simple facts; the best you can do is to change what you expect from the service. As an example, e-mail spam would be rapidly defeated if you limited yourself to only receiving information from sources you have approved in advance, but that is too limited for most people, because we want our friends to be able to give our e-mail addresses to their friends if they have something nice to tell us. Therefore we will get e-mails we don't want. If you want to change this you have to either change your expectations of what e-mail should do, or you have to change the behavior of people sending out spam. The easiest way to do the latter is to penalize businesses who do it.
Yes, there is such a thing. An SMTP-AUTH authenticated server works well, and it's straightforward to publish SPF records for other mail servers to filter a lot of forged email, especially the bounces you've been seeing. (SPF is worth looking up: Google does publish SPF records in their DNS.) SPF got crippled by a Microsoft 'embrace and extend' operation involving SenderID keys and mislabeling SenderID based SPF tags as plain SPF. It got
whitelisting a domain, email address or ip address means that you are trusting someone else to make sure their message server (and accompanying mail admin) is doing things right. There's also the possibility, due to pressure from your boss, you're allowing a known spam machine to send you mail and then it's up to you to regex out the spam. Whitelisting allows otherwise blockable items through. Email and webhosting rule #1: "You get what you pay for." If you're using something free to do business, you are sharing machines used by a thousand other computers. How many of those thousand other computers are running some form of a compromised/infected (read: microsoft) computer? Hotmail is a petri-dish. The pretty blue and green colors are symbolic. Yeah, you can quote that.
I say things which affect my Karma negatively. (and I don't care) For instance; All religion is false.