Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail As Open-Relay Spam Server

Posted by kdawson on from the if-you're-not-part-of-the-solution-you're-part-of-the-precipitate dept.

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

16 of 145 comments (clear)

  1. Whitelists don't work. by techno-vampire · · Score: 5, Insightful

    This flaw is valuable because it's clear proof that whitelists don't work. No domain is above suspicion when it comes to sending spam. About the only real use the domain can be is as an adjustment to your filters. Done properly, mail from gmail.com is marked as less likely to be spam than mail from cyberpromo.com, but it's still checked.

    --
    Good, inexpensive web hosting
  2. Re:DeBunking? by peragrin · · Score: 4, Insightful

    last I checked it was 6.5 gigs of storage.

    i figure google will have this locked down soon enough though. It's not like they won't notice the sudden burst of traffic. Some guy is going to be working hard tonight.

    --
    i thought once I was found, but it was only a dream.
  3. Re:Idiots better get off their ass by Baumi · · Score: 4, Insightful

    By riding this out, you give no incentive to actually fix anything. In theory, you're right: If all the server admins in the world united and blocked GMail, that'd send a message to Google to fix this ASAP.

    In practice, however, Google is likely to do just that anyway, and since there is no organized blacklisting going on, a sole action by the GP poster would most likely annoy his users while Google itself wouldn't even notice it.

    (Unless, of course, the GP happens to be the sysadmin for Hotmail, Yahoo! Mail or something similar - in that case: Blacklist, baby! ;-) )
  4. parent, INSIGHTFUL? by wamatt · · Score: 3, Insightful

    What planet are you from? No self respecting ISP in the world would try pull that.

    You going to go an make some ideological bullshit point and piss all over your customers when it's not going to make the slightest difference to Google.

    Go right ahead!

  5. Re:Idiots better get off their ass by martin-boundary · · Score: 3, Insightful

    That's not a problem. That's what the Reply-To: field is for.

  6. Re:Idiots better get off their ass by EdIII · · Score: 3, Insightful

    Heh. Bwahahahah... *cough*

    SpamCop and SpamHaus blocking Google? How do they say it... When Pigs Fly?

    People that use both of those services, free and paying customers alike, rely on them automatically managing their lists. I am sure, and I am certainly adding myself to this, that "we" don't expect these services to add Hotmail, GMail, Yahoo, etc. You can also toss Comcast, AT&T, Time Warner's Roadrunner, Cox, etc. to the list too.

    Unfortunately, there is such a thing as being too big to blacklist. I don't know how many millions of customers that it starts at, but GMail passed whatever mark that was a long time ago.

    Organized blacklisting only applies to much much smaller entities.

  7. Re:Idiots better get off their ass by schon · · Score: 5, Insightful

    There are trivial technical solutions for the spam problem if only we could get rid of SMTP. No, there aren't.

    Spam exists because there are sociopaths who want to steal resources from others. There is *NO* technical solution to this. If your SMTP replacement allows anyone to contact anyone else, it will allow spammers to contact anyone.

    Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.
  8. They'll fix it if it gets enough bad publicity by Animats · · Score: 5, Insightful

    Bad publicity made Google fix their open redirector for URLs. Bad publicity will make them fix this.

    GMail ought to go back to cell phone authentication for new accounts. Since their capcha was broken, they've become a favorite of spammers.

    Blogspot is also a spam haven. Most blogspot blogs are spam, and they can be used as a form of open redirector. Look for spams like: "An IWC watch is a uniquely handcrafted time piece ... http://rexefute51720.blogspot.com/"

    Complain loudly, publicly, and often. Google needs to take stronger steps to avoid being a spam conduit.

    1. Re:They'll fix it if it gets enough bad publicity by Lincolnshire+Poacher · · Score: 3, Insightful

      > Bad publicity made Google fix their open redirector for
      > URLs. Bad publicity will make them fix this

      Your optimism is like a ray of Sunlight in a dark world, but I
      fear it is misplaced.

      Many USENET groups are virtually unreadable today because of the
      torrent of spam posting originating from Google Groups accounts.
      Thousands of users have submitted precise spam reports to Google,
      quoting the article-IDs. Result? None. Consequence? USENETters
      start to block any and all Google Groups postings
        ( though http://improve-usenet.org/ seems to have died )

      Without the pressure of blacklisting, I do not think that Google
      will be inclined to address the mail spam problem either. It only
      affects third parties at present, so why expend resources fixing
      it when there is no immediate benefit to their users?

  9. Re:Wow, slashdot doesnt give a crap by Jurily · · Score: 4, Insightful

    The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process. Recently I've been getting spam that convinced them that I was the sender, and even "(unknown sender)" ones. One would think that's not that hard to decide.

    The other problem is, Hotmail and Yahoo trusting Gmail. In the world of email, there is no such thing as a trustworthy server.
  10. Re:Idiots better get off their ass by Paradise+Pete · · Score: 4, Insightful
    Then why is the spam problem so much bigger than the telemarketer or junk fax problem?

    Cost, plain and simple. The fundamental way to reduce spam is to make it cost more to do. Of course actually figuring out a good way to do that is left as an exercise for the reader.

  11. Re:Idiots better get off their ass by Chandon+Seldon · · Score: 4, Insightful

    Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.

    That's generally true.

    The problem is that SMTP makes it drastically worse than it needs to be with a push model. The spammer can send a million messages, and they've all already been accepted by the destination server before anyone has a chance to complain.

    If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered. Sure, that doesn't kill the spam problem utterly dead - but it does mean that current spam management resources could keep it down to well under 90% of all email.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  12. Re:Idiots better get off their ass by schon · · Score: 3, Insightful

    Then why is the spam problem so much bigger than the telemarketer or junk fax problem? Because we have laws regulating them, which (amazingly enough) is how society deals with social problems.

    Thank you for illustrating my point.

  13. Re:Idiots better get off their ass by Niten · · Score: 3, Insightful

    If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered.

    The thing is that we can already achieve the same effect through a combination of greylisting and a trustworthy blacklist: an unknown (non-whitelisted) sender cannot deliver messages immediately, and if they're one of the few spammers who will retry deliver after a temporary failure, then by that time odds are that they will have been blacklisted.

    Sure, it's possible that a pull model might prove slightly more effective even so, but neither model will ever kill spam dead. And "possibly slightly better at dealing with spam, but probably just the same" isn't nearly enough to justify uprooting the world's entire email infrastructure.

  14. Re:Wow, slashdot doesnt give a crap by Lincolnshire+Poacher · · Score: 5, Insightful

    > The real problem is really deciding what is a legitimate
    > source of e-mail, without requiring a central registry of
    > e-mail servers or some other sort of bureaucratic process.

    Well that's the problem that SPF solves. Each domain owner
    creates a DNS entry that specifies which mail servers are
    permitted to send mail for that domain. When an MX receives
    a HELO it checks that the originating IP corresponds with
    the DNS entry; if not, the mail can be rejected or subjected
    to further inspection and scoring.

    Simple to implement, I've done it in 20 minutes for my domain
    ( 20 minutes from ``What is this project?'' to submitting the
    DNS change ).

    http://www.openspf.org/

  15. Re:Idiots better get off their ass by DougBTX · · Score: 3, Insightful

    before anyone has a chance to complain.

    All it takes is a spammer to use his distributed botnet to post thousands of complaints about legitimate email, and you're back to filtering push requests. You're also assuming that the spammer only has one plug to pull.