Slashdot Mirror


Gmail As Open-Relay Spam Server

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

9 of 145 comments

  1. Whitelists don't work. by techno-vampire · · Score: 5, Insightful

    This flaw is valuable because it's clear proof that whitelists don't work. No domain is above suspicion when it comes to sending spam. About the only real use the domain can be is as an adjustment to your filters. Done properly, mail from gmail.com is marked as less likely to be spam than mail from cyberpromo.com, but it's still checked.

    --
    Good, inexpensive web hosting
  2. Re:DeBunking? by peragrin · · Score: 4, Insightful

    last I checked it was 6.5 gigs of storage.

    i figure google will have this locked down soon enough though. It's not like they won't notice the sudden burst of traffic. Some guy is going to be working hard tonight.

    --
    i thought once I was found, but it was only a dream.
  3. Re:Idiots better get off their ass by Baumi · · Score: 4, Insightful

    By riding this out, you give no incentive to actually fix anything. In theory, you're right: If all the server admins in the world united and blocked GMail, that'd send a message to Google to fix this ASAP.

    In practice, however, Google is likely to do just that anyway, and since there is no organized blacklisting going on, a sole action by the GP poster would most likely annoy his users while Google itself wouldn't even notice it.

    (Unless, of course, the GP happens to be the sysadmin for Hotmail, Yahoo! Mail or something similar - in that case: Blacklist, baby! ;-) )
  4. Re:Idiots better get off their ass by schon · · Score: 5, Insightful

    > There are trivial technical solutions for the spam problem if only we could get rid of SMTP.

    No, there aren't.

    Spam exists because there are sociopaths who want to steal resources from others. There is *NO* technical solution to this. If your SMTP replacement allows anyone to contact anyone else, it will allow spammers to contact anyone.

    Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.
  5. They'll fix it if it gets enough bad publicity by Animats · · Score: 5, Insightful

    Bad publicity made Google fix their open redirector for URLs. Bad publicity will make them fix this.

    GMail ought to go back to cell phone authentication for new accounts. Since their captcha was broken, they've become a favorite of spammers.

    Blogspot is also a spam haven. Most blogspot blogs are spam, and they can be used as a form of open redirector. Look for spams like: "An IWC watch is a uniquely handcrafted time piece ... http://rexefute51720.blogspot.com/"

    Complain loudly, publicly, and often. Google needs to take stronger steps to avoid being a spam conduit.

  6. Re:Wow, slashdot doesn't give a crap by Jurily · · Score: 4, Insightful

    The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process. Recently I've been getting spam that convinced them that I was the sender, and even "(unknown sender)" ones. One would think that's not that hard to decide.

    The other problem is, Hotmail and Yahoo trusting Gmail. In the world of email, there is no such thing as a trustworthy server.
  7. Re:Idiots better get off their ass by Paradise+Pete · · Score: 4, Insightful

    > Then why is the spam problem so much bigger than the telemarketer or junk fax problem?

    Cost, plain and simple. The fundamental way to reduce spam is to make it cost more to do. Of course actually figuring out a good way to do that is left as an exercise for the reader.

  8. Re:Idiots better get off their ass by Chandon+Seldon · · Score: 4, Insightful

    > Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.

    That's generally true.

    The problem is that SMTP makes it drastically worse than it needs to be with a push model. The spammer can send a million messages, and they've all already been accepted by the destination server before anyone has a chance to complain.

    If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered. Sure, that doesn't kill the spam problem utterly dead - but it does mean that current spam management resources could keep it down to well under 90% of all email.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  9. Re:Wow, slashdot doesn't give a crap by Lincolnshire+Poacher · · Score: 5, Insightful

    > The real problem is really deciding what is a legitimate
    > source of e-mail, without requiring a central registry of
    > e-mail servers or some other sort of bureaucratic process.

    Well that's the problem that SPF solves. Each domain owner
    creates a DNS entry that specifies which mail servers are
    permitted to send mail for that domain. When an MX receives
    a HELO it checks that the originating IP corresponds with
    the DNS entry; if not, the mail can be rejected or subjected
    to further inspection and scoring.

    Simple to implement, I've done it in 20 minutes for my domain
    ( 20 minutes from ``What is this project?'' to submitting the
    DNS change ).

    http://www.openspf.org/
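The SPF check described in comment 9, together with comment 1's point that a sender domain should only adjust a filter score rather than bypass filtering, as an added example. This is not code from the thread or from openspf.org; it is a minimal evaluator of the SPF mechanisms ip4, ip6, a, mx, include, all and the redirect modifier (RFC 7208), run against a constructed in-memory DNS table. SPF is evaluated on the connecting IP against the domain in the envelope MAIL FROM (and separately the HELO name); the domains, addresses, reputation table and score weights below are all invented for illustration.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed in-memory DNS.

Added example, not code from the original thread or from openspf.org.
All zone data, domains and score weights are invented for illustration.
"""
import ipaddress

# Constructed zone data using documentation address ranges; real code would query DNS.
DNS = {
    "example.org": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
        "A": ["192.0.2.10"],
    },
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:198.51.100.0/25 ~all"]},
    "example.net": {"TXT": ["v=spf1 mx a:example.org/24 -all"], "MX": ["mx.example.net"]},
    "mx.example.net": {"A": ["198.51.100.250"]},
    "redir.example": {"TXT": ["v=spf1 redirect=example.org"]},
    "broken.example": {"TXT": ["v=spf1 foo:bar -all"]},
    "nospf.example": {"TXT": ["unrelated text"], "A": ["203.0.113.5"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_records(domain):
    """TXT records whose first token is exactly v=spf1 (one is valid, more than one is an error)."""
    return [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]


def ip_in(ip, cidr):
    """True if ip lies in cidr; a bare address counts as a /32 or /128 network."""
    return ip in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, depth=0):
    """SPF check_host(): result for sender IP `ip` presenting MAIL FROM / HELO domain `domain`."""
    ip = ipaddress.ip_address(ip)
    recs = spf_records(domain)
    if not recs:
        return "none"
    if len(recs) > 1 or depth > 10:          # multiple records, or runaway include/redirect chain
        return "permerror"
    redirect = None
    for term in recs[0].split()[1:]:
        if "=" in term:                      # modifier (redirect=, exp=); only redirect is acted on
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")          # "ip6:2001:db8::/32" splits at the first colon only
        mech, _, mask = name.lower().partition("/")  # "a/24" form
        target, _, argmask = arg.partition("/")      # "a:host/24" form
        target, mask = target or domain, argmask or mask
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip_in(ip, arg)             # version mismatch simply does not match
            elif mech == "a":
                matched = any(ip_in(ip, f"{a}/{mask}" if mask else a) for a in lookup(target, "A"))
            elif mech == "mx":
                matched = any(ip_in(ip, f"{a}/{mask}" if mask else a)
                              for mx in lookup(target, "MX") for a in lookup(mx, "A"))
            elif mech == "include":
                # include matches only when the referenced policy yields "pass" (error propagation omitted)
                matched = check_host(str(ip), arg, depth + 1) == "pass"
            else:
                return "permerror"               # ptr/exists and unknown mechanisms are not implemented
        except ValueError:
            return "permerror"                   # malformed address or network in the record
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_host(str(ip), redirect, depth + 1)
    return "neutral"                             # record exhausted without a match


# Comment 1's point: sender identity and reputation only move the score; nothing skips the content filter.
SPF_WEIGHT = {"pass": -1.0, "neutral": 0.0, "none": 0.5, "softfail": 1.5, "fail": 4.0, "permerror": 1.0}
DOMAIN_WEIGHT = {"example.org": -1.0}   # constructed reputation table; unknown domains get 0


def classify(ip, mail_from, content_score, threshold=5.0):
    """Return (spf_result, total_score, is_spam); content_score stands in for a Bayesian/rule score."""
    domain = mail_from.rpartition("@")[2]
    result = check_host(ip, domain)
    total = content_score + SPF_WEIGHT[result] + DOMAIN_WEIGHT.get(domain.lower(), 0.0)
    return result, total, total >= threshold


if __name__ == "__main__":
    for case in [("192.0.2.10", "alice@example.org", 3.0),    # authorised host, clean content
                 ("192.0.2.10", "bulk@example.org", 7.0),     # authorised host, spammy content
                 ("203.0.113.9", "forged@example.org", 2.0)]: # forged sender domain
        print(case, classify(*case))
```

The second case is the one this thread is about: mail that passes SPF from a reputable domain still gets filtered when its content scores badly, which is exactly what a Gmail relay abuse would look like to a receiver that treats "pass" as a bonus rather than a bypass.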