Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail As Open-Relay Spam Server

Posted by kdawson on from the if-you're-not-part-of-the-solution-you're-part-of-the-precipitate dept.

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

4 of 145 comments (clear)

  1. Whitelists don't work. by techno-vampire · · Score: 5, Insightful

    This flaw is valuable because it's clear proof that whitelists don't work. No domain is above suspicion when it comes to sending spam. About the only real use the domain can be is as an adjustment to your filters. Done properly, mail from gmail.com is marked as less likely to be spam than mail from cyberpromo.com, but it's still checked.

    --
    Good, inexpensive web hosting
  2. Re:Idiots better get off their ass by schon · · Score: 5, Insightful

    There are trivial technical solutions for the spam problem if only we could get rid of SMTP. No, there aren't.

    Spam exists because there are sociopaths who want to steal resources from others. There is *NO* technical solution to this. If your SMTP replacement allows anyone to contact anyone else, it will allow spammers to contact anyone.

    Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.
  3. They'll fix it if it gets enough bad publicity by Animats · · Score: 5, Insightful

    Bad publicity made Google fix their open redirector for URLs. Bad publicity will make them fix this.

    GMail ought to go back to cell phone authentication for new accounts. Since their capcha was broken, they've become a favorite of spammers.

    Blogspot is also a spam haven. Most blogspot blogs are spam, and they can be used as a form of open redirector. Look for spams like: "An IWC watch is a uniquely handcrafted time piece ... http://rexefute51720.blogspot.com/"

    Complain loudly, publicly, and often. Google needs to take stronger steps to avoid being a spam conduit.

  4. Re:Wow, slashdot doesnt give a crap by Lincolnshire+Poacher · · Score: 5, Insightful

    > The real problem is really deciding what is a legitimate
    > source of e-mail, without requiring a central registry of
    > e-mail servers or some other sort of bureaucratic process.

    Well that's the problem that SPF solves. Each domain owner
    creates a DNS entry that specifies which mail servers are
    permitted to send mail for that domain. When an MX receives
    a HELO it checks that the originating IP corresponds with
    the DNS entry; if not, the mail can be rejected or subjected
    to further inspection and scoring.

    Simple to implement, I've done it in 20 minutes for my domain
    ( 20 minutes from ``What is this project?'' to submitting the
    DNS change ).

    http://www.openspf.org/