Slashdot Mirror
Gmail As Open-Relay Spam Server
sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."
I can second the above statement, since I've seen the exact same traffic.
Unfortunately, this sort of thing will continue to crop up. E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system. To combat spam, mail admins have had to take many unorthodox and RFC-bending practices (if not out-right ignoring RFCs all together). Otherwise, users complain about too much spam. The down side, users then complain about e-mail delays or non-deliverables. So, you get systems setting up certain ways to bypass filters for hopefully trusted domains. And then this whole new problem comes up when people figure out new ways to abuse the system, its safeguards, and hidden/implicit trusts.
Ugh. At this point, I just want to turn SMTP off completely. This is a losing battle.
Huh? What argument are you refering to, and how does this ruin it?
The only "argument" I can think you might be refering to is that, by using Gmail, you avoid having to see a lot of spam due to their excellent spam filterings. This doesn't ruin that argument in any way. In fact, since it primary impacts sites like Yahoo and Hotmail (who will see more spam if they continue to whitelist Gmail), it strengthens it. You're now see even less spam using Gmail, comparatively speaking.
"Convictions are more dangerous enemies of truth than lies."
Pretty much any email server can be used as a relay in this manner, the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.
Certainly, but this can be reduced by making sure that e-mail coming from the outside world can only be sent to gmail addresses and e-mail going to the outside world requires password authentication by the sender. One issue that we are starting to see it e-mail being bounced to a different part than the one that officially sent the e-mail. Other measures that can help is only accepting e-mail from external mail servers who's name can be resolved from its address.
The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process.
Jumpstart the tartan drive.
E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system.
I hear this being said over and over again. The problem is that no one has been able to provide a solution to resolved the problem. There have been suggestions, but doing so without penalizing the small guy is hard. Do we require certificates and if we do how can we ensure that it will be 100% fool proof? Do we only accept e-mail that hasn't been relayed or only accept mail from white listed relays, or create rules for them, if relays are to be tolerated in certain conditions?
Jumpstart the tartan drive.
I think what GP meant when he said E-mail is fundamentally broken is that SMTP is fundamentally broken.
There are trivial technical solutions for the spam problem if only we could get rid of SMTP.
Ofcourse "we" can't but my hopes are that google may do it eventually. They could roll out a new system on a large enough scale to actually make it stick.
You might wanna check this:Why are you blacklisting Gmail?
It's not really evidence of that. There have always been ways for enterprising cyber criminals to engage in this sort of activity, it just happens to be more difficult than it used to be.
A proper white list shouldn't include sites which are likely to be insecure, and it shouldn't grant a completely free pass either. Whitelisted domains do still get submitted to checks on well secured servers. DKIM and SPF being pretty much mandatory these days, as well as virus scanning and spam rating as well.
Really the point of white listing isn't the white list itself, but rather the domains which are blacklisted or not listed at all. Whitelisting is just a means of filtering out as many known bad domains as possible before using more expensive scanning and verification technology.
The other bit about this is that very few people want to get mail from every @gmail.com address or @hotmail.com etc., most people just care about the specific people that they know, and a domain whitelist isn't going to be too useful in that quest. The better choice for most personal correspondence is to just put individual addresses on the whitelist.
This is like complaining that wheels don't protect against being rained on, so cars should be redesigned from scratch.
Well, there are a lot of people who do alternative things.
On a few mail installations I've done, it watches for abusers, and blocks them with firewall rules, based on other detections including SpamAssassin.
So even my own mail system would block gmail if it detects enough spam coming from them. The threshold is high enough to not false, and low enough to stop most of the badguys. On a typical server (~50k msg/day) something like 1500 get blocked daily, with no complaints that real mail is being blocked.
If Google is sending spam out, it's very likely they'll be tripped up by thousands of networks world wide, who have their own precautions in place like I do.
Serious? Seriousness is well above my pay grade.
We are required to pay $10 or so per year to maintain a domain name. If we had to pay $10/year to register an SMTP server, spam would be virtually eliminated, as it would require being up front about operating a mail server. All that would have to happen would be to only accept mail from registered mail servers for the domain they are registered for.
Spambots would not function any more. I don't know why this is so difficult to put in place.
CM www.cometenergysystems.com Blog: http://caribbeanrenewable.blogspot.com/
We have a *good* law on junk fax. It's very clear: unsolicited fax are illegal. We have very poor laws against telemarketers, laws aimed to permit telemarketers to continue to keep bothering you until you formally tell them to stop. There are some laws against spam, but they're extremely badly written.
Simply extending the junk fax law to cover email spam would be easy. The money saved in dealing with people's incoming spam would be more than enough to do the necessary enforcement of the laws, with such a clear law provided. Unfortunately, the efforts to expand this law have inevitably been blocked by the Direct Marketing Association.
Interestingly however, I would like to argue for the exact opposite. The original intent and nature of email was to be completely open. The fact that it is so *perfect* at being open has made it *impossible* to close parts of it that are no longer desired.
As problem solvers we like to think we can solve problems with solutions, but this is a case where we are trying to break a perfect solution. Now, *that* can be difficult.
The inventors of email deserve high praise. Too bad they aren't getting residuals from the spam and anti-spam industry. (don't forget, people are paid to fight spam too, so even good people are getting paid).
C/R is annoying because people want their messages to be delivered, without additional work. It's not even that I have to scan a spambox, or that they look like any other e-mail. It's that I have do to ONE MORE THING to have the message delivered. If this had been the way e-mail worked originally, then people might accept it; but now, everyone is used to sending e-mail and having it arrive without interruption (generally speaking).
Respectfully, I'm pretty convinced that it will not work unless the spam problem becomes so excessively bad that people are willing to change their e-mail habits. We are not yet to that point, thanks to all the other half-baked anti-spam solutions out there.
$nice = $webHosting + $domainNames + $sslCerts