Gmail As Open-Relay Spam Server

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

Re:Idiots better get off their ass

[lambent]

I can second the above statement, since I've seen the exact same traffic.

Unfortunately, this sort of thing will continue to crop up. E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system. To combat spam, mail admins have had to take many unorthodox and RFC-bending practices (if not out-right ignoring RFCs all together). Otherwise, users complain about too much spam. The down side, users then complain about e-mail delays or non-deliverables. So, you get systems setting up certain ways to bypass filters for hopefully trusted domains. And then this whole new problem comes up when people figure out new ways to abuse the system, its safeguards, and hidden/implicit trusts.

Ugh. At this point, I just want to turn SMTP off completely. This is a losing battle.

Re:DeBunking?

[osu-neko]

Well, this ruins GMail's major argument. nNw all they have left is "You get 2 GB of storage".

Huh? What argument are you refering to, and how does this ruin it?

The only "argument" I can think you might be refering to is that, by using Gmail, you avoid having to see a lot of spam due to their excellent spam filterings. This doesn't ruin that argument in any way. In fact, since it primary impacts sites like Yahoo and Hotmail (who will see more spam if they continue to whitelist Gmail), it strengthens it. You're now see even less spam using Gmail, comparatively speaking.

Re:Wow, slashdot doesnt give a crap

[Midnight+Thunder]

Pretty much any email server can be used as a relay in this manner, the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.

Certainly, but this can be reduced by making sure that e-mail coming from the outside world can only be sent to gmail addresses and e-mail going to the outside world requires password authentication by the sender. One issue that we are starting to see it e-mail being bounced to a different part than the one that officially sent the e-mail. Other measures that can help is only accepting e-mail from external mail servers who's name can be resolved from its address.

The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process.

Re:Idiots better get off their ass

[Midnight+Thunder]

E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system.

I hear this being said over and over again. The problem is that no one has been able to provide a solution to resolved the problem. There have been suggestions, but doing so without penalizing the small guy is hard. Do we require certificates and if we do how can we ensure that it will be 100% fool proof? Do we only accept e-mail that hasn't been relayed or only accept mail from white listed relays, or create rules for them, if relays are to be tolerated in certain conditions?

Re:Idiots better get off their ass

[Kent+Recal]

I think what GP meant when he said E-mail is fundamentally broken is that SMTP is fundamentally broken.

There are trivial technical solutions for the spam problem if only we could get rid of SMTP.
Ofcourse "we" can't but my hopes are that google may do it eventually. They could roll out a new system on a large enough scale to actually make it stick.

Re:Idiots better get off their ass

[martin-boundary]

Why do people say this? SMTP is not broken. It's a low level protocol which works pretty damn well. What people should concentrate on is building higher layers on top of SMTP and RFC2822, rather than complaining about SMTP itself.

This is like complaining that wheels don't protect against being rained on, so cars should be redesigned from scratch.

Re:Idiots better get off their ass

[Dekortage]

Yes, C/R is annoying when you have to sift through your mailbox to separate spam from Challenges. When they look like any other E-Mail with not even a standard formatting to identify them. When the procedure varies between clicking a link, replying or even quoting some gibberish text from the mail (oh and don't get it wrong or it won't work), etc.

C/R is annoying because people want their messages to be delivered, without additional work. It's not even that I have to scan a spambox, or that they look like any other e-mail. It's that I have do to ONE MORE THING to have the message delivered. If this had been the way e-mail worked originally, then people might accept it; but now, everyone is used to sending e-mail and having it arrive without interruption (generally speaking).

C/R would be widely accepted if you think more of the way skype does it. A simple dialog box, one click, done. This is the kind of integration I'm thinking of and I'm pretty convinced that even people like Mr. Pogue would happily accept it if it reduces their spam input to zero.

Respectfully, I'm pretty convinced that it will not work unless the spam problem becomes so excessively bad that people are willing to change their e-mail habits. We are not yet to that point, thanks to all the other half-baked anti-spam solutions out there.