Gmail As Open-Relay Spam Server
sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."
but is very effective against slashdot comments?
Apparently, no one here cares:P
But, on topic, this really isn't all that surprising. Pretty much any email server can be used as a relay in this manner; the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
Speaking as a mail server administrator I sincerely hope that they fix this pronto. There is no way that I can just block gmail addresses from my mail server given how huge gmail already is. I literally have no choice but to ride this out and hope for the best.
I have already checked my server logs and the fun just started a little while ago. Yay!....
This flaw is valuable because it's clear proof that whitelists don't work. No domain is above suspicion when it comes to sending spam. About the only real use the domain can be is as an adjustment to your filters. Done properly, mail from gmail.com is marked as less likely to be spam than mail from cyberpromo.com, but it's still checked.
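The "adjustment, not whitelist" idea in the comment above, as an added example that is not from the original thread: a tiny scorer where the sender's domain only shifts the spam score and content is always checked, next to the whitelist variant that skips checks entirely. Domain priors, rules and the sample bodies are constructed values.

```python
"""Domain reputation as a filter adjustment, not a whitelist (added example)."""
import re

# Constructed reputation priors: negative = less likely spam, positive = more.
DOMAIN_PRIOR = {
    "gmail.com": -1.0,
    "cyberpromo.com": 3.0,
}
# Constructed content rules: (pattern, score added when it matches).
CONTENT_RULES = [
    (re.compile(r"\b(viagra|cialis)\b", re.I), 3.0),
    (re.compile(r"\bfree\b.*\bmoney\b", re.I | re.S), 2.0),
    (re.compile(r"https?://\S+\.blogspot\.com/", re.I), 1.5),
    (re.compile(r"[A-Z]{6,}"), 1.0),  # shouting
]
THRESHOLD = 4.0


def sender_domain(from_header):
    """Extract the domain part of a From: header value (lower-cased)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def content_score(body):
    """Sum of the content rule weights that match the body."""
    return sum(w for pat, w in CONTENT_RULES if pat.search(body))


def score_whitelist(from_header, body):
    """Whitelist semantics: a trusted domain bypasses every content check."""
    if DOMAIN_PRIOR.get(sender_domain(from_header), 0.0) < 0:
        return 0.0
    return content_score(body)


def score_adjusted(from_header, body):
    """Prior semantics: the domain only shifts the score; content is still checked."""
    return DOMAIN_PRIOR.get(sender_domain(from_header), 0.0) + content_score(body)


def is_spam(score):
    return score >= THRESHOLD


if __name__ == "__main__":
    spam_body = "Cheap VIAGRA, free money now! http://rexefute51720.blogspot.com/"
    print("whitelist:", is_spam(score_whitelist("Bob <bob@gmail.com>", spam_body)))
    print("adjusted: ", is_spam(score_adjusted("Bob <bob@gmail.com>", spam_body)))
```

With the constructed spam body, the whitelisted gmail.com sender passes unchecked while the adjusted score still flags it; a clean gmail.com message stays below the threshold.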
Good, inexpensive web hosting
Did anyone else notice that this story appeared AFTER the story above it? I almost missed the story entirely.
Well, this ruins GMail's major argument. Now all they have left is "You get 2 GB of storage".
-- (this is a sig) My Computer Programming Forumhttp://www.programers.co.nr/
A few years ago, while browsing around the library downtown, I had to take a piss. As I entered the john, a big beautiful all-American football hero type, about twenty five, came out of one of the booths. I stood at the urinal looking at him out of the corner of my eye as he washed his hands. He didn't once look at me. He was "straight" and married -- and in any case I was sure I wouldn't have a chance with him.
As soon as he left, I darted into the booth he'd vacated, hoping there might be a lingering smell of shit and even a seat still warm from his sturdy young ass. I found not only the smell but the shit itself. He'd forgotten to flush. And what a treasure he had left behind. Three or four beautiful specimens floated in the bowl. It apparently had been a fairly dry, constipated shit, for all were fat, stiff, and ruggedly textured. The real prize was a great feast of turd -- a nine inch gastrointestinal triumph as thick as a man's wrist. I knelt before the bowl, inhaling the rich brown fragrance and wondered if I should obey the impulse building up inside me. I'd always been a heavy rimmer and had lapped up more than one little clump of shit, but that had been just an inevitable part of eating ass and not an end in itself.
Of course I'd had jerkoff fantasies of devouring great loads of it (what rimmer hasn't?), but I had never done it. Now, here I was, confronted with the most beautiful five-pound turd I'd ever feasted my eyes on, a sausage fit to star in any fantasy and one I knew to have been hatched from the asshole of the world's handsomest young stud.
Why not? I plucked it from the bowl, holding it with both hands to keep it from breaking.
I lifted it to my nose. It smelled like rich, ripe limburger (horrid, but thrilling), yet had the consistency of cheddar. What is cheese anyway but milk turning to shit without the benefit of a digestive tract? I gave it a lick and found that it tasted better then it smelled. I've found since then that shit nearly almost does. I hesitated no longer. I shoved the fucking thing as far into my mouth as I could get it and sucked on it like a big brown cock, beating my meat like a madman. I wanted to completely engulf it and bit off a large chunk, flooding my mouth with the intense, bittersweet flavor. To my delight I found that while the water in the bowl had chilled the outside of the turd, it was still warm inside. As I chewed I discovered that it was filled with hard little bits of something I soon identified as peanuts. He hadn't chewed them carefully and they'd passed through his body virtually unchanged. I ate it greedily, sending lump after peanutty lump sliding scratchily down my throat. My only regret was the donor of this feast wasn't there to wash it down with his piss. I soon reached a terrific climax. I caught my cum in the cupped palm of my hand and drank it down. Believe me, there is no more delightful combination of flavors than the hot sweetness of cum with the rich bitterness of shit. Afterwards I was sorry that I hadn't made it last longer. But then I realized that I still had a lot of fun in store for me. There was still a clutch of virile turds left in the bowl. I tenderly fished them out, rolled them into my hankercheif, and stashed them in my briefcase.
In the week to come I found all kinds of ways to eat the shit without bolting it right down. Once eaten it's gone forever unless you want to filch it third hand out of your own asshole -- not an unreasonable recourse in moments of desperation or simple boredom.
I stored the turds in the refrigerator when I was not using them but within a week they were all gone.
The last one I held in my mouth without chewing, letting it slowly dissolve. I had liquid shit trickling down my throat for nearly four hours. I must have had six orgasms in the process. I often think of that lovely young guy dropping solid gold out of his sweet, pink asshole every day, never knowing what joy it could, and at least once did,bring to a grateful shiteater.
...was "a little while ago" on thursday?
Because that's when the existence of the vulnerability was already known, at least. The people who figured it out aren't telling the world how to do it (I'm sure clever people can figure it out), and are / were waiting for Google to fix it first.
http://ece.uprm.edu/~andre/insert/gmail.html
You might be seeing plain ol' spam from gmail; it's been having its share of problems with spammers since both captcha crack -and- before that by manual sign-up, simply -because- everybody trusted gmail (what, with the forced SMS/Text Message sign-up, invite-only, etc. preceding).
Seriously. Who cares how "huge" they are - if they are incapable of providing reasonable levels of security and administration then they need to be blacklisted. If users start to complain, have a pre-written response stating why the BL was done.
This is unacceptable. Who cares if it's google, our servers don't deserve this garbage. Punish Google on the BLs until they fix their systems. End of story.
Regards,
Website Hosting
I'm not really surprised
**Omitted as a courtesy to Google**
& shaking our fists at the creators. it's all in the manual. there's also such quaint one liners as; the meek shall inherit (what's left of) the earth, do not dismay, & a host of other day by day reminders of what may happen here. most of us seem to be content to continue pretending that everything is just ducky. see you on the other side of it? you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.
http://news.yahoo.com/s/ap/20071229/ap_on_sc/ye_climate_records;_ylt=A0WTcVgednZHP2gB9wms0NUE
http://news.yahoo.com/s/afp/20080108/ts_alt_afp/ushealthfrancemortality;_ylt=A9G_RngbRIVHsYAAfCas0NUE
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying
dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);
http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html
the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.
corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7
as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the
well to be fair, MS needs that one.
What planet are you from? No self-respecting ISP in the world would try to pull that.
You're going to go and make some ideological bullshit point and piss all over your customers when it's not going to make the slightest difference to Google.
Go right ahead!
It's just a beta guys. There's going to be bugs in the system =)
I noticed that gmail load times increased significantly during a few periods yesterday afternoon. After the most recent gmail flaw, I wondered if it was something like this.
I hope they fix it soon, as some have already stated. Sheesh, and we just implemented the new SPAM filter...what am I going to do about gmail addys?
Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
Yeah.. the subject says it all
On one hand, I feel the natural urge for a Nelson-like "Ha-ha" as the mighty Google monolith screws up. On the other hand, I ph33r mightily; my employer runs a lot of mail servers and this is the sort of thing that, if it happened to us, could really damage our company. Man, if I weren't up tinkering with code anyway, I'd be lying awake worrying that I've missed something that would enable the spammers to do the same to us...
Fuck I should go work for INSERT...I knew about this "bug" "feature" "flaw" "exploit" or whatever you want to call it the dayum day they started allowing POP...I actually tested it then and it worked and it has worked almost every day since.
Google having an open security breach doesn't even make it to the hundredth comment after a few hours.. I wonder how much time it would take to break that mark if the service in question was, say, Microsoft's Hotmail.
Bad publicity made Google fix their open redirector for URLs. Bad publicity will make them fix this.
GMail ought to go back to cell phone authentication for new accounts. Since their captcha was broken, they've become a favorite of spammers.
Blogspot is also a spam haven. Most blogspot blogs are spam, and they can be used as a form of open redirector. Look for spams like: "An IWC watch is a uniquely handcrafted time piece ... http://rexefute51720.blogspot.com/"
Complain loudly, publicly, and often. Google needs to take stronger steps to avoid being a spam conduit.
kdawson, as open troll /. spammer
Modding Trolls +1 inciteful since 1999
Goddamned bastards have everything I send to my girlfriend from Google labeled as spam. The IT guy at her firm is a douche bag, but in this case it looks like he might be right.
Google needs to clean up its act.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Is this an advertised feature of Gmail?
just got one of the emails i think well s**t the spam freeness could only last so long i guess
This article doesn't say that Google *is* being used for massive Spam. It's just a proof of concept. Google is aware of this issue, and they may have this fixed before Monday. Then again, this could be something endemic to SMTP, and would happen with any server. It's just that a gmail address is considered free from spam, so it is completely trusted.
The major problem with spam is quite simple: Spam is dirt cheap. I can send out a million spam messages for nothing. As long as I can do that, almost nothing will stop spam. You put on a technical control, and I'll have incentive to break it. The only way to prevent spam is to go to a sender pays model. The amount can be trivial (a very small fraction of a cent), and could be covered as part of your standard ISP agreement, but becomes substantial when you send out a million messages.
That won't get rid of all unsolicited commercial email, but it will get rid of the bulk of the scum. Of course, I am not sure how you'd go from a SMTP model to a new pay-for-sending model. And, what if a spammer steals someone's account (by maybe planting some sort of malware on someone's PC)?
When we have a global Internet and free wireless.
In a system where the sender initiates information transfer (such as in e-mail) you have the following problem:
"If you want everybody to be able to contact you, then you will receive information you do not want."
Conversely, if you have a system where the recipient requests information (such as for web pages) then you have the following problem:
"If you want everybody to be able to get information about yourself, then people you don't like could collect information about you."
There's no way around these very simple facts; the best you can do is to change what you expect from the service. As an example, e-mail spam would be rapidly defeated if you limited yourself to only receiving information from sources you have approved in advance, but that is too limited for most people, because we want our friends to be able to give our e-mail addresses to their friends if they have something nice to tell us. Therefore we will get e-mails we don't want. If you want to change this you have to either change your expectations of what e-mail should do, or you have to change the behavior of people sending out spam. The easiest way to do the latter is to penalize businesses who do it.
Are you sure your 'girlfriend' doesn't think it's 'unsolicited'? It might be a hint that your mail looks like fraudulent advertising.
All this will do is show that the internet is insecure; no matter what company runs an app, it can always be exploited.
hxxp://nthegreat.co.nr
whitelisting a domain, email address or ip address means that you are trusting someone else to make sure their message server (and accompanying mail admin) is doing things right. There's also the possibility, due to pressure from your boss, you're allowing a known spam machine to send you mail and then it's up to you to regex out the spam. Whitelisting allows otherwise blockable items through. Email and webhosting rule #1: "You get what you pay for." If you're using something free to do business, you are sharing machines used by a thousand other computers. How many of those thousand other computers are running some form of a compromised/infected (read: microsoft) computer? Hotmail is a petri-dish. The pretty blue and green colors are symbolic. Yeah, you can quote that.
I say things which affect my Karma negatively. (and I don't care) For instance: All religion is false.
No, we checked all the obvious stuff. And her company isn't one of those that tries to stop employees from receiving personal e-mail, either.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Does the Information Security Research Team make any memorabilia coins? I imagine an INSERT coin would be quite desirable.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?