Gmail As Open-Relay Spam Server

← Back to Stories (view on slashdot.org)

Gmail As Open-Relay Spam Server

Posted by kdawson on Saturday May 10, 2008 @01:14PM from the if-you're-not-part-of-the-solution-you're-part-of-the-precipitate dept.

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

32 of 145 comments (clear)

Idiots better get off their ass by EdIII · 2008-05-10 13:13 · Score: 5, Informative

Speaking as a mail server administrator I sincerely hope that they fix this pronto. There is no way that I can just block gmail addresses from my mail server given how huge gmail already is. I literally have no choice but to ride this out and hope for the best.

I have already checked my server logs and the fun just started a little while ago. Yay!....
1. Re:Idiots better get off their ass by lambent · 2008-05-10 13:30 · Score: 4, Interesting
  
  I can second the above statement, since I've seen the exact same traffic.
  
  Unfortunately, this sort of thing will continue to crop up. E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system. To combat spam, mail admins have had to take many unorthodox and RFC-bending practices (if not out-right ignoring RFCs all together). Otherwise, users complain about too much spam. The down side, users then complain about e-mail delays or non-deliverables. So, you get systems setting up certain ways to bypass filters for hopefully trusted domains. And then this whole new problem comes up when people figure out new ways to abuse the system, its safeguards, and hidden/implicit trusts.
  
  Ugh. At this point, I just want to turn SMTP off completely. This is a losing battle.
2. Re:Idiots better get off their ass by Baumi · 2008-05-10 13:31 · Score: 4, Insightful
  
  By riding this out, you give no incentive to actually fix anything. In theory, you're right: If all the server admins in the world united and blocked GMail, that'd send a message to Google to fix this ASAP.
  
  In practice, however, Google is likely to do just that anyway, and since there is no organized blacklisting going on, a sole action by the GP poster would most likely annoy his users while Google itself wouldn't even notice it.
  
  (Unless, of course, the GP happens to be the sysadmin for Hotmail, Yahoo! Mail or something similar - in that case: Blacklist, baby! ;-) )
3. Re:Idiots better get off their ass by Midnight+Thunder · 2008-05-10 14:19 · Score: 4, Interesting
  
  E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system.
  
  I hear this being said over and over again. The problem is that no one has been able to provide a solution to resolved the problem. There have been suggestions, but doing so without penalizing the small guy is hard. Do we require certificates and if we do how can we ensure that it will be 100% fool proof? Do we only accept e-mail that hasn't been relayed or only accept mail from white listed relays, or create rules for them, if relays are to be tolerated in certain conditions?
  
  --
  Jumpstart the tartan drive.
4. Re:Idiots better get off their ass by Kent+Recal · 2008-05-10 14:36 · Score: 3, Interesting
  
  I think what GP meant when he said E-mail is fundamentally broken is that SMTP is fundamentally broken.
  
  There are trivial technical solutions for the spam problem if only we could get rid of SMTP.
  Ofcourse "we" can't but my hopes are that google may do it eventually. They could roll out a new system on a large enough scale to actually make it stick.
5. Re:Idiots better get off their ass by Robotech_Master · 2008-05-10 14:49 · Score: 4, Informative
  
  Problem with this is that a lot of people (myself included) use gmail for the ease of use, but prefer to keep their own email address as the return address for various reasons.
  
  --
  Editor Emeritus and Senior Writer, TeleRead.org
6. Re:Idiots better get off their ass by martin-boundary · 2008-05-10 15:04 · Score: 3, Insightful
  
  That's not a problem. That's what the Reply-To: field is for.
7. Re:Idiots better get off their ass by EdIII · 2008-05-10 15:06 · Score: 3, Insightful
  
  Heh. Bwahahahah... *cough*
  
  SpamCop and SpamHaus blocking Google? How do they say it... When Pigs Fly?
  
  People that use both of those services, free and paying customers alike, rely on them automatically managing their lists. I am sure, and I am certainly adding myself to this, that "we" don't expect these services to add Hotmail, GMail, Yahoo, etc. You can also toss Comcast, AT&T, Time Warner's Roadrunner, Cox, etc. to the list too.
  
  Unfortunately, there is such a thing as being too big to blacklist. I don't know how many millions of customers that it starts at, but GMail passed whatever mark that was a long time ago.
  
  Organized blacklisting only applies to much much smaller entities.
8. Re:Idiots better get off their ass by schon · 2008-05-10 15:08 · Score: 5, Insightful
  
  There are trivial technical solutions for the spam problem if only we could get rid of SMTP. No, there aren't.
  
  Spam exists because there are sociopaths who want to steal resources from others. There is *NO* technical solution to this. If your SMTP replacement allows anyone to contact anyone else, it will allow spammers to contact anyone.
  
  Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.
9. Re:Idiots better get off their ass by martin-boundary · 2008-05-10 15:11 · Score: 4, Interesting
  
  Why do people say this? SMTP is not broken. It's a low level protocol which works pretty damn well. What people should concentrate on is building higher layers on top of SMTP and RFC2822, rather than complaining about SMTP itself.
  This is like complaining that wheels don't protect against being rained on, so cars should be redesigned from scratch.
10. Re:Idiots better get off their ass by EdIII · 2008-05-10 15:14 · Score: 4, Informative
  
  That sounds logical but it won't work.
  
  The spammers don't care about what their FROM and REPLYTO fields actually say. Since this is a man-in-the-middle attack they could put practically anything with a @gmail.com in those fields and it will render your solution ineffective.
  
  The real problem with this exploit is that it bypasses all of Google's security measures and anything I could do on my end would only verify that the email actually came from a real Google mail server and from a Google email user. So then I can only rely on SPAM filtering based on content which is not as effective as we would all like it to be.
11. Re:Idiots better get off their ass by jrp2 · 2008-05-10 15:31 · Score: 3, Informative
  
  "How about blocking all emails from gmail servers not coming from an @gmail.com address?"
  
  Won't work.
  
  There are boatloads of people and companies using Google with their own domains. Google Apps, Google Enterprise, etc.
  
  Also, many of the spammers are using gmail addresses. Remember, they don't care about return emails, they just drive people to their websites.
  
  --
  The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
12. Re:Idiots better get off their ass by Paradise+Pete · 2008-05-10 15:42 · Score: 4, Insightful
  
  Then why is the spam problem so much bigger than the telemarketer or junk fax problem?
  Cost, plain and simple. The fundamental way to reduce spam is to make it cost more to do. Of course actually figuring out a good way to do that is left as an exercise for the reader.
13. Re:Idiots better get off their ass by Chandon+Seldon · 2008-05-10 16:28 · Score: 4, Insightful
  
  Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.
  
  That's generally true.
  The problem is that SMTP makes it drastically worse than it needs to be with a push model. The spammer can send a million messages, and they've all already been accepted by the destination server before anyone has a chance to complain.
  If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered. Sure, that doesn't kill the spam problem utterly dead - but it does mean that current spam management resources could keep it down to well under 90% of all email.
  
  --
  -- The act of censorship is always worse than whatever is being censored. Always.
14. Re:Idiots better get off their ass by schon · 2008-05-10 17:08 · Score: 3, Insightful
  
  Then why is the spam problem so much bigger than the telemarketer or junk fax problem? Because we have laws regulating them, which (amazingly enough) is how society deals with social problems.
  
  Thank you for illustrating my point.
15. Re:Idiots better get off their ass by Niten · 2008-05-10 18:58 · Score: 3, Insightful
  
  If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered.
  The thing is that we can already achieve the same effect through a combination of greylisting and a trustworthy blacklist: an unknown (non-whitelisted) sender cannot deliver messages immediately, and if they're one of the few spammers who will retry deliver after a temporary failure, then by that time odds are that they will have been blacklisted.
  
  Sure, it's possible that a pull model might prove slightly more effective even so, but neither model will ever kill spam dead. And "possibly slightly better at dealing with spam, but probably just the same" isn't nearly enough to justify uprooting the world's entire email infrastructure.
16. Re:Idiots better get off their ass by DougBTX · 2008-05-10 21:36 · Score: 3, Insightful
  
  before anyone has a chance to complain.
  All it takes is a spammer to use his distributed botnet to post thousands of complaints about legitimate email, and you're back to filtering push requests. You're also assuming that the spammer only has one plug to pull.
17. Re:Idiots better get off their ass by Dekortage · 2008-05-12 00:10 · Score: 3, Interesting
  
  Yes, C/R is annoying when you have to sift through your mailbox to separate spam from Challenges. When they look like any other E-Mail with not even a standard formatting to identify them. When the procedure varies between clicking a link, replying or even quoting some gibberish text from the mail (oh and don't get it wrong or it won't work), etc.
  
  C/R is annoying because people want their messages to be delivered, without additional work. It's not even that I have to scan a spambox, or that they look like any other e-mail. It's that I have do to ONE MORE THING to have the message delivered. If this had been the way e-mail worked originally, then people might accept it; but now, everyone is used to sending e-mail and having it arrive without interruption (generally speaking).
  C/R would be widely accepted if you think more of the way skype does it. A simple dialog box, one click, done. This is the kind of integration I'm thinking of and I'm pretty convinced that even people like Mr. Pogue would happily accept it if it reduces their spam input to zero.
  
  Respectfully, I'm pretty convinced that it will not work unless the spam problem becomes so excessively bad that people are willing to change their e-mail habits. We are not yet to that point, thanks to all the other half-baked anti-spam solutions out there.
  
  --
  $nice = $webHosting + $domainNames + $sslCerts
Whitelists don't work. by techno-vampire · 2008-05-10 13:18 · Score: 5, Insightful

This flaw is valuable because it's clear proof that whitelists don't work. No domain is above suspicion when it comes to sending spam. About the only real use the domain can be is as an adjustment to your filters. Done properly, mail from gmail.com is marked as less likely to be spam than mail from cyberpromo.com, but it's still checked.

--
Good, inexpensive web hosting
Interesting... by Animaether · 2008-05-10 13:28 · Score: 5, Informative

...was "a little while ago" on thursday?

Because that's when the existence of the vulnerability was already known, at least. The people who figured it out aren't telling the world how to do it (I'm sure clever people can figure it out), and are / were waiting for Google to fix it first.

http://ece.uprm.edu/~andre/insert/gmail.html

You might be seeing plain ol' spam from gmail; it's been having its share of problems with spammers since both captcha crack -and- before that by manual sign-up, simply -because- everybody trusted gmail (what, with the forced SMS/Text Message sign-up, invite-only, etc. preceding).
Re:DeBunking? by peragrin · 2008-05-10 13:29 · Score: 4, Insightful

last I checked it was 6.5 gigs of storage.

i figure google will have this locked down soon enough though. It's not like they won't notice the sudden burst of traffic. Some guy is going to be working hard tonight.

--
i thought once I was found, but it was only a dream.
Re:DeBunking? by osu-neko · 2008-05-10 13:37 · Score: 3, Interesting

Well, this ruins GMail's major argument. nNw all they have left is "You get 2 GB of storage".
Huh? What argument are you refering to, and how does this ruin it?

The only "argument" I can think you might be refering to is that, by using Gmail, you avoid having to see a lot of spam due to their excellent spam filterings. This doesn't ruin that argument in any way. In fact, since it primary impacts sites like Yahoo and Hotmail (who will see more spam if they continue to whitelist Gmail), it strengthens it. You're now see even less spam using Gmail, comparatively speaking.

--
"Convictions are more dangerous enemies of truth than lies."
Re:Blacklist gmail by XanC · 2008-05-10 13:55 · Score: 3, Funny

Yes, who would do business with such an entity. Probably about as many as would trust their business hosting to a company who declares its home page to be XHTML 1.1 but then serves it as text/html. Not to mention the 88 validation errors.

The point is you can't jump straight for the "nuclear" option. Although to be honest I wouldn't use such a Web host.
Re:Wow, slashdot doesnt give a crap by Midnight+Thunder · 2008-05-10 14:12 · Score: 3, Interesting

Pretty much any email server can be used as a relay in this manner, the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.

Certainly, but this can be reduced by making sure that e-mail coming from the outside world can only be sent to gmail addresses and e-mail going to the outside world requires password authentication by the sender. One issue that we are starting to see it e-mail being bounced to a different part than the one that officially sent the e-mail. Other measures that can help is only accepting e-mail from external mail servers who's name can be resolved from its address.

The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process.

--
Jumpstart the tartan drive.
parent, INSIGHTFUL? by wamatt · 2008-05-10 14:19 · Score: 3, Insightful

What planet are you from? No self respecting ISP in the world would try pull that.

You going to go an make some ideological bullshit point and piss all over your customers when it's not going to make the slightest difference to Google.

Go right ahead!
You should have known by OMNIpotusCOM · 2008-05-10 14:20 · Score: 3, Funny

It's just a beta guys. There's going to be bugs in the system =)
They'll fix it if it gets enough bad publicity by Animats · 2008-05-10 15:24 · Score: 5, Insightful

Bad publicity made Google fix their open redirector for URLs. Bad publicity will make them fix this.
GMail ought to go back to cell phone authentication for new accounts. Since their capcha was broken, they've become a favorite of spammers.
Blogspot is also a spam haven. Most blogspot blogs are spam, and they can be used as a form of open redirector. Look for spams like: "An IWC watch is a uniquely handcrafted time piece ... http://rexefute51720.blogspot.com/"
Complain loudly, publicly, and often. Google needs to take stronger steps to avoid being a spam conduit.
1. Re:They'll fix it if it gets enough bad publicity by Lincolnshire+Poacher · 2008-05-10 20:03 · Score: 3, Insightful
  
  > Bad publicity made Google fix their open redirector for
  > URLs. Bad publicity will make them fix this
  
  Your optimism is like a ray of Sunlight in a dark world, but I
  fear it is misplaced.
  
  Many USENET groups are virtually unreadable today because of the
  torrent of spam posting originating from Google Groups accounts.
  Thousands of users have submitted precise spam reports to Google,
  quoting the article-IDs. Result? None. Consequence? USENETters
  start to block any and all Google Groups postings
  ( though http://improve-usenet.org/ seems to have died )
  
  Without the pressure of blacklisting, I do not think that Google
  will be inclined to address the mail spam problem either. It only
  affects third parties at present, so why expend resources fixing
  it when there is no immediate benefit to their users?
Re:Wow, slashdot doesnt give a crap by Jurily · 2008-05-10 15:26 · Score: 4, Insightful

The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process. Recently I've been getting spam that convinced them that I was the sender, and even "(unknown sender)" ones. One would think that's not that hard to decide.

The other problem is, Hotmail and Yahoo trusting Gmail. In the world of email, there is no such thing as a trustworthy server.
Re:Blacklist gmail by mikeage · 2008-05-10 18:45 · Score: 3, Funny

How about 10 errors?

http://validator.w3.org/check?verbose=1&uri=http://www.taylorbyrnes.org/

--
-- Is "Sig" copyrighted by www.sig.com?
Re:Wow, slashdot doesnt give a crap by Lincolnshire+Poacher · 2008-05-10 19:42 · Score: 5, Insightful

> The real problem is really deciding what is a legitimate
> source of e-mail, without requiring a central registry of
> e-mail servers or some other sort of bureaucratic process.

Well that's the problem that SPF solves. Each domain owner
creates a DNS entry that specifies which mail servers are
permitted to send mail for that domain. When an MX receives
a HELO it checks that the originating IP corresponds with
the DNS entry; if not, the mail can be rejected or subjected
to further inspection and scoring.

Simple to implement, I've done it in 20 minutes for my domain
( 20 minutes from ``What is this project?'' to submitting the
DNS change ).

http://www.openspf.org/
Silly question by HTH+NE1 · 2008-05-12 06:35 · Score: 3, Funny

Does the Information Security Research Team make any memorabilia coins? I imagine an INSERT coin would be quite desirable.

--
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?