RSSFlaw lets spammers use Gmail for sending bulk e-mail
By Michael Hatamoto | Published May 12, 2008, 3:58 PM
The persistent battle against junk e-mail is already difficult, with 95% of messages sent being spam, but a vulnerability in Gmail could inadvertently worsen the problem until fixed.
The Information Security Research Team (INSERT) has helped to uncover a security flaw that transforms Google's popular Gmail service into a spam machine by turning the Google SMTP servers into open SMTP replays.
Many e-mail providers use a blacklist to block the IP addresses of known spammers, while whitelisted addresses can send e-mails that pass through the filters freely. This can cause major problems if the system of a trusted provider such as Google is compromised and its users able to send spam.
The proof of concept (PoC) test attack used by INSERT allowed the group to use a single Gmail account to send a bulk e-mail to 4,000 people in a six-hour time frame, with no limitations to stop the group from sending more messages. Google typically has a cap of 500 e-mail addresses as a bulk e-mail limit.
The final part of the experiment included sending e-mails from blacklisted IP addresses on the INSERT network to MX servers used by Yahoo and Hotmail and then sending similar messages through the Gmail servers instead. Messages sent to the Yahoo and Hotmail e-mail addresses through blacklisted IPs were much more likely to get blocked, while e-mails sent through the Gmail servers were able to successfully reach their target inboxes.
INSERT has not fully published details of the vulnerability so that Google can have time to fix the problem.
"To our best knowledge this is the first public description of this vulnerability and also the first proof of concept attack. Google has already been notified about this issue ad we are waiting their position to release further details," the group wrote in its advisory.
Google has yet to respond to the published INSERT report, but it's not the first time flaws in Gmail have been exploited to the benefit of spammers. In February, security research firm WebSense discovered that Gmail's CAPTCHA signup test had been compromised, enabling spam bots to register with the service.
Ok.. I admit I have a problem with Google and it's constant attempts to track for ads your movements on the net but the below quote frankly made me laugh because I don't trust google:
"This can cause major problems if the system of a trusted provider such as Google is compromised and its users able to send spam."
Also, to the person that mention that their business account was run through Yahoo, I must admit this surprises me because most business have an internal email system and, god knows, I trust Yahoo even less than Google.
Score: 0
"turning the Google SMTP servers into open SMTP replays"
I guess it should be "relays", not "replays"
Score: 0
I am not surprised. I have noticed lately that almost all craigslist spam is from gmail accounts.
Score: 0
MMMmm... Normally, I would not respond to something like this, I am not a Google fan but for business most of my client's use Gmail. So, I got an account. I visit Gmail about once a week, then a couple of days ago it exploded with SPAM. Usually there is about 1 or 2 pieces there that are JUNK. Nevertheless, one would think that Google would have been on top of this. To think, I was invited into this...
Score: 0
Speaking of gmail spam, my gmail account has marked legit mail as spam on average 6 times a year since I got it. This means the spam filter is fairly useless, as I still have to weed through all my spam to find any legit mail that it may have captured.
I don't have to do this for my work account or my yahoo account. Shameful.
Score: 0