Print this article  |  E-mail this article  |  Comment on this article

Flaw lets spammers use Gmail for sending bulk e-mail

By Michael Hatamoto, BetaNews

May 12, 2008, 3:58 PM

The persistent battle against junk e-mail is already difficult, with 95% of messages sent being spam, but a vulnerability in Gmail could inadvertently worsen the problem until fixed.

The Information Security Research Team (INSERT) has helped to uncover a security flaw that transforms Google's popular Gmail service into a spam machine by turning the Google SMTP servers into open SMTP replays.

Many e-mail providers use a blacklist to block the IP addresses of known spammers, while whitelisted addresses can send e-mails that pass through the filters freely. This can cause major problems if the system of a trusted provider such as Google is compromised and its users able to send spam.

The proof of concept (PoC) test attack used by INSERT allowed the group to use a single Gmail account to send a bulk e-mail to 4,000 people in a six-hour time frame, with no limitations to stop the group from sending more messages. Google typically has a cap of 500 e-mail addresses as a bulk e-mail limit.

The final part of the experiment included sending e-mails from blacklisted IP addresses on the INSERT network to MX servers used by Yahoo and Hotmail and then sending similar messages through the Gmail servers instead. Messages sent to the Yahoo and Hotmail e-mail addresses through blacklisted IPs were much more likely to get blocked, while e-mails sent through the Gmail servers were able to successfully reach their target inboxes.

INSERT has not fully published details of the vulnerability so that Google can have time to fix the problem.

"To our best knowledge this is the first public description of this vulnerability and also the first proof of concept attack. Google has already been notified about this issue ad we are waiting their position to release further details," the group wrote in its advisory.

Google has yet to respond to the published INSERT report, but it's not the first time flaws in Gmail have been exploited to the benefit of spammers. In February, security research firm WebSense discovered that Gmail's CAPTCHA signup test had been compromised, enabling spam bots to register with the service.

Add a Comment (6 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By Realist

posted May 28, 2008 - 3:14 PM

My gmail address which forwards to my Comcast address was blocked yesterday by Comcast and I had to call deep into blacklist tech support to get a tier of 30 Google server IP's which included my address unblocked.

Last night my brother in law sent me a failure notice he got back from Hotmail when trying to send from his gmail address.

So...things are pretty difficult out there right now for Gmail and it's spam problem.

Score: 0

By tscar13

edited May 13, 2008 - 2:19 PM

Ok.. I admit I have a problem with Google and it's constant attempts to track for ads your movements on the net but the below quote frankly made me laugh because I don't trust google:
"This can cause major problems if the system of a trusted provider such as Google is compromised and its users able to send spam."

Also, to the person that mention that their business account was run through Yahoo, I must admit this surprises me because most business have an internal email system and, god knows, I trust Yahoo even less than Google.

Score: 0

By Second Shadow

posted May 13, 2008 - 12:11 AM

"turning the Google SMTP servers into open SMTP replays"
I guess it should be "relays", not "replays"

Score: 0

By dougggg

posted May 12, 2008 - 6:15 PM

I am not surprised. I have noticed lately that almost all craigslist spam is from gmail accounts.

Score: 0

By FmlyRnn

posted May 12, 2008 - 4:48 PM

MMMmm... Normally, I would not respond to something like this, I am not a Google fan but for business most of my client's use Gmail. So, I got an account. I visit Gmail about once a week, then a couple of days ago it exploded with SPAM. Usually there is about 1 or 2 pieces there that are JUNK. Nevertheless, one would think that Google would have been on top of this. To think, I was invited into this...

Score: 0

By mjm01010101

posted May 12, 2008 - 4:22 PM

Speaking of gmail spam, my gmail account has marked legit mail as spam on average 6 times a year since I got it. This means the spam filter is fairly useless, as I still have to weed through all my spam to find any legit mail that it may have captured.

I don't have to do this for my work account or my yahoo account. Shameful.

Score: 0

Oct 11 - 11:16 AM ET Things left unsaid, in a recent interview with Sony's CEO

Oct 11 - 11:03 AM ET EU regulations block Italian ISPs from blocking Pirate Bay

Oct 11 - 10:55 AM ET Making it to Apple's App Store by staying out of court

Oct 10 - 7:43 PM ET Wal-Mart changes its mind, leaves existing DRM servers up

Oct 10 - 7:05 PM ET Hands on: An amateur photographer tests out Adobe's latest Lightroom

Oct 10 - 6:52 PM ET Mobile service providers brace for the economic storm

Oct 10 - 6:24 PM ET Apple warns users about bad Nvidia graphics chips

Oct 10 - 4:21 PM ET New Norton Vista tool trades UAC for online feedback

Oct 10 - 3:23 PM ET Verizon Wireless to raise fees for service-related texts

Oct 10 - 3:04 PM ET BlackBerry Bold sales halted in UK