May 11, 2008 10:35 AM PDT

Flaw turns Gmail into spamming machine

by Steven Musil

A "serious security flaw" in Gmail turns Google's e-mail service into a spamming machine, according to a recent security report.

INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google's SMTP service, bypassing Google's 500-address bulk e-mail limit and identity fraud protections.

The report notes that with the rising volume of spam, e-mail providers have turned to whitelists and blacklists to help root out IP addresses of known spammers. Because Gmail falls into the trusted-whitelist category, messages are allowed "carte blanche" to bypass spam filtering.

INSERT's report notes that no extraordinary Internet expertise is necessary to exploit the flaw:

In this regard, this document presents a vulnerability report and a proof-of-concept attack that demonstrate how anyone with no special Internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail account in order to be granted nearly unrestricted access to Google's massive whitelisted SMTP relay infrastructure.

Google has offered no official comment on the report.

This isn't the first Google tool to appeal to spammers. In April, my colleague Elinor Mills reported that spammers were now using Google Calendar.

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.
by Anon-Y-mous May 11, 2008 12:09 PM PDT
They must be running a server with some flawed M$ code somewhere on it. There is no way Google would have their own code that could be exploited in any way.
by Anon-Y-mous May 11, 2008 12:09 PM PDT
[s]They must have a server running M$ code because there is no way Google could have their system compromised if it was entirely their own code. They write perfect code. What has the world come to?[/s]
by Trerro May 11, 2008 12:39 PM PDT
"By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google's SMTP service, bypassing both Google's 500-address limit on bulk e-mail."

So it bypasses both the address limit and



and what? :P
by Trerro May 11, 2008 12:42 PM PDT
"By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google's SMTP service, bypassing both Google's 500-address limit on bulk e-mail."

So it bypasses both the address limit and.

Uhhh... and what? :P
by mojojam May 11, 2008 1:45 PM PDT
Dang, they must have hired some microsoft programmers.
by stevenmusil May 11, 2008 2:14 PM PDT
Oops! Oh, the perils of being my own editor. Thanks for pointing out the omission. I meant to say that the flaw bypassed the identity fraud protections.
by bj1126 May 11, 2008 3:33 PM PDT
Yeah this has been going on for a while. Google has basically said they are doing nothing wrong but man is it getting annoying.
by rcrusoe May 11, 2008 4:27 PM PDT
Is this the first major Google goof? It will be interesting to see how fast they can respond to this. The fact that a lot of schools and a growing number of companies are using Google Apps is a big incentive to jump on this.
by someguy999 May 11, 2008 7:10 PM PDT
The irony that this comes on the same time as news.com is trumpeting how "Google gains on Microsoft with hosted security offering" If anyone wondered about why there is skepticism about security appliances in the cloud... this is it.
by happyguy77 May 12, 2008 8:06 AM PDT
Wow, Google really set up a nice spamming tool then. As-is, Gmail already screws with email headers on outbound GMail messages, so if a spammer sends spam from a GMail address there's no way to track them back to their IP address. Thanks, Google!
by benjaminstraight July 17, 2008 3:31 AM PDT
Boo!