
May 9th, 2008

Gmail can be used as “Spam Bazooka”

Posted by Garett Rogers @ 7:46 am

Categories: Gmail

Tags: Google Inc., Google Gmail, Vulnerability, Spam, E-mail Providers, Security, Internet, Garett Rogers

INSERT, the Information Security Research Team, has successfully created a proof of concept exploiting the “trust hierarchy” that exists between mail service providers. Taking advantage of the way Gmail forwards messages, the team was able to send 4000 messages in a short period of time from a single account without any countermeasures taken by Google.

Using Google as an open email relay is highly desirable for spammers because Gmail is trusted by most email providers — making messages sent through Gmail immune to most spam filtering.

Since the messages are delivered by Google’s own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send forged email messages unrestrictedly through Google’s server infrastructure.
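The weakness described above, seen from the receiving side, as an added example that is not from the article or the INSERT paper: a filter that lets an allowlisted relay skip every other check, beside one that keeps relay reputation as a single signal and still scores content and tracks per-sender volume. The relay range, term list, thresholds and message fields are assumptions, and the sample messages are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed values: a documentation-range network stands in for a trusted
# provider's outbound relays; terms and thresholds are illustrative only.
TRUSTED_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]
SPAM_TERMS = ("cheap pills", "wire transfer", "act now")
BURST_LIMIT, WINDOW_SECONDS = 100, 600   # messages per sender per window

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RELAYS)

def content_score(body):
    text = body.lower()
    return sum(term in text for term in SPAM_TERMS)

def allowlist_only_filter(msg):
    """Weak policy: a trusted relay short-circuits every other check."""
    if is_trusted(msg["relay_ip"]):
        return "accept"
    return "reject" if content_score(msg["body"]) >= 1 else "accept"

class ReputationAsSignalFilter:
    """Hardened policy: relay trust raises the content threshold but never
    skips scoring, and per-sender volume is tracked for trusted relays too."""

    def __init__(self):
        self.seen = defaultdict(list)   # envelope sender -> arrival times

    def verdict(self, msg):
        times = self.seen[msg["mail_from"]]
        times.append(msg["ts"])
        # Keep only arrivals that fall inside the sliding window.
        times[:] = [t for t in times if msg["ts"] - t < WINDOW_SECONDS]
        if len(times) > BURST_LIMIT:
            return "defer"              # burst from one account: slow it down
        threshold = 2 if is_trusted(msg["relay_ip"]) else 1
        return "reject" if content_score(msg["body"]) >= threshold else "accept"

def constructed_burst(n, body="Act now for cheap pills"):
    """Constructed sample: n messages, one per second, from one sender."""
    return [{"relay_ip": "203.0.113.25", "mail_from": "acct@provider.example",
             "ts": i, "body": body} for i in range(n)]
```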

There has been no official comment by Google on this matter yet, but I’m hoping the problem will be resolved in short order. The vulnerability isn’t as serious as past ones that exposed contact lists, or let attackers steal cookies, but that shouldn’t stop it from being high priority.

For more details on this vulnerability, you can read the draft paper by INSERT here.

Garett Rogers is employed as a programmer for iQmetrix, which specializes in retail management software for the wireless industry. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 7 Talkback(s)
Why people continue to use Google's services,
signature «Loverock Davidson» informs us, «is beyond [him]». Along with much else, to judge from his appearances on this forum. Others more fortunate, however, do seem to possess the wherewithal to g...
Posted by: mhenriday Posted on: 05/13/08
Not just Gmail! See Backscatter FYI _dietrich   | 05/09/08
Vital that this Gmail vulnerability is fixed, mhenriday   | 05/09/08
RE: Gmail can be used as Loverock Davidson   | 05/09/08
Pfffffffffft. _dietrich   | 05/09/08
Why people continue to use Google's services, mhenriday   | 05/13/08
Still a beta service genericman   | 05/10/08
if you try this in python, gmail stops you using it as a mail relay. stevey_d   | 05/10/08


6 Trackbacks


  • Gmail can be used as “Spam Bazooka” by ZDNet's Garett Rogers ...
    Gmail can be used as “Spam Bazooka” by ZDNet's Garett Rogers -- INSERT, the Information Security Research Team, has successfully created a proof of concept exploiting the “trust hierarchy” that exists between mail service providers. ...

    Trackback by Linux Vortex — May 11, 2008 @ 5:18 am

  • Google Mail flaw makes Open Relay
    Google Mail’s servers have a security flaw which could allow spammers to send unlimited amounts of spam. Given that most other providers trust gmail, this means that lots of spam could get through due to google being whitelisted. ...

    Trackback by Murky.org — May 11, 2008 @ 10:38 am

  • Google Can Send Spam
    For those who are so loyal to Page and Brin that they can't let go of their Gmail accounts. I've got some news for you. QUOTE. INSERT, the Information Security Research Team, has successfully created a proof of concept exploiting the ...

    Trackback by Trap17 - Latest Topics — May 13, 2008 @ 3:07 pm

  • More on Google's conflict of interest in protecting G-mail users ...
    Garett Rogers of ZDnet has a good post on how "Gmail can be used as a "Spam Bazooka"". This real and increasing Google security problem provides even more evidence to my recent posts of why Google is increasingly being targeted and ...

    Trackback by The Precursor Blog by Scott Cleland - Forward Thinking At The Nexus Of Policy, Markets And Change — May 13, 2008 @ 4:30 pm

  • Google Mail flaw makes Open Relay
    Google Mail’s servers have a security flaw which could allow spammers to send unlimited amounts of spam. Given that most other providers trust gmail, this means that lots of spam could get through due to google being whitelisted. I don’t *think* it affects the security of arbitrary accounts on gmail, so for individual users, no action is needed.

    Trackback by Anonymous — June 26, 2008 @ 3:08 am

  • Gmail can be used as “Spam Bazooka”
    that exists between mail service providers. Taking advantage of the way Gmail forwards messages, the team was able to send 4000 messages in a short period of time from a single account… Original post by Security News items, Blog posts on ZDNet and Wordpress Niche Blogs by Wordpress Niche Blogs

    Trackback by Anonymous — June 26, 2008 @ 3:08 am
