11-05-2008, 10:27 PM   #1
praka123
left this forum longback
Join Date: Sep 2005
Location: -
Posts: 7,536
Security flaw turns Gmail into open-relay server
By Joel Hruska Published: May 10, 2008 - 01:15PM CT

A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail.

A flaw in Gmail that allows spammers to send a potentially unlimited number of messages is definitely a problem, but there's another, external factor that could exacerbate any potential spam attack. As the volume of spam has risen—it currently accounts for 95 percent of all e-mail traffic—many e-mail providers have adopted whitelists and blacklists as a first line of defense against the flood. An e-mail from johdoe@awinnerisyou.com (or the corresponding IP address block) may be automatically blocked by any given e-mail service, while an e-mail from a trusted, authenticated source such as Gmail is automatically allowed through the gateway. E-mail providers regularly use multi-level filtering services, any of which might detect that the forged Gmail missive is actually spam, but the message has cleared a substantial hurdle that would have otherwise barred it from delivery.

E-mail that originates from Google, it seems, is particularly well-regarded by both Yahoo and Hotmail. The INSERT team tested the degree of trust between the three major e-mail providers by sending spam messages to Yahoo and Hotmail using two sources. In the first test, messages were sent from personal systems whose IP addresses had been blacklisted by Yahoo and Hotmail. The second test consisted of sending the exact same message via the Gmail flaw that INSERT discovered.

The difference was significant. E-mail sent to Yahoo and Hotmail from a blacklisted IP didn't even necessarily reach the account's spam box, while forged e-mail sent via Gmail always arrived in the intended account's inbox. The goal here is not to condemn trusted-source filtering as bad, but to emphasize how a security flaw in a single product or service can ripple through an ecosystem. Google will likely act quickly to close this particular loophole, but Yahoo and Hotmail might want to read their Russian proverbs a little more closely. doveryai, no proveryai (Trust, but Verify) remains an eternally good idea.



http://arstechnica.com/news.ars/post...ay-server.html
__________________
left this forum long back. Admin Can Delete this Account and posts Permanently. Thank You
Get GNU/Linux - http://getgnulinux.org
12-05-2008, 12:44 AM   #2
Somebody stop me...

Join Date: May 2008
Location: Paris
Posts: 225
Re: Security flaw turns Gmail into open-relay server

I am not sure but I have read a story somewhere about how a Gmail account was hacked and then the original owner was asked to pay money to give it back..
swordfish is offline  