Box of Meat

Security flaw turns Gmail into open-relay server

I can see that this is a good proof of concept for sending forged messages via Gmail, and that Gmail has better delivery to Hotmail and Yahoo than blacklisted IP addresses.  The first part is interesting, but the second part shouldn’t be surprising to anyone.

I have a couple of issues with their testing methodology.  They claim that they could send unlimited messages but they only actually sent 4,000 over 6 hours.  Plus they sent them only to their own test accounts, which means that none of the messages were ever reported to Gmail, Hotmail, or Yahoo as spam.

Now, I may be incorrect on this, but I think Gmail does individual RCPT TO:s no matter how many recipients are on a message they are delivering.  So I have to question how much more effective this method would be for a spammer than just posting to their webmail interface as usual.  It might appear to be better based on their tests, but their tests are not accurate reproductions of a real spam attack. 

First, there’s the lack of user complaints. And bounces.  And spamtrap hits.  A real spam attack would generate some number of those and they would aid in detection.

Second, they only sent to their own test addresses, but they don’t account for personal level filtering that might be present in real user accounts. 

Third, the more recipients on a single spam message, the less randomized the content will be over the entire campaign.  That will actually make it easier to detect.

The current attacks on large webmail providers make use of thousands of freshly created accounts because the providers can quickly action individual accounts.  Since they had to omit the details of the vulnerability, which was the right thing to do, I’m not sure whether the actions the provider would take on the compromised account as soon as it started generating bounces/complaints/spamtrap hits would effectively stop it or not.

Sausage, anonymous contributor

11 May 2008
10:58
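The third objection above (many recipients per message means fewer distinct bodies across the campaign, which is easier to cluster) and the aside about per-recipient RCPT TO can be made concrete. The following is an added example, not code from the post or from the referenced proof of concept: it models delivery as one RCPT TO per recipient, fingerprints each normalised body, and compares a campaign that stuffs 50 recipients on each of 20 messages against one that sends 1,000 single-recipient messages with a per-message salt. The recipient list, body text and threshold are constructed for the demonstration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample data (not from the post): the same 1,000 mailboxes
# reached by two differently shaped campaigns.
RECIPIENTS = [f"user{i}@example.test" for i in range(1000)]
SPAM_BODY = "Cheap meds!  Click  here: http://example.invalid/offer"


def fingerprint(body: str) -> str:
    """Hash a whitespace- and case-normalised body.

    Cosmetic edits (extra spaces, capitalisation) collide on purpose, so
    near-identical copies of one template cluster together.
    """
    norm = re.sub(r"\s+", " ", body.strip().lower())
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def expand_rcpt(messages):
    """Yield one (recipient, body) pair per RCPT TO.

    A message carrying 50 recipients therefore counts 50 times, which is
    what a provider delivering each recipient individually would see.
    """
    for rcpts, body in messages:
        for rcpt in rcpts:
            yield rcpt, body


def cluster(messages):
    """Count how many recipients each body fingerprint reached."""
    return Counter(fingerprint(body) for _, body in expand_rcpt(messages))


def flag_bulk(counts, threshold):
    """Return the fingerprints whose recipient count reaches the threshold."""
    return {fp: n for fp, n in counts.items() if n >= threshold}


def multi_recipient_campaign():
    """20 messages, 50 recipients each, identical body (the PoC shape)."""
    return [(RECIPIENTS[i:i + 50], SPAM_BODY) for i in range(0, 1000, 50)]


def single_recipient_campaign():
    """1,000 messages, one recipient each, body salted per message."""
    return [([rcpt], f"{SPAM_BODY} ref={i}") for i, rcpt in enumerate(RECIPIENTS)]


if __name__ == "__main__":
    threshold = 100  # assumed per-fingerprint volume trigger
    for name, campaign in (("multi-recipient", multi_recipient_campaign()),
                           ("single-recipient", single_recipient_campaign())):
        counts = cluster(campaign)
        print(f"{name}: {sum(counts.values())} RCPT TOs, "
              f"{len(counts)} distinct bodies, "
              f"{len(flag_bulk(counts, threshold))} flagged")
```

Both campaigns generate 1,000 RCPT TOs, so the multi-recipient trick buys nothing on volume; what it does change is that every one of those 1,000 deliveries shares a single fingerprint, which trips a simple per-template threshold that the salted single-recipient campaign never reaches.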


Creative Commons License
Box of Meat is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.