
May 9th, 2008

Gmail can be used as "Spam Bazooka"

Posted by Garett Rogers @ 7:46 am

Categories: Gmail

Tags: Google Inc., Google Gmail, Vulnerability, Spam, E-mail Providers, Security, Internet, Garett Rogers

INSERT, the Information Security Research Team, has successfully created a proof of concept exploiting the “trust hierarchy” that exists between mail service providers. Taking advantage of the way Gmail forwards messages, the team was able to send 4000 messages in a short period of time from a single account without any countermeasures taken by Google.

Using Google as an open email relay is highly desirable for spammers because Gmail is trusted by most email providers — making messages sent through Gmail immune to most spam filtering.

Since the messages are delivered by Google’s own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send forged email messages unrestrictedly through Google’s server infrastructure.

There has been no official comment by Google on this matter yet, but I’m hoping the problem will be resolved in short order. The vulnerability isn’t as serious as past ones that exposed contact lists, or let attackers steal cookies, but that shouldn’t stop it from being high priority.

For more details on this vulnerability, you can read the draft paper by INSERT here.

Garett Rogers is employed as a programmer for iQmetrix, which specializes in retail management software for the wireless industry. See his full profile and disclosure of his industry affiliations.



  • Talkback
  • Most Recent of 7 Talkback(s)
Why people continue to use Google's services,
signature “Loverock Davidson” informs us, “is beyond [him]”. Along with much else, to judge from his appearances on this forum. Others more fortunate, however, do seem to possess the wherewithal to g...
Posted by: mhenriday Posted on: 05/13/08
Not just Gmail! See Backscatter FYI  D. T. Schmitz | 05/09/08
Vital that this Gmail vulnerability is fixed,  mhenriday | 05/09/08
RE: Gmail can be used as  Loverock Davidson | 05/09/08
Pfffffffffft.  D. T. Schmitz | 05/09/08
Why people continue to use Google's services,  mhenriday | 05/13/08
Still a beta service  genericman | 05/10/08
if you try this in python, gmail stops you using it as a mail relay.  stevey_d | 05/10/08
