Computer Crime Research Center


Flaw turns Gmail into spamming machine

Date: May 12, 2008
By: Steven Musil

A "serious security flaw" in Gmail turns Google's e-mail service into a spamming machine, according to a recent security report.

INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google's SMTP service, bypassing both Google's 500-address limit on bulk e-mail.

The report notes that with the rising volume of spam, e-mail providers have turned to whitelists and blacklists to help root out IP addresses of known spammers. Because, Gmail falls into the trusted whitelist category, messages are allowed "carte blanche" to bypass spam filtering.

Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send forged email messages unrestrictedly through Google's server infrastructure.

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo