Security Hole Turns Gmail Into a Spam Machine
Posted May 11th, 2008 by admin_huliq
Here is what the report on email security says.
This vulnerability enables an attacker to bypass blacklist/whitelist based email filters and freely forge all fields in an email message by having Google’s SMTP servers tricked into functioning as open SMTP relays. We were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages).
Part of the protection against spam attacks uses whitelisting and blacklisting, and INSERT's test showed that Gmail accounts get special treatment from both Hotmail and Yahoo!, which just goes to show this vulnerability could be more severe than it would first appear.
The third part of our experiment was designed to asses (sic) the trust relationship between Gmail and other third parties' email providers. This way, we have open test accounts in two of the other major free email providers: Yahoo and Hotmail. The experiment consisted of sending spam/forged messages from blacklisted IP addresses (our computers) directly to Hotmail's and Yahoo's MX servers and of sending the same messages using our PoC program (i.e. though Gmail's servers). We were able to confirm that indeed messages sent through Gmail's infrastructure had special treatment by Hotmail and Yahoo. Some messages would not even reach the spam box when sent directly, while when relayed through Google's servers by using our program the messages were promptly delivered directly to the victim's inbox.
So, despite the fact that the IP addresses were blacklisted, when relayed through Google's servers, they were received just fine. In this case, too much trust = a big problem, well, at least when exacerbated by this vulnerability.
However, vulnerabilities exist everywhere, so should "special treatment' of this nature take place? Something for providers like Microsoft and Yahoo! - and others - to keep in mind.
Source: by Tech Ex
View Related News
Login or Join Huliq today!
Pictures for this story
- Dark Knight Sequel To Star Matthew Lesko as Riddler?915
- Sandra Sibi Blazic Is Reported Source Of Bale Arrest829
- Rights group ANONYMOUS, dismantling Scientology cult, march in San Diego PRIDE Parade532
- Jordan's Queen Rania Creates a You Tube Channel351
- Nader Releases Letter To Conyers On Impeachment Hearing313
- Rushmore Drive: Search Engine For African Americans268
- Kodak Being Pushy In Best Buy214
- Rights group ANONYMOUS, dismantling Scientology cult, march in San Diego PRIDE Parade15
- Nader Releases Letter To Conyers On Impeachment Hearing13
- Rushmore Drive: Search Engine For African Americans7
- Improvement in antidepressant-related sexual dysfunction in women7
- Washington Mutual: What's Another $3.3 Billion?6
- Nagorno Karabakh Says It Has Proved Right for Existence6
- Housing Bill Meets Bush's Dropped Opposition6