Flaw lets spammers use Gmail for sending bulk e-mail
The persistent battle against junk e-mail is already difficult, with 95% of messages sent being spam, but a vulnerability in Gmail could inadvertently worsen the problem until fixed.
The Information Security Research Team (INSERT) has helped to uncover a security flaw that transforms Google's popular Gmail service into a spam machine by turning the Google SMTP servers into open SMTP replays.
Many e-mail providers use a blacklist to block the IP addresses of known spammers, while whitelisted addresses can send e-mails that pass through the filters freely. This can cause major problems if the system of a trusted provider such as Google is compromised and its users able to send spam.
The proof of concept (PoC) test attack used by INSERT allowed the group to use a single Gmail account to send a bulk e-mail to 4,000 people in a six-hour time frame, with no limitations to stop the group from sending more messages. Google typically has a cap of 500 e-mail addresses as a bulk e-mail limit.
The final part of the experiment included sending e-mails from blacklisted IP addresses on the INSERT network to MX servers used by Yahoo and Hotmail and then sending similar messages through the Gmail servers instead. Messages sent to the Yahoo and Hotmail e-mail addresses through blacklisted IPs were much more likely to get blocked, while e-mails sent through the Gmail servers were able to successfully reach their target inboxes.
INSERT has not fully published details of the vulnerability so that Google can have time to fix the problem.
"To our best knowledge this is the first public description of this vulnerability and also the first proof of concept attack. Google has already been notified about this issue ad we are waiting their position to release further details," the group wrote in its advisory.
Google has yet to respond to the published INSERT report, but it's not the first time flaws in Gmail have been exploited to the benefit of spammers. In February, security research firm WebSense discovered that Gmail's CAPTCHA signup test had been compromised, enabling spam bots to register with the service.