Tuesday, 13 May 2008

Security flaw turns Gmail into spam open-relay server

A recently discovered flaw in Google's very popular e-mail service is capable of turning Gmail into an effective spam machine. According to the Information Security Research Team (INSERT), the flaw allows a spammer to send thousands of bulk e-mails through Google's servers without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail.

The worry is not just that the flaw allows spammers to send a potentially unlimited number of messages; it is also that the trust other e-mail providers place in Gmail could exacerbate any potential spam attack.

Spam currently accounts for 95 percent of all e-mail traffic and many e-mail providers have adopted whitelists and blacklists as a first line of defence against the flood. An e-mail from a known spamming domain (or the corresponding IP address block) may be automatically blocked by any given e-mail service, while an e-mail from a trusted, authenticated source such as Gmail is automatically allowed through the gateway.

Most e-mail providers use multi-level filtering services, which might detect that the forged Gmail message is spam, but the message will have cleared a substantial hurdle that would otherwise have stopped it. Messages originating from Google, it seems, are well regarded by both Yahoo and Hotmail. The INSERT team tested the degree of trust between the three major e-mail providers by sending spam messages to Yahoo and Hotmail using two sources. In the first test, messages were sent from personal systems whose IP addresses had been blacklisted by Yahoo and Hotmail. The second test consisted of sending the exact same message via the Gmail flaw that INSERT discovered.

The difference was significant. E-mail sent to Yahoo and Hotmail from a blacklisted IP didn't even necessarily reach the account's spam box, while forged e-mail sent via Gmail always arrived. That is not to say that trusted-source filtering is bad, but it demonstrates how a security flaw in a single product or service can ripple through an ecosystem.

It is being reported that the flaw is still present at the time of this post.

(Credit to the Ars Technica report.)
