According to research by the Information Security Research Team (INSERT), a flaw in Google's email service makes it vulnerable to becoming a mass spam generator. The research is part of an ongoing study on the "trust hierarchy" that exists within the email system.
The flaw allows a single Gmail account to send bulk messages to more than 4,000 email accounts, a number that surpasses Gmail's 500-message limit for bulk messages.
The study explains that the IP addresses of spam offenders are blacklisted, while those of known good sources are white-listed. As a result, messages from blacklisted IPs are rejected before they even enter the system, while white-listed addresses are granted carte blanche to bypass most filters.
The study (chunks of which are omitted in the public report as a courtesy to Google) states that anyone with no special Internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers can exploit a Gmail account in order to be granted near-unrestricted access to Google's white-listed SMTP relay service.
The vulnerability enables a hacker to bypass these blacklist/white-list based email filters and freely forge all fields in an email message by tricking Google's SMTP servers into functioning as open SMTP relays.
During testing, the researchers limited the number of bulk messages sent to 4,000+. However, they said they saw no counter-measures to suggest that they could not have sent more than that, which means they could have sent an unlimited number of messages to other email accounts. Google has yet to comment on this issue.