More details on the “GMail forwarding hole”

Those INSERT guys who’ve been talking about a GMail security hole allowing spammers to relay spam have released more previously redacted details here. (Thanks to the MailChannels blog for pointing that out.)

In essence, the attack works by allowing a spammer to set the “forward to” address in GMail to point at a target address, send a spam to the GMail account, then change the “forward to” address to the next target and repeat.

My response:

  1. it’d be trivial for Google to impose stringent rate limits on “forward to” address changes, and I’d be surprised if they haven’t already.

  2. ditto rate-limiting the rate at which each GMail account can forward messages.

  3. as they say in the paper — if Google required up-front confirmation of the target address before forwarding any mail, that would also cut this out neatly.

  4. It’s worth noting that while GMail’s outbound servers may be whitelisted by some recipient sites, others are treating them negatively — word on the anti-spam “street” is that GMail is becoming a festering pit of 419 scammers these days.
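As an added illustration of mitigations 1 to 3 above (this is example code written for this post, not anything Google runs, and the thresholds are constructed, not Google's real limits): a toy forwarding policy that rate-limits forward-to changes, caps forwarded volume per account, and refuses to forward to an unconfirmed target, then runs the point/send/re-point loop against it.

```python
from collections import deque

# Thresholds are constructed for illustration, not Google's actual limits.
MAX_FORWARD_CHANGES_PER_DAY = 3
MAX_FORWARDS_PER_HOUR = 500
DAY, HOUR = 86400, 3600

def _prune(window, now, span):
    # Drop timestamps that have aged out of the sliding window.
    while window and now - window[0] >= span:
        window.popleft()

class Account:
    """One mailbox: forward-to address, confirmation state, recent activity."""
    def __init__(self):
        self.forward_to, self.confirmed = None, False
        self._changes, self._forwards = deque(), deque()  # event timestamps

    def set_forward_to(self, address, now):
        """Mitigation 1: rate-limit forward-to changes. False if refused."""
        _prune(self._changes, now, DAY)
        if len(self._changes) >= MAX_FORWARD_CHANGES_PER_DAY:
            return False
        self._changes.append(now)
        self.forward_to, self.confirmed = address, False  # Mitigation 3
        return True

    def confirm(self, address):
        """The target's owner followed the confirmation link sent to it."""
        if address == self.forward_to:
            self.confirmed = True

    def deliver(self, now):
        """True if an inbound message may be forwarded right now."""
        if self.forward_to is None or not self.confirmed:
            return False  # unconfirmed targets receive nothing
        _prune(self._forwards, now, HOUR)
        if len(self._forwards) >= MAX_FORWARDS_PER_HOUR:
            return False  # Mitigation 2: per-account forwarding volume cap
        self._forwards.append(now)
        return True

def simulate_relay_loop(targets, now=0.0):
    """The post's loop (point, send one message, re-point); returns the
    number of targets that actually received a forwarded message."""
    acct, reached = Account(), 0
    for i, target in enumerate(targets):
        if not acct.set_forward_to(target, now + i):
            break  # change quota exhausted
        reached += acct.deliver(now + i)  # adds 0: target never confirmed
    return reached
```

With confirmation required, the loop reaches nobody; even without it, the change quota would stop the loop after three targets a day.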


10 Comments

  1. Matt Sergeant
    Posted May 28, 2008 at 15:15

    Well, this didn’t appear yet on the MailChannels blog, so I figured I’d post it here…

    I’m a bit mystified why this is getting so much press. Well not totally, but I’m surprised the finders of this “exploit” aren’t being lambasted harder. Frankly it’s not an exploit at all, and it’s not a security hole. And it’s certainly not an open proxy. It requires a gmail account, thus it’s not “open”.

    So, the supposed hole here is that spammers can create gmail accounts and spam any address from them. Err, duh! They can do that ANYWAY!!! So this is just a harder way for them to do that. OMG. The SKY IS FALLING.

    Sorry. Bit of a sense of humour failure there :-)

  2. Posted May 28, 2008 at 16:08

    I agree, it seems to have received a lot of press for a rather minor issue. I read it as allowing spammers to evade Google’s current set of rate limits on outbound mail. But that will only last until Google fix their systems to rate limit this stuff too…

  3. Vivek Khera
    Posted May 28, 2008 at 16:45

    Well, I use gmail via their Google Apps service to host my personal family domain name. All my email is forwarded through google (and anti-spam filtered amazingly well, I might add) to my own mail server at my office.

    If google were to rate limit the forwarded mail, I likely would get shut down or delayed mail given the number of public mailing lists I participate in (anti-spam lists, freebsd lists, postgres lists, apache/perl lists, etc.) multiplied by the volume on these lists.

    I think the right thing to do is verify the forwarding address before permitting mail to be forwarded to it.

    I really hope google does something to abate their use as a spam spewing vector; it will be of great pain to me personally to move my domain yet again to another service if mail stops flowing.

  4. Matt Sergeant
    Posted May 28, 2008 at 16:50

    For sure. Either verify or rate limit how often it can be changed. Either way I don’t see this ever becoming a huge spam vector.

  5. Posted May 28, 2008 at 17:02

    Matt: As I’m sure you’re well familiar, the press often picks up on irrelevant stories. Ever since Google claimed they would “do no evil,” any even slight hint of evil makes for exciting reading.

  6. Posted May 29, 2008 at 17:48

    Gmail has lots of “nice” quirks. One colleague constantly gets emails intended for someone else. And the way they anonymise the source IPs is incredibly annoying (and dangerous).

  7. Mitchell Doris
    Posted June 2, 2008 at 23:25

    Matt,

    I see your point, but you seem to be missing something. Gmail has measures to impose limits on the number of messages an account can send and also on the process of personalizing sender information. Though it might seem simple to accomplish this thing those guys from INSERT did, what they have shown is that those protections that google has simply don’t work. In other words, it is possible to send any amount of messages and to spoof the sender info in any way the attacker wants with just one Gmail account! I consider that a security problem for sure.

    Have you read the report? Sending messages the way they describe will even get a SPF-SUCCESS response.

    A spammer can definitely gather google accounts to send SPAM like you said, that’s not new, but the spammer will need to gather lots of accounts to send any significant number of messages, and he won’t even be able to spoof the sender (and definitely not with SPF success), unless he does this thing INSERT has pointed out.

    I won’t argue about the press giving this much attention to this particular problem, but it is time for Google to start doing something about their systems instead of just ignoring those issues, and this press attention definitely helps on that.

  8. Matt Sergeant
    Posted June 2, 2008 at 23:36

    Oh, I most definitely agree about google needing to step up to take care of its abuse issues, and I’ve been one of the most vocal people about that in the press (do a google news search for my name, you’ll see).

    Let me put it another way – spammers aren’t using this. It’s a trivial thing if they wanted to, but they are not. Why? Because the accounts are up for grabs for free, so creating thousands, even millions, of them is trivial for them. They’re already doing it. Places are talking about blocking all gmail IPs already because of the MASSIVE spam problems coming from there – and none of it is using this exploit.

    Also it is effectively rate limited simply by the speed with which you can modify the forwarding address. While the limits may not be as strict as the regular posting limits, they are still there, in effect.

  9. Dave
    Posted June 6, 2008 at 19:35

    I use gmail to forward email from my company and then use pop to pull it down. This has been the best SPAM filter. However, we’re starting to see this in our email server logs:

    06:06 07:49 SMTP-(4e7500000a90e76b) 421-4.7.0 [xx.xx.xx.xxx] Our system has detected an unusual amount of
    06:06 07:49 SMTP-(4e7500000a90e76b) 421-4.7.0 unsolicited mail originating from your IP address. To protect
    06:06 07:49 SMTP-(4e7500000a90e76b) 421-4.7.0 our users from spam, mail sent from your IP address has been
    06:06 07:49 SMTP-(4e7500000a90e76b) 421-4.7.0 temporarily blocked. Please visit http://www.google.com/mail/help/bulk_mail.html to review our Bulk Email Senders Guidelines.

    Looks like all the SPAM they are filtering out for my company is starting to count against the email server forwarding the email and not the email server that originally sent it. This email server is not spamming gmail, but the email I forward is showing up at gmail like it is. Not sure if this is just greylisting or a complete block; it seems some email still gets through. I thought this was a clever way of filtering my email when I first heard about it, but now I’m trying to find another way.

    Anyone having this issue? Do you have access to the email server logs doing the forward?

  10. Posted June 9, 2008 at 15:30

    Dave, you’re being tempfailed — I agree, it looks like gmail ascribes the reputation for the spam to your IP, instead of the spammer’s IP. I don’t think there’s anything you can do about it, aside from not forwarding spam to gmail.

    You could try installing SpamAssassin on a low-sensitivity threshold setting, just to cut out the “easy 80%” of the spam, and forward the rest to gmail…
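For operators in Dave's position (comments 9 and 10 above), an added example that is not from the post or any commenter: a small parser that reassembles the multi-line 421 reply from per-line log entries of the layout Dave quoted and flags Google's 4.7.0 temporary block, so the forwarding server can alert on it instead of silently queueing. The sample log is constructed to match that layout; the extra 250 line is also constructed.

```python
import re

# Constructed sample modelled on the lines quoted in the comment above; the
# 250 line is added so the parser has a non-failure reply to ignore.
SAMPLE_LOG = """\
06:06 07:49 SMTP-(4e7500000a90e76b) 421-4.7.0 [xx.xx.xx.xxx] Our system has detected an unusual amount of
06:06 07:49 SMTP-(4e7500000a90e76b) 421-4.7.0 unsolicited mail originating from your IP address. To protect
06:06 07:49 SMTP-(4e7500000a90e76b) 421-4.7.0 our users from spam, mail sent from your IP address has been
06:06 07:49 SMTP-(4e7500000a90e76b) 421-4.7.0 temporarily blocked. Please visit http://www.google.com/mail/help/bulk_mail.html to review our Bulk Email Senders Guidelines.
06:06 07:52 SMTP-(4e7500000a90e77c) 250 2.0.0 OK (constructed success reply)
"""

# One log line: date, time, session id, SMTP code, "-" or " " separator,
# enhanced status code, then the free text of that line of the reply.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) SMTP-\((?P<session>[0-9a-f]+)\) "
    r"(?P<code>\d{3})[ -](?P<esc>\d\.\d+\.\d+) (?P<text>.*)$")

def parse_smtp_replies(log_text):
    """Reassemble multi-line SMTP replies (split across log lines) by session id."""
    replies = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an SMTP reply line
        r = replies.setdefault(m["session"], {
            "session": m["session"], "code": int(m["code"]),
            "esc": m["esc"], "lines": []})
        r["lines"].append(m["text"])
    for r in replies.values():
        r["text"] = " ".join(r.pop("lines"))
        ip = re.search(r"\[([^\]]+)\]", r["text"])  # the IP Google blocked
        r["blocked_ip"] = ip.group(1) if ip else None
    return list(replies.values())

def google_tempfails(log_text):
    """Replies that are the 421 4.7.0 'unusual amount of unsolicited mail' block."""
    return [r for r in parse_smtp_replies(log_text)
            if r["code"] == 421 and r["esc"] == "4.7.0"
            and "temporarily blocked" in r["text"]]
```

A 4xx reply is a temporary failure, so a sending MTA will keep retrying; alerting on the first hit lets you throttle or pre-filter (as suggested above) before the queue backs up.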