A study by Roaring Penguin has found that during the past three weeks the amount of spam originating from Gmail has risen sharply, while spam originating from Yahoo and Hotmail remained flat or dipped slightly. Experts attribute this rise to the cracking of Google’s CAPTCHA system. Spammers built OCR software capable of solving the challenge, which let them register large numbers of accounts to spam from.
According to a report by the Information Security Research Team (INSERT), Google’s Gmail service could potentially be turned into a giant spam machine thanks to a flaw that essentially renders it an open relay server, meaning it can be made to accept mail from anyone and forward it to anyone. The flaw allows anyone able to connect to SMTP port 25 and HTTP port 80 to exploit a Gmail account and gain access to Google’s white-listed SMTP relay service.
Since Google has such a good reputation, most ISPs have white-listed the Gmail domain and its IPs. An attacker exploiting the flaw would enjoy the benefits of that reputation and be able to spam with no worries of being blocked. What’s more, they would also be free of Gmail’s 500-message limit for bulk email and be able to send thousands of messages. INSERT’s test attack allowed them to spam over 4,000 email addresses in just 6 hours.
“To our best knowledge this is the first public description of this vulnerability and also the first proof of concept attack. Google has already been notified about this issue and we are awaiting their position to release further details,” the group wrote in its advisory.
Google has not yet commented on the group’s report. This is not the first time spammers have had a field day with Google. In February it was revealed that their CAPTCHA system had been cracked, and recently reports of spammers exploiting Google Calendar have begun to surface.
According to Slashdot, Google’s mail servers appear to be responsible for sending large amounts of backscatter. They don’t perform any recipient validation for the googlegroups and blogger.com domains (and presumably their other domains as well): they accept mail for any address during the SMTP transaction and only discover afterwards that the user doesn’t exist. That lets spammers launch large-scale dictionary attacks against those domains using forged headers and forged envelope sender addresses, and the owners of the forged addresses end up receiving huge numbers of bounce messages whenever the spam hits non-existent users on Google’s domains. Most correctly set up mail servers don’t generate such bounce messages, because they refuse the unknown recipient before ever taking responsibility for the message. Tell that to Google’s mail server! Botnets love mail servers like this and will go to town on them, commencing an unrelenting barrage of spam.
Most ISPs won’t hesitate to place a block on any IP that receives complaints of backscatter, and that can cause big headaches for innocent people. There are even reports of businesses having entire mail servers wiped out due to backscatter.
What Google should be doing is rejecting traffic to bogus users during the SMTP transaction. Several techniques can be used to do this:
- Recipient validation (reject unknown users at RCPT TO with a 5xx response instead of accepting and bouncing later)
- Reject senders listed on real-time (DNS-based) blacklists
- Reject email from sending servers that do not have a reverse DNS entry
Unfortunately Google is doing none of them. Slashdot also reports that emails sent to abuse@google.com and postmaster@google.com went unanswered except for a canned response that didn’t address the situation.
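To make the difference concrete, here is a small simulated SMTP receiver that can be run in either of two modes: the misconfigured accept-then-bounce behaviour described above, which turns a forged envelope sender into a backscatter victim, and the reject-at-RCPT behaviour applying the three checks listed. This is an added example, not Google’s configuration or code from Slashdot or DontBounceSpam.org; the domains, recipient table, DNSBL listing and reverse-DNS table are constructed inline so it runs offline with no network lookups.

```python
"""Simulated SMTP receiver: accept-then-bounce (backscatter) vs reject-at-RCPT.

Constructed example. The domains, valid recipients, DNSBL listing and
reverse-DNS (PTR) table below are fakes so the dialogue runs offline.
"""

LOCAL_DOMAINS = {"groups.example.test", "blog.example.test"}   # assumed local domains
VALID_RECIPIENTS = {"alice@groups.example.test", "bob@blog.example.test"}
DNSBL = {"203.0.113.7"}                                         # constructed listing
REVERSE_DNS = {"198.51.100.5": "mail.sender.test"}             # constructed PTR data


def _addr(arg):
    """Extract the bare address from 'FROM:<a@b>' or 'TO:<a@b>'."""
    return arg.partition(":")[2].strip().strip("<>").lower()


class Receiver:
    """One SMTP session. policy is 'accept_all' (misconfigured) or 'reject_at_rcpt'."""

    def __init__(self, client_ip, policy):
        self.ip, self.policy = client_ip, policy
        self.transcript = []        # list of ("C"|"S", line)
        self.sender, self.rcpts = None, []
        self.delivered, self.bounces = [], []
        self.in_data, self.body = False, []
        self._say("220 mx.example.test ESMTP")

    def _say(self, reply):
        self.transcript.append(("S", reply))
        return reply

    def _check_rcpt(self, rcpt):
        """Restrictions evaluated during the transaction, in the spirit of a
        recipient-restriction list: DNSBL, reverse DNS, then recipient validation."""
        if self.ip in DNSBL:
            return "554 5.7.1 Client host blocked by DNSBL"
        if self.ip not in REVERSE_DNS:
            return "450 4.7.25 Client host has no reverse DNS"
        domain = rcpt.rpartition("@")[2]
        if domain not in LOCAL_DOMAINS:
            return "554 5.7.1 Relay access denied"
        if rcpt not in VALID_RECIPIENTS:
            return "550 5.1.1 Recipient address rejected: User unknown"
        return None

    def feed(self, line):
        """Feed one client line; returns the server reply (None for body lines)."""
        self.transcript.append(("C", line))
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._say(self._queue())
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self._say("250 mx.example.test")
        if verb == "MAIL":
            self.sender = _addr(arg)
            return self._say("250 2.1.0 Ok")
        if verb == "RCPT":
            rcpt = _addr(arg)
            if self.policy == "reject_at_rcpt":
                problem = self._check_rcpt(rcpt)
                if problem:
                    return self._say(problem)     # refused before we own the mail
            self.rcpts.append(rcpt)
            return self._say("250 2.1.5 Ok")
        if verb == "DATA":
            if not self.rcpts:
                return self._say("554 5.5.1 No valid recipients")
            self.in_data = True
            return self._say("354 End data with <CR><LF>.<CR><LF>")
        if verb == "QUIT":
            return self._say("221 2.0.0 Bye")
        return self._say("502 5.5.2 Command not implemented")

    def _queue(self):
        """Once the server answers 250 at end-of-DATA it is responsible for the
        message; an unknown recipient can now only be reported by bouncing to
        the envelope sender. With a forged sender that bounce is backscatter."""
        for r in self.rcpts:
            if r in VALID_RECIPIENTS:
                self.delivered.append(r)
            elif self.sender:                     # null sender gets no bounce
                self.bounces.append({"to": self.sender, "undeliverable": r})
        self.rcpts, self.body = [], []
        return "250 2.0.0 Ok: queued"


def run_session(client_ip, policy, commands):
    """Drive a whole dialogue and return the finished Receiver for inspection."""
    session = Receiver(client_ip, policy)
    for cmd in commands:
        session.feed(cmd)
    return session


# Constructed dictionary-attack dialogue with a forged envelope sender.
DICTIONARY_SPAM = [
    "EHLO spammer.invalid",
    "MAIL FROM:<victim@innocent.example>",
    "RCPT TO:<aaron@groups.example.test>",
    "RCPT TO:<aardvark@groups.example.test>",
    "RCPT TO:<alice@groups.example.test>",
    "DATA", "Subject: buy now", "", "spam", ".",
    "QUIT",
]

if __name__ == "__main__":
    for policy in ("accept_all", "reject_at_rcpt"):
        s = run_session("198.51.100.5", policy, DICTIONARY_SPAM)
        print(f"--- {policy}: {len(s.bounces)} bounce(s) to forged sender")
        for side, text in s.transcript:
            print(side, text)
```

Running it shows the same dictionary attack producing two bounces to victim@innocent.example under accept_all and none under reject_at_rcpt, where the guessed addresses get a 550 5.1.1 while the dialogue is still open and the spamming client, not the forged victim, bears the cost. The reverse-DNS check returns a 4xx rather than a 5xx on purpose: PTR records are sometimes missing for legitimate but badly run hosts, and a temporary failure lets them retry once fixed while still denying a bot the immediate accept it needs.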
It’s very surprising that Google, whose Gmail program has been widely praised for its spam controls, would have such badly misconfigured mail servers. Ironically, those same spam controls have reportedly been blacklisting Google themselves. According to an article on newswireless.net, Gmail placed a user’s Google Alerts in his spam folder. Ah that wacky Google!
For more information, the website DontBounceSpam.org has an extensive list of resources and tips for server admins and end users on how to fight backscatter and reduce overall spam.