‘One Gmail account can match spam from small botnet’
Two security researchers have managed to use Gmail’s SMTP servers as open relays through an exploit that has not yet been made public. In this way, a large amount of mail could be sent while bypassing spam filters.
Insert’s two researchers, Pablo Ximenes and André dos Santos, wrote a proof-of-concept exploit that abuses Gmail’s forwarding capabilities. The vulnerability could be used to send a large amount of spam through Gmail’s servers, bypassing spam filters. According to Ximenes and Dos Santos, the exploit allows one Gmail account to do the work of a small botnet. The researchers have not disclosed the exact details of the attack, so that Google has the opportunity to close the hole.
With the exploit, the security researchers took advantage of a vulnerability in Gmail’s mail forwarding: when forwarding mail, Gmail does not check the mail headers and leaves falsified data intact. The PoC exploit makes use of this flaw and allowed the researchers to forward e-mails containing forged data to as many addresses as they wanted. The usual limit of 500 e-mails that Google imposes on bulk sending was exceeded: the program stopped after sending more than four thousand e-mails.
By using Google’s SMTP servers, the e-mails sent by the researchers were also treated as trusted by the mail servers of other providers. This is a consequence of the large amount of spam in circulation: providers do not run their spam filters on every e-mail, but only on some. Much e-mail is judged by the trust level of the sending provider: trusted senders are placed on a whitelist, while spam sources are blacklisted. The researchers took advantage of Gmail’s whitelisted status to deliver their spam to test accounts at Yahoo and Hotmail. That trust between providers turned out to go so far that, with their PoC, Ximenes and Dos Santos managed to send spam from their own blacklisted IP addresses to Yahoo and Hotmail addresses, where it arrived neatly in the respective inboxes. When the same spam was sent without using the exploit, however, it did not arrive.
The rate at which the spam, or if desired phishing messages, was sent averaged eleven e-mails per minute. The Insert staff argue, however, that abusing multiple Gmail accounts would approach the capacity of a botnet. Google has been made aware of the vulnerability in its forwarding configuration, but it has not yet been reported on the relevant Google blogs.