Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2008/05/10 15:57:24 UTC

FW: Exploiting Google MX servers as Open SMTP Relays

fyi: post in bugtraq.  You may wish to look for and remove any whitelists
based on google, googlegroups, or gmail accounts until google fixes this.

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

------ Forwarded Message
> From: <pa...@upr.edu>
> Date: 7 May 2008 20:37:46 -0000
> To: <bu...@securityfocus.com>
> Subject: Exploiting Google MX servers as Open SMTP Relays
> 
> 
> Vulnerability Report:
> 
> As part of our recent work on the trust hierarchy that exists among email
> providers throughout the Internet, we have uncovered a serious security flaw
> in Google's free email service, Gmail. This vulnerability exposes Google's
> email servers in a way that allows an attacker to use them as open spam and
> phishing relays. This issue is related to the risk of a malicious user abusing
> Gmail's email forwarding functionality. This is possible because Gmail's email
> forwarding functionality does not impose proper security restrictions during
> its setup process and can be easily subverted. By exploiting this problem an
> attacker can send unlimited spam and phishing (i.e. forged) email messages
> that are delivered by Google's very own SMTP servers. Since the messages are
> delivered by Google's own servers, an attack based on this flaw is able to
> bypass all spam filters that are based on the blacklist / whitelist concept.
> We were able to confirm that this vulnerability is indeed exploitable by
> crafting a proof of concept attack that allowed us to send any number of
> forged email messages without restriction through Google's server
> infrastructure. We have also verified that this flaw allows attackers to
> bypass spam filters by using our method to send messages that are usually
> flagged as spam. While sending these messages directly from our network in the
> traditional way had the messages classified as spam, by sending the very same
> messages using our exploit, the messages were delivered directly to the
> victim's inbox, thus bypassing filters.
> 
> Impact:
> 
> All email providers that offer Google's SMTP servers any special level of
> trust (e.g. whitelist status) are vulnerable.
> 
> Disclosure:
> We have contacted Google about this issue and are waiting for their position
> before releasing further details.
> 
> For more information, visit our homepage:
> http://ece.uprm.edu/~andre/insert
> 
> 
> Regards, 
> 
> 
> Pablo Ximenes, André dos Santos
> 
> INSERT - Information Security Research Team
> University of PR at Mayaguez (UPRM), USA
> State University of Ceará (UECE), Brazil
> 
> pablo.ximenes@upr.edu, andre@dossantos.org
> 

------ End of Forwarded Message


Re: FW: Exploiting Google MX servers as Open SMTP Relays

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Sat, May 10, 2008 19:48, Joseph Brennan wrote:
> > --On Saturday, May 10, 2008 9:57 AM -0400 Michael Scheidell
> > <sc...@secnap.net> wrote:
> >> fyi: post in bugtraq.  You may wish to look for and remove any whitelists
> >> based on google, googlegroups, or gmail accounts until google fixes this.
> > I was surprised to hear that anyone gave whitelist status to free
> > email services to begin with!

On 10.05.08 20:39, Benny Pedersen wrote:
> that's why I use def_whitelist_auth to free domains and whitelist_auth to
> specifically known persons that I know
> 
> then adjust the whitelist score to get only non spam through

I don't even do that... the default whitelist has a score of -15, which is quite
enough to pass much of the spam that goes through.

Yes, I can change the score to e.g. -10 or -5...
and I even wonder why there are so many domains on the default whitelist
(luckily not many FPs)
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 

Re: FW: Exploiting Google MX servers as Open SMTP Relays

Posted by Benny Pedersen <me...@junc.org>.
On Sat, May 10, 2008 19:48, Joseph Brennan wrote:
> --On Saturday, May 10, 2008 9:57 AM -0400 Michael Scheidell
> <sc...@secnap.net> wrote:
>> fyi: post in bugtraq.  You may wish to look for and remove any whitelists
>> based on google, googlegroups, or gmail accounts until google fixes this.
> I was surprised to hear that anyone gave whitelist status to free
> email services to begin with!

that's why I use def_whitelist_auth to free domains and whitelist_auth to
specifically known persons that I know

then adjust the whitelist score to get only non spam through


Benny Pedersen


Re: FW: Exploiting Google MX servers as Open SMTP Relays

Posted by Joseph Brennan <br...@columbia.edu>.

--On Saturday, May 10, 2008 9:57 AM -0400 Michael Scheidell 
<sc...@secnap.net> wrote:

> fyi: post in bugtraq.  You may wish to look for and remove any whitelists
> based on google, googlegroups, or gmail accounts until google fixes this.


I was surprised to hear that anyone gave whitelist status to free
email services to begin with!

Joseph Brennan
Columbia University Information Technology
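
An added example, not part of any post in this thread: one way to carry out the check suggested in the first message, by scanning SpamAssassin configuration text for whitelist entries that cover google, googlegroups or gmail, and reporting what each matching directive actually relies on. The directive names are real SpamAssassin options; the function names, the `probe.` test host and the sample configuration are constructed for illustration.

```python
import re

# Real SpamAssassin directives, mapped to what each whitelist match relies on.
DIRECTIVES = {
    "whitelist_from": "From address only",
    "whitelist_from_rcvd": "From address + relay rDNS",
    "def_whitelist_from_rcvd": "From address + relay rDNS",
    "whitelist_auth": "From address + sender authentication (SPF/DKIM)",
    "def_whitelist_auth": "From address + sender authentication (SPF/DKIM)",
}
RCVD = {"whitelist_from_rcvd", "def_whitelist_from_rcvd"}  # 2nd arg is a relay
WATCH = ("google.com", "googlegroups.com", "gmail.com")   # named in the post

def covers_watched(domain_glob):
    """True if an address glob ('*' and '?' only) can match a watched domain."""
    rx = re.escape(domain_glob.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return any(re.fullmatch(rx, d) or re.fullmatch(rx, "probe." + d) for d in WATCH)

def relay_watched(relay):
    """True if the relay rDNS argument is a watched domain or a host under it."""
    relay = relay.lower().rstrip(".")
    return any(relay == d or relay.endswith("." + d) for d in WATCH)

def audit(config_text):
    """Return (line_no, directive, basis, entry) for each watched whitelist entry."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in DIRECTIVES:
            continue
        name, args = fields[0], fields[1:]
        for addr in (args[:1] if name in RCVD else args):
            if covers_watched(addr.rsplit("@", 1)[-1]):
                findings.append((no, name, DIRECTIVES[name], addr))
        if name in RCVD and len(args) > 1 and relay_watched(args[1]):
            findings.append((no, name, DIRECTIVES[name], "relay " + args[1]))
    return findings

# Constructed local.cf fragment for illustration; not taken from the thread.
SAMPLE = """\
# site whitelist
whitelist_from       *@gmail.com friend@example.org
whitelist_from_rcvd  *@lists.example.net google.com
def_whitelist_auth   *@*.google.com
whitelist_auth       alice@example.com   # known person
blacklist_from       *@googlegroups.com
"""

if __name__ == "__main__":
    for no, name, basis, entry in audit(SAMPLE):
        print(f"line {no}: {name} {entry} (trusts: {basis})")
```

Run `audit()` over the contents of the site-wide `local.cf` and any per-user preference files; entries reported with "From address only" are the ones that involve no relay or authentication check at all.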