Showing posts with label gmail. Show all posts

Tuesday, May 27, 2008

Update on Gmail spam exploit

A couple of weeks ago I made a blog post based on a SecurityFocus vulnerability report suggesting that Gmail smtp servers could be abused by spammers. At the time, the exact details of the attack were not disclosed to give Google an opportunity to respond to the claims.

Since then, the INSERT security team has released the details of the attack, including a proof-of-concept program for demonstration. The key point is that it is trivial to set up auto-forwarding from a Gmail account to any e-mail address.

The idea is that a spammer could send a message from a blacklisted IP to a Gmail account they have set up as a spam cannon. They would then only need to mark the received message as not spam so that future copies of that message are forwarded. After that, the blacklisted IP can keep sending to the Gmail spam cannon address while a script automates changes to the forwarding address, switching the spam victim each time. In that way the spam message could be relayed from Google's servers to other mail servers, possibly bypassing anti-spam filtering because those servers are whitelisted.
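The defender-side consequence of the relay trick above is that a receiving mail server should not judge a forwarded message by its last hop alone. The following is an added example, not code from the original post or from INSERT's proof of concept: it walks the Received chain of a constructed message, skips past a whitelisted forwarding relay (192.0.2.10, a made-up address standing in for the webmail provider), and checks the hop behind it against a constructed blocklist. It assumes the forwarding relay preserves the original Received headers, which is the normal behaviour of an MTA that forwards rather than re-originates mail.

```python
import re
from email import message_from_string
from typing import List, Optional

# Constructed sample message: it arrived via a whitelisted relay (192.0.2.10)
# but originated at 198.51.100.23, which we treat as a blocklisted sender.
SAMPLE = """Received: from relay.webmail.example (relay.webmail.example [192.0.2.10])
\tby mx.example.org with ESMTPS id abc123; Tue, 27 May 2008 10:00:00 +0000
Received: by 10.1.2.3 with SMTP id xyz; Tue, 27 May 2008 09:59:58 +0000
Received: from spamhost.example (spamhost.example [198.51.100.23])
\tby relay.webmail.example with ESMTP id def456; Tue, 27 May 2008 09:59:55 +0000
From: cannon@webmail.example
To: victim@example.org
Subject: constructed test message

body
"""

# Constructed stand-ins for a relay whitelist and for a set of DNSBL hits.
TRUSTED_RELAYS = {"192.0.2.10"}
BLOCKLIST = {"198.51.100.23"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw: str) -> List[str]:
    """Return the bracketed client IPs of the Received headers, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)  # internal handoffs without a bracketed IP are skipped
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(raw: str, trusted: set) -> Optional[str]:
    """Walk past whitelisted relay hops and return the first untrusted IP, if any."""
    for ip in received_ips(raw):
        if ip not in trusted:
            return ip
    return None


def should_reject(raw: str, trusted=TRUSTED_RELAYS, blocklist=BLOCKLIST) -> bool:
    """True when the hop behind the trusted relay is on the blocklist."""
    origin = originating_ip(raw, trusted)
    return origin is not None and origin in blocklist
```

In production the blocklist membership test would be a DNSBL lookup of the originating IP; the point is that the lookup is made on the hop behind the relay, not on the relay itself.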

Wednesday, April 9, 2008

Sender Authentication, Gmail abuse, IPv6 ... Discuss!

Lately, I've been thinking about several related issues:

  • The challenges and effectiveness of sender authentication and reputation filtering.
  • The rise of Gmail spam and MessageLabs' subsequent attempt to throttle it now that Gmail's Captcha is broken.
  • The issue of IPv6 reputation as raised by Cloudmark.
How are these issues related?

Anti-spam systems have steadily improved their ability to identify and block known spam senders. However, this is having a significant impact on the value of legitimate addresses.

Authentication, reputation systems, computational challenge, and traffic shaping share an “Achilles Heel.” They dramatically increase the value of hijacking legitimate servers. If the spammers hijack legitimate email servers or domains their messages will get through because they are now coming from legitimate senders. We see this all the time with spam from all sorts of legitimate sites but we've also seen a jump in spam from Gmail since their account creation Captcha mechanism has been cracked. What if all my mail is hosted on Gmail? How do recipients distinguish all these hosted senders? Can centralized reputation systems be expanded to track reputation at the individual sender level? Do we want them to?

As Cloudmark suggests in the interview, if we ever get to IPv6, reputation will be compromised as far as spam protection goes. There will be so many addresses that we will be back to every spammer being an unknown sender. Reputation filtering will fail unless hard authentication is also widely adopted, enabling recipients to reject mail that does not come from known legitimate senders.

Along with increasingly aggressive treatment for unknown senders, spam protections will need to implement greater restrictions and careful scrutiny of webmail providers offering free accounts, especially those with automated account creation. There will also be a greater need for IT administrators to protect their systems from hijacking.

Wednesday, November 28, 2007

Google Caches Virus Popup

This evening I was looking at some of the spam found in my Gmail Spam folder. I started using Google Search to see if I could correlate some websites related to the spam. I did find some interesting things, such as the bad English "recorded for security purpose", found on one spam-related website, is copied across several spam-related sites. I was looking for some casual correlation to hopefully find some bad IP addresses not found in one of the top RBL sites, such as Spamhaus. Alas, Spamhaus had me beat. It knew them all.

But then I found something rather interesting. I came across a website with a pop-up, trying to get me to download a Windows executable file.


In order for this to work I'd have to click on the fake dialogue button "Continue". Then a real dialogue with an option for "Save As" appears, I download it, open it, and enjoy using my new virus. Okay, so nothing new and exciting there. It's a pretty simple website trying to con me into running their malicious code.

Now I was curious how many duplicate pages out there had the same pop-up, so I did a search for the text "You need to download new version of Video ActiveX Object to play this video file.".

I clicked on the first result.


But the page was gone.


I was really looking forward to that virus pop-up. Never mind, maybe Google Cache can help me out.


Excellent! The spammer took down the webpage linking to their exploit code, but luckily Google Cache was able to save a copy of the page, which popped up the "Save As" dialogue, so I can now download it and start enjoying my new virus as it silently rips through my machine, stealing my personal data and e-mailing spam around the world.

I uploaded this file to the Kaspersky Virus Scanner and it was identified as being "infected by Trojan-Downloader.Win32.Zlob.eob".

Oh no, I just realized. This exploit is not platform independent and will not run on my machine. It only runs on Windows and I'm using Ubuntu Linux. I guess I'll have to keep googling...