
Update on Gmail spam exploit

By David Cawley | 1 minute read

A couple of weeks ago I wrote a blog post based on a SecurityFocus vulnerability report suggesting that Gmail's SMTP servers could be abused by spammers. At the time the exact details of the attack were withheld to give Google an opportunity to respond to the claims.

Since then, the INSERT security team has released the details of the attack, including a proof-of-concept program for demonstration. The key point is that it is trivial to set a Gmail account to auto-forward messages to any e-mail address.

The idea is that a spammer sends a message from a blocklisted IP to a Gmail account they have set up as a spam cannon. They then mark the received message as not spam, so that later copies of that message are forwarded rather than held. After that, the blocklisted IP keeps sending to the spam cannon address while a script automates changes to the forwarding address, switching the spam victim with each send. In that way the spam message is relayed from Google's servers to other mail servers and, because the host delivering it is now Google rather than the blocklisted IP, it may bypass anti-spam filtering at sites that whitelist Google's mail servers.
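The defensive check that follows from this is not to stop at the first trusted relay: a receiving site that whitelists the forwarder's addresses should still walk the `Received:` chain past those hops and test the host that actually injected the message. The following is an added example written for this post, not code from the original post or from INSERT's proof of concept. The message, host names, addresses, the trusted relay range and the blocklist are all constructed for the example; the presence of an `X-Forwarded-To:` header on auto-forwarded mail is an assumption used to flag that forwarding took place.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample message: injected into the forwarding provider from a
# blocklisted host, then auto-forwarded on to the victim's MX.
# Every host name and address here is made up for the example.
SAMPLE = """\
Received: from mail-fwd.relay.example (mail-fwd.relay.example [10.1.2.3])
\tby mx.victim.example with ESMTP id abc123; Mon, 19 May 2008 10:00:00 +0000
Received: by 10.1.2.3 with SMTP id xyz789; Mon, 19 May 2008 09:59:58 +0000
Received: from spam-box.example (spam-box.example [203.0.113.7])
\tby mx.relay.example with ESMTP id def456; Mon, 19 May 2008 09:59:50 +0000
X-Forwarded-To: victim@victim.example
X-Forwarded-For: cannon@relay.example victim@victim.example
From: cannon@relay.example
To: victim@victim.example
Subject: constructed sample

body
"""

# Assumed stand-in for the forwarding provider's outbound address space,
# i.e. the addresses a naive whitelist would trust unconditionally.
TRUSTED_RELAYS = [ipaddress.ip_network("10.1.2.0/24")]

# Constructed blocklist containing the spammer's injecting host.
BLOCKLIST = {"203.0.113.7"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_ips(raw):
    """Return the first IPv4 literal in each Received: header, newest hop first.

    Hops without a parseable address are skipped."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(hdr)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        ips.append(m.group(1))
    return ips


def is_trusted(ip, trusted):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def originating_ip(raw, trusted):
    """Walk the hop chain past every trusted relay and return the first
    address that is not one of them: the host that actually injected the
    mail. Returns None if every hop is trusted."""
    for ip in received_ips(raw):
        if not is_trusted(ip, trusted):
            return ip
    return None


def classify(raw, trusted, blocklist):
    """Compare a naive whitelist decision (look only at the delivering hop)
    with one that checks the real originating host against the blocklist."""
    hops = received_ips(raw)
    delivering = hops[0] if hops else None
    origin = originating_ip(raw, trusted)
    msg = message_from_string(raw)
    # Assumption: the forwarder stamps auto-forwarded mail with X-Forwarded-To.
    forwarded = msg.get("X-Forwarded-To") is not None
    naive = "accept" if delivering and is_trusted(delivering, trusted) else "check"
    verdict = "reject" if origin in blocklist else "accept"
    return {"delivering_ip": delivering, "originating_ip": origin,
            "forwarded": forwarded, "naive_verdict": naive, "verdict": verdict}


if __name__ == "__main__":
    print(classify(SAMPLE, TRUSTED_RELAYS, BLOCKLIST))
```

On the constructed sample the naive decision accepts the message because the delivering hop is inside the trusted range, while the hop-walking check finds 203.0.113.7 behind the relay and rejects it. In production the trusted range would be the forwarder's published outbound addresses, and the blocklist lookup would be a DNSBL query rather than a set.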
