Security flaw in Gmail can turn server in a spam machine
May 12, 2008 1 Comment
INSERT, the Information Security Research Team, has created a proof of concept that exploits Google’s SMTP service bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.
This vulnerability enables an attacker to bypass blacklist/whitelist based email filters and freely forge all fields in an email message by having Google’s SMTP servers tricked into functioning as open SMTP relays. We were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages)