Gmail As Open-Relay Spam Server

sveard writes of a little problem Google is having that has Gmail acting like an open relay. Compounding the issue is the fact that services such as Hotmail and Yahoo trust Gmail as a source of mail. "A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail."

doesn't stop spam,

[Anonymous Coward]

but is very effective against slashdot comments?

You should have known

[OMNIpotusCOM]

It's just a beta guys. There's going to be bugs in the system =)

Wow, slashdot doesnt give a crap

[Aranykai]

Apparently, no one here cares:P

But, on topic, this really isn't all the surprising. Pretty much any email server can be used as a relay in this manner, the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.

Re:Wow, slashdot doesnt give a crap

[Midnight Thunder]

Pretty much any email server can be used as a relay in this manner, the only thing special here is that it avoids Google's current features. I expect Google will have this locked down very soon.

Certainly, but this can be reduced by making sure that e-mail coming from the outside world can only be sent to gmail addresses and e-mail going to the outside world requires password authentication by the sender. One issue that we are starting to see it e-mail being bounced to a different part than the one that officially sent the e-mail. Other measures that can help is only accepting e-mail from external mail servers who's name can be resolved from its address.

The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process.

Re:Wow, slashdot doesnt give a crap

[Jurily]

The real problem is really deciding what is a legitimate source of e-mail, without requiring a central registry of e-mail servers or some other sort of bureaucratic process.

Recently I've been getting spam that convinced them that I was the sender, and even "(unknown sender)" ones. One would think that's not that hard to decide.

The other problem is, Hotmail and Yahoo trusting Gmail. In the world of email, there is no such thing as a trustworthy server.

Re:

[Antique Geekmeister]

Yes, there is such a thing. An SMTP-AUTH authenticated server works well, and it's straightforward to publish SPF records for other mail servers to filter a lot of forged email, especially the bounces you've been seeing. (SPF is worth looking up: Google does publish SPF records in their DNS.) SPF got crippled by a Microsoft 'embrace and extend' operation involving SenderID keys and mislabeling SenderID based SPF tags as plain SPF. IT got

Re:Wow, slashdot doesnt give a crap

[Lincolnshire Poacher]

> The real problem is really deciding what is a legitimate
> source of e-mail, without requiring a central registry of
> e-mail servers or some other sort of bureaucratic process.

Well that's the problem that SPF solves. Each domain owner
creates a DNS entry that specifies which mail servers are
permitted to send mail for that domain. When an MX receives
a HELO it checks that the originating IP corresponds with
the DNS entry; if not, the mail can be rejected or subjected
to further inspection and scoring.

Simple to implement, I've done it in 20 minutes for my domain
( 20 minutes from ``What is this project?'' to submitting the
DNS change ).

http://www.openspf.org/ [openspf.org]

Re:

[LilGuy]

It's amazing that in 2008 we still need to bring up the fact that there are simple solutions to these problems.

I don't understand how there are really that many network/system admins out there that don't understand how the Internet works.

Re:

[Glonoinha]

Or maybe Google could outsource their anti-spam efforts to these guys [theregister.co.uk].
I'm guessing giving these guys a million dollars and saying 'make spam stop globally' might just work.

It's worth a try.

Re:

[SanityInAnarchy]

Certainly, but this can be reduced by making sure that e-mail coming from the outside world can only be sent to gmail addresses and e-mail going to the outside world requires password authentication by the sender.

And, specifically, that it can only be sent to valid Gmail addresses.

I've done stuff like this with Postfix, in my spare time, on my own mailserver. It's trivially easy, and it completely eliminates bounces, except in the case of mysterious internal errors -- but even then, I think it's more common for a temporary error to be returned at the SMTP layer than for the mail to actually bounce.

Bounces are unnecessary, full stop.

Idiots better get off their ass

[EdIII]

Speaking as a mail server administrator I sincerely hope that they fix this pronto. There is no way that I can just block gmail addresses from my mail server given how huge gmail already is. I literally have no choice but to ride this out and hope for the best.

I have already checked my server logs and the fun just started a little while ago. Yay!....

Re:

[Anonymous Coward]

By riding this out, you give no incentive to actually fix anything.

Re:Idiots better get off their ass

[Baumi]

By riding this out, you give no incentive to actually fix anything.

In theory, you're right: If all the server admins in the world united and blocked GMail, that'd send a message to Google to fix this ASAP.

In practice, however, Google is likely to do just that anyway, and since there is no organized blacklisting going on, a sole action by the GP poster would most likely annoy his users while Google itself wouldn't even notice it.

(Unless, of course, the GP happens to be the sysadmin for Hotmail, Yahoo! Mail or something similar - in that case: Blacklist, baby! ;-) )

Re:

[firekool]

no organized blacklisting going on

There actually is a few providers that do just that. Like SPAMCOP. And spamassassin does this too..

Re:Idiots better get off their ass

[EdIII]

Heh. Bwahahahah... *cough*

SpamCop and SpamHaus blocking Google? How do they say it... When Pigs Fly?

People that use both of those services, free and paying customers alike, rely on them automatically managing their lists. I am sure, and I am certainly adding myself to this, that "we" don't expect these services to add Hotmail, GMail, Yahoo, etc. You can also toss Comcast, AT&T, Time Warner's Roadrunner, Cox, etc. to the list too.

Unfortunately, there is such a thing as being too big to blacklist. I don't know how many millions of customers that it starts at, but GMail passed whatever mark that was a long time ago.

Organized blacklisting only applies to much much smaller entities.

Re:

[JWSmythe]

Well, there are a lot of people who do alternative things.

On a few mail installations I've done, it watches for abusers, and blocks them with firewall rules, based on other detections including SpamAssassin.

So even my own mail system would block gmail if it detects enough spam coming from them. The threshold is high enough to not false, and low enough to stop most of the badguys. On a typical server (~50k msg/day) something like 1500 get blocked daily, with no complaints th

Re:

[Arancaytar]

Next headline on Slashdot: "Microsoft blocks Gmail!"

First Youtube and then that. Indeed.

Interesting...

[Animaether]

...was "a little while ago" on thursday?

Because that's when the existence of the vulnerability was already known, at least. The people who figured it out aren't telling the world how to do it (I'm sure clever people can figure it out), and are / were waiting for Google to fix it first.

http://ece.uprm.edu/~andre/insert/gmail.html [uprm.edu]

You might be seeing plain ol' spam from gmail; it's been having its share of problems with spammers since both captcha crack -and- before that by manual sign-up, simply -because- everybody trusted gmail (what, with the forced SMS/Text Message sign-up, invite-only, etc. preceding).

Re:Idiots better get off their ass

[lambent]

I can second the above statement, since I've seen the exact same traffic.

Unfortunately, this sort of thing will continue to crop up. E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system. To combat spam, mail admins have had to take many unorthodox and RFC-bending practices (if not out-right ignoring RFCs all together). Otherwise, users complain about too much spam. The down side, users then complain about e-mail delays or non-deliverables. So, you get systems setting up certain ways to bypass filters for hopefully trusted domains. And then this whole new problem comes up when people figure out new ways to abuse the system, its safeguards, and hidden/implicit trusts.

Ugh. At this point, I just want to turn SMTP off completely. This is a losing battle.

Re:Idiots better get off their ass

[Midnight Thunder]

E-mail is fundamentally broken, and it's too easy to take advantage of any e-mail system.

I hear this being said over and over again. The problem is that no one has been able to provide a solution to resolved the problem. There have been suggestions, but doing so without penalizing the small guy is hard. Do we require certificates and if we do how can we ensure that it will be 100% fool proof? Do we only accept e-mail that hasn't been relayed or only accept mail from white listed relays, or create rules for them, if relays are to be tolerated in certain conditions?

Re:Idiots better get off their ass

[Kent Recal]

I think what GP meant when he said E-mail is fundamentally broken is that SMTP is fundamentally broken.

There are trivial technical solutions for the spam problem if only we could get rid of SMTP.
Ofcourse "we" can't but my hopes are that google may do it eventually. They could roll out a new system on a large enough scale to actually make it stick.

Re:Idiots better get off their ass

[schon]

There are trivial technical solutions for the spam problem if only we could get rid of SMTP.

No, there aren't.

Spam exists because there are sociopaths who want to steal resources from others. There is *NO* technical solution to this. If your SMTP replacement allows anyone to contact anyone else, it will allow spammers to contact anyone.

Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.

Re:

[Henry V .009]

Then why is the spam problem so much bigger than the telemarketer or junk fax problem? Surely there is some technical aspect to this "social problem."

Re:Idiots better get off their ass

[Paradise Pete]

Then why is the spam problem so much bigger than the telemarketer or junk fax problem?

Cost, plain and simple. The fundamental way to reduce spam is to make it cost more to do. Of course actually figuring out a good way to do that is left as an exercise for the reader.

Re:Idiots better get off their ass

[schon]

Then why is the spam problem so much bigger than the telemarketer or junk fax problem?

Because we have laws regulating them, which (amazingly enough) is how society deals with social problems.

Thank you for illustrating my point.

Re:

[Antique Geekmeister]

We have a *good* law on junk fax. It's very clear: unsolicited fax are illegal. We have very poor laws against telemarketers, laws aimed to permit telemarketers to continue to keep bothering you until you formally tell them to stop. There are some laws against spam, but they're extremely badly written.

Simply extending the junk fax law to cover email spam would be easy. The money saved in dealing with people's incoming spam would be more than enough to do the necessary enforcement of the laws, with such a cl

Internet Laws mean little...

[FranTaylor]

When we have a global Internet and free wireless.

Re:Idiots better get off their ass

[Chandon Seldon]

Spam is a social problem, not a technical one. There is no such thing as a technical solution to a social problem.

That's generally true.

The problem is that SMTP makes it drastically worse than it needs to be with a push model. The spammer can send a million messages, and they've all already been accepted by the destination server before anyone has a chance to complain.

If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered. Sure, that doesn't kill the spam problem utterly dead - but it does mean that current spam management resources could keep it down to well under 90% of all email.

Re:Idiots better get off their ass

[Niten]

If it were a notification / pull model then when someone complained the ISP could pull the spammer's plug for a TOS violation before most of the messages in his first batch were delivered.

The thing is that we can already achieve the same effect through a combination of greylisting and a trustworthy blacklist: an unknown (non-whitelisted) sender cannot deliver messages immediately, and if they're one of the few spammers who will retry deliver after a temporary failure, then by that time odds are that they will have been blacklisted.

Sure, it's possible that a pull model might prove slightly more effective even so, but neither model will ever kill spam dead. And "possibly slightly better at dealing with spam, but probably just the same" isn't nearly enough to justify uprooting the world's entire email infrastructure.

Re:

[DougBTX]

before anyone has a chance to complain.

All it takes is a spammer to use his distributed botnet to post thousands of complaints about legitimate email, and you're back to filtering push requests. You're also assuming that the spammer only has one plug to pull.

Re:

[flyingfsck]

Exactly, there are lots of people out there who have to be able to receive mail from people they don't know yet. Impede that feature and you impede business.

Re:

[masonc]

We are required to pay $10 or so per year to maintain a domain name. If we had to pay $10/year to register an SMTP server, spam would be virtually eliminated, as it would require being up front about operating a mail server. All that would have to happen would be to only accept mail from registered mail servers for the domain they are registered for.
Spambots would not function any more. I don't know why this is so difficult to put in place.

Re:

[Kent Recal]

Yes there are technical solutions and they're not even hard to implement.

One trivial approach would be mandatory message signing (cryptographic identity) combined with challenge/response.
Whenever someone wants to mail you for the first time your mail server would, depending on your preference, either ask them to solve a captcha or you to permit mail from that sender.

From that point on the sending identity would be on your whitelist and you could exchange mail freely.

This can be built today, on top of freely

Re:

[Dekortage]

One trivial approach would be mandatory message signing (cryptographic identity) combined with challenge/response. Whenever someone wants to mail you for the first time your mail server would, depending on your preference, either ask them to solve a captcha or you to permit mail from that sender.

While challenge/response is a sure-fire solution to spam technologically, it utterly fails on the social level. Most people HATE challenge/response. Many web sites specifically state that their operators will not

Re:

[Kent Recal]

I think you're confusing the half-baked challenge solutions of today with what a properly designed solution could do.
Yes, C/R is annoying when you have to sift through your mailbox to separate spam from Challenges. When they look like any other E-Mail with not even a standard formatting to identify them. When the procedure varies between clicking a link, replying or even quoting some gibberish text from the mail (oh and don't get it wrong or it won't work), etc.

C/R would be widely accepted if you think more

Re:Idiots better get off their ass

[Dekortage]

Yes, C/R is annoying when you have to sift through your mailbox to separate spam from Challenges. When they look like any other E-Mail with not even a standard formatting to identify them. When the procedure varies between clicking a link, replying or even quoting some gibberish text from the mail (oh and don't get it wrong or it won't work), etc.

C/R is annoying because people want their messages to be delivered, without additional work. It's not even that I have to scan a spambox, or that they look like any other e-mail. It's that I have do to ONE MORE THING to have the message delivered. If this had been the way e-mail worked originally, then people might accept it; but now, everyone is used to sending e-mail and having it arrive without interruption (generally speaking).

C/R would be widely accepted if you think more of the way skype does it. A simple dialog box, one click, done. This is the kind of integration I'm thinking of and I'm pretty convinced that even people like Mr. Pogue would happily accept it if it reduces their spam input to zero.

Respectfully, I'm pretty convinced that it will not work unless the spam problem becomes so excessively bad that people are willing to change their e-mail habits. We are not yet to that point, thanks to all the other half-baked anti-spam solutions out there.

Re:

[Kent Recal]

C/R is annoying because people want their messages to be delivered, without additional work. It's not even that I have to scan a spambox, or that they look like any other e-mail. It's that I have do to ONE MORE THING to have the message delivered. If this had been the way e-mail worked originally, then people might accept it; but now, everyone is used to sending e-mail and having it arrive without interruption (generally speaking).

Well, I guess we have to agree to disagree. "Without additional work" is ign

Re:

[Dekortage]

Yes, we'll have to disagree. It is alright.

...the risk of mail getting lost in someone's spam-folder or a company's misconfigured spamfilter...

This risk is not solved by C/R, unfortunately.

People who depend on receiving cold contacts or who just deal with a lot of mail regularly will (by my expirience) mostly agree that the spam problem couldn't get much worse than it is today.

I've been sending and receiving e-mails for nearly 30 years, I have more than a dozen e-mail accounts and hundreds more e-mail

Re:

[ahodgson]

and there is simply no way of getting people to accept challenge/response on a wide scale

Sending C/R challenges to forged senders IS SPAM. Offloading your problem onto everyone else is not solving it.

Re:Idiots better get off their ass

[martin-boundary]

Why do people say this? SMTP is not broken. It's a low level protocol which works pretty damn well. What people should concentrate on is building higher layers on top of SMTP and RFC2822, rather than complaining about SMTP itself.

This is like complaining that wheels don't protect against being rained on, so cars should be redesigned from scratch.

Re:

[Kent Recal]

If the spam-problem could be solved by tacking a few layers on top of SMTP then why has nobody done it yet?
I can tell you why: because it's not that easy.

The fundamental building blocks for any technical solution to the spam problem are sender identity and challenge/response. Neither can be implemented on top of SMTP. Neither can be implemented as an extension to SMTP without incompatible changes to the protocol semantics.

If you want to insist that SMTP is "not broken" then please present your solution for

Re:

[martin-boundary]

If the spam-problem could be solved by tacking a few layers on top of SMTP then why has nobody done it yet? I can tell you why: because it's not that easy.

I disagree. The problem simply is not well defined. Everybody claims the spam problem is slightly different, and nobody agrees what spam actually is and what spam isn't. That's why it hasn't been "solved" to everybody's satisfaction. There are plenty of partial solutions for specific issues that specific people have, and for many people the

Re:

[Kent Recal]

Sorry, I disagree. The term "spam" is very well defined, you can look it up in pretty much every dictionary.
For 99% of us spam is defined as: Stupid advertisement that I have never requested.

Yes, there are corner cases but claiming that the problem is not well defined not only ignores years of research into that area, it also ignores common sense.

No. SMTP is a store and forward protocol, think of it kind of like TCP but with mail messages instead of packets. Sender identity is irrelevant as is challenge/res

Re:

[martin-boundary]

For 99% of us spam is defined as: Stupid advertisement that I have never requested.

Yes, that's one definition useful for individual users, but not very useful for mail admins. In particular, it leads to inconsistent spam definitions at the level of an organization, because as the number of people increases, the number and types of emails wanted by some (=ham) and not wanted by others (=spam) increases.

Yes, there are corner cases but claiming that the problem is not well defined not only i

Re:

[Kent Recal]

I'll try to keep this short:

1. Admins would not have to keep the identity lists at the MTA up to date. The users do that themselves (their MUA interfaces with the MTA).

2. Trying to implement all this at the MUA level would mean adoption problems (chicken/egg) and networks/servers still bogged down with garbage traffic.

3. The individual definition of spam doesn't matter. Every user grows their own whitelist which would live primarily in the MUA (maybe bundled with that private key file for easy export) and a

Re:

[martin-boundary]

Quick reply, since the slashdot story is already long stale :)

1. Admins would not have to keep the identity lists at the MTA up to date. The users do that themselves (their MUA interfaces with the MTA).

They'll already balk at just keeping any identity list for each user, let alone an updated one :) However, a filtering setup within a MUA is a kind of identity list already.

3. The individual definition of spam doesn't matter.

It does if you expect admins to do some filtering work for the users

Re:

[techno-vampire]

Do we only accept e-mail that hasn't been relayed

I have my own domain, but don't host it myself. My email goes through my hosting company's smtp server, with my address @ my domain. I'm sure there are thousands, if not tens of thousands of other legitmate users like me doing the same thing. If you block all mail that's been relayed, none of us will be able to get email to you. There must be a better way...

Re:

[jonbryce]

I think the answer has to be to invent a completely new messaging system where we learn from the mistakes in email, and don't bother about backwards compatibility.

People would get whatever certificates etc they need from their messaging provider which would be a similar person to their existing email provider.

The problem of course is persuading people to use it, and people won't use it if nobody else is using it.

Re:

[v(*_*)vvvv]

Just to add some perspective:

The problem is that no one has been able to provide a solution

... is, by definition, precisely why:

E-mail is fundamentally broken

In other words, it is fundamentally broken, because it is fundamentally unfixable.

Interestingly however, I would like to argue for the exact opposite. The original intent and nature of email was to be completely open. The fact that it is so *perfect* at being open has made it *impossible* to close parts of it that are no longer desired.

As problem solvers we like to think we can solve problems with solutions, but this is a case where we are

Re:

[Jaime2]

HashCash http://www.hashcash.org/ [hashcash.org]

It penalizes the big guys instead of the small guys, that's why it hasn't taken off. Also, no one seems to want to promote any solution that doesn't put somebody in control of something.

Re:

[pembo13]

How about blocking all emails from gmail servers not coming from an @gmail.com address?

Re:Idiots better get off their ass

[Robotech_Master]

Problem with this is that a lot of people (myself included) use gmail for the ease of use, but prefer to keep their own email address as the return address for various reasons.

Re:Idiots better get off their ass

[martin-boundary]

That's not a problem. That's what the Reply-To: field is for.

Re:

[martin-boundary]

If you've already shelled out for a vanity domain, then you're better off sending your mail directly from your hosting provider's mail servers. It's trivial to forward a copy to your gmail account if you like, and you won't be caught out when gmail change details of their free service etc. in the future.

Re:Idiots better get off their ass

[EdIII]

That sounds logical but it won't work.

The spammers don't care about what their FROM and REPLYTO fields actually say. Since this is a man-in-the-middle attack they could put practically anything with a @gmail.com in those fields and it will render your solution ineffective.

The real problem with this exploit is that it bypasses all of Google's security measures and anything I could do on my end would only verify that the email actually came from a real Google mail server and from a Google email user. So then I can only rely on SPAM filtering based on content which is not as effective as we would all like it to be.

Re:

[njcoder]

Google also has Google Apps which allows you to use your own domain name with GMail.

Re:Idiots better get off their ass

[jrp2]

"How about blocking all emails from gmail servers not coming from an @gmail.com address?"

Won't work.

There are boatloads of people and companies using Google with their own domains. Google Apps, Google Enterprise, etc.

Also, many of the spammers are using gmail addresses. Remember, they don't care about return emails, they just drive people to their websites.

Re:

[jonbryce]

apps.google.com lets you set up gmail on your own domain name. You will be blocking all those people.

Also, for people in England, you will have to allow googlemail.com. Google isn't allowed to use gmail here as someone else owns the trademark.

Re:

[dreamchaser]

"There is no way that I can just block gmail addresses from my mail server given how huge gmail already is"

Why is that exactly? I'm not flaming, I'm genuinely curious. Every business I do work with has their own email system, and the thought of someone using Gmail for business use give me goosebumps so I am not sure blocking it would impact most organizations all that much.

I asked because I don't know why you couldn't temporarily block it. If everyone did then Google would be motivated to fix the problem

Re:

[EdIII]

If you are running a hosting business that specifically does hosted exchange services, hosted terminal server sessions, etc. you cannot tell your clients that they are unable to communicate with somebody, especially a major email provider such as GMail.

The customer does not care about Google and Relaying or any other techno gobbletly gook. They only care that email was being blocked. It is not even a GMail specific thing either. It can be ANYBODY not being able to communicate to them, real or imagined, a

Re:

[dreamchaser]

Thanks for the reply. That makes perfect sense. I just received word that our organization has blocked Gmail until further notice but we can afford to do so.

Whitelists don't work.

[techno-vampire]

This flaw is valuable because it's clear proof that whitelists don't work. No domain is above suspicion when it comes to sending spam. About the only real use the domain can be is as an adjustment to your filters. Done properly, mail from gmail.com is marked as less likely to be spam than mail from cyberpromo.com, but it's still checked.

Re:

[hedwards]

It's not really evidence of that. There have always been ways for enterprising cyber criminals to engage in this sort of activity, it just happens to be more difficult than it used to be.

A proper white list shouldn't include sites which are likely to be insecure, and it shouldn't grant a completely free pass either. Whitelisted domains do still get submitted to checks on well secured servers. DKIM and SPF being pretty much mandatory these days, as well as virus scanning and spam rating as well.

Really the po

Re:

[techno-vampire]

Whitelisted domains do still get submitted to checks on well secured servers.

If so, then what's the use having them? A whitelist is supposed to be a list of trusted addresses or domains, isn't it? If you still have to run them through your spam filter, isn't it a waste of time having one?

Whitelisting is just a means of filtering out as many known bad domains as possible before using more expensive scanning and verification technology.

No, that's not what a whitelist is for. That's a blacklist you'

Re:

[techno-vampire]

Yes. Of course. That's about all a whitelist is good for. Checking it first and then sending everything that passes it through the spam filters is a waste of time, and that's what the original post was suggesting. We may just have a misunderstanding of what the other's thinking of here.

Chronologically impaired?

[Anonymous Coward]

Did anyone else notice that this story appeared AFTER the story above it? I almost missed the story entirely.

Re:

[calebt3]

Yes. I wondered about that...

Re:

[psxman]

Thank you for that, I thought I was going nuts for a minute.

Funny thing...

[bruno.fatia]

Google having an open security-breach doesn't make even to the hundrieth commentary after a few hours.. I wonder how much time it would take to break that mark if the service in question was, say, Microsoft's Hotmail.

They'll fix it if it gets enough bad publicity

[Animats]

Bad publicity made Google fix their open redirector for URLs. Bad publicity will make them fix this.

GMail ought to go back to cell phone authentication for new accounts. Since their capcha was broken, they've become a favorite of spammers.

Blogspot is also a spam haven. Most blogspot blogs are spam, and they can be used as a form of open redirector. Look for spams like: "An IWC watch is a uniquely handcrafted time piece ... http://rexefute51720.blogspot.com/ [blogspot.com]"

Complain loudly, publicly, and often. Google needs to take stronger steps to avoid being a spam conduit.

Re:

[Lincolnshire Poacher]

> Bad publicity made Google fix their open redirector for
> URLs. Bad publicity will make them fix this

Your optimism is like a ray of Sunlight in a dark world, but I
fear it is misplaced.

Many USENET groups are virtually unreadable today because of the
torrent of spam posting originating from Google Groups accounts.
Thousands of users have submitted precise spam reports to Google,
quoting the article-IDs. Result? None. Consequence? USENETters
start to block any and all Google Groups postings
( thou

Re:

[SickHumour]

GMail ought to go back to cell phone authentication for new accounts.

I'm not sure if there's something similar in the US, but in South Africa I can get a mobile SIM card with a phone number capable of receiving calls and text messages for less than the equivalent of US$0.30. They're usually around the checkout counters at large retailers and the number activates automatically in less than 10 minute. It's well-known here that they are used by fraudsters when they want to do any phone-based verification.

Luckily we can tell which numbers are mobile numbers by the first th

Re:

[MMC Monster]

I agree that they should go back to cell phone authentication.

While everyone doesn't have a cell, it really fits into the demographic of people using gmail.

Bad Publicity? Ya THink?

[hyades1]

Goddamned bastards have everything I send to my girlfriend from Google labeled as spam. The IT guy at her firm is a douche bag, but in this case it looks like he might be right.

Google needs to clean up its act.

Re:

[Culture20]

Goddamned bastards have everything I send to my girlfriend from Google labeled as spam.

Maybe you should stop sending her emails on how to maximize her rod?

Re:

[Antique Geekmeister]

Are you sure your 'girlfriend' doesn't think it's 'unsolicited'? It might be a hint that your mail looks like fraudulent advertising.

Re:

[hyades1]

No, we checked all the obvious stuff. And her company isn't one of those that tries to stop employees from receiving personal e-mail, either.

Just a Proof of Concept

[qazwart]

This article doesn't say that Google *is* being used for massive Spam. It's just a proof of concept. Google is aware of this issue, and they may have this fixed before Monday. Then again, this could be something endemic to SMTP, and would happen with any server. It's just that an gmail address is considered free from spam, so it is completely trusted.

The major problem with spam is quite simple: Spam is dirt cheap. I can send out a million spam messages for nothing. As long as I can do that, almost nothing w

Ok, this is how it works..

[BlueParrot]

In a system where the sender initiates information transfer ( such as in e-mail) you have the following problem:

"If you want everybody to to be able to contact you, then you will receive information you do not want."

Conversely, if you have a system where the recipient requests information ( such as for web-pages ) then you have the following problem:

"I you want everybody to be able to get information about yourself, then people you don't like could collect information about you."

There's no way around these very simple facts, the best you can do is to change what you expect from the service. As an example e-mail spam would be rapidly defeated if you limited yourself to only receive information from sources you have approved in advance, but that is to limited for most people. Because we want our friends to be able to give our e-mail addresses to their friends if they have something nice to tell us. Therefore we will get e-mails we don't want. If you want to change this you have to either change your expectations of what e-mail should do, or you have to change the behavior of people sending out spam. The easiest way to do the latter is to penalize business who do it.

whitelisting is inherently wrong.

[awpoopy]

whitelisting a domain, email address or ip address means that you are trusting someone else to make sure their message server (and accompanying mail admin) is doing things right. There's also the possibility, due to pressure from your boss, you're allowing a known spam machine to send you mail and then it's up to you to regex out the spam. Whitelisting allows otherwise blockable items through. Email and webhosting rule #1: "You get what you pay for." If you're using something free to do business, you are sh

Silly question

[HTH NE1]

Does the Information Security Research Team make any memorabilia coins? I imagine an INSERT coin would be quite desirable.

Re:DeBunking?

[peragrin]

last I checked it was 6.5 gigs of storage.

i figure google will have this locked down soon enough though. It's not like they won't notice the sudden burst of traffic. Some guy is going to be working hard tonight.

Re:

[Baumi]

Well, this ruins GMail's major argument.

AFAIK, "We're no spam relay" has never been touted as a major feature of GMail. Why should they do that? No major webmail provider would intenionally do such a thing. (Which, of course, doesn't porevent bugs and screw-ups as, apparently, in this case.)

Re:

[amRadioHed]

Right, so why does that argument no longer apply? I just checked my gmail account and there is as little to no spam as always.

Re:

[osu-neko]

Well, this ruins GMail's major argument. nNw all they have left is "You get 2 GB of storage".

Huh? What argument are you refering to, and how does this ruin it?

The only "argument" I can think you might be refering to is that, by using Gmail, you avoid having to see a lot of spam due to their excellent spam filterings. This doesn't ruin that argument in any way. In fact, since it primary impacts sites like Yahoo and Hotmail (who will see more spam if they continue to whitelist Gmail), it strengthens it. You're now see even less spam using Gmail, comparatively speaking.

Re:Blacklist gmail

[XanC]

Yes, who would do business with such an entity. Probably about as many as would trust their business hosting to a company who declares its home page to be XHTML 1.1 but then serves it as text/html. Not to mention the 88 validation errors.

The point is you can't jump straight for the "nuclear" option. Although to be honest I wouldn't use such a Web host.

Re:

[Antique Geekmeister]

I've previously blocked aol.com and hotmail.com entirely from corporate mail servers, because for the amount of money wasted providing filtering servers and wasting technical person time explaining to users that it was spam or worms, we could hire a phone team to handle any irate clients who had trouble reaching us, and keep my users from having their time wasted indirectly.

The policy came up at review meetings, and was accepted company wide in several environments.

Re:

[megabeck42]

> Yes, who would do business with such an entity. Probably about as many as would trust their business hosting to a company who declares its home page to be XHTML 1.1 but then serves it as text/html. Not to mention the 88 validation errors.

teknopurge, you just got served.

Re:

[teknopurge]

Unfortunately much of the code is autogenerated by a 3rd-party billing system that has invalid embedded HTML in their php variables and code. We don't have access to the source and have made due the best we can. Besides the invalid HTML, the system is good at what it does and is a mature application from a functional standpoint.

On our list of priorities the web-site w3 validation is right below our next marketing effort.

Regards,

Re:

[XanC]

Sorry, that's wrong: http://www.w3.org/TR/xhtml-media-types/#summary [w3.org]

The only time you should serve XHTML as text/html is when it's XHTML 1.0, with special care taken to keep backward compatibility in mind.

And as for 88 errors, well, if you're not going to be valid, why declare a document type? This isn't difficult stuff. That's 88 more errors than there should be.

Re:

[taylortbb]

I would disagree, 0 errors are acceptable. And I don't just do website design as a hobby, I run a business doing it.

Without standards you can't have real competition in the browser market, and it makes it harder to make websites. It's also not hard to write sites that have 0 errors.

Re:Blacklist gmail

[mikeage]

How about 10 errors?

http://validator.w3.org/check?verbose=1&uri=http://www.taylorbyrnes.org/ [w3.org]

Re:

[farker haiku]

to be fair, most of that is from two typos. if he fixes the h4 tags, everything is good.

<h4>Red is Nagivation</h3>
<h4>CISPCA</h3>

Re:

[taylortbb]

I stand by my point that 0 errors are acceptable, hence why it has been corrected. I'll admit you got me there, I made a typo on that one page and it wasn't valid. I actually wish browsers would follow the standard for XML and stop parsing once an error is encountered. I would have noticed without someone pointing it out or waiting until I re-checked it for standards compliance.

Re:

[taylortbb]

I don't think I'm a self righteous prick for making a mistake. I strive for 0 errors (all my other pages were valid), and I correct errors as soon as I'm aware of them. I will come out and state that my website had an unacceptable number of errors. I'd be a self righteous prick if I thought it was okay for my page to have the 2 typos (which produced 10 errors), but not for other people to have errors. Mistakes happen, it's the people that think they don't need to be fixed I disagree with.

Re:

[KGIII]

I think that the problem may be that there are still too many people who believe the jargon... "Do no evil." (Or something to that effect at any rate...)

parent, INSIGHTFUL?

[wamatt]

What planet are you from? No self respecting ISP in the world would try pull that.

You going to go an make some ideological bullshit point and piss all over your customers when it's not going to make the slightest difference to Google.

Go right ahead!

Re:

[Anonymous Coward]

You might wanna check this:Why are you blacklisting Gmail? [dsbl.org]

Re:

[mrbluze]

im not really surprised that you're not really surprised

Re:

[Aladrin]

I don't know what you mean by 'advertised', but it is listed in the help documentation. It's quite a pain in the rear for businesses trying to legitimately use a Google Apps-hosted domain to send mail to thousands of customers. It's one of the very few things we dislike about the service.