Bugtraq mailing list archives

Re: Exploiting Google MX servers as Open SMTP Relays

From: "Todd T. Fries" <todd () fries net>
Date: Sat, 10 May 2008 13:04:42 -0500

Yes this is very frustrating.

The details are not so hard to guess.  Unless this post is different,
anyone can send an email to a nonexistent user at a google service and
they accept it and bounce back to the envelope recipient. *sigh*.

We are going back to the stone age by copying qmails default stupidity.

This is doing very much harm.

I would even go as far as to say that Google is making a business case for
its latest purchase, postini, in a very evil way, every second this proble
goes unsolved.

*sigh*
-- 
Todd Fries .. todd () fries net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \  1.700.227.9094 (IAXTEL)
|                                             \          250797 (FWD)
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Penned by Michael Scheidell on 20080510  9:55.32, we have:
| 
| 
| > From: <pablo.ximenes () upr edu>
| > Date: 7 May 2008 20:37:46 -0000
| > To: <bugtraq () securityfocus com>
| > Subject: Exploiting Google MX servers as Open SMTP Relays
| > 
| > 
| > Vulnerability Report:
| > 
| > As part of our recent work on the trust hierarchy that exists among email
| > providers throughout the Internet, we have uncovered a serious security flaw
| > in Ggoogle's free email service, Gmail.
| > 
| > Disclosure:
| > We have contacted Google about this issue and are waiting for their position
| > before releasing further details.
| > 
| 
| Don't hold our breath.. I have tried to get them to close this very hole for
| maybe a year now.
| 
| (see/'google' for posts in bugtraq and spamassassin users group showing
| headers from unrelated domains sending spam through google mail servers..
| They ignore the emails to abuse () google com)
| 
| 
| -- 
| Michael Scheidell, CTO
| >|SECNAP Network Security
| Winner 2008 Network Products Guide Hot Companies
| FreeBSD SpamAssassin Ports maintainer
| 
| _________________________________________________________________________
| This email has been scanned and certified safe by SpammerTrap(r). 
| For Information please see http://www.spammertrap.com
| _________________________________________________________________________

Current thread:

Exploiting Google MX servers as Open SMTP Relays pablo . ximenes (May 07)
- Re: Exploiting Google MX servers as Open SMTP Relays Michael Scheidell (May 10)
  - Re: Exploiting Google MX servers as Open SMTP Relays Todd T. Fries (May 10)
    - Re: Exploiting Google MX servers as Open SMTP Relays Todd T. Fries (May 10)
    - Re: Exploiting Google MX servers as Open SMTP Relays Lamont Granquist (May 12)
    - Re: Exploiting Google MX servers as Open SMTP Relays Clifton Royston (May 12)
    - Re: Exploiting Google MX servers as Open SMTP Relays Bojan Zdrnja (May 12)
- Re: Exploiting Google MX servers as Open SMTP Relays Gadi Evron (May 10)
- <Possible follow-ups>
- Re: Re: Exploiting Google MX servers as Open SMTP Relays pablo . ximenes (May 12)
- Re: Re: Re: Exploiting Google MX servers as Open SMTP Relays pablo . ximenes (May 21)