The spammers just never give up, and here’s another trick the email security guys probably didn’t see coming.
Researchers at the appropriately named INSERT (as in ‘man-in-the-middle’) exploited an undisclosed flaw to bypass Google’s per-account sending limits, pushing 4000+ messages out of a single Gmail account. It was only a proof-of-concept, but a gaping hole for all that.
According to the security boffins at INSERT, Yahoo and Hotmail tend to trust Gmail traffic (that is, they apply fewer security filters to it), as you might assume they would; Gmail is a pioneer of spam filtering and is rated as successful at stopping the scourge. It’s one of those invisible things called a ‘trust hierarchy’ that makes the email experience for ordinary users ‘just work’.
So the messages were given special treatment by Gmail’s sibling mail services and passed on, apparently unfiltered, simply because they had already got out through Gmail’s own outbound checks. Should Yahoo and Hotmail spot that a single Gmail account is spouting spam? Probably.
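Added illustration (my own code, not the researchers’ or any mail provider’s): a toy receiving-side filter that shows the weak setting the post describes, where a trusted sending domain switches content checks off entirely, next to a hardened version in which domain trust only discounts the content score and every individual sender is still held to a sliding-window rate limit. The trusted-domain list, score threshold, rate limit and the sample traffic are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumed whitelist standing in for the "trust hierarchy": mail from these sending
# domains gets a lighter touch at the receiving provider. Hypothetical setting.
TRUSTED_DOMAINS = {"gmail.com"}
SPAM_THRESHOLD = 0.7   # assumed cut-off on a 0.0 (clean) .. 1.0 (spammy) content score


@dataclass(frozen=True)
class Message:
    sender: str           # envelope sender address
    ts: int               # arrival time in seconds (constructed)
    content_score: float  # output of some content classifier (assumed, not a real API)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def naive_verdict(msg: Message) -> str:
    """Weak setting: a trusted sending domain switches content filtering off.
    Anything that got out of the trusted provider is delivered as-is."""
    if sender_domain(msg.sender) in TRUSTED_DOMAINS:
        return "deliver"
    return "spam" if msg.content_score >= SPAM_THRESHOLD else "deliver"


class RateAwareFilter:
    """Hardened setting: domain trust only discounts the content score, never
    bypasses filtering, and each individual sender is held to a sliding-window
    rate limit regardless of how trusted its domain is."""

    def __init__(self, rate_limit: int = 50, window: int = 3600, trust_bonus: float = 0.2):
        self.rate_limit = rate_limit    # max messages per sender per window (assumed)
        self.window = window            # window length in seconds
        self.trust_bonus = trust_bonus  # score discount granted to a trusted domain
        self.history: dict[str, deque] = defaultdict(deque)  # sender -> recent arrivals

    def verdict(self, msg: Message) -> str:
        recent = self.history[msg.sender.lower()]
        recent.append(msg.ts)
        # drop arrivals that have aged out of the window (traffic arrives in time order)
        while recent and recent[0] <= msg.ts - self.window:
            recent.popleft()
        if len(recent) > self.rate_limit:
            return "throttle"  # one account spouting mail: hold it whatever its domain
        score = msg.content_score
        if sender_domain(msg.sender) in TRUSTED_DOMAINS:
            score -= self.trust_bonus
        return "spam" if score >= SPAM_THRESHOLD else "deliver"


def build_sample() -> list[Message]:
    """Constructed traffic, in arrival order: a normal Gmail user, one obviously spammy
    message from an untrusted domain, and a single Gmail account bursting 200 messages
    whose text is mild enough that content scoring alone does not catch it."""
    msgs = [Message("alice@gmail.com", 100, 0.1),
            Message("alice@gmail.com", 500, 0.1),
            Message("promo@example.net", 700, 0.9),
            Message("alice@gmail.com", 900, 0.1)]
    msgs += [Message("relay42@gmail.com", 1000 + 10 * i, 0.6) for i in range(200)]
    return msgs


def tally(verdict: Callable[[Message], str], msgs: Iterable[Message]) -> Counter:
    """Run a verdict function over the traffic and count the outcomes."""
    return Counter(verdict(m) for m in msgs)


if __name__ == "__main__":
    sample = build_sample()
    print("naive   :", dict(tally(naive_verdict, sample)))      # 203 delivered, 1 spam
    print("hardened:", dict(tally(RateAwareFilter().verdict, sample)))  # 53 delivered, 150 throttled, 1 spam
```

The point of the hardened version is that a domain-level whitelist treats a whole provider as one reputation, while the abuse here is a single account; keying the rate limit on the sender address rather than the domain is what lets the receiver notice one Gmail account misbehaving without distrusting Gmail as a whole.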
This flaw isn’t as obvious as the recent breaking of the Google CAPTCHA system, but it is part of the same spam ecosystem: break CAPTCHA to create throwaway accounts that act as spam relays, then break whitelisting to get their messages through trust-based filtering.
None of this affects the corporate email gateway directly: it won’t trust mail from any of those services automatically, unless it sits behind a third-party filtering service that does. The indirect effect is simply the cost of the services needed to filter the spam these accounts generate. I suppose we already know about that.
Nevertheless, the rise of ‘free’ email has turned out to be anything but free, and the bill is still landing on the desks of the wrong people.