Researchers See Gmail “Spam And Phishing Threat”

    May 12, 2008

So long as it winds up in the trashcan, spam isn’t too much of a problem for end users. Yet security researchers have discovered a way in which spammers could use Gmail to send a massive number of messages straight into inboxes.

The Information Security Research Team (INSERT) came across a problem and wrote, "We were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages)."

INSERT’s Report

The team later continued, "Additionally, we were able to use this vulnerability to forward messages that originally were classified as spam directly to a victim’s inbox effectively bypassing filters."

Details remain fuzzy – in huge, all-capital letters, the phrase "omitted as a courtesy to Google" appears throughout INSERT’s report. Still, spammers delight in anything-you-can-do-I-can-do-better displays, so even if the public doesn’t pick up on what took place, some element may.

This development comes as the latest part of a discouraging pattern: in the last three months, Gmail’s traditional and audio captchas have both been broken. But on the bright side, Google’s Matt Cutts recently shared some of what his company knows about different types of spam.