Those INSERT guys who've been talking about a GMail security hole allowing spammers to relay spam have released more previously-redacted details here (thanks to the MailChannels blog for pointing that out).
In essence, a spammer sets the "forward to" address in GMail to point at a target address, sends a spam to the GMail account, then changes the "forward to" address to the next target and repeats.
My response:
- it'd be trivial for Google to impose stringent rate limits on "forward to" address changes, and I'd be surprised if they haven't already.
- ditto rate-limiting on the rate of forwarded messages for each GMail account.
- as they say in the paper — if Google required up-front confirmation of the target address before forwarding any mail, that would also cut this out neatly.
- It's worth noting that while GMail's outbound servers may be whitelisted by some recipient sites, other sites are treating them negatively — word on the anti-spam "street" is that GMail is becoming a festering pit of 419 scammers these days.
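To make the three mitigations concrete, here is an added example (my own sketch, not GMail's code or anything from the INSERT paper) of how a web-mail forwarding feature could enforce them: a sliding-window limit on "forward to" changes per account, a second limit on forwarded messages per account, and a confirmation token the new target must echo back before any mail is forwarded. The class names, limits and the `ForwardingLimitExceeded`/`ForwardingNotConfirmed` exceptions are all hypothetical.

```python
"""Added example of forwarding-abuse mitigations (hypothetical, not GMail's code)."""
import secrets
from collections import deque


class ForwardingLimitExceeded(Exception):
    """Raised when a per-account rate limit is hit."""


class ForwardingNotConfirmed(Exception):
    """Raised when mail would be forwarded to an unconfirmed address."""


class SlidingWindowLimiter:
    """Allow at most `limit` events in any `window`-second period."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = deque()  # timestamps of recent events

    def allow(self, now):
        # drop events that have aged out of the window
        while self.events and now - self.events[0] >= self.window:
            self.events.popleft()
        if len(self.events) >= self.limit:
            return False
        self.events.append(now)
        return True


class AccountForwarding:
    """Per-account forwarding state with the three mitigations from the post."""

    def __init__(self, max_changes_per_day=3, max_forwards_per_hour=200):
        # mitigation 1: rate-limit "forward to" address changes
        self.change_limiter = SlidingWindowLimiter(max_changes_per_day, 86400)
        # mitigation 2: rate-limit messages actually forwarded
        self.forward_limiter = SlidingWindowLimiter(max_forwards_per_hour, 3600)
        self.confirmed_target = None
        self.pending_target = None
        self.pending_token = None

    def request_forward_to(self, address, now):
        """Start a change of the forwarding address; returns the token mailed to it."""
        if not self.change_limiter.allow(now):
            raise ForwardingLimitExceeded("too many forward-to changes")
        self.pending_target = address
        self.pending_token = secrets.token_urlsafe(16)
        # design choice: forwarding stops until the new address confirms,
        # so an unconfirmed address never receives a single relayed message
        self.confirmed_target = None
        return self.pending_token

    def confirm(self, token):
        """Mitigation 3: the target proves it wants the mail by echoing the token."""
        if self.pending_token is None or not secrets.compare_digest(token, self.pending_token):
            return False
        self.confirmed_target = self.pending_target
        self.pending_target = None
        self.pending_token = None
        return True

    def forward(self, message, now):
        """Forward one message; refuses unconfirmed targets and enforces the rate cap."""
        if self.confirmed_target is None:
            raise ForwardingNotConfirmed("target address has not confirmed")
        if not self.forward_limiter.allow(now):
            raise ForwardingLimitExceeded("forwarding rate exceeded")
        return (self.confirmed_target, message)


if __name__ == "__main__":
    acct = AccountForwarding(max_changes_per_day=3, max_forwards_per_hour=5)
    token = acct.request_forward_to("target@example.invalid", now=0)  # constructed address
    print("confirmed:", acct.confirm(token))
    print("forwarded:", acct.forward("hello", now=1))
```

With these limits in place the rotate-target-then-send pattern described above fails at every step: the second or third change trips the change limiter, forwarding to an address that never echoed its token is refused outright, and even a confirmed target can only receive a bounded number of messages per hour. The real values for the limits are a policy question; the ones here are placeholders.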