Wednesday, December 12, 2007

Spammers Penetrate Gmail Spam Filters

I've discussed this in the past, but there are serious security issues with GMail, namely that the email forwarding feature allows spammers to deliver directly into a user's inbox. The trick works best against Gmail accounts, because Google applies less scrutiny to emails sent within its own system than to those sent from third-party email services like Hotmail/Live, Yahoo, etc.

Here's how it works:

Using Gmail to Bypass Spam Filters

  1. Spammer creates a new Gmail account with a random but credible-looking name.

  2. Spammer whitelists their spam address in the account, so that their messages will always go to the inbox.

  3. The spammer then uses GMail's email forwarding setting to forward all emails to a target's address. This means all messages sent to the spam account will be forwarded on to the victim's address.

  4. Spammer does this for all their spam targets (mass-creates one Gmail account for each victim).

  5. Spammer then sends their spam emails out to all the Gmail addresses they created, which forward them on to the targets' addresses.

What Happens?

Basically, the spammer gets a list of Gmail users to spam, and then mass-creates Gmail accounts that will auto-forward all emails to users on the list. The spammer then sends their spam emails to those Gmail accounts, which forward the email on and bypass the spam filter altogether. The victim gets the spam message delivered straight to their inbox, because Google treats it as mail the user forwarded to themselves, and because it's all handled within Google's own platform, less scrutiny is put on it.

How Can Google Fix This?

Simple! Google should make users confirm the email address they wish to forward emails to, which ensures that you can only auto-forward emails to an account you own or control.
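The confirmation step proposed above, as an added example that is not Gmail's code: a forwarding target only takes effect after the recipient of the confirmation mail returns an HMAC-bound, expiring token, so an account holder cannot point forwarding at an address they do not control. The class and method names are hypothetical.

```python
import hmac
import hashlib


class ForwardingRules:
    """Forwarding targets must be confirmed by the target mailbox before use."""

    def __init__(self, secret_key: bytes, ttl_seconds: int = 86400):
        self._key = secret_key          # server-side secret for token MACs
        self._ttl = ttl_seconds         # how long a confirmation link stays valid
        self._pending = {}              # (account, target) -> expiry timestamp
        self._confirmed = {}            # account -> confirmed forwarding target

    def _token(self, account: str, target: str, expiry: int) -> str:
        # Bind the token to the exact account/target pair and its expiry.
        msg = f"{account}|{target}|{expiry}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request_forwarding(self, account: str, target: str, now: int) -> str:
        """Record a pending request; the returned token is mailed to target only."""
        expiry = now + self._ttl
        self._pending[(account, target)] = expiry
        return self._token(account, target, expiry)

    def confirm(self, account: str, target: str, token: str, now: int) -> bool:
        """Activate forwarding only if the target mailbox presents a valid token."""
        expiry = self._pending.get((account, target))
        if expiry is None or now > expiry:
            return False                # never requested, or link expired
        if not hmac.compare_digest(token, self._token(account, target, expiry)):
            return False                # forged or mismatched token
        del self._pending[(account, target)]
        self._confirmed[account] = target
        return True

    def deliver(self, account: str) -> str:
        """Return the mailbox a message to `account` is actually delivered to."""
        return self._confirmed.get(account, account)


if __name__ == "__main__":
    # Constructed sample flow: forwarding is inert until the target confirms.
    rules = ForwardingRules(b"constructed-demo-key", ttl_seconds=3600)
    tok = rules.request_forwarding("throwaway@example.com", "victim@example.com", now=1000)
    print(rules.deliver("throwaway@example.com"))                  # throwaway@example.com
    print(rules.confirm("throwaway@example.com", "victim@example.com", tok, now=1500))
    print(rules.deliver("throwaway@example.com"))                  # victim@example.com
```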