Google Mail can distribute spam
Researchers from the American-Brazilian Information Security Research Team (INSERT) have discovered a vulnerability in Google's Gmail email service that allows Gmail accounts to be used to send unlimited quantities of spam. Messages sent using the web interface can usually be sent to a maximum of 500 users, but the researchers claim to have sent emails to more than 4000 recipients simultaneously using their proof of concept program. They succeeded in assigning arbitrary sender addresses to their messages. Any blacklist-based spam filters on recipients' mail servers would fail to block these messages, as they appear to originate from the generally trusted Google service.
Without detailing the procedure further, the researchers state that they made use of Gmail's forwarding function, and the process requires more than one computer with access to TCP ports 25 (SMTP) and 80 (HTTP). The researchers used a single Gmail account for their tests and succeeded in sending eleven messages per minute. A user controlling multiple accounts could easily achieve the output of a small botnet. According to INSERT, Google has been informed of the vulnerability. The team does not intend to publish further details until a response has been received from Google.