fyi: post in bugtraq. You may wish to look for and remove any whitelists
based on google, googlegroups, or gmail accounts until google fixes this.

Michael Scheidell, CTO
>|SECNAP Network Security

Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

------ Forwarded Message
> From:
> Date: 7 May 2008 20:37:46 -0000
> To:
> Subject: Exploiting Google MX servers as Open SMTP Relays
> Vulnerability Report:
> As part of our recent work on the trust hierarchy that exists among email
> providers throughout the Internet, we have uncovered a serious security f=

> in Ggoogle's free email service, Gmail. This vulnerability exposes Google=

> email servers in a way that allows an attacker to use them as open spam a=

> phishing relays. This issue is related to the risk of a malicious user ab=

> Gmail's email forwarding functionality. This is possible because Gmail's =

> forwarding functionality does not impose proper security restrictions dur=

> its setup process and can be easily subverted. By exploiting this problem=

> attacker can send unlimited spam and phishing (i.e. forged) email message=

> that are delivered by Google's very own SMTP servers. Since the messages =

> delivered by Google's own servers, an attack based on this flaw is able t=

> bypass all spam filters that are based on the blacklist / whitelist conce=

> We were able to confirm that this vulnerability is indeed exploitable b
> y crafting a proof of concept attack that allowed us to send any number =

> forged email messages without restriction through Google's server
> infrastructure. We have also verified that this flaw allows attackers to
> bypass spam filters by using our method to send messages that are usually
> flagged as spam. While sending these messages directly from our network i=

n the
> traditional way had the messages classified as spam, by sending the very =

> messages using our exploit, the messages were delivered directly to the
> victim's inbox, thus bypassing filters.
> Impact:
> All email providers that offer Google's SMTP servers any special level of
> trust (e.g. whitelist status) are vulnerable.
> Disclosure:
> We have contacted Google about this issue and are waiting for their posit=

> before releasing further details.
> For more information, visit our homepage:
> Regards,=20
> Pablo Ximenes, Andr=E9 dos Santos
> INSERT - Information Security Research Team
> University of PR at Mayaguez (UPRM), USA
> State University of Cear=E1 (UECE), Brazil

------ End of Forwarded Message

__________________________________________________ _______________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see
__________________________________________________ _______________________