“Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google’s SMTP service without fear of detection. This attack bypasses both Google’s identity fraud protection mechanisms and the current 500-address limit on bulk e-mail.”
The original article points out: “As of 3:00 PM today 5/12/2008, the flaw we have reported remains unpatched and exploitable. We have run a new experiment where we were able to use our attack to send 2,000 messages using one Gmail account.
We would like to clarify to the security community that we have contacted Google about the issue more than a week ago and no response was provided despite our clear intent of cooperation regarding this matter.”
styshop.com and fly6688.com are scams. Both somehow hijacked my Gmail account, but Gmail removes the sender’s origin IP, which makes tracking the breach difficult.
Sorry guys. All my Gmail contacts just got spammed again, courtesy of something calling itself styshop.com. It’s the same thing that happened on January 1, but that time the company was using fly6688.com. They’re the same vile organization, and I still don’t know how they perpetrate their crimes.
In both cases the message actually was sent via my Gmail account. Not a forged header, but really sent via my account. That means that either
(1) the jerks have a trojan app running on one of my machines, or
(2) the jerks have hacked into my Gmail account.
I’m guessing it’s (2) because (I think) the only machine on the network with Gmail credentials is a new laptop. But then (1) is also a candidate, since I’ve changed my password since the last bomb.
But I can’t tell, because Gmail strips off the sender’s origin IP. Boo, Gmail.
GMAIL SHOULDN’T STRIP OFF SENDER’S ORIGIN IP.
Received: by 10.70.78.7 with HTTP; Wed, 14 May 2008 09:58:15 -0700 (PDT)
Message-ID:
Date: Thu, 15 May 2008 00:58:15 +0800
From: "Israel LHeureux"
Reply-To: email@example.com
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, "firstname.lastname@example.org"
Yahoo includes a “Received: from IP” header.
This makes it easy to see where the message originated. Yea! yahoo!
From Bessie Wilkes Mon Jan 18 19:14:07 2038
Return-Path:
Authentication-Results: mta293.mail.mud.yahoo.com from=yahoo.com; domainkeys=neutral (no sig)
Received: from 18.104.22.168 (HELO mta293.mail.mud.yahoo.com) (22.214.171.124) by mta293.mail.mud.yahoo.com with SMTP; Mon, 21 Apr 2008 02:43:31 -0700
Received: from 126.96.36.199 by ; Mon, 21 Apr 2008 06:34:04 -0300
Message-ID:
From: "Bessie Wilkes"
Reply-To: "Bessie Wilkes"
To: email@example.com
Subject: Top high-quality meds- Cialis,Viagra Online
Date: Tue, 19 Jan 38 03:14:07 GMT
With Yahoo Mail, I can see the sender’s origin IP (188.8.131.52) and use whois to trace that IP back to Hanaro Telecom in Seoul, Korea.
With Gmail, I see that the mail originated…by HTTP.
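To make the difference concrete, here is an added Python example (my own, not from this post or from Google/Yahoo) that walks a message’s Received: chain from the oldest hop and reports either the client IP that a Yahoo-style header records, or the fact that a Gmail-style “by … with HTTP” hop records no client address at all. The sample headers are constructed, modelled on the two messages above, with IPs from the documentation ranges.

```python
import re
from email import message_from_string

# Constructed sample headers (not the post's own); IPs are RFC 5737 documentation addresses.
GMAIL_STYLE = (
    "Received: by 10.70.78.7 with HTTP; Wed, 14 May 2008 09:58:15 -0700 (PDT)\n"
    "From: sender@example.com\n"
    "To: victim@example.org\n"
    "Subject: test\n\n"
)
YAHOO_STYLE = (
    "Received: from 203.0.113.5 (HELO mta.example.net) (203.0.113.5)\n"
    "  by mta.example.net with SMTP; Mon, 21 Apr 2008 02:43:31 -0700\n"
    "Received: from 198.51.100.17 by ; Mon, 21 Apr 2008 06:34:04 -0300\n"
    "From: sender@example.com\n"
    "To: victim@example.org\n"
    "Subject: test\n\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Split one unfolded Received: value into its from/by/with clauses and IPv4 literals."""
    clause, _, _stamp = value.partition(";")  # the date after ';' is not needed here
    m_from = re.search(r"\bfrom\s+(\S+)", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    m_with = re.search(r"\bwith\s+(\S+)", clause)
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "with": m_with.group(1).upper() if m_with else None,
        "ips": IPV4.findall(clause),
    }

def origin_of(raw_message):
    """Report where the mail entered the chain, judged from the oldest Received: hop.
    Returns ("ip", addr) when that hop names a client address, ("webmail", proto) when
    it is a 'by ... with HTTP'-style submission with no client address, else ("unknown", x).
    Caveat: only hops added by servers you trust are reliable; earlier ones can be forged."""
    msg = message_from_string(raw_message)
    # Unfold each header (join continuation lines) before parsing.
    hops = [parse_received(" ".join(v.split())) for v in msg.get_all("Received", [])]
    if not hops:
        return ("unknown", None)
    oldest = hops[-1]  # Received: headers are prepended, so the last one is the oldest hop
    if oldest["from"] is None and oldest["with"] in ("HTTP", "HTTPS"):
        return ("webmail", oldest["with"])
    if oldest["ips"]:
        return ("ip", oldest["ips"][0])
    return ("unknown", oldest["from"])
```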
k thx bye.
Change my password again. Look for trojans again. I just wish Gmail would give me satisfaction.
In the spirit of Derek Trotter (411Eater), I’ve also contacted the gentleman at the site “tomtom”, firstname.lastname@example.org. He’s currently helping me with a DVD player, but I suspect the transaction won’t actually go through.
Hey tools, knock it off:
styshop.com is registered by wei li (email@example.com). No address.
fly6688.com is registered by wang le (firstname.lastname@example.org) +299.1087625690 West Century Boulevard Inglewood, CA 16783 Los Angeles, MI 85052-8119
forestdj168.com is registered by wang tao (email@example.com) +1.12017752711 washington, WA 07322