A flaw in how Google mangles message body Message Body headers permits attackers to forge their sender identities, making it seem that their e-mail messages originate on Gmail servers. Apparently, other big webmail providers trust Gmail, so messages originating there are given less of a chance to fall into spam traps. This means, in practice, that spam sent by exploiting this flaw has (much) better chance to reach its intended destination. Ironically, Gmail processes headers to try and avoid such issues.
This is not the first flaw of its kind, nor will it be the last.
However, it serves well as an example of an underlying problem: SMTP (the service and protocol used for e-mail sending) was not designed with sender authentication in mind, nor is it secure in any sense. In fact, the very feature used in this attack – that servers are required to bounce undeliverable messages back to their senders, so that the sender may know when a message has not reached its intended destination, is an example. There is no way (in the SMTP protocol) for a server to ascertain the identity of the sender, so servers bounce undeliverable messages to the e-mail address listed in the Reply-to: header, _regardless_ of where it might be.
The various hacks and workarounds employed by mail server administrators (such as Google) to deal with such problems are just that – hacks. While deviating from the SMTP standard, they do nothing to address the underlying problem, but add complexity (and thus potential
vulnerabilities) in the process.
What’s more, people seem to be unable to agree on what spam really is – to some it’s just unsolicited commercial messages, to others pleas for alms or religious exhortations may also be spam.
Intelligent, user-trainable mail filtering agents at every MUA (mail user agent) are, so far, the only solid solution the tech community has been able to come up with. The only questions are: ‘When will people finally accept that filtering is properly done at the recipient?’ and ‘How smart can we really make those agents?”