A "serious security flaw" in Gmail turns Google’s e-mail service into a spamming machine, according to a recent security report.
INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards email messages, a spammer can send thousands of bulk e-mails through Google’s SMTP service, bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.
Since email providers like Gmail are "auto-whitelisted" by ISPs and blocklist providers, the spam messages sent from Gmail are not looked upon with suspicion by many anti-spam technologies, which further magnifies the risk.
The INSERT report suggests that it does not require a rocket scientist to exploit this flaw:
In this regard, this document presents a vulnerability report and a proof of concept attack that demonstrate how anyone with no special internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail Account in order to be granted nearly unrestricted access to Google’s massive white-listed SMTP relay infrastructure
At the time of this writing, Google has not offered any official comment.