• The Gmail SMTP Relay Service Exploit

    #2443520

    https://www.avanan.com/blog/the-gmail-smtp-relay-service-exploit

…An SMTP relay service can be a valuable service for organizations that like to send out mass emails. Essentially, businesses use SMTP relay services, of which there are many, to send marketing messages to a vast database of users without being blocklisted. Utilizing trusted SMTP relay services ensures messages get delivered…

    However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate…

    Attack

    In this attack, hackers are taking advantage of Google’s SMTP Relay service to send spoofed emails.

    Hackers can utilize any Gmail tenant, from small companies to large, popular corporations. This works when DMARC=reject is not set up.

    Once spoofed, they can send out phishing emails that are more likely to get into the inbox, as it leverages the inherent trust of legitimate brands.

Once in the inbox, hackers hope that end-users will click on a malicious link or download a malicious document, to steal credentials…

    Prevent spam, spoofing & phishing with Gmail authentication

    Set up SPF, DKIM & DMARC for your organization

    • This topic was modified 3 years ago by Alex5723.
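To make the article's "works when DMARC=reject is not set up" point concrete, here is an added example (my own code, not Avanan's or Google's) that evaluates DMARC identifier alignment for the scenario described: a relayed message whose SPF and DKIM pass for one tenant's domain while the visible From: header carries another brand's domain. All domain names are constructed placeholders, and the organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List.

```python
from typing import Optional

def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Parse a DMARC TXT record into a tag dict; None if absent or not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain: str) -> str:
    # Simplification: organizational domain = last two labels.
    # A real evaluator consults the Public Suffix List (co.uk etc.).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain: str, dmarc_record: Optional[str],
                      spf_pass: bool, spf_domain: str,
                      dkim_results: list) -> str:
    """Return 'pass', the published policy (none/quarantine/reject),
    or 'no-policy' when the From: domain publishes no DMARC record."""
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        return "no-policy"   # SPF/DKIM of the relay alone decide; From: is unchecked
    spf_aligned = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                       for d, result in dkim_results)
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags["p"].lower()

# Constructed scenario: the relay's IP passes SPF and DKIM signs for the sending
# tenant's domain, not for the brand shown in From:. Only the brand's policy decides.
def relayed_spoof(from_domain: str, brand_dmarc: Optional[str]) -> str:
    return dmarc_disposition(from_domain, brand_dmarc, spf_pass=True,
                             spf_domain="other-tenant.example",
                             dkim_results=[("other-tenant.example", "pass")])
```

With no record or p=none the spoofed From: is delivered on the relay's own authentication; only p=reject (or quarantine) on the impersonated brand's domain turns the unaligned result into a rejection.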
    • #2443655

      Thanks, Alex. This may explain a lot:

      I have found already two cases where I received an email that looked perfectly OK, supposedly from a trustworthy organization I have dealings with, but they look suspicious because they were unusual in what they were contacting me about.

The first time was one email I started a thread about here recently, supposedly from AOL (don’t ask), my email provider. It looked OK but made no sense to me, given what I do. More recently, it was a letter from a technical publication in my own professional field, sent to my NASA address, asking me to join their board of editors. This in itself is not that unusual, although this was not from a publisher of a journal I subscribe to. But when clicking on a link to find out more about this, one of my browser’s protective addons put up a dire warning that the site was not safe, something that, if the email were legitimately from the alleged sender, should never have happened.

So I backed away double-quick and immediately scanned the SSD with both Intego, my AV, and Malwarebytes, with negative results. Everything seems to be still normal, but it looks like it was a close one.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2443878

      That is a very poor article, more click bait than info.

      It assumes, without stating, that a bad guy has managed to authenticate with the SMTP relay. This is not possible if the relay uses standard security practices, unless a machine at the sender has been compromised, in which case the whole article is moot.

      cheers, Paul

      • #2443994

The thing is that, however this is being done, it also raises the important issue that receiving phishing emails so very realistically made that one has to be a bit paranoid to suspect they are phishing bait fakes is actually happening now (and maybe it is a new thing), as those examples of my own recent experiences in my previous comment seem to illustrate.


        • #2443999

          It’s (very) old news. Open relays were a thing 30 years ago, nothing has changed.

          cheers, Paul

          • #2444003

            But it does not have to be done using open relays. There may be other ways to do this. That was my point. Someone in another thread mentioned taking legitimate business emails, making copies (emails being files after all) and “repurposing” them to make very convincing phishing bait.


            • #2444010

              But it does not have to be done using open relays. There may be other ways to do this.

              But THIS thread is about SMTP Relay Service Exploit, NOT “other ways to do this.”
