Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

gmail pipe character inconsistencies and fun

From: "com|com pipecharacter" <pipecharacter () gmail com>
Date: Sun, 4 Oct 2009 10:53:08 -0400
Gmail will not let you send email to an email address with a | in it. It
just goes directly to /dev/null. For good reason - it doesn't belong in an
email address. It will not let you create an email address that uses it, and
if you use google apps, you can't create a "group" or mailing list with it
in it.

For some reason google's smtp servers are more than willing to accept an
email from (or to) an email address with the pipe character in it. So if you
start sending someone annoying emails to someone from an email address like
"com|buggingyou () example com", they might try to send your emails straight to
the trash. So they click on the downward arrow in the top right, click on
"filter messages like this", see "com|buggingyou () example com" in the "From:"
field, click on "Next Step >>", delete it, and create filter. Now a huge
chunk of their email will go into the trash. If they clicked "Also apply
this filter to ...", they even delete a huge chunk of the email they already
had.

If course there is a search in the last step, but if you have it filled up
with your junk email they might never even notice what they are doing.

Is this a huge security flaw? Of course not. It still shouldn't exist. The
truth is it doesn't concern me at all.

What really bothers me is what I said above, that you can also send TO an
email address with a pipe character in it. I use a catchall on my google
apps domain, and I control spam by taking all of the fake email addresses
spammers have generated and create an empty mailing list with those names.
Now their spam gets rejected by the smtp servers, and they know they aren't
getting anywhere. My spam box tends to stay empty.

That is, until a spammer started sending email to an email address with | in
it. I can't do anything to stop them. Google is impossible to talk to, so I
had to create a fake vulnerability to get people outside google interested
in it. The original "vulnerability" I talked about does exist, and I'm sure
people could have some fun with it.

Which reminds me, here is another "vulnerability". If you want to spam
someone with a google apps domain and a catchall, they can't block you if
you send email to an email address with a | in it!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: