The Information Security Research Team, a joint research group effort of the University of PR at Mayaguez (USA) and the State University of Ceara (Brazil), has revealed a whopper of a problem for Google and for the Internet in general.

The team has found a vulnerability in Gmail, Google's free mail system, that allows a spammer to send unlimited and unfiltered messages through Google's SMTP servers. Google imposes no limits on the number of messages sent through this method, and INSERT claims that any message header contents can be forged using it.

The real problem here is not that you can send spam, but that it comes through Google's SMTP servers. Server-based reputation is one of the principal methods by which e-mail is filtered. Known bad servers are blacklisted and known good servers are whitelisted. Google's servers are not only likely to be assumed as good, but their high volume argues for whitelisting them so as to lower the filtering load.

INSERT says that it contacted Google a week ago about it and has received no response. The disclosure omits details of the vulnerability, but that will change this weekend when the team presents at SBSEG'2008 and reveals all. Watch out for more news on this soon.