Using XOAUTH SMTP triggers a suspicious account activity report


Philippe Laval

Sep 8, 2011, 4:46:31 AM
to google-app...@googlegroups.com
Our application uses a 3-legged XOAUTH authorization to send emails from our Gmail users' accounts through SMTP.
It worked very well until yesterday. However, since yesterday, our users are told that Google has detected suspicious account activity and they are forced to change their password.

Does that mean that 
- XOAUTH SMTP API should no longer be used to send mail on behalf of a user? 
- we're not using the service as it should be used (we have reproduced the problem by sending one single mail, so it's not a volume issue)?
- it's a bug on Gmail side?

As it's a real annoyance to our users, we have stopped using this API until further news.

Thanks,

Philippe Laval, CEO, Kwaga
WriteThat.Name keeps my address book up-to-date
 

Jay Lee

Sep 8, 2011, 9:07:08 AM
to google-app...@googlegroups.com
Hi Philippe,

  Could you share some example code that you are using to send messages? What is the normal volume going out via SMTP XOAuth for users? (I saw your comment about 1 single email triggering the suspicious activity but the volume might still be important).

  What are the message contents and who are the messages being sent to?

Jay

Philippe Laval

Sep 8, 2011, 9:26:37 AM
to google-app...@googlegroups.com
Hi Jay,

We use it as a referral tool. The user enters one of several friends' emails and we send the following email:

Subject: WriteThat.Name has updated your contact in my address book
Body:
I have just updated your contact in my address book thanks to WriteThat.Name, I think you should try it.
>>WriteThat.Name automatically updates your Gmail/Google Apps address book.
Get started here.
For more info on WriteThat.Name, there is a short video here.
- The Kwaga Team on behalf of philipp...@gmail.com 
Sent to xx...@gmail.com

On average a user refers 1 to 20 emails. And on best days, we sent 100 mails spread on 10 users.

The service runs on AWS:
Received: from 174.129.194.51 (ec2-174-129-194-51.compute-1.amazonaws.com [174.129.194.51])
       by mx.google.com with ESMTPS id a8sm2112451vdj.24.2011.09.08.01.12.58
       (version=TLSv1/SSLv3 cipher=OTHER);
       Thu, 08 Sep 2011 01:12:59 -0700 (PDT)

Here is a code excerpt (just the connection, after it's standard SMTP):

try {
    switch (account.getAuthType()) {
    case OAUTH_3LEGGED:
        props.put("mail.smtp.ehlo", "true");
        // JavaMail's own AUTH and SASL are off; AUTH XOAUTH is issued by hand below.
        props.put("mail.smtp.auth", "false");
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true");
        props.put("mail.smtp.sasl.enable", "false");
        props.put(XoauthSaslClientFactory.OAUTH_TOKEN_PROP, account.getAccessToken());
        props.put(XoauthSaslClientFactory.OAUTH_TOKEN_SECRET_PROP, account.getAccessSecret());
        props.put(XoauthSaslClientFactory.CONSUMER_KEY_PROP, "kwaga.com");
        props.put(XoauthSaslClientFactory.CONSUMER_SECRET_PROP, "XXXXXXXXXXXXXXX");
        props.put(XoauthSaslClientFactory.OAUTH_TYPE, OAuthType.THREE_LEGGED_OAUTH);
        session = Session.getInstance(props);
        auth = OAuthType.THREE_LEGGED_OAUTH;
        consumer = new OAuthConsumer(null, "kwaga.com", "XXXXXXXXXXXXXXX", null);
        break;

    case OAUTH_2LEGGED:
        props.put("mail.smtp.ehlo", "true");
        props.put("mail.smtp.auth", "false");
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true");
        props.put("mail.smtp.sasl.enable", "false");
        props.put(XoauthSaslClientFactory.OAUTH_TOKEN_PROP, account.getAccessToken());
        props.put(XoauthSaslClientFactory.OAUTH_TOKEN_SECRET_PROP, "");
        // In the 2-legged case the stored token/secret pair is used as the consumer key/secret.
        props.put(XoauthSaslClientFactory.CONSUMER_KEY_PROP, account.getAccessToken());
        props.put(XoauthSaslClientFactory.CONSUMER_SECRET_PROP, account.getAccessSecret());
        props.put(XoauthSaslClientFactory.OAUTH_TYPE, OAuthType.TWO_LEGGED_OAUTH);
        session = Session.getInstance(props);
        auth = OAuthType.TWO_LEGGED_OAUTH;
        consumer = new OAuthConsumer(null, account.getAccessToken(), account.getAccessSecret(), null);
        break;

    default:
        throw new KwagaPersistException("Unsuported AuthType " + account.getAuthType());
    }

    session.setDebug(true);

    final URLName unusedUrlName = null;
    SMTPTransport transport = new SMTPTransport(session, unusedUrlName);

    // If the password is non-null, SMTP tries to do AUTH LOGIN.
    final String emptyPassword = null;
    transport.connect("smtp.gmail.com", 587, account.getMailAddress(), emptyPassword);

    // Build the signed XOAUTH initial client response and base64-encode it.
    byte[] saslResponse = XoauthSaslResponseBuilder.buildResponse(account.getMailAddress(), XoauthProtocol.SMTP, account.getAccessToken(), account.getAccessSecret(), consumer, auth);
    saslResponse = BASE64EncoderStream.encode(saslResponse);

    // 235 is the SMTP reply code for "authentication successful".
    transport.issueCommand("AUTH XOAUTH " + new String(saslResponse), 235);

    result.setSession(session);
    result.setTransport(transport);
    return result;
} catch (Exception e) {
    logger.error("Cannot connect to OAuth SMTP : " + e.getMessage());
    return null;
}

} // closes the enclosing method, whose signature is not part of this excerpt



 
--
Philippe Laval, CEO, Kwaga

--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/SZ5UNcysu2EJ.

To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-mgmt...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.
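
What the `XoauthSaslResponseBuilder.buildResponse(...)` call in the excerpt above has to produce in the 3-legged case, as an added example (not Kwaga's code and not Google's library): the XOAUTH initial client response, signed with OAuth 1.0a HMAC-SHA1 in the format of Google's published XOAUTH reference. The class name, credentials, nonce and timestamp are constructed placeholders; it uses only the Java 11+ standard library.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class XoauthInitialResponse {
    // OAuth 1.0a percent-encoding; URLEncoder alone differs on ' ', '*' and '~'.
    static String esc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Text that is base64-encoded and sent after "AUTH XOAUTH "; nonce must be unique per request.
    static String build(String email, String consumerKey, String consumerSecret,
            String token, String tokenSecret, String nonce, long timestamp) throws Exception {
        String url = "https://mail.google.com/mail/b/" + email + "/smtp/";
        Map<String, String> p = new TreeMap<>(); // sorted order is part of the signature
        p.put("oauth_consumer_key", consumerKey);
        p.put("oauth_nonce", nonce);
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", Long.toString(timestamp));
        p.put("oauth_token", token);
        p.put("oauth_version", "1.0");
        // Signature base string: METHOD & escaped URL & escaped sorted parameters.
        String params = p.entrySet().stream()
                .map(e -> esc(e.getKey()) + "=" + esc(e.getValue()))
                .collect(Collectors.joining("&"));
        String base = "GET&" + esc(url) + "&" + esc(params);
        // HMAC-SHA1 key: consumer secret and token secret joined by '&'.
        byte[] key = (esc(consumerSecret) + "&" + esc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] sig = mac.doFinal(base.getBytes(StandardCharsets.UTF_8));
        p.put("oauth_signature", Base64.getEncoder().encodeToString(sig));
        return "GET " + url + " " + p.entrySet().stream()
                .map(e -> e.getKey() + "=\"" + esc(e.getValue()) + "\"")
                .collect(Collectors.joining(","));
    }
    public static void main(String[] args) throws Exception {
        // Constructed placeholder values, not real credentials.
        String plain = build("user@example.com", "example.com", "consumer-secret",
                "access-token", "token-secret", "constructed-nonce", 1315469578L);
        System.out.println("AUTH XOAUTH " + Base64.getEncoder()
                .encodeToString(plain.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Base64 here is only an encoding: the `AUTH XOAUTH` line carries the access token and a valid signature in recoverable form, so any log or protocol trace that captures it should be handled as credential material.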

Jay Lee

Sep 8, 2011, 10:22:28 AM
to google-app...@googlegroups.com
Hi Philippe,

  I wonder if it's the fact that the SMTP connections are coming from AWS IP addresses. Google may be seeing lots of hijacked accounts accessed via SMTP from AWS IP addresses and thus assuming (incorrectly of course) that your app's traffic means the account may have been hijacked. Can you try running the code on your local network and see if that produces the same suspicious account activity reports for users who have never gotten the message before?

Jay

Philippe Laval

Sep 8, 2011, 10:43:25 AM
to google-app...@googlegroups.com
Yes, you've nailed it. We tried from our local network and it worked fine. What can we do? We are always sending from the same set of fixed IPs if that helps.

--
Philippe 





Andy "Rufus" Rothfusz

Sep 8, 2011, 11:50:22 AM
to google-app...@googlegroups.com
Hi Philippe,

Now that you've narrowed the problem down, you can get more specific Google support for Gmail in the Gmail forums:

Regards,

/Rufus

Rufus

Sep 13, 2011, 2:31:22 PM
to Google Apps Domain Information and Management APIs