> And anyway, this seems to be a case where the genuine > operator of an e-mail domain is failing to correctly > authenticate submissions by their own users, which no > amount of 3rd party automation (other than blacklisting > the failing provider, in this case gmail) could stop. Yeah, I'm guessing there was a vulnerability in one of the other Google services, and that Google service was allowed to make web-based email submissions on behalf of the user. Classic injection and failure to validate sessions or parameters... I'm also guessing Google fixed it because it has stopped. Jeff
