People’s Gmail Accounts Appear to Be Sending Out Spam

Megalith

24-bit/48kHz
Joined
Aug 20, 2006
Messages
13,000
Google’s engineering teams have acknowledged an issue in which certain Gmail accounts are sending out spam. At least some of these accounts had two-factor authentication enabled, and despite changing passwords, users found that the spamming continued.

We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder.
 
This happened to me. Updated my PW and added the two factor authentication. Hopefully not an issue going forward.
 
Saw these show up in my inbox too.

PS Megalith the link to the discussion from the main page post doesn't point here, just opens the original front page post again in a new window.


same here, only one item so far, and its been sent to numerous other emails....something to do with the government wanting to help me.... lolz ya k....sure..... and yep, discussion link points directly back to the news post / article....

anywho I submitted feedback via gmail to them, hopefully they can rectify this
 
Happened to me as well, as of this morning they are going straight into my spam folder.
 
I got hit by this too, but after reviewing the security info in the emails it was apparent that the from address was forged. The emails were not signed by Google and also not sent by a Google mail server.
 
At least they do something about it rather than kill the service like m$ did with hotmail/outlook. Still funny that m$ hasnt fixed outlook, almost every 6 months on queue my password mysteriously changes for it.

Oh well nothing pertinent going there anymore so dont care
 
I'm affected by this. Changed my password just in case my shit got hacked. Good to know I'm not the only one.
 
Hit me too. First saw them in my Primary tab but as others have said, they are now going into spam. And I even have 2-factor.
 
Forging email headers has been around for quite some time; I'm surprised it's still a thing, especially by way of gmail.

Probably a lot of folks out there who haven't ever seen a full email header, especially a full, forged email header.

That issue will never be fixed just like caller ID spoofing. For email headers you have to have ever server actually be configured to check that the sender really has permission to send from that IP. Which requires all mail servers deployments being setup to report that. Good luck getting both sides to spend the time and effort on that.
 
That issue will never be fixed just like caller ID spoofing. For email headers you have to have ever server actually be configured to check that the sender really has permission to send from that IP. Which requires all mail servers deployments being setup to report that. Good luck getting both sides to spend the time and effort on that.

I was giving a lesson to some co-workers a few weeks ago about various type's of spoofs when the day before I got an email with a forged header and yep, of course it had an attachment. I recognized it right away for what it was and gmail had actually put it in spam(which I look at regularly). It was a great example of showing people how easy it can be to get fooled and infect a system.
 
Affected me too. I reset the password and reported it to google. Thank God they addressed it quick because the alerts were annoying.
 
which also led to those messages erroneously appearing in the Sent folder

yeah gmail doesnt seem to have actual folders, but "tags" that are applied to an email to make it appear to be in another folder
 
This happened to me. Updated my PW and added the two factor authentication. Hopefully not an issue going forward.

This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder.

This makes it sound to me like accounts were never compromised, so changing your password would not have made a difference.

These were just emails sent with intentionally incorrect email headers, and Gmail apparently trusts (or trusted) email headers enough to use that as a basis for determining whether or not an email belongs in your sent folder.

So, someone used a bad email client to send an email to you, but edited the sent field so it was your own email address.

Gmail then received the email, saw your own email in the sender field, and sorted it into the "sent" folder, making it appear as if your account had been compromised and used to send these emails.

A silly mistake on Googles part, but a mostly harmless one.
 
I was giving a lesson to some co-workers a few weeks ago about various type's of spoofs when the day before I got an email with a forged header and yep, of course it had an attachment. I recognized it right away for what it was and gmail had actually put it in spam(which I look at regularly). It was a great example of showing people how easy it can be to get fooled and infect a system.

I sent an email once to my boss from himself to show him how this works.

Affected me too. I reset the password and reported it to google. Thank God they addressed it quick because the alerts were annoying.

doesn't matter if they aren't coming from you but is your address being spoofed.
 
This makes it sound to me like accounts were never compromised, so changing your password would not have made a difference.

These were just emails sent with intentionally incorrect email headers, and Gmail apparently trusts (or trusted) email headers enough to use that as a basis for determining whether or not an email belongs in your sent folder.

So, someone used a bad email client to send an email to you, but edited the sent field so it was your own email address.

Gmail then received the email, saw your own email in the sender field, and sorted it into the "sent" folder, making it appear as if your account had been compromised and used to send these emails.

A silly mistake on Googles part, but a mostly harmless one.

Agreed. Though I did the PW switch as a knee jerk reaction to seeing the emails in my inbox as I didn't know this was a widespread problem yet.
 
That issue will never be fixed just like caller ID spoofing. For email headers you have to have ever server actually be configured to check that the sender really has permission to send from that IP. Which requires all mail servers deployments being setup to report that. Good luck getting both sides to spend the time and effort on that.

This has been a problem for a long time. Most big mail services won't even accept mail from domains without an SPF record to do an rDNS check against. So I'm not sure how these spoofed emails are getting to anyone's inboxes. I have those records for my exchange server I run at home, so it's not some impossible task only large companies can do.

I can't believe there are still mail servers out there that accept mail from domains that don't pass the rDNS check. Shit should get silently bounced, or all directed to a quarantine mailbox.
 
This has been a problem for a long time. Most big mail services won't even accept mail from domains without an SPF record to do an rDNS check against. So I'm not sure how these spoofed emails are getting to anyone's inboxes. I have those records for my exchange server I run at home, so it's not some impossible task only large companies can do.

I can't believe there are still mail servers out there that accept mail from domains that don't pass the rDNS check. Shit should get silently bounced, or all directed to a quarantine mailbox.

oh, not saying it is impossible. Just that it requires more than snapping your fingers so most can't be bothered.
 
Back
Top