It's not you, it's Big G: Sneaky spammers slip strangers spoofed spam, swamp Gmail sent files

Not a bug, we're told: It's a feature. Really


Updated Google has confirmed spammers can not only send out spoofed emails that appear to have been sent by Gmail users, but said messages also appear in those users' sent mail folders.

The Chocolate Factory on Monday told The Register that someone has indeed created and sent spam with forged email headers. These not only override the send address, so that it appears a legit Gmail user sent the message, but it also mysteriously shows up in that person's sent box as if they had typed it and emitted themselves. In turn, the messages would also appear in their inboxes as sent mail.

Punters have been noticing and reporting the problem for a few days on Google's Gmail help forum. In each case, users said that messages they never wrote were showing up in their folders.

walled garden

Google to add extra Gmail security … by building a walled garden

READ MORE

While using fake headers to disguise the source of spam emails is nothing new, it is very unusual for a copy of those messages to appear as sent mail. This, understandably, led netizens to worry their accounts had been hijacked.

"It started around 7:30 EST for me. Emails going to inbox and sent email folder," writes one affected Gmail user. "Appear to have been sent by me. Changed password several times and didn't change anything."

Google says there has been no breach in this case. Rather, someone has been spoofing email headers.

"We have actively taken measures to protect against a spam campaign that impacted a small subset of Gmail users. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder," a Google repo said.

"We have identified and reclassified all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam."

How exactly the spammer was able to not only spoof the headers but also make the messages appear in mail boxes of the faked sender is a mystery. We've asked the Mountain View ads giant for clarification on this, but at the time of publication have yet to hear back.

Thanks to Reg reader Jason Croghan for the tip. ®

Updated to add

According to experts, there isn't anything too serious to worry about here, and Google was not in any way hacked or compromised. Rather, this is one of the basic functions of Gmail that, in this case, is being abused by annoying scumbags.

A technical staff member at Spamhaus, who wished to remain anonymous, told The Register that messages fall into the sent box when the person being spoofed is BCC'ed with the spam. Gmail notices that the BCC'd user was also listed as the sender, thanks to the spoofed header, and in an attempt to tidy things up, puts the message into the sent pile. In a legitimate context, this is a nice way to avoid inbox clutter – in this case, however, it tricks folks into thinking they have been hacked.

"Gmail has a feature that causes email received, with a From: that contains the Gmail user, to be placed in the sent box," the Spamhaus staffer explained.

"You don't see this very often, but I can explain why Gmail does it – it's a desirable feature in their context, but it can be confusing to people who aren't expecting it."

In summary: there's no bug, no breach, and nothing to be afraid of. Just another spam run, albeit with an irritating, and confusing, twist.

Similar topics

Broader topics


Other stories you might like

  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • Google recasts Anthos with hitch to AWS Outposts
    If at first you don't succeed, change names and try again

    Google Cloud's Anthos on-prem platform is getting a new home under the search giant’s recently announced Google Distributed Cloud (GDC) portfolio, where it will live on as a software-based competitor to AWS Outposts and Microsoft Azure Stack.

    Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.

    Its latest update sees Google reposition Anthos on-prem, introduced back in 2020, as the bring-your-own-server edition of GDC. Using the service, customers can extend Google Cloud-style management and services to applications running on-prem.

    Continue reading

Biting the hand that feeds IT © 1998–2022