Updated Google has confirmed spammers can not only send out spoofed emails that appear to have been sent by Gmail users, but said messages also appear in those users' sent mail folders.
The Chocolate Factory on Monday told The Register that someone has indeed created and sent spam with forged email headers. These not only override the sender address, so that the message appears to come from a legitimate Gmail user, but also cause the message to show up in that person's sent folder as if they had written and sent it themselves. In turn, the messages also appear in those users' inboxes, labelled as sent mail.
Punters have been noticing and reporting the problem for a few days on Google's Gmail help forum. In each case, users said that messages they never wrote were showing up in their folders.
While using fake headers to disguise the source of spam emails is nothing new, it is very unusual for a copy of those messages to appear as sent mail. This, understandably, led netizens to worry their accounts had been hijacked.
"It started around 7:30 EST for me. Emails going to inbox and sent email folder," writes one affected Gmail user. "Appear to have been sent by me. Changed password several times and didn't change anything."
Google says there has been no breach in this case. Rather, someone has been spoofing email headers.
"We have actively taken measures to protect against a spam campaign that impacted a small subset of Gmail users. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder," a Google rep said.
"We have identified and reclassified all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam."
How exactly the spammer was able to not only spoof the headers but also make the messages appear in mail boxes of the faked sender is a mystery. We've asked the Mountain View ads giant for clarification on this, but at the time of publication have yet to hear back.
Thanks to Reg reader Jason Croghan for the tip. ®
Updated to add
According to experts, there isn't anything too serious to worry about here, and Google was not in any way hacked or compromised. Rather, this is one of the basic functions of Gmail that, in this case, is being abused by annoying scumbags.
A technical staff member at Spamhaus, who wished to remain anonymous, told The Register that messages fall into the sent box when the person being spoofed is BCC'd on the spam. Gmail notices that the BCC'd user is also listed as the sender, thanks to the spoofed From: header, and in an attempt to tidy things up, files the message under sent mail. In a legitimate context, this is a nice way to avoid inbox clutter – in this case, however, it tricks folks into thinking they have been hacked.
"Gmail has a feature that causes email received, with a From: that contains the Gmail user, to be placed in the sent box," the Spamhaus staffer explained.
"You don't see this very often, but I can explain why Gmail does it – it's a desirable feature in their context, but it can be confusing to people who aren't expecting it."
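The filing rule the Spamhaus staffer describes keys on the From: header alone, so a defender triaging "did I really send this?" reports wants a second signal. The added example below (not code from Google, Spamhaus or The Register) flags a message as a self-spoof when its From: is the account's own address but the provider's Authentication-Results header (RFC 8601) shows no SPF or DKIM pass; the two messages are constructed samples, and the hypothetical `mx.example.com` authserv-id and addresses are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: From: forged to the recipient's own address, recipient
# only on BCC (not in To:), and the receiving MX recorded an SPF failure.
SPOOFED = b"""\
From: Alice Example <alice@example.com>
To: someone-else@example.org
Subject: Hi
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=spammer.invalid; dkim=none
Date: Mon, 1 Jan 2018 12:00:00 +0000

buy stuff
"""

# Constructed sample: a genuine copy of mail Alice sent to herself, DKIM-signed.
LEGIT = b"""\
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: note to self
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass
Date: Mon, 1 Jan 2018 12:05:00 +0000

remember the milk
"""


def auth_passed(msg):
    """True only if some Authentication-Results header records a DKIM or SPF pass.
    A missing header counts as no pass, so unauthenticated mail fails closed."""
    results = msg.get_all("Authentication-Results", [])
    return any("dkim=pass" in str(r).lower() or "spf=pass" in str(r).lower()
               for r in results)


def is_self_spoof(raw, own_address):
    """Return True when the From: claims to be the account owner but the
    message carries no authentication pass, i.e. the 'sent by me' look is
    header forgery rather than mail the owner actually submitted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower() != own_address.lower():
        return False  # not claiming to be us; out of scope for this check
    return not auth_passed(msg)
```

Run against a mailbox export, the check separates the forged "sent" copies from mail the account genuinely sent, which is the distinction the Sent-folder filing rule itself does not make.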
In summary: there's no bug, no breach, and nothing to be afraid of. Just another spam run, albeit with an irritating, and confusing, twist.