It's not you, it's Big G: Sneaky spammers slip strangers spoofed spam, swamp Gmail sent files

Not a bug, we're told: It's a feature. Really

Updated Google has confirmed spammers can not only send out spoofed emails that appear to have been sent by Gmail users, but said messages also appear in those users' sent mail folders.

The Chocolate Factory on Monday told The Register that someone has indeed created and sent spam with forged email headers. These not only override the send address, so that it appears a legit Gmail user sent the message, but it also mysteriously shows up in that person's sent box as if they had typed it and emitted themselves. In turn, the messages would also appear in their inboxes as sent mail.

Punters have been noticing and reporting the problem for a few days on Google's Gmail help forum. In each case, users said that messages they never wrote were showing up in their folders.

walled garden

Google to add extra Gmail security … by building a walled garden


While using fake headers to disguise the source of spam emails is nothing new, it is very unusual for a copy of those messages to appear as sent mail. This, understandably, led netizens to worry their accounts had been hijacked.

"It started around 7:30 EST for me. Emails going to inbox and sent email folder," writes one affected Gmail user. "Appear to have been sent by me. Changed password several times and didn't change anything."

Google says there has been no breach in this case. Rather, someone has been spoofing email headers.

"We have actively taken measures to protect against a spam campaign that impacted a small subset of Gmail users. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder," a Google repo said.

"We have identified and reclassified all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam."

How exactly the spammer was able to not only spoof the headers but also make the messages appear in mail boxes of the faked sender is a mystery. We've asked the Mountain View ads giant for clarification on this, but at the time of publication have yet to hear back.

Thanks to Reg reader Jason Croghan for the tip. ®

Updated to add

According to experts, there isn't anything too serious to worry about here, and Google was not in any way hacked or compromised. Rather, this is one of the basic functions of Gmail that, in this case, is being abused by annoying scumbags.

A technical staff member at Spamhaus, who wished to remain anonymous, told The Register that messages fall into the sent box when the person being spoofed is BCC'ed with the spam. Gmail notices that the BCC'd user was also listed as the sender, thanks to the spoofed header, and in an attempt to tidy things up, puts the message into the sent pile. In a legitimate context, this is a nice way to avoid inbox clutter – in this case, however, it tricks folks into thinking they have been hacked.

"Gmail has a feature that causes email received, with a From: that contains the Gmail user, to be placed in the sent box," the Spamhaus staffer explained.

"You don't see this very often, but I can explain why Gmail does it – it's a desirable feature in their context, but it can be confusing to people who aren't expecting it."

In summary: there's no bug, no breach, and nothing to be afraid of. Just another spam run, albeit with an irritating, and confusing, twist.

Similar topics

Broader topics

Other stories you might like

  • Robotics and 5G to spur growth of SoC industry – report
    Big OEMs hogging production and COVID causing supply issues

    The system-on-chip (SoC) side of the semiconductor industry is poised for growth between now and 2026, when it's predicted to be worth $6.85 billion, according to an analyst's report. 

    Chances are good that there's an SoC-powered device within arm's reach of you: the tiny integrated circuits contain everything needed for a basic computer, leading to their proliferation in mobile, IoT and smart devices. 

    The report predicting the growth comes from advisory biz Technavio, which looked at a long list of companies in the SoC market. Vendors it analyzed include Apple, Broadcom, Intel, Nvidia, TSMC, Toshiba, and more. The company predicts that much of the growth between now and 2026 will stem primarily from robotics and 5G. 

    Continue reading
  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading

Biting the hand that feeds IT © 1998–2022