It's not you, it's Big G: Sneaky spammers slip strangers spoofed spam, swamp Gmail sent files

Google has confirmed spammers can not only send out spoofed emails that appear to have been sent by Gmail users, but said messages also appear in those users' sent mail folders. The Chocolate Factory on Monday told The Register that someone has indeed created and sent spam with forged email headers. These not only override the …

  1. ratfox

    I assume that Gmail does something "clever" so that emails that are not strictly sent from the mail account, but that appear to the rest of the world to be coming from that mail account, end up showing in the Sent folder. Some kind of "feature" to let you send emails from a third-party system.

  2. Notas Badoff

    To be or not to be - let Google decide?

    "If you happen to notice a suspicious email, we encourage you to report it as spam." ? ! ?

    I'm supposed to report myself as a spammer? But you'll not _really_ mark me as a spammer? Bayes won't _really_ drop my future emails into the gutter? That's a *lot* of trust they're asking for in their hour of need.

    1. Anonymous Coward

      Re: To be or not to be - let Google decide?

      If you report obvious spam that claims to be from HMRC, you don’t expect Her Maj to get onto the naughty list, do you?

      Spam identification has to look a bit deeper than the trivially spoofable “From” header.

      1. Anonymous Coward

        Re: Spam identification has to look a bit deeper

        Yeah, not like Google would make a mistake! That'd be like putting mail you didn't send in your sent mail folder.

        Trusting Google to do anything other than make money from ads is misguided at best. They have a bottom line now, and giving you free email isn't lucrative. If they accidentally mark you as a spammer, and you're not a member of the royal family or otherwise famous, then what exactly does it cost them?

      2. Fred Flintstone Gold badge

        Re: To be or not to be - let Google decide?

        If you report obvious spam that claims to be from HMRC, you don’t expect Her Maj to get onto the naughty list, do you?

        .. except that Googly email CAN indeed come from HMRC in one of the most astonishingly stupid decisions ever (admittedly amongst many, but let's stay on topic for once):

        $ dig +short mx digital.hmrc.gov.uk
        20 ALT2.ASPMX.L.GOOGLE.COM.
        30 ALT4.ASPMX.L.GOOGLE.COM.
        20 ALT1.ASPMX.L.GOOGLE.COM.
        30 ALT3.ASPMX.L.GOOGLE.COM.
        10 ASPMX.L.GOOGLE.COM.

        Sadly, this is really not a joke - feel free to try yourself. It appears UK government "innovation" equals "let's hand uncontrolled entities very personal data on our citizens and see if they can do something we can then brag about". After all, it sort of worked for the NHS..

  3. EvaQ
    Holmes

    "a small subset of Gmail users" ... really?

    "a small subset of Gmail users" ... what a coincidence then that it happened to my GF and me ... we were both in the "small subset"?

    1. sabroni Silver badge
      Boffin

      Re: it happened to my GF and me

      How many gmail users do you think there are? It's a fuck sight more than 2......

    2. Adam 52 Silver badge

      Re: "a small subset of Gmail users" ... really?

      You and your girlfriend are likely to have given your email addresses to an overlapping set of potential spammers, so you aren't independent samples.

  4. This post has been deleted by its author

  5. Pascal

    Small subset my arse!

    > "We have actively taken measures to protect against a spam campaign that impacted a small subset of Gmail users."

    I had dozens of them. They came complete with a (brand new I assume) banner stating that "We can't confirm that you sent this message or not, headers may have been forged".

    They have since updated the banner to say the message "seems to be a fake bounces reply to a message I didn't actually send".

    From inspecting the message source it seems they spoofed a lot of things, including Message-ID formatted google-style that might have been what tricked Google.

  6. Anonymous Coward

    It's an old spammer trick to assume that your mail system won't reject an address from which you have sent at some point. It can be construed as an email loopback test.

    1. Anonymous Coward

      I'd say it can be construed as "a fucked up system that doesn't do its job properly" as it doesn't seem to be able to correctly identify the origin of messages sent within the system. That you can make part of the Gmail system "smarts" think someone else sent an email so it gets categorised into their sent folder speaks volumes.

      1. Anonymous Coward

        "system that doesn't do it's[sic] job properly"

        TL;DR: That would be email. Forged headers are a thing, 'nuff said.

        According to GMail, [somewhere_i_used_to_admin].org sends lots of spam, so it put a regular legit message (forwarded from PayPal, with a few comments added!) into my Spam box with the banner saying so. AC says they have to look at more than just the header, but I rather doubt they did that time.

        The sad thing is, there were a few bounces that landed in the .org's inbox from a previous forged-sender spam-- but that address *cannot* send, it is not an account on the system, it has no password to need changing. It merely forwards everything to a real account, so we knew it never sent anything-- but G doesn't know that.

        The original [broken] system is the whole broken "killer app" of the previous millennium, which trusts everyone.

  7. Donn Bly

    It doesn't have to be a BCC

    In the web applications I develop I routinely use a gmail account for non-critical notifications instead of my "normal" email - things like a specific spot in the code was reached, backups ran, etc. I use gmail for this purpose because it is cheap (free) and trivial to do - and if I sent them through my own server I would have to set up separate accounts, establish passwords (since NO mail is relayed without authentication) etc -- while Gmail happily accepts inbound mail without authentication even from IP addresses that lack a reverse PTR record.

    Since the "from" and "to" address are the same on these messages they show up in the "sent" folder, and always have. Unlike a traditional mail server that only puts mail in the sent folder that is actually sent, Google appears to put all messages in one bucket and treat the sent folder as just another "smart folder" with the "from" email address as a filter.

    I hope whatever "fix" they put in place to combat this particular type of spam doesn't outright block messages with the same to/from address or I am going to have to change a whole bunch of programs.

    1. Anonymous Coward

      "while Gmail happily accepts inbound mail without authentication"

      Ehm, that's what every SMTP server does when it receives an email which is sent to one of the addresses it handles.... otherwise delivering mail would be quite difficult if each and every SMTP server should be configured with accounts for authenticating each and every server in the world...

      1. Anonymous Coward

        Re: "while Gmail happily accepts inbound mail without authentication"

        Obviously you didn't bother to read the entire sentence, let alone the paragraph.

        Of *COURSE* a mail server receives mail for mailboxes handled by itself without authentication, but most don't do it for IP addresses that lack a reverse PTR record, and *NO* email server should accept a message for a mailbox that it does not service without authentication.

  8. JassMan
    Trollface

    WTF? nothing to be afraid of?

    "According to experts, there isn't anything too serious to worry about here, and Google was not in way hacked or compromised."

    Just send me these "experts'" addresses and we'll see how long they keep their jobs after they send a few racist and sexist mails to celebrities. And it must be them that sent those mails since there is proof in their <sent mail>.

    1. Anonymous Coward

      Re: WTF? nothing to be afraid of?

      Nice try, but it doesn't work that way.

      With Gmail all mail is essentially in one folder, but individual messages can be assigned tags. One tag you might assign is your immediate family, another might be newsletters. While "inbox" is a default tag, some that they try to assign automatically are "promos", "updates", "social", and (of course) "spam".

      The idea is that there is a single index for all messages in your account, allowing you to search all of your messages easily and efficiently. It also allows you to assign multiple tags to a message, so that it can exist in multiple "folders" without duplication.

      What you see as a "sent folder" is really nothing more than a "view" of the data filtered by a sending address equal to your own. As in SQL, a view is not a separate table -- it is just another way of looking at the data.

      It is a different way of organizing data than what you are used to using, and like any model it has both its advantages and disadvantages.

      As to your scenario, the message would be in their inbox as well as their "sent" but a trivial look at the message headers would reveal that they didn't in fact send it. Your message would have a "Delivered-To:" header that a message they had originated wouldn't have. Google may be brain-dead on some things, but they don't allow unauthenticated relay - as such the message that the "celebrities" received wouldn't have originated from Google and probably wouldn't make it past their spam filters.

      1. Anonymous Coward

        "With Gmail all mail is essentially is in essentiall"

        Exactly. GMail design is flawed. It's basically an indexed view of your messages, and it looks like the indexing can be deceived. An RDBMS would be much more robust - an SQL view is a different thing, and you can deduplicate messages in far better ways than using "tags" - an RDBMS would use unique primary keys.

        This is a bug, a real bug, and a symptom of the flawed design. Also, it looks like it doesn't check headers against accounts and allows this kind of spoofing.

        1. Anonymous Coward

          Re: "With Gmail all mail is essentially is in essentiall"

          What makes you think that "sent" is anything more than a pre-defined SQL query of "from == me"?

          I've seen these emails' headers, and it would be extremely difficult for automation to determine that they're spoofed.

          This is not a bug, but a desirable feature to many of gmail's customers, because it allows all email that a gmail user sends with a from of user@gmail.com, whether it be physically through gmail's infrastructure or otherwise, to appear in the same "virtual box". With many gmail users, their outbound email never goes through gmail at all.

          The only "bug" in this scenario is that gmail's spam infrastructure didn't block it. No filters are perfect, no matter how hard anyone tries.

    2. thefrizz

      Re: WTF? nothing to be afraid of?

      As an expert myself, I'd just point at the full headers, and say "See? Didn't come from me".

      We're long past believing From: lines. Aren't we? Gmail's "sent box" feature can be easily demonstrated, can't it?

  9. Aitor 1

    bug

    It is clearly a bug. If not, a horrible design.

  10. Oh Homer
    Mushroom

    Once again, Google pissing all over RFC standards

    I still remember with horror the day that Google assimilated the Deja News archive.

    There are articles I posted years ago, that I still have a local archived copy of, which Google Groups apparently believes never existed, even when I search explicitly by Message-ID. Navigating threads in Google Groups is like driving through Paris.

    Now it seems Google has also fubared email, by storing incoming emails in the sent mail folder.

    Frankly the only reason I even have a Gmail account is because of Android, or to be more precise because of Google Play. Oh, and they also roped me in when they assimilated YouTube then forced users to "connect" their YouTube and Gmail accounts.

    1. Mister Goldiloxx

      Re: Once again, Google pissing all over RFC standards

      Deja News was awesome!

    2. veti Silver badge

      Re: Once again, Google pissing all over RFC standards

      It's the other way round - they store sent emails in the inbox. Or rather, they store all emails in one big folder. When you "change folders", all that really changes is the filter applied to your view.

      I don't know if that violates any RFCs, but nobody seems to have noticed until now.

      1. eldakka

        Re: Once again, Google pissing all over RFC standards

        It's either a bug in how email is handled or a bug in the filter.

        If a filter on 'sent' email is merely a filter that looks for text in the header of the email that is something like "display if header $from_account = $this_account" then it is an incorrect filter.

        There should be a specific tag assigned to the email when the send action is performed, and the filter should be on that tag, not on random text in the email header that - literally - anyone sending an email can put in the header.

        There could be legal implications in this sort of bug. If you want to implicate someone in a criminal conspiracy, you can point at their sent emails in their email box - that I crafted to appear there - and say "hey look, they sent an email to ISIS, it's in their gmail sent folder, with agreement to participate in a terror attack".

        1. Anonymous Coward

          Re: Once again, Google pissing all over RFC standards

          @eldakka

          "There could be legal implications in this sort of bug. If you want to implicate someone in a criminal conspiracy,..."

          Now that it's widely known, expect blackmail attempts. Now shakedowns for browsing for inappropriate pictures etc. can have evidence of your behaviour. More likely something like "hey, you sent me this revolting email, I'll send it on to the plods if you don't pay me. You do know that you're legally liable for what comes from you; deleting your gmail account won't help because nothing's deleted if the plods know what to look for."
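The thread describes two ways a "sent" folder can be built: as a view filtered on the From header (the AC's tags-and-views explanation above, and Donn Bly's from==to notifications), or as a label set only when the account itself performs the send (eldakka's proposal). The toy mailbox below is an added illustration, not Gmail's code or any commenter's; the account, addresses and messages are constructed. It shows why the From-filtered view picks up a forged inbound bounce while the label-based view does not.

```python
"""Toy model of a 'sent' view computed two ways (added illustration, not Gmail's code).

Assumed data model: every message lands in one store; "folders" are views over it.
The From-filter view reproduces the behaviour the thread describes; the label-based
view tags a message only when the account itself performs the send.
"""
from dataclasses import dataclass, field

MY_ADDRESS = "alice@example.com"  # constructed account, not a real mailbox


@dataclass
class Message:
    from_addr: str
    to_addr: str
    subject: str
    labels: set = field(default_factory=set)


class Mailbox:
    """One bucket of messages; folders are views over it."""

    def __init__(self, owner: str):
        self.owner = owner
        self.store: list[Message] = []

    def send(self, to_addr: str, subject: str) -> Message:
        # The account performs the send, so the server can label it authoritatively.
        msg = Message(self.owner, to_addr, subject, labels={"SENT"})
        self.store.append(msg)
        return msg

    def receive(self, msg: Message) -> Message:
        # Anything arriving over SMTP: the From header is whatever the sender wrote.
        msg.labels.add("INBOX")
        self.store.append(msg)
        return msg

    def sent_view_by_from_header(self) -> list[Message]:
        """'Sent' as a filter on the From header (the design the commenters describe)."""
        return [m for m in self.store if m.from_addr == self.owner]

    def sent_view_by_label(self) -> list[Message]:
        """'Sent' as a label assigned only by the send action (eldakka's proposal)."""
        return [m for m in self.store if "SENT" in m.labels]


def demo() -> tuple[list[str], list[str]]:
    """Return the subjects shown by each 'sent' view for a constructed mailbox."""
    box = Mailbox(MY_ADDRESS)
    box.send("bob@example.org", "lunch?")
    # Constructed inbound message with a forged From: the bounce-spam pattern in the article.
    box.receive(Message(MY_ADDRESS, MY_ADDRESS, "Undeliverable: buy pills"))
    # Donn Bly's case: a script's notification where From and To are the same address.
    box.receive(Message(MY_ADDRESS, MY_ADDRESS, "backup ran OK"))
    box.receive(Message("carol@example.net", MY_ADDRESS, "hi"))
    by_from = [m.subject for m in box.sent_view_by_from_header()]
    by_label = [m.subject for m in box.sent_view_by_label()]
    return by_from, by_label


if __name__ == "__main__":
    by_from, by_label = demo()
    print("From-filter view :", by_from)
    print("Label view       :", by_label)
```

The From-filter view lists the forged bounce and the self-addressed notification alongside the genuine send; the label view lists only the message the account actually sent. The trade-off thefrizz raises still holds: mail a user sends through unrelated infrastructure never passes the send action here, so the label view would not show it either.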

    3. Nick Kew
      Flame

      Re: Once again, Google pissing all over RFC standards

      Glad someone else remembers Dejanews and laments its fate.

      But the day you lament doesn't figure in my recollection. It happened incrementally in small stages: a boiling frog story. Thus at no point did the community stand up and say "we can't lose this, let's create a new one".

      Google Groups was a land grab: Enclosure of the Commons. Now Facebook owns more of that space, and the Commons are something a few irrelevant old-timers like you and me lament.

    4. thefrizz

      Re: Once again, Google pissing all over RFC standards

      What RFC standard? There are no RFCs about mailbox formats and representations.

  11. cantankerous swineherd

    email: just say no.

    1. Tim99 Silver badge
      Coat

      email:Gmail: just say no. FTFY

  12. Anonymous Coward

    It IS a major risk..

    Let's do the for profit run here, as this offers a prime entrapment target:

    1 - send email with dodgy content

    2 - subpoena the sender so they have to cough up "sent folder"

    3 - use that as evidence they DID send it*

    4 - profit!

    WTF were they thinking allowing an email in that originates outside their system? Were they high?

    * Sadly, for most IT illiterates this really is enough - would be interested to see the mail headers in such email.

    1. Anonymous Coward

      Re: It IS a major risk..

      And of course it doesn't matter if the case is dismissed because after the right accusation, bolstered with some fake evidence, that will be someone's job/career/life pretty much down the toilet because of the 'no smoke without fire' thing.

      This isn't some trivial bug or feature, this is a significant fuckup which has the potential to cast doubt on any case that has at some point relied on gmail-sourced evidence.

    2. Anonymous Coward

      Re: It IS a major risk..

      Your 4th step is incorrect, and you missed the 5th:

      4) your victim is competent enough, or hires someone competent enough, to read the full headers and prove that the email didn't come from them, and in fact came from you

      5) you go to jail for criminal mischief.

      I've seen the full mail headers from these, both from the gmail user's perspective and the non-gmail user's perspective. It's pretty obvious.

      The tool being used to send this junk is smart enough to spoof google headers to make it look like it came from google ... except for one minor detail: The copies that the non-gmail recipients see have the email apparently traverse google, then some entirely unrelated site, then hit the recipient. The unrelated site is the real source. Gmail users see an email that seemed to traverse google, then the unrelated site and then traverse gmail _again_ to get to them. There were about 35 different sources, and we're dealing with those <evil grin>.
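The comment above describes what the full headers reveal: the message appears to traverse Google, then an unrelated site, then Google again. The script below is an added example (not Google's tooling or the commenter's) of reading a Received chain from the trusted end: hops written by the receiving provider's own MTAs are believed, the first such hop that names an outside host is the real hand-off, and every Received line beneath it is unverifiable because the sender wrote it. The hostnames, addresses and message are constructed; the trusted domain suffix is an assumption.

```python
"""Reading a Received chain from the trusted end (added example, not Gmail's tooling).

Assumptions, labelled: the recipient trusts Received: headers written by hosts under
TRUSTED_SUFFIX; everything below the first hop from an outside host is unverifiable,
because a sender can prepend any Received: lines it likes before handing the message over.
Hostnames, addresses and the message below are constructed for the example.
"""
import re
from email import message_from_string
from email.message import Message

TRUSTED_SUFFIX = ".google.com"  # assumed: the receiving provider's own MTAs

# Constructed message: the lower Received: lines claim a Google origin, but the
# provider's own MX actually took the message from an unrelated relay.
RAW = """\
Delivered-To: alice@example.com
Received: from mx-in.google.com (mx-in.google.com [203.0.113.10])
        by mail-store.google.com; Mon, 1 Jan 2018 10:00:03 +0000
Received: from relay.unrelated.example (relay.unrelated.example [198.51.100.7])
        by mx-in.google.com; Mon, 1 Jan 2018 10:00:02 +0000
Received: from mail-out.google.com (mail-out.google.com [203.0.113.11])
        by relay.unrelated.example; Mon, 1 Jan 2018 10:00:01 +0000
From: alice@example.com
To: alice@example.com
Subject: Undeliverable: your message
Message-ID: <constructed-id@mail.gmail.com>

This is a constructed bounce-style body.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def parse_message(raw: str = RAW) -> Message:
    return message_from_string(raw)


def hops(msg: Message) -> list[tuple[str, str]]:
    """Return (from_host, by_host) pairs in header order: newest hop (closest to us) first."""
    out = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            out.append((m.group(1), m.group(2).rstrip(";")))
    return out


def verified_origin(msg: Message, trusted_suffix: str = TRUSTED_SUFFIX) -> dict:
    """Walk from the top. The first hop written by a trusted host that names an
    untrusted 'from' host is the real hand-off; everything beneath it is unverifiable."""
    chain = hops(msg)
    delivered_here = msg.get("Delivered-To") is not None  # present on received mail, not on mail we originated
    for i, (from_host, by_host) in enumerate(chain):
        if not by_host.endswith(trusted_suffix):
            break  # header written by an outside host: cannot be trusted
        if not from_host.endswith(trusted_suffix):
            below = chain[i + 1:]
            return {
                "handoff_host": from_host,
                "unverifiable_hops": below,
                "claims_internal_origin": any(h.endswith(trusted_suffix) for h, _ in below),
                "delivered_here": delivered_here,
            }
    return {"handoff_host": None, "unverifiable_hops": [],
            "claims_internal_origin": False, "delivered_here": delivered_here}


if __name__ == "__main__":
    for key, value in verified_origin(parse_message()).items():
        print(f"{key:22} {value}")
```

On the constructed message the verified hand-off is relay.unrelated.example, and the single hop beneath it, which claims the mail left a Google host, is exactly the part a sender can fabricate. The Delivered-To check is the point the earlier AC makes: a message the account had originated would not carry it.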

  13. dominicr

    DMARC prevents spoofing

    If Gmail used DMARC 'p=reject' then this wouldn't happen or at least its impact would be minimal since any mailserver that respects DMARC would block these fake emails on arrival - including all the major services (even Gmail itself). Gmail's DMARC policy remains 'p=none' - so really they have only themselves to blame, and it will continue to happen. Yahoo by contrast use p=reject - so do facebook, paypal, linkedin, twitter, pinterest...

    1. thefrizz

      Re: DMARC prevents spoofing

      If Gmail used DMARC "p=reject", tens of thousands of their users (including many small to medium sized businesses) would have a big problem. These gmail users send email asymmetrically. Some or all of their outbound email is through infrastructure unrelated to gmail, but all of their received email is via gmail.

      1. veti Silver badge

        Re: DMARC prevents spoofing

        Then those users would have to come up with some new processes, clearly.

        One of Gmail's key selling points is its spam filtering. That's nice and all, but it puts Google in an ambivalent position. They have an active disincentive to fight spam, because every spam message people see is a reminder of how much better they are than the competition in this important area.

        Adopting actual standards is no part of their plan. Google didn't get where it is today by doing things the same way as everyone else.
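dominicr argues that a p=reject policy would have had receivers drop these forgeries, and thefrizz replies that the same policy would break users who send through unrelated infrastructure. The following is an added example, not code from Google, Yahoo or any commenter, of the DMARC decision a receiver makes once it has SPF and DKIM results: it evaluates relaxed alignment against a published policy and runs both scenarios. The DMARC records, domains and authentication results are constructed (no DNS is queried), and the organizational-domain helper is a deliberately crude stand-in for a public-suffix-list lookup.

```python
"""Minimal DMARC policy evaluation (added example; not any provider's code).

Inputs are outcomes a receiver already holds: the SPF result and the domain it was
checked against, the DKIM result and signing domain, and the From: domain's published
DMARC record. Records below are constructed, not live DNS. Relaxed alignment only.
"""
from dataclasses import dataclass

# Constructed DMARC TXT records keyed by organizational From: domain (dominicr's two cases).
DMARC_RECORDS = {
    "gmail.example": "v=DMARC1; p=none; rua=mailto:dmarc@gmail.example",
    "yahoo.example": "v=DMARC1; p=reject; pct=100",
}


@dataclass
class AuthResults:
    from_domain: str
    spf_result: str   # "pass" / "fail" / "none"
    spf_domain: str   # domain SPF was evaluated against (the envelope MAIL FROM)
    dkim_result: str  # "pass" / "fail" / "none"
    dkim_domain: str  # d= of a verified signature, "" if none


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def org_domain(d: str) -> str:
    """Crude organizational domain: last two labels (assumption; real code uses the PSL)."""
    return ".".join(d.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment: same organizational domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(r: AuthResults) -> str:
    """Return 'pass', or the From domain's requested policy when neither check aligns."""
    record = DMARC_RECORDS.get(org_domain(r.from_domain))
    if record is None:
        return "none"  # no policy published: nothing to enforce
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return parse_dmarc(record).get("p", "none")  # "none" / "quarantine" / "reject"


def demo() -> dict:
    """The scenarios from the thread, on constructed inputs."""
    spoof = dict(spf_result="fail", spf_domain="spammer.example", dkim_result="none", dkim_domain="")
    asymmetric = dict(spf_result="pass", spf_domain="thirdparty-mailer.example",
                      dkim_result="none", dkim_domain="")
    return {
        # forged From: at a p=none domain: authentication fails, policy still says deliver
        "spoof_p_none": dmarc_disposition(AuthResults("gmail.example", **spoof)),
        # the same forgery against a p=reject domain: receiver is told to reject
        "spoof_p_reject": dmarc_disposition(AuthResults("yahoo.example", **spoof)),
        # thefrizz's user: legitimate mail sent through unrelated, unaligned infrastructure
        "asymmetric_p_none": dmarc_disposition(AuthResults("gmail.example", **asymmetric)),
        "asymmetric_p_reject": dmarc_disposition(AuthResults("yahoo.example", **asymmetric)),
        # DKIM-signed by the From domain itself: passes whatever the policy says
        "signed": dmarc_disposition(
            AuthResults("yahoo.example", "fail", "other.example", "pass", "mail.yahoo.example")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} -> {verdict}")
```

The two "asymmetric" rows are the disagreement in one place: under p=none the unaligned-but-legitimate mail is delivered, and under p=reject it is refused just like the forgery. The last row shows the way out thefrizz's users would need, an aligned DKIM signature from the From domain, which is what "new processes" amounts to in practice.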

  14. onefang

    This is the same bug that Google has called a feature since day one. I filed a bug report about that many years ago, as did others, but Google claimed it's a feature, won't fix.

    In my case, things that I send to a mailing list get classified as sent email by Gmail on the way out, which is fair enough, but also get classified as sent email on the way in. So I don't get to see my own emails in mailing lists. I have to subscribe two gmail addresses to each mailing list, one write only, one read only. Or just move all my old mailing lists off gmail, something I really should pull my finger out and get finished.

  15. John 61
    Coat

    This is nothing new

    It happened to me several years ago on Yahoo, when the internet was shiny and new.

    Apologies for being a bit late.
