Gmail users receive mysterious spam messages from themselves
You have undoubtedly seen your fair share of spam in your inbox over the years. Nowadays, however, services like Gmail and Outlook.com have sophisticated filters that automatically sort unwanted messages out of the inbox. That’s why a recent spam incident has left Gmail users scratching their heads.
Messages suddenly appeared that clearly should have been marked as spam. Their content was obvious enough. The ones that ended up in my inbox (which you can see below) claimed to offer an easy way to turn $10 into $100,000 through Bitcoin investing.
However, there is something different about this spam campaign. While the sender’s name shows up as “Making Money,” Gmail reported that I actually sent the messages to myself.
This is certainly not the case. So why did Gmail think I did it?
Whoever is behind these spam messages takes advantage of the “bounce”. Most mail servers will simply reject a suspected spam email if they cannot deliver it to the intended recipient. Others, however, will bounce the message back to the address listed as its sender.
Armed with this knowledge, a spammer sends messages to a non-existent recipient address (much like deliberately calling a disconnected phone number) that they know will cause a bounce. When the mail server returns the email, it is delivered to the real target: the address listed as the sender of the message. Remember, spammers have hundreds of millions of valid email addresses that they can target.
The result is a message in your inbox that appears to have been sent by you. None of the Gmail users who received these messages sent them, of course. No Gmail password has been stolen. No Gmail account has been hacked.
So how did a spammer trick Gmail into thinking you emailed yourself? By spoofing the header information in the message. They put your email address in the message’s sender headers and hand it to an SMTP (outgoing mail) server that doesn’t bother to verify who is actually sending the message.
A system called DMARC was created in 2012 to prevent this kind of spoofing. It’s very easy for administrators to implement, but here we are six years later and there are still plenty of mail servers that can be used for scams like this one.
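To show what DMARC actually checks against a spoofed self-addressed message like the one above, here is an added example (not Gmail’s or any mail server’s own code): a minimal, hypothetical alignment check over a constructed message whose From: header names the recipient’s own address but whose envelope sender is an unrelated relay. The message text, domains and the `dmarc_disposition` helper are all assumptions made for this illustration.

```python
"""Added example: a minimal DMARC identifier-alignment check.

Hypothetical helper, not any MTA's real implementation. It shows why a
message whose From: header claims your own address fails DMARC when the
server that injected it cannot authenticate for your domain.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample message: From: claims the victim's own address, but the
# envelope sender (Return-Path) is an unrelated relay and nothing signs it.
SPOOFED_MSG = """Return-Path: <bounce@open-relay.test>
From: Making Money <victim@example.com>
To: victim@example.com
Subject: Turn $10 into $100,000

Send 0.01 BTC to start.
"""


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of the address in a header value."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def dmarc_disposition(raw: str, spf_pass: bool,
                      dkim_pass_domain: Optional[str] = None,
                      policy: str = "reject") -> str:
    """Evaluate relaxed DMARC alignment and return the resulting disposition.

    spf_pass: whether SPF passed for the Return-Path (envelope) domain.
    dkim_pass_domain: the d= domain of a validated DKIM signature, or None.
    policy: the p= value from the From domain's _dmarc TXT record.
    Relaxed alignment is simplified here to a suffix match on the From domain.
    """
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))

    def aligned(domain: str) -> bool:
        return domain == from_domain or domain.endswith("." + from_domain)

    spf_aligned = spf_pass and aligned(return_path_domain)
    dkim_aligned = dkim_pass_domain is not None and aligned(dkim_pass_domain.lower())
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy  # "none", "quarantine" or "reject", as the domain owner chose
```

With `p=reject`, the constructed message is rejected even though SPF passes for the relay’s own domain, because that domain does not align with the From: address; a DKIM signature for `example.com` would be the only way to make it pass.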
In a statement, Google said it was “aware of a spam campaign affecting a small subset of Gmail users and has actively taken steps to protect against it.” I haven’t seen a new one in over 24 hours, after seeing four in two days.