Noticed I was getting emails being sent from myself. More worryingly, the emails appeared in my SENT folder. For 5 mins I was freaking out thinking I was hacked, because I didn't think spoofing emails would show up in MY "sent" folder.
But I run 2FA, long complex unique password etc. I treat OpSec really highly. I checked all Google security settings, no unauthorised access, no apps using my account etc. Still did a password reset "just in case".
However one interesting part is after about 4 hours the emails automatically became marked as "spam" - and they disappeared from my "sent" folder simultaneously.
So it would seem the likely issue is someone worked out a way around the "Spam" setting for Gmail - and a by-product of not flagging spoofed emails as spam is Gmail marks them as "Sent" by you in the labels.
I think this is exactly what is going on. Gmail doesn't use IMAP folders in the traditional sense, it uses labels. For something to appear in your "Sent" folder, it only has to show your email address as the sender. Since it's quite common for spammers to use your email address as the "From" in spam messages sent to you, Gmail automatically throws it in your Sent "folder" by way of a label.
I freaked out at first when my Fastmail account started getting spammed seemingly by my old Gmail account (I no longer use Gmail but I kept the account active and forwarded to Fastmail to catch anyone I forgot to update with the new address). I logged into Gmail and immediately changed my password, made sure I didn't have any third party app access, and turned on 2FA.
After seeing this HN piece and reading through the first few messages in the Google product forum, I realized it was typical spam that was breaking through Google's spam filter and freaking everyone out due to Google's handling of the Sent folder/label.
Same too. The odd thing for me is that the client address (from the original text) was an AWS address. Only two appeared in the main inbox. More were sent straight to spam.
They appeared just after I turned on my AWS instance briefly. So I thought it was related.
wow... reading this thread is scary. Google is a joke; my humble advice would be to close your accounts and pay for a better service, like Fastmail or Protonmail.
Don't freak out about them being in your Sent folder. Remember that Gmail doesn't have "traditional" mail folders -- just a huge pile of all your e-mail messages with "labels" attached to them. Apparently Google decides that if the From: address is yours, then you "sent" the message.
Note that in SMTP there are two "from addresses": the envelope sender (which you don't see) and the "From:" address/header (which you do see) that everyone is familiar with. In most (but not all) legitimate e-mail, they will be the same.
In these cases, your e-mail address is being used in the "From:" and "To:" headers but a different address is being used in the envelope sender (which is the one that the MTA uses).
Google does seem to be checking SPF correctly (i.e., according to RFC, which says to use the envelope sender) -- since (it seems that) the result of check_host should be "softfail" and the RFC says that one "SHOULD NOT" reject a message based on that... but Google apparently logged "pass". Odd.
---
ETA: See a comment from ryan-c below about the funky "exists:" mechanism in Telus' SPF record; it explains why check_host() passed.
> In most (but not all) legitimate e-mail, they will be the same.
Just to be clear, most automated emails from major providers have them different. This is because, while the From header is shown to the user, the envelope sender is sent bounces.
So companies like Google, SendGrid (used by GitHub), and MailChimp set up special "bounce handler" addresses as the envelope sender to detect if there's a problem sending you email.
"Paste the raw source of an email into the form on the front page. The email will then be parsed, decoded, separated into its various MIME parts, and displayed in an easy to view fashion. Image attachments will be displayed as images. HTML parts will be rendered in webkit (with javascript and plugins disabled) and then also displayed as an image. IP addresses in headers and message bodies will be identified and highlighted along with a flag representing their origin country. Hostnames and email addresses will also be identified and highlighted."
Whenever I get a weird/suspicious email the first thing I do is look at the source but the amount of info in there (and different encodings) can make it hard to grasp what's going on.
Seth Vargo here from Google. Thank you all for taking the time to report the issue, and thank you for your patience as we fix it. Our engineering teams are aware of this issue and they are working to resolve it as quickly as possible. You should no longer see new spam messages appear in your sent box, and existing spam messages will be automatically removed over the next few days.
Perhaps you could encourage them (on our behalf) to write up a blog post afterwards? I know that many folks here would be curious to hear how they "resolve" this particular instance -- which effectively depends on a third-party with a misconfigured SPF record -- short of switching to "p=reject".
My house mate has had the same issue today on both of his Google accounts. He is both the sender and recipient and there were several other nonsensical email addresses being CC'd in.
SMTP headers show the emails are relayed from Telus. I'll provide the SMTP headers when I get home.
= = =
No unauthorised attempts to log in from third party sources, separate passwords and MFA on both services.
It doesn't seem to me that the accounts have been compromised, instead the emails are spoofed. They have all been forwarded from Telus.com. The forum OP posted shows everyone else has the same issue.
Both accounts were sending hundreds of emails today and Google flagged the emails as likely having not been sent by him, but still did not place them in an appropriate spam filter and allowed them through to his inbox?
Edit:
= = = = =
I won't bother adding my headers now, the others that have even added theirs are almost identical to our own, here's a snippet of someone who posted below:
SPF and DMARC results
ARC-Authentication-Results: i=1; mx.google.com;
    spf=pass (google.com: domain of [email protected] designates 69.64.35.11 as permitted sender) [email protected];
    dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from gown.ShoppingBrew.com (ec2-13-58-85-245.us-east-2.compute.amazonaws.com. )
    by mx.google.com with ESMTP id n59-v6si5794010qtd.116.2018.04.20.00.37.14
    for <<[email protected]>>;
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 69.64.35.11 as permitted sender) client-ip=13.58.85.245;
This is spoofed email, with you also being the recipient as far as I can tell... Am I missing anything else in this matter? If not, this isn't new.
EDIT from below:
"If I remember correctly, if you are the recipient of an email from "yourself" Google automatically puts it in the sent items label as well."
People are reporting these messages are in their sent mail folder!
Now it's possible that gmail makes it looks like it was "sent mail" if it receives a message "from you" even if you didn't send it, but it's also possible that google has been hacked in a big way.
And some of the people reporting this are knowledgeable people who know what spoofing is, and who have good unique passwords and two-factor enabled.
Most people don't realize some services you "Logged into with Google" can also send emails in your name. I didn't come across anyone checking authorized apps in that thread. While this appears to be a spoofing issue, I suggest pruning the list of authorized apps frequently: https://support.google.com/accounts/answer/3466521?hl=en
Most people "don't realize" that because it's totally false. Only holders of specific OAuth scopes can use the Gmail API. The "basic account info" access that login with Google grants is not sufficient.
I'm not sure how they would fix that, assuming that's even a bug. The email protocol is completely unverified, anyone can send the header they please, including spoofed From: headers. The GMail client itself even allows it, when you compose a new email you can change the "From" to anything. That's actually a rather useful feature when you have several addresses redirecting to one gmail address.
So it's not so simple. You could use DMARC to tell mail servers which honor DMARC to drop all e-mails that have @gmail.com addresses that don't come from gmail.com servers. In fact, this is how @google.com e-mail addresses are treated, and I believe this is a setting which G-Suite administrators can set up for their domains.
BUT. It comes with a downside. Suppose you want to send e-mail from your Linux laptop, or from a Linux mail server you control, without hard-coding your account password in a text file so you can send e-mail via a GMail server. Or suppose you want to subscribe to a mailing list which rewrites the subject line to include the mailing list name. DMARC breaks all of this. Horribly. So yes, it's more secure, but it comes with a massive cost.
What this means, for example, is I recommend people who work at Google, and who want to interact with either IETF mailing lists or the Linux-kernel mailing lists at vger.kernel.org to send their patches and PULL requests using their @gmail.com address. If they send it using their @google.com address, the same security settings that will prevent these spammers from "faking" e-mails that didn't come from gmail servers, will also break git send-email (unless you want to save your password into a text file --- which is against policy and common sense) and it will break traditional mailing lists.
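Added example (not code from the thread, nor Google's): a Python check that reads the fields Gmail records in Authentication-Results, as in the headers quoted above, and shows why SPF can pass on the envelope sender's domain while DMARC still fails on the visible From:, and how the published p= policy turns that failure into delivery, quarantine or rejection (the trade-off discussed in this comment). The sample header is constructed with placeholder addresses, and the organizational-domain helper is a simplification of the public-suffix rule real validators use.

```python
import re

# Constructed sample modelled on the headers quoted in the thread; the
# addresses are placeholders standing in for the redacted ones.
SAMPLE_HEADERS = """\
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of sender@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=sender@telus.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
From: victim@gmail.com
To: victim@gmail.com
"""


def parse_auth_results(raw):
    """Extract spf/dmarc results, smtp.mailfrom, header.from and p= from an
    Authentication-Results header, unfolding continuation lines first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    m = re.search(r"^Authentication-Results:\s*(.*)$", unfolded, re.M)
    if not m:
        raise ValueError("no Authentication-Results header")
    body = m.group(1)
    fields = {}
    for key in ("spf", "dmarc"):
        r = re.search(r"\b%s=(\w+)" % key, body)
        fields[key] = r.group(1).lower() if r else "none"
    for key in ("smtp.mailfrom", "header.from"):
        r = re.search(r"\b%s=([^\s;]+)" % re.escape(key), body)
        fields[key] = r.group(1).lower() if r else None
    r = re.search(r"\(p=(\w+)", body)
    fields["p"] = r.group(1).lower() if r else "none"
    return fields


def domain_of(addr):
    """Domain part of an address (or the value itself if already a domain)."""
    return addr.rsplit("@", 1)[-1].lower()


def org_domain(domain):
    """Organizational domain, approximated as the last two labels; real DMARC
    uses the public suffix list, so this is an assumption of the example."""
    return ".".join(domain.split(".")[-2:])


def aligned(a, b, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact domain match,
    relaxed ('r') only the same organizational domain."""
    a, b = a.lower(), b.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_verdict(fields, policy=None, dkim_pass_domains=()):
    """Return (dmarc_result, action). SPF only helps DMARC when its domain
    (smtp.mailfrom) aligns with header.from; `policy` overrides the published
    p= so the same headers can be judged under a stricter policy."""
    header_from = fields["header.from"] or ""
    spf_ok = (fields["spf"] == "pass"
              and aligned(domain_of(fields["smtp.mailfrom"] or ""), header_from))
    dkim_ok = any(aligned(d, header_from) for d in dkim_pass_domains)
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    p = (policy or fields["p"]).lower()
    action = "deliver" if result == "pass" or p == "none" else p
    return result, action


if __name__ == "__main__":
    f = parse_auth_results(SAMPLE_HEADERS)
    print(f)
    for p in ("none", "quarantine", "reject"):
        print(p, dmarc_verdict(f, policy=p))
```

With the published p=NONE the spoof is delivered exactly as the thread saw; only an aligned DKIM signature (or a matching envelope domain) would make it pass.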
"This may be a spoofed message" Google says, I clicked spam even though it's from myself. It was to me and a bunch of other emails. Wasn't in my sent folder though and no one else has accessed my account.
"Sexy Girls Asian Girls Looking for US Men" is the subject and says it's sent from "----------------- via telus.com"
Really odd, seems to be some ISP in Canada and I live in the USA... Wonder how they got my email.
Telus is a phone/ISP company, they're pretty much uninvolved other than the ability to send emails from a @gmail.com address for their customers' needs. Spammers are just utilizing that for malicious purposes with spoofed headers. As for how they got your email, the spammers could very well be working from the US too, Telus is just a tool. But then again on the internet boundaries matter less and they could be halfway across the world and got your email from a random online leaked list.
I woke up this morning to several new labels in my gmail to delete all emails for "bank" "card" "paypal" etc, and paypal was hacked with purchases.
But my gmail has zero new logins, my 2fa wasn't triggered, etc.
How does a hacker create labels to delete my email but not register a login attempt or trigger my 2fa? I wish I was able to contact google.
EDIT: my only guess was accessing my PC where logins are saved, but I sleep in the same room and I don't think ninja spies broke in. Remote login? Seems farfetched.
The emails are spoofed. The bug is Google is labeling emails with "Sent Mail" because "from:" header matches your email.
I think the "bug" was that not all "Received-SPF" headers were correctly checked (only the first one was checked). However, I'm not even sure if this is a bug, since I'm not sure if their migration of emails into G Suite will work if they start not trusting the "From:" header.
The real bug is probably that email is not marked as spam :)
I had some of these earlier today as well. Mine wasn't from telus however, it was from some .science account. I use a password manager and have 2FA enabled, but I quickly switched my password just to make sure. Sure enough, a few hours later I got another one, for about 5 in total. They seemed to have stopped however.
If you have a suspicious or spoofed email and you want people to analyze what happened, it helps a lot if you include the full headers. To do this in gmail, open the menu and pick "Show Original". Particularly useful are the lines that start with "Received:".
This strategy seems odd. If they had simply omitted the spoofed sending email address from the To:/(B)cc lines, we'd never have seen them in our inboxes... right? Why call early attention to yourself?
Maybe that’s part of the technique to trip up Google’s spam filters, as Google might have assumed that spammers would never bcc the sender and thus treat such mails as more likely to be legitimate.
laurencei | 8 years ago
Seems this was flagged as a security risk over a year ago - and Google declined to fix? https://www.zdnet.com/article/spammers-delight-gmail-weirdly...
Screwtellus | 8 years ago
https://www.telus.com/en/support/article/ccts-and-cprst-feed...
notriddle | 8 years ago
https://en.m.wikipedia.org/wiki/Variable_envelope_return_pat...
berg01 | 8 years ago
Bad design, period.
mike-cardwell | 8 years ago
https://www.parsemail.org
From my about page:
timvdalen | 8 years ago
I'll definitely use this in the future!
DanielDent | 8 years ago
"v=spf1 ip4:199.185.220.0/24 ip4:198.161.157.0/24 ip4:198.161.156.0/24 ip4:204.209.205.0/26 ip4:209.171.16.0/24 ip4:100.64.0.0/24 mx ?all"
100.64.0.0/24 is within 100.64.0.0/10
Either I'm missing something, or Telus appears quite confused about the purpose/nature of SPF.
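Added example, not code from the thread: a Python audit of the SPF record quoted above that flags ip4 mechanisms lying inside non-public address space (the 100.64.0.0/24 entry sits in RFC 6598 shared space) and evaluates a client IP against the static mechanisms only. The mx mechanism needs DNS and is reported as skipped rather than resolved, and the list of non-public ranges is the example's own.

```python
import ipaddress

# Record quoted in the thread, attributed there to telus.com.
TELUS_SPF = ("v=spf1 ip4:199.185.220.0/24 ip4:198.161.157.0/24 "
             "ip4:198.161.156.0/24 ip4:204.209.205.0/26 ip4:209.171.16.0/24 "
             "ip4:100.64.0.0/24 mx ?all")

# Ranges that can never be the source of mail arriving over the public
# internet, so listing them in SPF authorizes nothing real (example's list).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                  # RFC 6598 shared (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("mx", "a", "include", "exists", "ptr")


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # default qualifier per RFC 7208
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def audit_ip4(record):
    """Return (network, enclosing_special_range) for ip4 entries that sit
    inside non-public space and therefore authorize no real sender."""
    bad = []
    for _, mech, arg in parse_spf(record):
        if mech != "ip4":
            continue
        net = ipaddress.ip_network(arg, strict=False)
        for special in NON_PUBLIC:
            if net.subnet_of(special):
                bad.append((str(net), str(special)))
    return bad


def static_result(record, client_ip):
    """Evaluate ip4 mechanisms and 'all' only, in record order; return the
    SPF result plus the DNS-dependent mechanisms that had to be skipped."""
    ip = ipaddress.ip_address(client_ip)
    skipped = []
    for qual, mech, arg in parse_spf(record):
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual], skipped
        if mech == "all":
            return QUALIFIERS[qual], skipped
        if mech in DNS_MECHANISMS:
            skipped.append(mech)
    return "neutral", skipped


if __name__ == "__main__":
    print(audit_ip4(TELUS_SPF))
    print(static_result(TELUS_SPF, "69.64.35.11"))
```

For the client IP Gmail logged, none of the static ip4 ranges match and "?all" yields neutral, which is why the pass has to come from a mechanism this check cannot resolve offline.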
DrScump | 8 years ago
I had 24 in my Inbox starting as 6:13PM (GMT-7).