Gmail spam mystery: Why have secure accounts started spamming themselves?

Spam appears in users' sent folders even from accounts that haven't been compromised.
Written by Liam Tung, Contributing Writer


Some Gmail users have been surprised to find spam inexplicably in their Sent folders, with the messages continuing to appear even after users changed their passwords.

Users have been reporting on Gmail's Help Forum that spam sent to addresses they don't recognize appears to have come from their own accounts, raising concerns that those accounts had been compromised.

However, the mystery spam appearing in Sent folders has also been happening on accounts with two-factor authentication enabled. Many affected users reported the spam email's From field included "via telus.net".

"My email account has sent out three spam emails in the past hour to a list of about 10 addresses that I don't recognize," one Gmail user reported.

"I changed my password immediately after the first one, but then it happened again two more times. The subject of the emails is weight loss, and growth supplements for men advertisements. I have reported them as spam. Please help, what else can I do to ensure my account isn't compromised?"

It's not clear why the spam has been appearing in users' Sent folders. However, Google told Mashable that a spam campaign using forged email headers made it look like users were spamming themselves and resulted in the messages wrongly appearing in the Sent folder.


"We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it," a Google spokesperson said in a statement.

"This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder.

"We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam. More information on how to report spam can be found by visiting our Help Center."

The problem appears to be related to a trick, reported by ZDNet last year, that spammers can use to bypass Gmail's spam filters. As researcher Renato Marinho explained, Gmail doesn't filter spam if it comes from a spoofed but valid Gmail address.
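The defender-side check behind Google's explanation, as an added example that is not from the article or from Google: a message whose From: header names the mailbox owner is only a genuine self-sent message if the receiving server's Authentication-Results show SPF or DKIM passing for the owner's own domain; a forged one authenticates (if at all) for some other domain, which is also why Gmail labels such mail "via" another domain. The headers below are constructed and simplified, not real Gmail output, and example.com / attacker-relay.invalid are placeholder domains.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed, simplified headers for illustration (not real Gmail output).
GENUINE = """\
From: alice@example.com
To: alice@example.com
Authentication-Results: mx.example.com; dkim=pass header.i=@example.com; spf=pass smtp.mailfrom=alice@example.com
Subject: note to self

hi
"""

SPOOFED = """\
From: alice@example.com
To: alice@example.com
Authentication-Results: mx.example.com; dkim=none; spf=pass smtp.mailfrom=bounce@attacker-relay.invalid
Subject: weight loss

buy now
"""

def _domain(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def authenticated_domains(auth_results):
    """Domains vouched for by a passing SPF or DKIM result in Authentication-Results."""
    doms = set()
    for _method, rest in re.findall(r"(spf|dkim)=pass([^;]*)", auth_results.lower()):
        m = re.search(r"(?:smtp\.mailfrom|header\.i|header\.d)=@?([^\s;]+)", rest)
        if m:
            doms.add(m.group(1).rsplit("@", 1)[-1])
    return doms

def classify_self_addressed(raw, owner):
    """'not-self', 'genuine' or 'spoofed' for a message claiming to come from owner."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != owner.lower():
        return "not-self"
    # Aligned: some passing method vouches for the From: domain itself, not a relay.
    if _domain(sender) in authenticated_domains(msg.get("Authentication-Results", "")):
        return "genuine"
    return "spoofed"
```

Authentication-Results must come from your own receiving server (strip any copy supplied by the sender), since a forger can write that header too.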

Google at the time declined to track the bug as a security issue because it didn't affect the confidentiality or integrity of data.
