Spammer's delight: Gmail weirdly doesn't see spoofed @gmail.com addresses as junk

Spammers could have a field day with Gmail users, simply by spoofing real Gmail accounts, according to a security researcher.
Written by Liam Tung, Contributing Writer

Spoofed @gmail.com messages arrive in the inbox rather than the spam folder, with no Gmail security warning.

Image: ZDNet/Morphus Labs

Google's Gmail spam filters may block the bulk of spam from hitting your inbox, but according to one researcher they won't filter spam sent from a spoofed @gmail.com address.

No one likes spam and for the most part Google does a great job of keeping inboxes free of it. For Safer Internet Day, Google highlighted the "geeky detective work" it does to ensure the average Gmail inbox has less than 0.1 percent spam.

Gmail, for example, "tracks where a message originated, to whom it's addressed, and how often the sender has contacted the recipient". This approach helps Google cull spam before the user sees it.

But, according to Renato Marinho, a researcher from Brazilian security firm Morphus Labs, Gmail doesn't filter, or even warn users about, dodgy messages from a spoofed @gmail.com address. That is, the email appears to have come from a Gmail account, but actually came from a non-Gmail server. It's not hard to imagine the fun that hackers and spammers could have with this behavior.

Marinho demonstrated it to ZDNet using a setup he describes in a post, and the spoofed @gmail.com message arrived as promised in our inbox rather than the spam folder. Gmail did not display a security warning either.

The only indication that something might be amiss was that the sender field showed the Gmail address followed by 'via' and the name of the server that actually delivered it, and even that hint wasn't visible in the Gmail app for iOS and Android.

"Messages coming from @gmail.com addresses are not filtered by Gmail anti-spam in a specific condition," explained Marinho.

First, the spoofed address must be an existing, valid Gmail account. If it isn't, the message goes straight to Gmail's spam folder, as Marinho also demonstrated for ZDNet.

Secondly, the server sending the message must be authorized by the Sender Policy Framework (SPF) record of the domain used as the SMTP envelope sender (the MAIL FROM address), which does not have to match the @gmail.com address shown in the message's From: header.

For that to happen, the spammer's mail server connects to Gmail and says it wants to deliver a message on behalf of his own domain, such as Im-a-spammer.com, while the From: header inside the message carries the spoofed Gmail address.

Gmail then queries the Im-a-spammer.com domain name service (DNS) for its SPF record to check whether that server may send mail for Im-a-spammer.com, and since the spammer controls that DNS zone, the record of course says it may. SPF only vouches for the envelope sender; it says nothing about the address the recipient actually sees.

Marinho says he informed Google of the issue but was told it would not be tracked as a security bug since it did not substantially affect the confidentiality or integrity of Google users' data.

He also said Yahoo rejected the spoofed email while Microsoft's Outlook moved the spoofed message to spam. But he believes a serious issue here is the trust Gmail users have in Google reliably filtering out spam.

"The higher our belief in the provider, the lower tends to be our attention to the risks. The main advice here is to revisit this 'trust logic'. Even highly reputable services may fail, and we need to be careful all the time to avoid risks," he wrote.

One sure way to tell whether a sender address has been spoofed is to examine the full message headers, which record the server that actually handed the message to Gmail and the domain for which the SPF check passed.
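The header check recommended above, and the SPF lookup described earlier, as an added example that is not code from the article or from Morphus Labs: a small Python script that parses the headers of a raw message and flags the condition Marinho describes, an SPF pass for the envelope (MAIL FROM) domain that is not aligned with the domain in the visible From: header. Both sample messages, the hosts and IPs in them and the domain im-a-spammer.example are constructed; the Authentication-Results layout follows the format Gmail writes into delivered messages. The SPF evaluator handles only ip4, ip6 and all terms, since include, a and mx would require live DNS.

```python
"""Spot a spoofed From: by comparing it with what SPF actually authenticated.

SPF vouches for the SMTP envelope sender (MAIL FROM). The From: header a
user sees is only tied to it by DMARC alignment, so a message can pass SPF
for im-a-spammer.example while displaying a gmail.com address.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed samples (not real captures). Header layout mimics what Gmail
# records in Authentication-Results; im-a-spammer.example is a placeholder.
SPOOFED = """\
Return-Path: <bounce@im-a-spammer.example>
Received: from mail.im-a-spammer.example (mail.im-a-spammer.example [203.0.113.7])
        by mx.google.com with ESMTPS id k7si1234567
        for <victim@gmail.com>; Tue, 14 Feb 2017 08:00:00 -0800 (PST)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce@im-a-spammer.example designates 203.0.113.7 as permitted sender) smtp.mailfrom=bounce@im-a-spammer.example
From: Some Friend <somefriend@gmail.com>
To: victim@gmail.com
Subject: hi

body
"""

LEGIT = """\
Return-Path: <somefriend@gmail.com>
Received: from mail-wm0-f42.google.com (mail-wm0-f42.google.com [74.125.82.42])
        by mx.google.com with ESMTPS id q9si7654321
        for <victim@gmail.com>; Tue, 14 Feb 2017 08:00:00 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com;
       spf=pass (google.com: domain of somefriend@gmail.com designates 74.125.82.42 as permitted sender) smtp.mailfrom=somefriend@gmail.com
From: Some Friend <somefriend@gmail.com>
To: victim@gmail.com
Subject: hi

body
"""

SPF_CLAUSE = re.compile(r"spf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)")


def domain_of(addr: str) -> str:
    """'Name <user@Host.TLD>' -> 'host.tld' (empty string if no address)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels), i.e. relaxed alignment."""
    return ".".join(domain.split(".")[-2:])


def analyse(raw: str) -> dict:
    """Compare the visible From: domain with the domain SPF authenticated."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_from = domain_of(msg["From"] or "")
    envelope = domain_of(msg["Return-Path"] or "")
    m = SPF_CLAUSE.search(str(msg["Authentication-Results"] or ""))
    spf_result = m.group(1).lower() if m else "none"
    spf_domain = domain_of(m.group(2)) if m else envelope
    aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(header_from)
    if aligned:
        verdict = "ok: SPF pass for the same domain as the From: header"
    elif spf_result == "pass":
        verdict = f"suspicious: SPF pass is for {spf_domain}, but From: claims {header_from}"
    else:
        verdict = f"suspicious: no SPF pass for the From: domain ({spf_result})"
    return {"header_from": header_from, "envelope_from": envelope,
            "spf_result": spf_result, "spf_domain": spf_domain,
            "aligned": aligned, "verdict": verdict}


def spf_permits(record: str, client_ip: str) -> bool:
    """Minimal SPF evaluation: ip4/ip6/all terms only (include, a, mx need DNS).

    This is the lookup the receiver performs against the *envelope* domain;
    a spammer who controls that zone simply lists his own server here.
    """
    addr = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifier == "+"
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return qualifier == "+"
    return False  # no mechanism matched: neutral, treated as not permitted


if __name__ == "__main__":
    print(spf_permits("v=spf1 ip4:203.0.113.0/24 -all", "203.0.113.7"))
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyse(raw)["verdict"])
```

The spoofed sample passes SPF exactly as the article describes, because the record being consulted belongs to the spammer's envelope domain; what gives it away is that the passing domain is not the one in the From: header, which is the comparison DMARC alignment makes and a reader can make by hand from the headers.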

It's not clear why Gmail doesn't block these emails or hide them in the spam folder. ZDNet has asked Google for a response and will update the story if it receives one.
