from Hacker News

My account is sending spam emails

by benpink on 4/22/18, 4:39 AM with 143 comments

  • by laurencei on 4/22/18, 6:13 AM

    Exact same thing for me.

    Noticed I was getting emails being sent from myself. More worryingly, the emails appeared in my SENT folder. For 5 mins I was freaking out thinking I was hacked, because I didn't think spoofing emails would show up in MY "sent" folder.

    But I run 2FA, long complex unique password etc. I treat OpSec really highly. I checked all Google security settings, no unauthorised access, no apps using my account etc. Still did a password reset "just in case".

    However one interesting part is after about 4 hours the emails automatically became marked as "spam" - and they disappeared from my "sent" folder simultaneously.

    So it would seem the likely issue is someone worked out a way around the "Spam" setting for Gmail - and a by-product of not flagging spoofed emails as spam is Gmail marks them as "Sent" by you in the labels.

    Seems this was flagged as a security risk over a year ago - and Google declined to fix? https://www.zdnet.com/article/spammers-delight-gmail-weirdly...

  • by jlgaddis on 4/22/18, 6:41 AM

    Don't freak out about them being in your Sent folder. Remember that Gmail doesn't have "traditional" mail folders -- just a huge pile of all your e-mail messages with "labels" attached to them. Apparently Google decides that if the From: address is yours, then you "sent" the message.

    Note that in SMTP there are two "from addresses": the envelope sender (which you don't see) and the "From:" address/header (which you do see) that everyone is familiar with. In most (but not all) legitimate e-mail, they will be the same.

    In these cases, your e-mail address is being used in the "From:" and "To:" headers but a different address is being used in the envelope sender (which is the one that the MTA uses).

    Google does seem to be checking SPF correctly (i.e., according to RFC, which says to use the envelope sender) -- since (it seems that) the result of check_host should be "softfail" and the RFC says that one "SHOULD NOT" reject a message based on that... but Google apparently logged "pass". Odd.

    ---

    ETA: See a comment from ryan-c below about the funky "exists:" mechanism in Telus' SPF record; it explains why check_host() passed.

  • by mike-cardwell on 4/22/18, 9:23 AM

    Some of you posting raw message sources might find a website I built useful:

    https://www.parsemail.org

    From my about page:

    "Paste the raw source of an email into the form on the front page. The email will then be parsed, decoded, separated into its various MIME parts, and displayed in an easy to view fashion. Image attachments will be displayed as images. HTML parts will be rendered in webkit (with javascript and plugins disabled) and then also displayed as an image. IP addresses in headers and message bodies will be identified and highlighted along with a flag representing their origin country. Hostnames and email addresses will also be identified and highlighted."

  • by sethvargo on 4/22/18, 4:33 PM

    Hi all,

    Seth Vargo here from Google. Thank you all for taking the time to report the issue, and thank you for your patience as we fix it. Our engineering teams are aware of this issue and they are working to resolve it as quickly as possible. You should no longer see new spam messages appear in your sent box, and existing spam messages will be automatically removed over the next few days.

  • by dawnerd on 4/22/18, 7:32 AM

    Just wanted to say, the top response on the google forum is exactly why google needs real support and not community members copy-pasting “solutions”.

  • by FuckOffNeemo on 4/22/18, 5:42 AM

    My housemate has had the same issue today on both of his Google accounts. He is both the sender and recipient and there were several other nonsensical email addresses being CC'd in.

    SMTP headers show the emails are relayed from Telus. I'll provide the SMTP headers when I get home.

    = = =

    No unauthorised attempts to log in from third party sources, separate passwords and MFA on both services.

    It doesn't seem to me that the accounts have been compromised, instead the emails are spoofed. They have all been forwarded from Telus.com. The forum OP posted shows everyone else has the same issue.

    Both accounts were sending hundreds of emails today and Google flagged the emails as likely having not been sent by him, but still did not place them in an appropriate spam filters and allowed them through to his inbox?

    Edit:

    = = = = =

    I won't bother adding my headers now, the others that have even added theirs are almost identical to our own, here's a snippet of someone who posted below:

    SPF and DMARC results

      ARC-Authentication-Results: i=1; mx.google.com;
             spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
      Authentication-Results: mx.google.com;
             spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com;
             dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
      Received: from gown.ShoppingBrew.com (ec2-13-58-85-245.us-east-2.compute.amazonaws.com. ) by mx.google.com with ESMTP id n59-v6si5794010qtd.116.2018.04.20.00.37.14 for <<myemail@gmail.com>>;
      Received-SPF: softfail (google.com: domain of transitioning nkhpw@google.com does not designate 69.64.35.11 as permitted sender) client-ip=13.58.85.245;
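Taking jlgaddis's explanation of the two "from" identities together with the header snippet above, here is an added Python example (it is not code from the thread, from Google or from Telus) that parses a constructed header block assembled from the posted fragments and reports which identity SPF checked, which one DMARC aligned on, and why the result reads spf=pass but dmarc=fail. The two-label organizational-domain rule is an assumption made to keep the example self-contained; real DMARC consults the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header fragments posted in this thread, joined into one
# header block (recipient placeholder kept; one angle-bracket pair so it parses).
RAW_HEADERS = """\
Return-Path: <Reply@telus.com>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received-SPF: pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) client-ip=69.64.35.11;
Received-SPF: softfail (google.com: domain of transitioning nkhpw@google.com does not designate 69.64.35.11 as permitted sender) client-ip=13.58.85.245;
From: ABC Shark Tank <myemail@gmail.com>
To: <myemail@gmail.com>, <gego@nih.gov>
Subject: Exclusive Limited Time Online Offer Shark Tank Success Story

"""


def org_domain(domain):
    """Organizational domain approximated as the last two labels.
    Assumption: real DMARC derives this from the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def analyze(raw):
    """Extract both 'from' identities and explain the SPF/DMARC outcome."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]   # smtp.mailfrom: what SPF evaluates
    header_from = parseaddr(msg.get("From", ""))[1]       # what the user sees; DMARC aligns on it
    first_to = parseaddr(msg.get("To", "").split(",")[0])[1]

    results = " ".join(msg.get("Authentication-Results", "").split())  # unfold the header
    spf = re.search(r"\bspf=(\w+)", results)
    dmarc = re.search(r"\bdmarc=(\w+)", results)
    policy = re.search(r"\(p=(\w+)", results)
    # Every Received-SPF header the receiver added, not only the topmost one
    received_spf = [re.match(r"\s*(\w+)", v).group(1) for v in msg.get_all("Received-SPF", [])]

    env_dom, from_dom = domain_of(envelope), domain_of(header_from)
    aligned = org_domain(env_dom) == org_domain(from_dom)
    spf_result = spf.group(1) if spf else None
    dmarc_result = dmarc.group(1) if dmarc else None
    dmarc_policy = policy.group(1) if policy else None

    if spf_result == "pass" and not aligned:
        verdict = (f"SPF passed for the envelope domain {env_dom}, but that domain is not "
                   f"aligned with the From: domain {from_dom}, so DMARC fails; p={dmarc_policy} "
                   f"asks the receiver to take no action on the failure")
    else:
        verdict = f"spf={spf_result}, aligned={aligned}, dmarc={dmarc_result}"

    return {
        "envelope_domain": env_dom,
        "header_from_domain": from_dom,
        "spf": spf_result,
        "spf_aligned": aligned,
        "received_spf_results": received_spf,
        "dmarc": dmarc_result,
        "dmarc_policy": dmarc_policy,
        "self_addressed": header_from == first_to,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_HEADERS).items():
        print(f"{key:22} {value}")
```

The report shows the combination the thread is about: the envelope sender is a telus.com address that the Telus SPF record authorizes, the visible From: is the victim's gmail.com address, the two are not aligned, DMARC therefore fails, and gmail.com's published p=NONE leaves the disposition to the receiver. Both Received-SPF lines are collected so a reviewer can see the softfail on the inner hop that a check of only the first header would miss.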

  • by Operyl on 4/22/18, 5:36 AM

    This is spoofed email, with you also being the recipient as far as I can tell... Am I missing anything else in this matter? If not, this isn't new.

    EDIT from below: "If I remember correctly, if you are the recipient of an email from "yourself" Google automatically puts it in the sent items label as well."

  • by some1else on 4/22/18, 12:59 PM

    Most people don't realize some services you "Logged into with Google" can also send emails in your name. I didn't come across anyone checking authorized apps in that thread. While this appears to be a spoofing issue, I suggest pruning the list of authorized apps frequently: https://support.google.com/accounts/answer/3466521?hl=en

  • by kerng on 4/22/18, 6:27 AM

    Relevant security issue Gmail declined to fix over a year ago: https://www.zdnet.com/article/spammers-delight-gmail-weirdly...

  • by tytso on 4/22/18, 3:23 PM

    So it's not so simple. You could use DMARC to tell mail servers which honor DMARC to drop all e-mails that have @gmail.com addresses that don't come from gmail.com servers. In fact, this is how @google.com e-mail addresses are treated, and I believe this is a setting which G-Suite administrators can set up for their domains.

    BUT. It comes with a downside. Suppose you want to send e-mail from your Linux laptop, or from a Linux mail server you control, without hard-coding your account password in a text file so you can send e-mail via a GMail server. Or suppose you want to subscribe to a mailing list which rewrites the subject line to include the mailing list name. DMARC breaks all of this. Horribly. So yes, it's more secure, but it comes with a massive cost.

    What this means, for example, is I recommend people who work at Google, and who want to interact with either IETF mailing lists or the Linux-kernel mailing lists at vger.kernel.org to send their patches and PULL requests using their @gmail.com address. If they send it using their @google.com address, the same security settings that will prevent these spammers from "faking" e-mails that didn't come from gmail servers, will also break git send-email (unless you want to save your password into a text file --- which is against policy and common sense) and it will break traditional mailing lists.
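To make the trade-off tytso describes concrete, here is an added Python example (not code from the thread or from any of the projects mentioned) that models DMARC evaluation for three delivery paths: the spoofed message from this thread, a patch sent directly from the author's own domain, and the same patch relayed through a mailing list that rewrites the Subject. Assumptions: an HMAC over canonicalized headers stands in for a real DKIM RSA signature, `lists.example.org` is a placeholder list domain, the two-label organizational-domain rule replaces the Public Suffix List, and the policies used (p=none for gmail.com, as the posted headers show; p=reject for google.com, as tytso describes) are inputs rather than live DNS lookups.

```python
import hashlib
import hmac

# Toy stand-in for the signing domain's DKIM private key (assumption: real DKIM
# uses RSA or Ed25519; an HMAC keeps this example offline and self-contained).
SIGNING_KEY = b"constructed-demo-key"
SIGNED_FIELDS = ("From", "To", "Subject")   # the h= list a signer would commit to


def org_domain(domain):
    # Two-label approximation; real DMARC uses the Public Suffix List (assumption).
    return ".".join(domain.lower().split(".")[-2:])


def canonicalize(headers):
    # Relaxed-style canonicalization: lower-case names, collapsed whitespace.
    return "\r\n".join(f"{f.lower()}:{' '.join(headers[f].split())}" for f in SIGNED_FIELDS)


def dkim_sign(headers, signing_domain):
    tag = hmac.new(SIGNING_KEY, canonicalize(headers).encode(), hashlib.sha256).hexdigest()
    return {"d": signing_domain, "b": tag}


def dkim_verify(headers, signature):
    expected = hmac.new(SIGNING_KEY, canonicalize(headers).encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, signature["b"]) else "fail"


def dmarc_evaluate(from_domain, policy, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes when either authenticated identifier aligns with the From: domain;
    otherwise the published policy decides what the receiver does with the message."""
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


def send_direct(from_domain, policy):
    """The author's own server sends the message unchanged: SPF and DKIM both align."""
    headers = {"From": f"dev@{from_domain}", "To": "patches@lists.example.org",
               "Subject": "[PATCH] fix"}
    signature = dkim_sign(headers, from_domain)
    return dmarc_evaluate(from_domain, policy, "pass", from_domain,
                          dkim_verify(headers, signature), signature["d"])


def send_through_list(from_domain, policy, list_domain="lists.example.org"):
    """The list re-sends under its own envelope sender and prefixes the Subject,
    so SPF no longer aligns and the author's DKIM signature no longer verifies."""
    headers = {"From": f"dev@{from_domain}", "To": f"patches@{list_domain}",
               "Subject": "[PATCH] fix"}
    signature = dkim_sign(headers, from_domain)
    relayed = dict(headers, Subject=f"[list-name] {headers['Subject']}")
    return dmarc_evaluate(from_domain, policy, "pass", list_domain,
                          dkim_verify(relayed, signature), signature["d"])


if __name__ == "__main__":
    # The spoof from this thread: envelope telus.com, From gmail.com, no DKIM, p=none
    print("spoofed via telus   ", dmarc_evaluate("gmail.com", "none", "pass", "telus.com", "none", ""))
    print("google.com direct   ", send_direct("google.com", "reject"))
    print("google.com via list ", send_through_list("google.com", "reject"))
    print("gmail.com via list  ", send_through_list("gmail.com", "none"))
```

The same alignment rule that would let a receiver reject the telus.com-enveloped spoof also rejects a legitimately signed patch once a list has touched a signed header, which is exactly why a p=reject domain is awkward for traditional mailing-list workflows and why p=none lets the spoof through.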

  • by Keverw on 4/22/18, 5:43 AM

    I got 2 of these an hour ago.

    "This may be a spoofed message" Google says, I clicked spam even though it's from myself. It was to me and a bunch of other emails. Wasn't in my sent folder though and no one else has accessed my account.

    "Sexy Girls Asian Girls Looking for US Men" is the subject and says it's sent from "----------------- via telus.com"

    Really odd, seems to be some ISP in Canada and I live in the USA... Wonder how they got my email.

  • by SyneRyder on 4/22/18, 5:48 AM

    Another HN thread with more comments about this: https://news.ycombinator.com/item?id=16894593

  • by DanielDent on 4/22/18, 8:32 PM

    Probably unrelated, but telus.net's SPF record appears to authorize RFC6598 (https://tools.ietf.org/html/rfc6598) IP space:

    "v=spf1 ip4:199.185.220.0/24 ip4:198.161.157.0/24 ip4:198.161.156.0/24 ip4:204.209.205.0/26 ip4:209.171.16.0/24 ip4:100.64.0.0/24 mx ?all"

    100.64.0.0/24 is within 100.64.0.0/10

    Either I'm missing something, or Telus appears quite confused about the purpose/nature of SPF.
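To check the point above mechanically, here is an added Python example (not code from the thread or from Telus) that parses the quoted telus.net SPF record and flags any ip4/ip6 mechanism that falls inside special-purpose address space such as RFC 6598 shared address space, as well as a catch-all that gives receivers nothing to reject on. The list of special-purpose ranges is an assumption chosen for this example, not something the page states.

```python
import ipaddress

# telus.net's SPF record exactly as quoted in the comment above
SPF_RECORD = ("v=spf1 ip4:199.185.220.0/24 ip4:198.161.157.0/24 ip4:198.161.156.0/24 "
              "ip4:204.209.205.0/26 ip4:209.171.16.0/24 ip4:100.64.0.0/24 mx ?all")

# Special-purpose ranges that never appear as public sending hosts, so an SPF
# record should not authorize them (assumption: this list is illustrative, not exhaustive)
SPECIAL_RANGES = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 shared address space (CGNAT)": ["100.64.0.0/10"],
    "RFC 1122 loopback": ["127.0.0.0/8"],
    "RFC 3927 link-local": ["169.254.0.0/16"],
    "RFC 4193 IPv6 unique local": ["fc00::/7"],
}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism-or-modifier, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # the implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                       # modifiers such as redirect= or exp=
            name, _, value = term.partition("=")
        else:                                 # mechanisms such as ip4:, a:, mx, all
            name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def audit_spf(record):
    """Return findings for address mechanisms inside special-purpose ranges and for a
    catch-all whose result does not let receivers reject unlisted senders."""
    findings = []
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            for label, ranges in SPECIAL_RANGES.items():
                for cidr in ranges:
                    special = ipaddress.ip_network(cidr)
                    if net.version == special.version and net.subnet_of(special):
                        findings.append(f"{name}:{value} lies inside {cidr} ({label})")
        elif name == "all" and qualifier in ("+", "?"):
            result = "pass" if qualifier == "+" else "neutral"
            findings.append(f"{qualifier}all: unlisted senders get a {result} result, "
                            f"so receivers have no basis to reject them on SPF")
    return findings


if __name__ == "__main__":
    for finding in audit_spf(SPF_RECORD):
        print(finding)
```

Run against the quoted record it reports two things: `ip4:100.64.0.0/24` sits inside the RFC 6598 block, and the record ends in `?all`, so a message from any host not listed evaluates to neutral rather than fail. A record that wants receivers to act on it normally ends in `-all` or `~all`.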

  • by criley2 on 4/22/18, 6:38 PM

    I woke up this morning to several new labels in my gmail to delete all emails for "bank" "card" "paypal" etc, and paypal was hacked with purchases.

    But my gmail has zero new logins, my 2fa wasn't triggered, etc.

    How does a hacker create labels to delete my email but not register a login attempt or trigger my 2fa? I wish I was able to contact google.

    EDIT: my only guess was accessing my PC where logins are saved, but I sleep in the same room and I don't think ninja spies broke in. Remote login? Seems farfetched.

  • by tlogan on 4/22/18, 3:10 PM

    The emails are spoofed. The bug is Google is labeling emails with "Sent Mail" because "from:" header matches your email.

    I think the "bug" was that not all "Received-SPF" headers are correctly checked (only the first one was checked). However, I'm not even sure if this is a bug since I'm not sure if their migration of emails into G Suite will work if they start not trusting the "from:" header.

    The real bug is probably that email is not marked as spam :)

  • by aquova on 4/22/18, 5:46 AM

    I had some of these earlier today as well. Mine wasn't from telus however, it was from some .science account. I use a password manager and have 2FA enabled, but I quickly switched my password just to make sure. Sure enough, a few hours later I got another one, for about 5 in total. They seemed to have stopped however.

  • by marsrover on 4/22/18, 1:49 PM

    Something funny I've noticed is my business account is not receiving any spam but my free gmail account is.

  • by jimrandomh on 4/22/18, 5:49 AM

    If you have a suspicious or spoofed email and you want people to analyze what happened, it helps a lot if you include the full headers. To do this in gmail, open the menu and pick "Show Original". Particularly useful are the lines that start with "Received:".

  • by DrScump on 4/22/18, 6:29 AM

    This strategy seems odd. If they had simply omitted the spoofed sending email address from the To:/(B)cc lines, we'd never have seen them in our inboxes... right? Why call early attention to yourself?

    I had 24 in my Inbox starting at 6:13PM (GMT-7).

  • by 4llan on 4/23/18, 1:12 PM

    I have had this problem with my Hotmail/Outlook account for almost 5 years and the Microsoft team doesn't even understand what's going on. - https://answers.microsoft.com/en-us/outlook_com/forum/oemail...

  • by imraj96 on 4/22/18, 10:21 AM

    Same thing here! I woke up this morning and saw that I've sent out spam emails (about 15 of them) with my email address via telus and received responses in my inbox.

  • by aetherspawn on 4/23/18, 12:06 AM

    To temporarily alleviate this issue, I created the following filter to stop my phone ringing constantly:

        from:(me@gmail.com|me@salesforce.com) to:(me@gmail.com) -{has:attachment}

        Mark as read
        Skip the inbox

    Until I added this rule I was being pinged once a minute since lunch time yesterday.

    This ignores: emails from me, or some Salesforce spammer they were using, to me, that don't have an attachment (so I can still email myself files).

  • by downandout on 4/22/18, 6:30 AM

    I had the same issue tonight. It did not appear in my sent folder, however, and was sent from the same “reply@telus.com” account that everyone else reports. The most recent one (of 5 sent so far) was sent 2 minutes ago. I changed my password an hour ago - but as I suspected that didn’t help because these aren’t being sent via compromised accounts. Someone is using an SMTP server and just spoofing the sent from address.

  • by mediocrejoker on 4/22/18, 6:08 AM

    I had the same thing happen today. At least 6-8 emails in my inbox over the course of an hour or two, from my email address. Mostly ads for "dating" sites with photos of scantily-clad women. The to list includes my address, as well as about 8-10 other addresses, including one at rei.com and another at nih.gov.

    Mine are showing Telus in the relay as well. None show up in the sent folder, and I use 2FA on the account.

  • by dorfsmay on 4/22/18, 12:50 PM

    I wonder if telus did this to allow people using their email system to use Google calendar to send reminders.

  • by sengork on 4/23/18, 4:15 AM

    Some of you might want to see this as well:

    https://mashable.com/2018/04/22/google-gmail-spam-telus/

  • by Tempest1981 on 4/22/18, 4:17 PM

    So who is Telus, and why are they special?

    Is it Google who has a relationship with Telus -- because I'm pretty sure I don't.

    Can Google prevent Telus from doing whatever they're doing? Or is Telus just the victim/conduit of the real spammers?

  • by neop1x on 4/23/18, 9:31 AM

    A bit unrelated but requiring login to just read a forum thread is not good. :( I don't want to login to google again on this device therefore I haven't seen the thread.

  • by piyush_soni on 4/22/18, 9:35 AM

    Wow. I've been facing this since yesterday night, didn't know the entire internet is facing this problem. There's still no official response from Google it seems.

  • by Tempest1981 on 4/22/18, 4:31 PM

    If the emails are (spoofed as) from me, and I tell gmail to mark them as spam, does anything bad happen?

    Gmail shows a weird "Mute" instead option -- never saw that before.

  • by helloindia on 4/22/18, 7:22 AM

    I’ve had similar problem a long time ago with my yahoo account. (Password change didn’t help) So, I cleared my yahoo contact list and that stopped the spam.

  • by stanmancan on 4/22/18, 6:03 PM

    I’ve been debating leaving Google Apps for months now and oddly enough this is the straw that broke the camel's back. Will be migrating to a new host today.

  • by dman214 on 4/22/18, 5:56 PM

    This happened to me today as well. I also run 2FA. Did not see any suspicious devices or activity in the log, other than the sent emails.

  • by DigitalSea on 4/22/18, 9:51 AM

    Crazy. This was happening to me today as well. Tonnes of spam from my email, but being sent to these weird blanket emails. Worrying.

  • by ninjaranter on 4/22/18, 5:59 AM

    I had the same thing in my account (same relay through Telus). Here are my headers

      Delivered-To: <myemail@gmail.com>
      Received: by 10.74.77.209 with SMTP id p78csp1252253ood;
              Sat, 21 Apr 2018 19:48:30 -0700 (PDT)
      X-Google-Smtp-Source: AB8JxZrx9G5VDRbvtvoQWl5sUYm3w7k1TQ5f+Sd3g74T+fFLkrWnEV7qhVmFTr7X0pBQCd5q+my5
      X-Received: by 2002:a6b:6f01:: with SMTP id k1-v6mr16819882ioc.221.1524365310928;
              Sat, 21 Apr 2018 19:48:30 -0700 (PDT)
      ARC-Seal: i=1; a=rsa-sha256; t=1524365310; cv=none;
              d=google.com; s=arc-20160816;
              b=Ry11M99U7ldzJoPvejp48dePTM/MlHI4xQTc2jrwZR3CeugDTEfUpA783hpLnaw0gg
               NCsTVBtObV1GYioVRQDSxWAczHFiPQGld0u5afD+xpb2eGpr7/eZxTwvJPHYpl/FLwNk
               pNXj3w7VObPIyj43K4Zkf9rgNF1TRCYx4RbRvesaBcHMADJS1vDRB5TAsJ8DV6dF7gOB
               +O59qvWZzg0nE265rBJ1b8fWXWuQb4KpdVdwolZ3T3fqFDGY2cHnsmZMWTRzcjsLFWuD
               86+fIW1ccWf1eIjNh3LvecY6B0zzW9LjfgQw+0IvrkEdbwDc1EAbNhWI6kilOPIsDJGD
               Lzng==
      ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
              h=date:message-id:subject:to:from:arc-authentication-results;
              bh=4oe6QhhObsHLHbjLfsZs16iUEYy2rMdtn0ju3umolqQ=;
              b=FoRwZqhc5F7H6pItUYqZ2y/OxsZQkWNDEhj4Ody6uJ1vaC3DzUbXqa4mw1Pb0AgfZe
               QaBcfWaloNJJXBBWIjERShMCo3wYb/wcXtdOlT4x3o7uhAxQJ5sGBQqnVQ4QfH/d9pIh
               DaqTXWcaEieX3tsVDXO8UtZviUTsA7FjO2YGkk/f4rj1K9VOkxqiyECGyQf1uDAI/55d
               7O1t76oCpYr/qyAAx2YGBnz87ShD4bORPOg8iHwb9f4zAq7tfwOoF/Z3blPFR8EA2Xam
               q9x+2OIRsA2oX+t/HNsdrYOkWPkYwhiHwptl0vQZDHZn3E4Uue8DofG5sRLoAFM1rVYJ
               e5RA==
      ARC-Authentication-Results: i=1; mx.google.com;
             spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com;
             dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
      Return-Path: <Reply@telus.com>
      Received: from shop.eseonew.com (static-ip-69-64-35-11.inaddr.ip-pool.com. [69.64.35.11])
              by mx.google.com with ESMTP id v64-v6si7872516iof.146.2018.04.21.19.48.30
              for <<myemail@gmail.com>>;
              Sat, 21 Apr 2018 19:48:30 -0700 (PDT)
      Received-SPF: pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) client-ip=69.64.35.11;
      Authentication-Results: mx.google.com;
             spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com;
             dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
      Received: from gown.ShoppingBrew.com (ec2-13-58-85-245.us-east-2.compute.amazonaws.com. )
              by mx.google.com with ESMTP id n59-v6si5794010qtd.116.2018.04.20.00.37.14
              for <<myemail@gmail.com>>;
              Fri, 20 Apr 2018 00:37:14 -0700 (PDT)
      Received-SPF: softfail (google.com: domain of transitioning nkhpw@google.com does not designate 69.64.35.11 as permitted sender) client-ip=13.58.85.245;
      from: ABC Shark Tank <<myemail@gmail.com>>
      To: <senderus@justvaluerate.com>, <senderse@justvaluerate.com>, <monsl@50-233-80-21-static.hfc.comcastbusiness.net>, <mz@traveldailymedia.com>, <gego@nih.gov>, <iscontact@rei.com>, <mz@wp.com>, <info@chadog.fr>, <info@autotrader.com>
      Subject: Exclusive Limited Time Online Offer Shark Tank Success Story
      Message-ID: <NkhPw@google.com=Mx.google.com>
      Content-Type: multipart/report; boundary="f4f5e80f07d80f991b056a2936a0"; report-type=delivery-status
      X-EMMAIL: <@googlemail.fr <myemail@gmail.com>>
      Date: Sat, 21 Apr 2018 22:48:30 -0400

      --f4f5e80f07d80f991b056a2936a0

  • by tomkat0789 on 4/22/18, 2:59 PM

    This is pretty alarming. Is there another service to switch to that's as reliable and more generally safe as Gmail?

  • by jlengrand on 4/22/18, 9:35 AM

    Great to see this! I was getting mad at all this SPAM coming from myself today!

  • by jeroenheijmans on 4/22/18, 6:12 AM

    Perhaps it's a browser extension/plugin that got hacked?

  • by lukeholder on 4/22/18, 6:01 AM

    My father and I have been getting these all evening.

  • by rco8786 on 4/22/18, 1:34 PM

    Ditto here. 1Password generated pw, 2fa, etc.

  • by mexicanandre on 4/22/18, 7:18 AM

    Yes my gmail spam has gone nuts!!!! Wtf has happened

  • by hartator on 4/22/18, 6:27 AM

    From the way the emails are sent, I bet it's an Android security hole.

  • by Tagore on 4/22/18, 6:23 AM

    I remember when my mom's machine started sending spam with my name in the address field. Clever Trojan.

  • by c3534l on 4/22/18, 6:50 AM

    There was an attack going around many years ago that was basically a spam email that had code embedded in it, which would hack your browser, causing you to send out more spam email when you logged into your account. I assume this is the same sort of thing.

  • by Screwtellus on 4/22/18, 4:24 PM

    Hey guys, you can contact Telus via this link. You don't need to be a customer for this.

    https://www.telus.com/en/support/article/ccts-and-cprst-feed...