A couple of weeks ago I noted that some spammers were sending spam through Gmail. Well, I noticed it again. Whereas in those messages from two weeks ago they were stock spam, this latest batch is enlargement pill spam that contains an image, a link and French phrase for "Click here!"
Just like before, the sending IPs passed the SPF check (the IP's reverse DNS resolves to Google) so clearly this is a case of a security flaw in Gmail's email model being exploited. The stats we have on this particular IP suggest that it has a pretty good historical sending record. Senderbase's Email Reputation Score is also good.
This is a case of spammers taking advantage of security flaws in large email providers. Eventually, Google will get tired of all the spam complaints and will shut this down, but I think it illustrates the regrouping capability of spammers. They are resourceful enough to track down stuff like this and use it for their own ends. I wouldn't be bold enough to say that the next big thing in spamming will be to take advantage of senders with good historical records of email sending patterns, but I will say that for that time being, it is an interesting strategy.
I just thought of another possibility: what if a person has a Gmail account, the person's system is bot-infested and the trojan on there knows the person's email address and password?
That would be an even more interesting twist.
I got this spam in my Gmail account, it's another spam from a Gmail user. I'm not sure if I'm reading the headers right because Google sometimes obfuscates the sending IPs, but it looks like it's sent "locally". Is this coming from a G-spammer?
From - Thu May 17 19:25:11 2007
Received: by 10.114.171.1 with SMTP id t1cs195752wae;
Thu, 17 May 2007 08:57:04 -0700 (PDT)
Received: by 10.82.147.6 with SMTP id u6mr914723bud.1179417412373;
Thu, 17 May 2007 08:56:52 -0700 (PDT)
Received: by 10.82.186.18 with HTTP; Thu, 17 May 2007 08:56:52 -0700 (PDT)
Date: Thu, 17 May 2007 08:56:52 -0700
From: "Chesley Denton" <firstname.lastname@example.org>
To: Me and some others
Subject: Quotes.com BSEA Brokers will be scrambling for this one
Some irrelevant headers are removed.
> Is this coming from a G-spammer?
> Some irrelevant headers are removed.
Unless you accidentally removed a relevant header, this e-mail started and ended in Google.
One of the biggest problem I am having is getting GMail to do something about a spammer using Gmail as their contact point. Try any find a complaint mechanism where they actually do something! I've been trying for months.