Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Chinks in Gmail's armour are still there

Chinks in Gmail's armour are still there

  • Comments 4

A couple of weeks ago I noted that some spammers were sending spam through Gmail.  Well, I noticed it again.  Whereas in those messages from two weeks ago they were stock spam, this latest batch is enlargement pill spam that contains an image, a link and French phrase for "Click here!"

Just like before, the sending IPs passed the SPF check (the IP's reverse DNS resolves to Google) so clearly this is a case of a security flaw in Gmail's email model being exploited.  The stats we have on this particular IP suggest that it has a pretty good historical sending record.  Senderbase's Email Reputation Score is also good.

This is a case of spammers taking advantage of security flaws in large email providers.  Eventually, Google will get tired of all the spam complaints and will shut this down, but I think it illustrates the regrouping capability of spammers.  They are resourceful enough to track down stuff like this and use it for their own ends.  I wouldn't be bold enough to say that the next big thing in spamming will be to take advantage of senders with good historical records of email sending patterns, but I will say that for that time being, it is an interesting strategy.

Leave a Comment
  • Please add 2 and 3 and type the answer here:
  • Post
  • I just thought of another possibility: what if a person has a Gmail account, the person's system is bot-infested and the trojan on there knows the person's email address and password?

    That would be an even more interesting twist.

  • I got this spam in my Gmail account, it's another spam from a Gmail user.  I'm not sure if I'm reading the headers right because Google sometimes obfuscates the sending IPs, but it looks like it's sent "locally".  Is this coming from a G-spammer?

    From - Thu May 17 19:25:11 2007

    X-Account-Key: account2

    X-UIDL: GmailId1129ac183f47c73b

    Delivered-To: Me

    Received: by 10.114.171.1 with SMTP id t1cs195752wae;

           Thu, 17 May 2007 08:57:04 -0700 (PDT)

    Received: by 10.82.147.6 with SMTP id u6mr914723bud.1179417412373;

           Thu, 17 May 2007 08:56:52 -0700 (PDT)

    Received: by 10.82.186.18 with HTTP; Thu, 17 May 2007 08:56:52 -0700 (PDT)

    Date: Thu, 17 May 2007 08:56:52 -0700

    From: "Chesley Denton" <svetlanashahovsquick@gmail.com>

    To: Me and some others

    Subject: Quotes.com BSEA Brokers will be scrambling for this one

    Some irrelevant headers are removed.

  • > Is this coming from a G-spammer?

    > Some irrelevant headers are removed.

    Unless you accidentally removed a relevant header, this e-mail started and ended in Google.

  • One of the biggest problem I am having is getting GMail to do something about a spammer using Gmail as their contact point. Try any find a complaint mechanism where they actually do something! I've been trying for months.

Page 1 of 1 (4 items)