While Gmail lets them through, Yahoo rejects them and Microsoft's Outlook puts them in the Spam folder

Feb 9, 2017 16:32 GMT

Google has equipped Gmail with strong spam filters that keep most junk out of your inbox, but they cannot keep out everything, and a message carrying a spoofed @gmail.com sender address is, it seems, one of the things that gets through.

According to researcher Renato Marinho of Brazilian security firm Morphus Labs, Gmail neither filters nor warns users about suspicious messages whose sender address is a spoofed @gmail.com account. Marinho writes that while such an email appears to come from a valid Gmail account, it is actually delivered by a server that has nothing to do with Gmail. That is something spammers and, worse, phishers looking to do you harm can take advantage of, since a message that looks like it came from a fellow Gmail user carries an implicit level of trust.

The only visible clue that something is wrong with such a message is the small "via" note in the sender field of the Gmail web interface, which shows that the @gmail.com address was delivered through another server. That hint is not displayed in the Gmail apps for iOS or Android, so mobile users get no indication at all.

How does it work?

Marinho explains that for the scheme to work, the server sending the spoofed @gmail.com message must present itself as a legitimate sender; if it does not, the message goes straight to the spam folder.

According to the researcher, the spammer's mail server connects to Gmail and announces, in the SMTP envelope (the MAIL FROM command), that it is delivering a message on behalf of the spammer's own domain. That domain may be one the spammer legitimately controls, so the sender check Gmail performs on it, which looks only at the envelope domain, passes. The message itself, however, carries a forged @gmail.com address in its From header, and that header, not the envelope, is what the recipient sees. The mismatch between the two is what fools Google's filters.
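The envelope/header split described above, as an added illustration that is not code from Marinho or Morphus Labs. It builds the message offline (nothing is sent), prints the SMTP commands a spammer's server would issue, and then applies the alignment check a receiving mail system can use to flag the mismatch: the domain the envelope sender (what SPF validates) belongs to versus the domain in the visible From header. All addresses and domains are constructed for the example.

```python
"""Added example: envelope sender vs. forged From header, and the alignment
check that exposes the mismatch. Addresses and domains are made up."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def build_spoofed_message(envelope_sender: str, header_from: str,
                          recipient: str) -> tuple[str, bytes]:
    """Return (envelope_sender, raw_message).

    Only the RFC 5322 From: header is forged. The RFC 5321 MAIL FROM stays
    on the spammer's own domain, so an SPF lookup for that domain passes.
    smtplib.SMTP.sendmail(envelope_sender, [recipient], raw) would transmit
    exactly this pairing; no connection is made here.
    """
    msg = EmailMessage()
    msg["From"] = header_from          # forged: what the recipient sees
    msg["To"] = recipient
    msg["Subject"] = "Account notice"
    msg.set_content("Please review the attached invoice.")
    return envelope_sender, msg.as_bytes()


def smtp_transcript(envelope_sender: str, recipient: str, raw: bytes) -> list[str]:
    """Client-side commands of the SMTP session (constructed, not a capture).
    Note that the @gmail.com address never appears in the envelope."""
    return [
        "EHLO mail.spammer-domain.example",     # hypothetical spammer host
        f"MAIL FROM:<{envelope_sender}>",       # domain that SPF validates
        f"RCPT TO:<{recipient}>",
        "DATA",
        raw.decode(),                           # carries the forged From:
        ".",
    ]


def domain_of(addr: str) -> str:
    """Domain part of an address, tolerating 'Display Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def check_alignment(envelope_sender: str, raw: bytes) -> dict:
    """Compare the envelope (SPF-checked) domain with the From: header domain.

    A mismatch is what Gmail's web UI surfaces as 'user@gmail.com via
    <other domain>'; a receiver that enforces the From domain's policy
    could reject or junk the message instead of merely hinting.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = parseaddr(str(msg["From"]))[1]
    spf_domain = domain_of(envelope_sender)
    from_domain = domain_of(from_addr)
    aligned = spf_domain == from_domain   # strict alignment, kept simple
    return {
        "spf_domain": spf_domain,
        "from_domain": from_domain,
        "aligned": aligned,
        "display": from_addr if aligned else f"{from_addr} via {spf_domain}",
    }


if __name__ == "__main__":
    env, raw = build_spoofed_message("bounce@spammer-domain.example",
                                     "Some User <someuser@gmail.com>",
                                     "victim@example.net")
    for line in smtp_transcript(env, "victim@example.net", raw):
        print(line)
    print(check_alignment(env, raw))
```

Running it prints the session and then a result whose `aligned` field is false and whose `display` field reads `someuser@gmail.com via spammer-domain.example`, which is the same hint the Gmail web interface gives and the mobile apps omit. The alignment test uses an exact domain comparison for clarity; production receivers also accept subdomain (relaxed) alignment, which does not change the outcome for a gmail.com header paired with an unrelated envelope domain.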

Marinho reported the issue to Google, but, he says, Google does not consider it something that needs to be tracked as a security bug, because it does not affect the confidentiality or integrity of Gmail users' data.

While a message sent this way passes Gmail's filters without trouble, other providers treat it differently: Yahoo rejects the spoofed email outright, and Microsoft's Outlook accepts it but moves it to the Spam folder.

“Generally, our trust in technology security filters is directly proportional to the reputation of the service provider. The higher our belief in the provider, the lower tends to be our attention to the risks. The main advice here is to revisit this ‘trust logic.’ Even highly reputable services may fail, and we need to be careful all the time to avoid risks,” the researcher writes.