This is spoofed email, with you also being the recipient as far as I can tell... Am I missing anything else in this matter? If not, this isn't new.
EDIT from below:
"If I remember correctly, if you are the recipient of an email from "yourself" Google automatically puts it in the sent items label as well."
My guess is the sent folder is just a label where from-address matches one of your emails. Spoofing the inbox in the manner mentioned here will naturally also fool the sent folder.
No no! There's something going on here. These emails are in the sent email folder, and people who are definitely not compromised (long random passwords, 2fa, and checked the device login log from google are showing nothing.)
People are reporting these messages are in their sent mail folder!
Now it's possible that gmail makes it looks like it was "sent mail" if it receives a message "from you" even if you didn't send it, but it's also possible that google has been hacked in a big way.
And some of the people reporting this are knowledgeable people who know what spoofing is, and who have good unique passwords and two-factor enabled.
My house mate has had the same issue today on both of his Google accounts. He is both the sender and recipient and there were several other nonsensical email addresses being CC'd in.
SMTP headers show the emails are relayed from Telus. I'll provide the SMTP headers when I get home.
= = =
No unauthorised attempts to log in from third party sources, seperate passwords and MFA on both services.
It doesn't seem to me that the accounts have been compromised, instead the emails are spoofed. They have all been forwarded from Telus.com. The forum OP posted shows everyone else has the same issue.
Both accounts were sending hundreds of emails today and Google flagged the emails as likely having not been sent by him, but still did not place them in an appropriate spam filters and allowed them through to his inbox?
Edit:
= = = = =
I won't bother adding my headers now, the others that have even added theirs are almost identical to our own, here's a snippet of some one who posted below:
SPF and DMARC results
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender)
smtp.mailfrom=Reply@telus.com;
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com;
Received: from gown.ShoppingBrew.com (ec2-13-58-85-245.us-east-2.compute.amazonaws.com. )
by mx.google.com with ESMTP id n59-v6si5794010qtd.116.2018.04.20.00.37.14
for <<myemail@gmail.com>>;
Received-SPF: softfail (google.com: domain of transitioning nkhpw@google.com does not designate 69.64.35.11 as permitted sender) client-ip=13.58.85.245;
"This may be a spoofed message" Google says, I clicked spam even though it's from myself. It was to me and a bunch of other emails. Wasn't in my sent folder though and no one else has accessed my account.
"Sexy Girls Asian Girls Looking for US Men" is the subject and says it's sent from "----------------- via telus.com"
Really odd, seems to be some ISP in Canada and I live in the USA... Wonder how they got my email.
Telus is a phone/ISP company, they're pretty much uninvolved other then the ability to send emails from a @gmail.com address for their customers needs. Spammers are just utilizing that for malicious purposes with spoofed headers. As for how they got your email, the spammers could very well be working from the US too, Telus is just a tool. But then again on the internet boundaries matter less and they could be halfway across the world and got your email from a random online leaked list.
I had some of these earlier today as well. Mine wasn't from telus however, it was from some .science account. I use a password manager and have 2FA enabled, but I quickly switched my password just to make sure. Sure enough, a few hours later I got another one, for about 5 in total. They seemed to have stopped however.
If you have a suspicious or spoofed email and you want people to analyze what happened, it helps a lot if you include the full headers. To do this in gmail, open the menu and pick "Show Original". Particularly useful are the lines that start with "Received:".
Some parts of these headers look faked to me, in particular, the bottom most Received is definitely faked, and probably also the bottom most Received-SPF and Authentication-Results.
The current SPF records for telus.com don't seem to allow sending by 69.64.35.11.
Did someone figure out how to trick gmail into accepting bogus headers indicating the SPF passed?
Also, the timestamps on the received headers differ by a lot. This one:
Received: from gown.ShoppingBrew.com (ec2-13-58-85-245.us-east-2.compute.amazonaws.com. )
by mx.google.com with ESMTP id n59-v6si5794010qtd.116.2018.04.20.00.37.14
for <my.email.fake@gmail.com>;
Fri, 20 Apr 2018 00:37:14 -0700 (PDT)
appears to be identical (except for the email address) for the two sample sets of headers in the thread.
It seems like everything in the zone "spf.nssi.telus.com" resolves, regardless of further DNS labels. So yeah, I'd say every host with any IP is allowed to send mails as anything from telus.com. That's a bit unsettling.
Indeed, the DNS records are gone. They had a tweet[1] 1 hour or 2 ago how they are working on it. I guess someone got phoned on his sunday to fix it. I'm hoping for a further update from their side what happened.
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com;
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
I had thought that as of early 2017 that had changed the DMARC policy to p=REJECT which would basically reject any attempts at spoofing gmail.com in the From: field. It seems as if someone suddenly (maybe accidentally) reverted that change?
It appears to be validating the envelope sender (reply@telus.com) rather than the from address, per the spec.
The thing is, telus.com doesn't have a DMARC record, and thier SPF record doesn't include 69.64.35.11. This header might be fake. Gmail does currently have a DMARC record that says p=none sp=quarantine. The 'sp' value only applies to subdomains, so the "none" (no action) policy should be used.
Edit: I just verified that gmail's dmarc has had p=none for a long time.
I had the same thing happen today. At least 6-8 emails in my inbox over the course of an hour or two, from my email address. Mostly ads for "dating" sites with photos of scantily-clad women. The to list includes my address, as well as about 8-10 other addresses, including one at rei.com and another at nih.gov.
Mine are showing Telus in the relay as well. None show up in the sent folder, and I use 2FA on the account.
Noticed I was getting emails being sent from myself. More worringly was the emails appeared in my SENT folder. For 5mins I was freaking out thinking I was hacked, because I didnt think spoofing emails would show up in MY "sent" folder.
But I run 2FA, long complex unique password etc. I treat OpSec really highly. I checked all Google security settings, no unauthorised access, no apps using my account etc. Still did a password reset "just in case".
However one interesting part is after about 4 hours the emails automatically became marked as "spam" - and they disappeared from my "sent" folder simulatenously.
So it would seem the likely issue is someone worked out a way around the "Spam" setting for Gmail - and a by-product of not flagging spoofed emails as spam is Gmail marks them as "Sent" by you in the labels.
The thing is I've used Gmail for nearly 10 years (give or take) - and I've never once had a spoofed email reach my inbox. Ever.
Something must have changed, most likely in the past 24 hours (give or take) to allow this to suddenly occur? Or someone's worked out a way passed the gmail spam filters or something.
I’ve used Gmail for longer and I’ve seen it a lot over the years. What’s most likely changed is the volume at which the spammers are doing it, so you finally started seeing some come your way.
Yep, based on those headers it's the exact same thing discussed in the ZDNet and LinkedIn articles.
----
ETA: Just tried it myself, through my own mail server, and the headers are pretty much the same: the IPs are different, of course, and I didn't bother including extra forged Received: headers and such). This works beautifully -- message is in my Inbox (flagged as "Important according to Google magic.") and shows up under "Sent" as well.
After opening up "Show Original" in a new tab and then returning to the message, there's now a small banner (with a yellow background) at the top that reads:
> This may be a spoofed message. Gmail couldn't verify that it was actually sent from your account. Learn more.
There is something strange about those headers. Are they all from the same email?
There are two Received: with by mx.google.com, and they are nearly two days apart. And there are two Received-SPF: headers.
Other than that, my guess is that the spammer has BCC'd you and put your email address in the from: header (oddly lowercase here). Gmail will put messages from you in the Sent folder (label) even when they are sent from outside Gmail.
The extra ones are probably made up by the spammer trying to trick Google's anti spam machinery.
When I was an anti-spam engineer 10 years ago, we saw this sort of tricks all the time. Basically the only headers you can trust are the ones inserted by your own infrastructure. DKIM does mitigate this somewhat, but of course has its own problems.
The last Received: and Received-SPF: headers are forged. It's pretty common for spammers to do that, apparently in an attempt to "trick" either spam filtering software or a person looking at the headers.
>Gmail will put messages from you in the Sent folder (label) even when they are sent from outside Gmail.
On the principle of least surprise, this would seem to be incomplete behavior. I bet every single person reading this was surprised.
It's not a bad place to put such mail, so I suggest that on its web and mobile interface, Gmail simply put some kind of badge for sent mail sent from outside Gmail or your devices. Example:
Source: I mocked above up from Google image search for "gmail sent folder" and an open clipart "information icon".
If you click on that i or hover it should mention that some of these messages were sent from outside Gmail or from your authorized devices but have been put in your Sent folder because your email address is in the from: field.
People notoriously won't know what a new badge means, and this being an uncommon scenario, no one will, panic ensues.
It might be better if such email was automatically marked as spam until the user marks it as good. If they keep doing that, then that send path should gain elevated trust. (I mean, they are using some ML system here right?) I'm imagining an anti-spam-campaign supervisor system that also tracks spam with some sort of soft hash (or ML), running across many user's email.
Yeah, this looks pretty straightforward. As I read it, it looks like telus.com has set up SPF records allowing people to send mail as @gmail.com via Telus' servers. That's fine. These messages are being sent with a "reply@telus.com" return address (the "envelope from"), but they are coming from gown.shoppingbrew.com and rine.play-wto.com (I don't get why there are separate received headers here from different sources -- usually multiple received headers form a chain of custody for the email, and this looks like two different sources somehow both sent the same message ... maybe one of those is forged?).
The only part of this that looks like a Google-specific bug to me is that I'm not sure Gmail should be dropping messages into your Sent folder that did not originate from your authenticated account. If you send a message using some other mail client that logs in to your Gmail account, or an app, or the web app, sure, but if a message just pops into your account with your address as the "from:" header, it shouldn't show up in your Sent label.
The rest of this is just email being as broken as it usually is.
SPF only checks the envelope-from. It doesn't check the other "from:" header. Anybody can easily clone anybody else's SPF records, so any service that allows you to route mail through them and has already cloned Google's SPF records (so that users can send mail through Gmail's servers using their @telus.com address) is vulnerable to this.
If SPF were changed to also check the other from: header, then it would break every single domain that uses Google's mail hosting services but hasn't updated their SPF records. So that's never gonna happen.
This is maybe the biggest reason I wish people would stop using Gmail for any kind of important mail services. The moment you do that, mail from your domain can be spoofed by any other outfit that also uses Gmail, and it will pass SPF, which means it'll cruise right through most spam filters.
DKIM can resolve some of this, but it comes along with a suitcase full of its own nightmares.
Neither DKIM nor SPF provide domain owners with a verifiable disposition policy and monitoring. You should deploy SPF, DKIM and DMARC together. At that point either SPF or DKIM may pass but if the passing SPF/DKIM domain(s) don't match the DMARC domain the message isn't authenticated. Unlike SPF, DMARC will load its policy using the From: header, and thus ensure alignment between envelope-From and From: header (for SPF), or DKIM domain and From: header.
In this particular case, it seems the major issue is that spammers got access to 69.64.35.11, which is included in telus.com's SPF record. In the end, this will hurt deliverability for legitimate emails sent with telus.com in the return path, and I suspect telus.com's customer service will have some explaining to do for their customers.
ARC is the new standard designed to fix the DMARC edge case with forwarding. It's relatively new, though, so adoption isn't nearly as widespread as SPF, DKIM, or DMARC.
It's non-standard, for sure, but it's "by design" and I suppose they can do whatever they want on their own platform. I'll stick with my IMAP4-compliant mail server, though.
Are you sure about that? I have gotten many spoofed spam emails before but I've never seen them appear in my sent folder before. Furthermore when I search "from:[my email]", I see a different listing than when I look in the sent folder.
I have a very short gmail address so I get _loads_ of spam daily. The above is actually correct. Emails from my address, even though they are spoofed will show up in my Sent folder until I mark them as Junk. I just checked with the 3-4 spams I received last night all all where in Sent.
Re: others forging your domain by using Gmail - this is only true in narrow edge cases like this one (which appears to have been relatively quickly fixed by Gmail).
In practice, the Gmail and G suite UIs provide enforcement mechanisms to ensure you own a domain/address before allowing you to send from it.
Does it potentially open you up to spoofing if another loophole/exploit like this is discovered? Sure. But as risk factors go, depending on who you are, that's probably relatively low on the list.
Same too. The odd thing for me is that the client address (from the original text) was an AWS address. Only two appeared in the main inbox. More were sent straight to spam.
They appeared just after I turned on my AWS instance briefly. So I thought it was related.
wow... reading this thread is scary. Google is a joke; my humble advice would be to close your accounts and pay for a better service, life Fastmail or Protonmail.
I think this is exactly what is going on. Gmail doesn't use IMAP folders in the traditional sense, it uses labels. For something to appear in your "Sent" folder, it only has to show your email address as the sender. Since it's quite common for spammers to use your email address as the "From" in spam messages sent to you, Gmail automatically throws it in your Sent "folder" by way of a label.
I freaked out at first when my Fastmail account started getting spammed seemingly by my old Gmail account (I no longer use Gmail but I kept the account active and forwarded to Fastmail to catch anyone I forgot to update with the new address). I logged into Gmail and immediately changed my password, made sure I didn't have any third party app access, and turned on 2FA.
After seeing this HN piece and reading through the first few messages in the Google product forum, I realized it was typical spam that was breaking through Google's spam filter and freaking everyone out due to Google's handling of the Sent folder/label.
I'm not sure how they would fix that, assuming that's even a bug. The email protocol is completely unverified, anyone can send the header they please, including spoofed From: headers. The GMail client itself even allows it, when you compose a new email you can change the "From" to anything. That's actually a rather useful feature when you have several addresses redirecting to one gmail address.
This strategy seems odd. If they had simply omitted the spoofed sending email address from the To:/(B)cc lines, we'd never had seen them in our inboxes... right? Why call early attention to yourself?
Maybe that’s part of the technique to trip up Google’s spam filters, as Google might have assumed that spammers would never bcc the sender and thus treat such mails as more likely to be legitimate.
I had the same issue tonight. It did not appear in my sent folder, however, and was sent from the same “reply@telus.com” account that everyone else reports. The most recent one (of 5 sent so far) was sent 2 minutes ago. I changed my password an hour ago - but as I suspected that didn’t help because these aren’t being sent via compromised accounts. Someone is using an SMTP server and just spoofing the sent from address.
Don't freak out about them being in your Sent folder. Remember that Gmail doesn't have "traditional" mail folders -- just a huge pile of all your e-mail messages with "labels" attached to them. Apparently Google decides that if the From: address is yours, then you "sent" the message.
Note that in SMTP there are two "from addresses": the envelope sender (which you don't see) and the "From:" address/header (which you do see) that everyone is familiar with. In most (but not all) legitimate e-mail, they will be the same.
In these cases, your e-mail address is being used in the "From:" and "To:" headers but a different address is being used in the envelope sender (which is the one that the MTA uses).
Google does seem to be checking SPF correctly (i.e., according to RFC, which says to use the envelope sender) -- since (it seems that) the result of check_host should be "softfail" and the RFC says that one "SHOULD NOT" reject a message based on that... but Google apparently logged "pass". Odd.
---
ETA: See a comment from ryan-c below about the funky "exists:" mechanism in Telus' SPF record; it explains why check_host() passed.
> In most (but not all) legitimate e-mail, they will be the same.
Just to be clear, most automated emails from major providers have them different. This is because, while the From header is shown to the user, the envelope sender is sent bounces.
So companies like Google, SendGrid (used by GitHub), and MailChimp set up special "bounce handler" addresses as the envelope sender to detect if there's a problem sending you email.
There was an attack going around many years ago that was basically a spam email that had code embedded in it, which would hack your browser, causing you to send out more spam email when you logged into your account. I assume this is the same sort of thing.
Nope. This is just Gmail appending the "Sent" label to an email that you received from "you". You didn't actually send it, it was just a spoofed From header.
I’ve had similar problem a long time ago with my yahoo account. (Password change didn’t help)
So, I cleared my yahoo contact list and that stopped the spam.
I think that link was pasted in sarcastically - Microsoft “support” style, where someone is paid to keyword-match your question without bothering to understand your question.
"Paste the raw source of an email into the form on the front page. The email will then be parsed, decoded, separated into its various MIME parts, and displayed in an easy to view fashion. Image attachments will be displayed as images. HTML parts will be rendered in webkit (with javascript and plugins disabled) and then also displayed as an image. IP addresses in headers and message bodies will be identified and highlighted along with a flag representing their origin country. Hostnames and email addresses will also be identified and highlighted."
Whenever I get a weird/suspicious email the first thing I do is look at the source but the amount of info in there (and different encodings) can make it hard to grasp what's going on.
Wow. I've been facing this since yesterday night, didn't know the entire internet is facing this problem. There's still no official response from Google it seems.
153 comments
[ 5068 ms ] story [ 949 ms ] threadEDIT from below: "If I remember correctly, if you are the recipient of an email from "yourself" Google automatically puts it in the sent items label as well."
People are reporting these messages are in their sent mail folder!
Now it's possible that gmail makes it looks like it was "sent mail" if it receives a message "from you" even if you didn't send it, but it's also possible that google has been hacked in a big way.
And some of the people reporting this are knowledgeable people who know what spoofing is, and who have good unique passwords and two-factor enabled.
"If I remember correctly, if you are the recipient of an email from "yourself" Google automatically puts it in the sent items label as well."
Google threw it in my Sent Items despite me not sending it from gmail itself.
SMTP headers show the emails are relayed from Telus. I'll provide the SMTP headers when I get home.
= = =
No unauthorised attempts to log in from third party sources, seperate passwords and MFA on both services.
It doesn't seem to me that the accounts have been compromised, instead the emails are spoofed. They have all been forwarded from Telus.com. The forum OP posted shows everyone else has the same issue.
Both accounts were sending hundreds of emails today and Google flagged the emails as likely having not been sent by him, but still did not place them in an appropriate spam filters and allowed them through to his inbox?
Edit:
= = = = =
I won't bother adding my headers now, the others that have even added theirs are almost identical to our own, here's a snippet of some one who posted below:
SPF and DMARC results
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com;
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from gown.ShoppingBrew.com (ec2-13-58-85-245.us-east-2.compute.amazonaws.com. ) by mx.google.com with ESMTP id n59-v6si5794010qtd.116.2018.04.20.00.37.14 for <<myemail@gmail.com>>;
Received-SPF: softfail (google.com: domain of transitioning nkhpw@google.com does not designate 69.64.35.11 as permitted sender) client-ip=13.58.85.245;
DMARC failed and SPF shows that Telus.com was an approved SMTP relay for Google.com
Edit: posted into my original comment.
"This may be a spoofed message" Google says, I clicked spam even though it's from myself. It was to me and a bunch of other emails. Wasn't in my sent folder though and no one else has accessed my account.
"Sexy Girls Asian Girls Looking for US Men" is the subject and says it's sent from "----------------- via telus.com"
Really odd, seems to be some ISP in Canada and I live in the USA... Wonder how they got my email.
The current SPF records for telus.com don't seem to allow sending by 69.64.35.11.
Did someone figure out how to trick gmail into accepting bogus headers indicating the SPF passed?
Also, the timestamps on the received headers differ by a lot. This one:
appears to be identical (except for the email address) for the two sample sets of headers in the thread.That's why the SPF check doesn't fail.
However, in the year 2018 I'm shocked that Gmail would put messages that fail dmarc into users' inboxes.
1: https://twitter.com/TELUSsupport/status/988060048843657216
The thing is, telus.com doesn't have a DMARC record, and thier SPF record doesn't include 69.64.35.11. This header might be fake. Gmail does currently have a DMARC record that says p=none sp=quarantine. The 'sp' value only applies to subdomains, so the "none" (no action) policy should be used.
Edit: I just verified that gmail's dmarc has had p=none for a long time.
Mine are showing Telus in the relay as well. None show up in the sent folder, and I use 2FA on the account.
Noticed I was getting emails being sent from myself. More worringly was the emails appeared in my SENT folder. For 5mins I was freaking out thinking I was hacked, because I didnt think spoofing emails would show up in MY "sent" folder.
But I run 2FA, long complex unique password etc. I treat OpSec really highly. I checked all Google security settings, no unauthorised access, no apps using my account etc. Still did a password reset "just in case".
However one interesting part is after about 4 hours the emails automatically became marked as "spam" - and they disappeared from my "sent" folder simulatenously.
So it would seem the likely issue is someone worked out a way around the "Spam" setting for Gmail - and a by-product of not flagging spoofed emails as spam is Gmail marks them as "Sent" by you in the labels.
Seems this was flagged as a security risk over a year ago - and Google declined to fix? https://www.zdnet.com/article/spammers-delight-gmail-weirdly...
So you could still send emails to your self and they would not get flagged as spam.
Something must have changed, most likely in the past 24 hours (give or take) to allow this to suddenly occur? Or someone's worked out a way passed the gmail spam filters or something.
Either way - this is clearly "new".
----
ETA: Just tried it myself, through my own mail server, and the headers are pretty much the same: the IPs are different, of course, and I didn't bother including extra forged Received: headers and such). This works beautifully -- message is in my Inbox (flagged as "Important according to Google magic.") and shows up under "Sent" as well.
After opening up "Show Original" in a new tab and then returning to the message, there's now a small banner (with a yellow background) at the top that reads:
> This may be a spoofed message. Gmail couldn't verify that it was actually sent from your account. Learn more.
Apparently someone just found out about it and decided to try it out -- it's obviously "new" to a lot of HN'ers as well.
People who've been affected might not have noticed or cared enough to say/do something.
There are two Received: with by mx.google.com, and they are nearly two days apart. And there are two Received-SPF: headers.
Other than that, my guess is that the spammer has BCC'd you and put your email address in the from: header (oddly lowercase here). Gmail will put messages from you in the Sent folder (label) even when they are sent from outside Gmail.
When I was an anti-spam engineer 10 years ago, we saw this sort of tricks all the time. Basically the only headers you can trust are the ones inserted by your own infrastructure. DKIM does mitigate this somewhat, but of course has its own problems.
On the principle of least surprise, this would seem to be incomplete behavior. I bet every single person reading this was surprised.
It's not a bad place to put such mail, so I suggest that on its web and mobile interface, Gmail simply put some kind of badge for sent mail sent from outside Gmail or your devices. Example:
https://imgur.com/a/KEMf1HM
(Notice the ⓘ [circled i] in the first line.)
Source: I mocked above up from Google image search for "gmail sent folder" and an open clipart "information icon".
If you click on that i or hover it should mention that some of these messages were sent from outside Gmail or from your authorized devices but have been put in your Sent folder because your email address is in the from: field.
It might be better if such email was automatically marked as spam until the user marks it as good. If they keep doing that, then that send path should gain elevated trust. (I mean, they are using some ML system here right?) I'm imagining an anti-spam-campaign supervisor system that also tracks spam with some sort of soft hash (or ML), running across many user's email.
The only part of this that looks like a Google-specific bug to me is that I'm not sure Gmail should be dropping messages into your Sent folder that did not originate from your authenticated account. If you send a message using some other mail client that logs in to your Gmail account, or an app, or the web app, sure, but if a message just pops into your account with your address as the "from:" header, it shouldn't show up in your Sent label.
The rest of this is just email being as broken as it usually is.
SPF only checks the envelope-from. It doesn't check the other "from:" header. Anybody can easily clone anybody else's SPF records, so any service that allows you to route mail through them and has already cloned Google's SPF records (so that users can send mail through Gmail's servers using their @telus.com address) is vulnerable to this.
If SPF were changed to also check the other from: header, then it would break every single domain that uses Google's mail hosting services but hasn't updated their SPF records. So that's never gonna happen.
This is maybe the biggest reason I wish people would stop using Gmail for any kind of important mail services. The moment you do that, mail from your domain can be spoofed by any other outfit that also uses Gmail, and it will pass SPF, which means it'll cruise right through most spam filters.
DKIM can resolve some of this, but it comes along with a suitcase full of its own nightmares.
In this particular case, it seems the major issue is that spammers got access to 69.64.35.11, which is included in telus.com's SPF record. In the end, this will hurt deliverability for legitimate emails sent with telus.com in the return path, and I suspect telus.com's customer service will have some explaining to do for their customers.
Spammers seem to be abusing this hole.
In practice, the Gmail and G suite UIs provide enforcement mechanisms to ensure you own a domain/address before allowing you to send from it.
Does it potentially open you up to spoofing if another loophole/exploit like this is discovered? Sure. But as risk factors go, depending on who you are, that's probably relatively low on the list.
https://www.telus.com/en/support/article/ccts-and-cprst-feed...
They appeared just after I turned on my AWS instance briefly. So I thought it was related.
https://www.telus.com/en/support/article/ccts-and-cprst-feed...
I freaked out at first when my Fastmail account started getting spammed seemingly by my old Gmail account (I no longer use Gmail but I kept the account active and forwarded to Fastmail to catch anyone I forgot to update with the new address). I logged into Gmail and immediately changed my password, made sure I didn't have any third party app access, and turned on 2FA.
After seeing this HN piece and reading through the first few messages in the Google product forum, I realized it was typical spam that was breaking through Google's spam filter and freaking everyone out due to Google's handling of the Sent folder/label.
I had 24 in my Inbox starting as 6:13PM (GMT-7).
Note that in SMTP there are two "from addresses": the envelope sender (which you don't see) and the "From:" address/header (which you do see) that everyone is familiar with. In most (but not all) legitimate e-mail, they will be the same.
In these cases, your e-mail address is being used in the "From:" and "To:" headers but a different address is being used in the envelope sender (which is the one that the MTA uses).
Google does seem to be checking SPF correctly (i.e., according to RFC, which says to use the envelope sender) -- since (it seems that) the result of check_host should be "softfail" and the RFC says that one "SHOULD NOT" reject a message based on that... but Google apparently logged "pass". Odd.
---
ETA: See a comment from ryan-c below about the funky "exists:" mechanism in Telus' SPF record; it explains why check_host() passed.
Bad design, period.
Just to be clear, most automated emails from major providers have them different. This is because, while the From header is shown to the user, the envelope sender is sent bounces.
So companies like Google, SendGrid (used by GitHub), and MailChimp set up special "bounce handler" addresses as the envelope sender to detect if there's a problem sending you email.
https://en.m.wikipedia.org/wiki/Variable_envelope_return_pat...
https://www.parsemail.org
From my about page:
"Paste the raw source of an email into the form on the front page. The email will then be parsed, decoded, separated into its various MIME parts, and displayed in an easy to view fashion. Image attachments will be displayed as images. HTML parts will be rendered in webkit (with javascript and plugins disabled) and then also displayed as an image. IP addresses in headers and message bodies will be identified and highlighted along with a flag representing their origin country. Hostnames and email addresses will also be identified and highlighted."
Whenever I get a weird/suspicious email the first thing I do is look at the source but the amount of info in there (and different encodings) can make it hard to grasp what's going on.
I'll definitely use this in the future!