Email spoofing is one of the oldest spam techniques in the book. This is when the headers of emails are forged to hide the real address of the sender, with the aim of tricking people into clicking through them, thinking they’re from a trusted source.
Aside from spam and solicitation campaigns, spoofing is also widely used in phishing and malware attacks, so it is one security threat you will have to look out for.
Usually, an email service's junk filters do a good job of keeping spoofed emails and spam out of a user's mailbox, but of course there are various ways spammers try to circumvent them.
One such technique, specifically affecting Google’s Gmail, was recently demonstrated by Renato Marinho, a security researcher from Morphus Labs. According to Marinho, although Gmail’s junk filter adequately blocks most of the junk messages it deems as spam, it won’t filter out spam from a spoofed gmail.com address. These emails may appear to be coming from a valid Gmail address but they are actually originating from somewhere else.
How it works
In a LinkedIn post, Marinho listed the necessary steps his team took for testing a successful Gmail spoof.
First, the spoofed email needs to appear to be coming from a valid and working Gmail address; otherwise it goes directly to the junk folder. Second, the spammer's email server (the original source of the spoofed email) must connect to Gmail stating that it wants to deliver a message from the spammer's own domain, but internally the spammer switches the sender address shown in the message to the fake Gmail address instead.
Gmail then asks the DNS server for that spammer-controlled domain to check whether the sending server is allowed to send messages on the domain's behalf. The DNS server says "yes," of course, and according to the security researcher, with this validation the spoofed email is delivered to the target's inbox "with no security warnings, tagged with an important sign (if it's a usual contact) and with the spoofed sender picture profile, increasing its legitimacy."
It is easy to see how this Gmail spoofing technique could be used to deliver all sorts of nasty stuff, from phishing emails to poisoned links with embedded malware.
Marinho said he has already informed Google of this issue but the company does not believe that it will be tracked as a security bug since “it doesn’t really affect the confidentiality or integrity of the Gmail users’ data.”
He still believes it is an issue worth looking at, since users put their trust in reputable services such as Google to minimize their risk.
“Generally, our trust on the technology security filters is directly proportional to the reputation of the service provider,” Marinho explained. “The higher our belief on the provider, the lower tends to be our attention to the risks. The main advice here is to revisit this ‘trust logic.’ Even highly reputable services may fail and we need to be careful all the time to avoid risks.”
Interestingly, Marinho said that Yahoo rejected the spoofed messages while Outlook.com flagged them and moved them to the recipient’s spam folder.
How to identify a spoofed Gmail message
To catch spoofed Gmail messages, Marinho advises users to check the message details carefully, preferably through a web browser. Examine the "via" tag on the sender address and see whether the message is coming from a non-Gmail server. Unfortunately, this tag and the security details are not yet viewable in Gmail's Android and iOS apps.
Also, check the full message headers. The headers may reveal signs of a spoofed message, for example the real sender's address shown in the "Return-Path:" header rather than the displayed Gmail address.
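The header check described above, as an added example that is not part of the original article or Marinho's write-up: it parses a raw message and flags one whose "Return-Path" (envelope sender) domain does not match the domain shown in "From", the mismatch behind Gmail's "via" tag. The sample headers are constructed; the domain attacker.example is a placeholder.

```python
# Added example (not from the article): flag messages whose envelope-sender
# domain ("Return-Path") differs from the displayed "From" domain.
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if absent or malformed."""
    address = parseaddr(header_value)[1]
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def sender_domains(raw_message: str) -> tuple[str, str]:
    """Return (return_path_domain, from_domain) for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    return _domain(msg.get("Return-Path", "")), _domain(msg.get("From", ""))


def spoof_indicators(raw_message: str) -> list[str]:
    """Reasons the message matches the spoof pattern; an empty list means none found."""
    rp_domain, from_domain = sender_domains(raw_message)
    reasons = []
    if not rp_domain or not from_domain:
        return ["missing Return-Path or From domain"]
    if rp_domain != from_domain:
        reasons.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")
    # The article's case: the displayed sender is gmail.com, but the domain that
    # was actually validated at delivery time is someone else's.
    if from_domain == "gmail.com" and rp_domain != "gmail.com":
        reasons.append("displays a gmail.com sender but the envelope sender is another domain")
    return reasons


# Constructed sample headers modelled on the mismatch described in the article.
SPOOFED = """Return-Path: <bounce@attacker.example>
From: Trusted Contact <someone@gmail.com>
To: victim@gmail.com
Subject: Hello

body
"""

GENUINE = """Return-Path: <someone@gmail.com>
From: Trusted Contact <someone@gmail.com>
To: victim@gmail.com
Subject: Hello

body
"""
```

The same comparison can be run over a message saved from the web client's "Show original" view, which includes the Return-Path header.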