Google’s filtering capabilities in Gmail are usually excellent at preventing spam from ever hitting your inbox. However, a new variant today is cleverly bypassing those protections by making it appear that your account is the one directly sending the spam email to itself.
There have been many reports in the past 24 hours, including from a family member of one of our writers, with several dozen posted to this thread on the official Gmail Help Forum. Essentially, emails are arriving in inboxes that appear to be sent by you, with “Me” as the sender in the inbox view and your profile icon shown on mobile.
While the sender name is yours in that main view, opening the message shows a different sender name, but with your email address attached on the “From” line. The spam is usually addressed to the same unknown set of recipients. The subject lines and contents of the emails appear to vary greatly.
Most worryingly, these messages — often numbering in the dozens — also appear in your sent folder. The end result is the appearance that your account is compromised and is the one sending these spam emails. A third-party sender is likely somehow spoofing your address to give off that appearance, with the end goal of the spam likely being to get you to click a link.
According to forum reports, users who reset their passwords are still getting these fraudulent emails afterwards. Meanwhile, suspicious log-in checks indicate that accounts do not appear to have been improperly accessed by a third party in the traditional sense.
Update: Google has provided a comment to 9to5Google acknowledging this spam campaign involving “forged email headers that made it appear as if users were receiving emails from themselves.” Impacting “a small subset of Gmail users,” the company’s fix identifies and reclassifies “all offending emails as spam.” Furthermore, Google has “no reason to believe any accounts were compromised as part of this incident.”
“We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder. We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam. More information on how to report spam can be found by visiting our Help Center.”
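To check whether a message that claims to come from your own address was actually authenticated, you can inspect the `Authentication-Results` header (RFC 8601) stamped by your receiving mail server. The sketch below is an added example, not code from Google or from this article. The sample messages, the addresses, the authserv-id `mx.example.net` and the function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; addresses, domains and the authserv-id are placeholders.
BODY = ('From: "Some Other Name" <alice@example.com>\n'
        "To: alice@example.com\nSubject: sample\n\nbody\n")
SPOOFED = ("Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.example.org;"
           " dkim=none; dmarc=fail header.from=example.com\n" + BODY)
GENUINE = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com;"
           " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n" + BODY)
# A sender can include its own Authentication-Results line; it must not be trusted.
PLANTED = "Authentication-Results: relay.example.org; dmarc=pass header.from=example.com\n" + BODY


def trusted_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from headers our own server stamped."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = str(header).partition(";")
        if authserv_id.strip().lower() != trusted_authserv.lower():
            continue  # header written by someone else: ignore its claims
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results


def classify(raw, my_address, trusted_authserv="mx.example.net"):
    """Flag mail whose From address is ours but which lacks a trusted dmarc=pass."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    if from_addr.lower() != my_address.lower():
        return "not-self"
    if trusted_results(msg, trusted_authserv).get("dmarc") == "pass":
        return "authenticated"
    return "suspect-self-spoof"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("planted", PLANTED)):
        print(name, classify(raw, "alice@example.com"))
```

The display name is ignored on purpose: only the address on the “From” line and the verdict recorded by your own server decide the result.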