Chinks in Gmail’s armour are still there

A couple of weeks ago I noted that some spammers were sending spam through Gmail.  Well, I noticed it again.  Whereas the messages from two weeks ago were stock spam, this latest batch is enlargement pill spam that contains an image, a link and a French phrase for "Click here!"

Just like before, the sending IPs passed the SPF check (the IP's reverse DNS resolves to Google) so clearly this is a case of a security flaw in Gmail's email model being exploited.  The stats we have on this particular IP suggest that it has a pretty good historical sending record.  Senderbase's Email Reputation Score is also good.

This is a case of spammers taking advantage of security flaws in large email providers.  Eventually, Google will get tired of all the spam complaints and will shut this down, but I think it illustrates the regrouping capability of spammers.  They are resourceful enough to track down stuff like this and use it for their own ends.  I wouldn't be bold enough to say that the next big thing in spamming will be to take advantage of senders with good historical records of email sending patterns, but I will say that for the time being, it is an interesting strategy.

Comments (4)
  1. tzink says:

    I just thought of another possibility: what if a person has a Gmail account, the person’s system is bot-infested and the trojan on there knows the person’s email address and password?

    That would be an even more interesting twist.

  2. tzink says:

    I got this spam in my Gmail account, it’s another spam from a Gmail user.  I’m not sure if I’m reading the headers right because Google sometimes obfuscates the sending IPs, but it looks like it’s sent "locally".  Is this coming from a G-spammer?

    From - Thu May 17 19:25:11 2007
    X-Account-Key: account2
    X-UIDL: GmailId1129ac183f47c73b
    Delivered-To: Me
    Received: by with SMTP id t1cs195752wae;
           Thu, 17 May 2007 08:57:04 -0700 (PDT)
    Received: by with SMTP id u6mr914723bud.1179417412373;
           Thu, 17 May 2007 08:56:52 -0700 (PDT)
    Received: by with HTTP; Thu, 17 May 2007 08:56:52 -0700 (PDT)
    Date: Thu, 17 May 2007 08:56:52 -0700
    From: "Chesley Denton" <>
    To: Me and some others
    Subject: BSEA Brokers will be scrambling for this one

    Some irrelevant headers are removed.

  3. Norman Diamond says:

    > Is this coming from a G-spammer?

    > Some irrelevant headers are removed.

    Unless you accidentally removed a relevant header, this e-mail started and ended in Google.

  4. Peter Larson says:

    One of the biggest problems I am having is getting GMail to do something about a spammer using Gmail as their contact point. Try and find a complaint mechanism where they actually do something! I’ve been trying for months.
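
The header reading discussed in comments 2 and 3 (a first hop "with HTTP" and no "from" host on any hop means the message was submitted through the web interface and never left the provider) can be automated. This is an added example, not code from the post or its commenters; the sample messages, the 10.x and 192.0.2.x addresses, the host names and the function names are constructed for illustration.

```python
import email
import re

# Constructed samples. Hop addresses and ids are placeholders: the headers
# quoted in the comment have their hop addresses elided.
WEBMAIL = """\
Delivered-To: me@example.com
Received: by 10.0.0.3 with SMTP id aaa1;
        Thu, 17 May 2007 08:57:04 -0700 (PDT)
Received: by 10.0.0.2 with SMTP id bbb2;
        Thu, 17 May 2007 08:56:52 -0700 (PDT)
Received: by 10.0.0.1 with HTTP; Thu, 17 May 2007 08:56:52 -0700 (PDT)
Subject: constructed sample

body
"""
RELAYED = """\
Delivered-To: me@example.com
Received: by 10.0.0.3 with SMTP id ccc3;
        Thu, 17 May 2007 09:00:05 -0700 (PDT)
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by mx.example.com with ESMTP id ddd4;
        Thu, 17 May 2007 09:00:04 -0700 (PDT)
Subject: constructed sample

body
"""

def parse_hop(value):
    """Return the 'from' host and 'with' protocol of one Received header."""
    info = " ".join(value.rsplit(";", 1)[0].split())  # drop timestamp, unfold
    src = re.match(r"from\s+(\S+)", info, re.I)
    proto = re.search(r"\bwith\s+(\S+)", info, re.I)
    return {"from": src.group(1) if src else None,
            "with": proto.group(1).upper() if proto else None}

def classify(raw):
    """Classify where a message entered the mail system from its hop chain."""
    msg = email.message_from_string(raw)
    # Each server prepends its header, so the bottom one is the first hop.
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    if not hops:
        return "no-received-headers"
    # Only hops added inside your own provider are trustworthy; anything an
    # outside relay wrote below them can be forged.
    external = [h["from"] for h in hops if h["from"]]
    if external:
        return "relayed-from:" + external[0]
    if hops[0]["with"] == "HTTP":
        return "webmail-internal"
    return "internal-unknown-origin"
```

A "webmail-internal" verdict on unwanted mail points at an abused or compromised account at the provider rather than a forged sender, which is why SPF and IP reputation checks pass for it.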
