Exact same thing for me.<p>Noticed I was getting emails being sent from myself. More worringly was the emails appeared in my SENT folder. For 5mins I was freaking out thinking I was hacked, because I didnt think spoofing emails would show up in MY "sent" folder.<p>But I run 2FA, long complex unique password etc. I treat OpSec really highly. I checked all Google security settings, no unauthorised access, no apps using my account etc. Still did a password reset "just in case".<p>However one interesting part is after about 4 hours the emails automatically became marked as "spam" - and they disappeared from my "sent" folder simulatenously.<p>So it would seem the likely issue is someone worked out a way around the "Spam" setting for Gmail - and a by-product of not flagging spoofed emails as spam is Gmail marks them as "Sent" by you in the labels.<p>Seems this was flagged as a security risk over a year ago - and Google declined to fix? <a href="https://www.zdnet.com/article/spammers-delight-gmail-weirdly-doesnt-see-spoofed-gmail-com-addresses-as-junk/" rel="nofollow">https://www.zdnet.com/article/spammers-delight-gmail-weirdly...</a>
Don't freak out about them being in your Sent folder. Remember that Gmail doesn't have "traditional" mail folders -- just a huge pile of all your e-mail messages with "labels" attached to them. Apparently Google decides that if the From: address is yours, then you "sent" the message.<p>Note that in SMTP there are <i>two</i> "from addresses": the envelope sender (which you don't see) and the "From:" address/header (which you do see) that everyone is familiar with. In most (but not all) legitimate e-mail, they will be the same.<p>In these cases, your e-mail address is being used in the "From:" and "To:" headers but a different address is being used in the envelope sender (which is the one that the MTA uses).<p>Google does seem to be checking SPF correctly (i.e., according to RFC, which says to use the envelope sender) -- since (it seems that) the result of check_host should be "softfail" and the RFC says that one "SHOULD NOT" reject a message based on that... but Google apparently logged "pass". Odd.<p>---<p><i>ETA</i>: See a comment from <i>ryan-c</i> below about the funky "exists:" mechanism in Telus' SPF record; it explains why check_host() passed.
Some of you posting raw message sources might find a website I built useful:<p><a href="https://www.parsemail.org" rel="nofollow">https://www.parsemail.org</a><p>From my about page:<p>"Paste the raw source of an email into the form on the front page. The email will then be parsed, decoded, separated into its various MIME parts, and displayed in an easy to view fashion. Image attachments will be displayed as images. HTML parts will be rendered in webkit (with javascript and plugins disabled) and then also displayed as an image. IP addresses in headers and message bodies will be identified and highlighted along with a flag representing their origin country. Hostnames and email addresses will also be identified and highlighted."
Hi all,<p>Seth Vargo here from Google. Thank you all for taking the time to report the issue, and thank you for your patience as we fix it. Our engineering teams are aware of this issue and they are working to resolve it as quickly as possible. You should no longer see new spam messages appear in your sent box, and existing spam messages will be automatically removed over the next few days.
My house mate has had the same issue today on both of his Google accounts. He is both the sender and recipient and there were several other nonsensical email addresses being CC'd in.<p>SMTP headers show the emails are relayed from Telus. I'll provide the SMTP headers when I get home.<p>= = =<p>No unauthorised attempts to log in from third party sources, seperate passwords and MFA on both services.<p>It doesn't seem to me that the accounts have been compromised, instead the emails are spoofed. They have all been forwarded from Telus.com. The forum OP posted shows everyone else has the same issue.<p>Both accounts were sending hundreds of emails today and Google flagged the emails as likely having not been sent by him, but still did not place them in an appropriate spam filters and allowed them through to his inbox?<p>Edit:<p>= = = = =<p>I won't bother adding my headers now, the others that have even added theirs are almost identical to our own, here's a snippet of some one who posted below:<p>SPF and DMARC results<p>ARC-Authentication-Results: i=1; mx.google.com;<p>spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender)
smtp.mailfrom=Reply@telus.com;
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com<p>Authentication-Results: mx.google.com;<p>spf=pass (google.com: domain of reply@telus.com designates 69.64.35.11 as permitted sender) smtp.mailfrom=Reply@telus.com;<p>dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com<p>Received: from gown.ShoppingBrew.com (ec2-13-58-85-245.us-east-2.compute.amazonaws.com. )
by mx.google.com with ESMTP id n59-v6si5794010qtd.116.2018.04.20.00.37.14
for <<myemail@gmail.com>>;<p>Received-SPF: softfail (google.com: domain of transitioning nkhpw@google.com does not designate 69.64.35.11 as permitted sender) client-ip=13.58.85.245;
This is spoofed email, with you also being the recipient as far as I can tell... Am I missing anything else in this matter? If not, this isn't new.<p>EDIT from below:
"If I remember correctly, if you are the recipient of an email from "yourself" Google automatically puts it in the sent items label as well."
Most people don't realize some services you "Logged into with Google" can also send emails in your name. I didn't come across anyone checking authorized apps in that thread. While this appears to be a spoofing issue, I suggest pruning the list of authorized apps frequently: <a href="https://support.google.com/accounts/answer/3466521?hl=en" rel="nofollow">https://support.google.com/accounts/answer/3466521?hl=en</a>
Relevant security issue Gmail declined to fix over a year ago: <a href="https://www.zdnet.com/article/spammers-delight-gmail-weirdly-doesnt-see-spoofed-gmail-com-addresses-as-junk/" rel="nofollow">https://www.zdnet.com/article/spammers-delight-gmail-weirdly...</a>
So it's not so simple. You could use DMARC to tell mail servers which honor DMARC to drop all e-mails that have @gmail.com addresses that don't come from gmail.com servers. In fact, this is how @google.com e-mail addresses are treated, and I believe this is a setting which G-Suite administrators can set up for their domains.<p>BUT. It comes with a downside. Suppose you want to send e-mail from your Linux laptop, or from a Linux mail server you control, without hard-coding your account password in a text file so you can send e-mail via a GMail server. Or suppose you want to subscribe to a mailing list which rewrites the subject line to include the mailing list name. DMARC breaks all of this. Horribly. So yes, it's more secure, but it comes with a massive cost.<p>What this means, for example, is I recommend people who work at Google, and who want to interact with either IETF mailing lists or the Linux-kernel mailing lists at vger.kernel.org to send their patches and PULL requests using their @gmail.com address. If they send it using their @google.com address, the same security settings that will prevent this spammers from "faking" e-mails that didn't come from gmail servers, will also break git send-email (unless you want to save your password into at text file --- which is against policy and common sense) and it will break traditional mailing lists.
I got 2 of these a hour ago.<p>"This may be a spoofed message" Google says, I clicked spam even though it's from myself. It was to me and a bunch of other emails. Wasn't in my sent folder though and no one else has accessed my account.<p>"Sexy Girls Asian Girls Looking for US Men" is the subject and says it's sent from "----------------- via telus.com"<p>Really odd, seems to be some ISP in Canada and I live in the USA... Wonder how they got my email.
Another HN thread with more comments about this:
<a href="https://news.ycombinator.com/item?id=16894593" rel="nofollow">https://news.ycombinator.com/item?id=16894593</a>
Probably unrelated, but telus.net's SPF record appears to authorize RFC6598 (<a href="https://tools.ietf.org/html/rfc6598" rel="nofollow">https://tools.ietf.org/html/rfc6598</a>) IP space:<p>"v=spf1 ip4:199.185.220.0/24 ip4:198.161.157.0/24 ip4:198.161.156.0/24 ip4:204.209.205.0/26 ip4:209.171.16.0/24 ip4:100.64.0.0/24 mx ?all"<p>100.64.0.0/24 is within 100.64.0.0/10<p>Either I'm missing something, or Telus appears quite confused about the purpose/nature of SPF.
I woke up this morning to several new labels in my gmail to delete all emails for "bank" "card" "paypal" etc, and paypal was hacked with purchases.<p>But my gmail has zero new logins, my 2fa wasn't triggered, etc.<p>How does a hacker create labels to delete my email but not register a login attempt or trigger my 2fa? I wish I was able to contact google.<p>EDIT: my only guess was accessing my PC where logins are saved, but I sleep in the same room and I don't think ninja spies broke in. Remote login? Seems farfetched.
The emails are spoofed. The bug is Google is labeling emails with "Sent Mail" because "from:" header matches your email.<p>I think the "bug" was that not all "Received-SPF" headers are not correctly checked (only first one was checked). However, I'm not even sure if this is a bug since I'm not sure if their migration of emails into G Suite will work if they start not trusting "from: header.<p>The real bug is probably that email is not marked as spam :)
I had some of these earlier today as well. Mine wasn't from telus however, it was from some .science account. I use a password manager and have 2FA enabled, but I quickly switched my password just to make sure. Sure enough, a few hours later I got another one, for about 5 in total. They seemed to have stopped however.
If you have a suspicious or spoofed email and you want people to analyze what happened, it helps a lot if you include the full headers. To do this in gmail, open the menu and pick "Show Original". Particularly useful are the lines that start with "Received:".
This strategy seems odd. If they had simply omitted the spoofed sending email address from the To:/(B)cc lines, we'd never had seen them in our inboxes... right? Why call early attention to yourself?<p>I had 24 in my Inbox starting as 6:13PM (GMT-7).
I have this problem with my Hotmail/Outlook account for almost 5 years and Microsoft team don't even understand what's going on. - <a href="https://answers.microsoft.com/en-us/outlook_com/forum/oemail-osend/receiving-phishing-message-in-behalf-of-my-outlook/8201fe49-6a67-49a0-8f7e-b03f9a3bc786" rel="nofollow">https://answers.microsoft.com/en-us/outlook_com/forum/oemail...</a>
Same thing here! I woke up this morning and saw that I've sent out spam emails (about 15 of them) with my email address via telus and receive responses in my inbox.
To temporarily alleviate this issue, I created the following filter to stop my phone ringing constantly:<p><pre><code> from:(me@gmail.com|me@salesforce.com) to:(me@gmail.com) -{has:attachment}
Mark as read
Skip the inbox
</code></pre>
Until I added this rule I was being pinged once a minute since lunch time yesterday.<p>This ignores: emails from me, or some sales force spammer they were using, to me, that doesn’t have an attachment (so I can still email myself files).
I had the same issue tonight. It did not appear in my sent folder, however, and was sent from the same “reply@telus.com” account that everyone else reports. The most recent one (of 5 sent so far) was sent 2 minutes ago. I changed my password an hour ago - but as I suspected that didn’t help because these aren’t being sent via compromised accounts. Someone is using an SMTP server and just spoofing the sent from address.
I had the same thing happen today. At least 6-8 emails in my inbox over the course of an hour or two, from my email address. Mostly ads for "dating" sites with photos of scantily-clad women. The to list includes my address, as well as about 8-10 other addresses, including one at rei.com and another at nih.gov.<p>Mine are showing Telus in the relay as well. None show up in the sent folder, and I use 2FA on the account.
Some of you might want to see this as well:<p><a href="https://mashable.com/2018/04/22/google-gmail-spam-telus/" rel="nofollow">https://mashable.com/2018/04/22/google-gmail-spam-telus/</a>
So who is Telus, and why are they special?<p>Is it Google who has a relationship with Telus -- because I'm pretty sure I don't.<p>Can Google prevent Telus from doing whatever they're doing? Or is Telus just the victim/conduit of the real spammers?
A bit unrelated but requiring login to just read a forum thread is not good. :( I don't want to login to google again on this device therefore I haven't seen the thread.
Wow. I've been facing this since yesterday night, didn't know the entire internet is facing this problem. There's still no official response from Google it seems.
If the emails are (spoofed as) from me, and I tell gmail to mark them as spam, does anything bad happen?<p>Gmail shows a weird "Mute" instead option -- never saw that before.
I’ve had similar problem a long time ago with my yahoo account. (Password change didn’t help)
So, I cleared my yahoo contact list and that stopped the spam.
I’ve been debating leaving Google Apps for months now and oddly enough this is the straw that broke the camels back. Will be migrating to a new host today.
There was an attack going around many years ago that was basically a spam email that had code embedded in it, which would hack your browser, causing you to send out more spam email when you logged into your account. I assume this is the same sort of thing.
Hey guys, you can contact tellus via this link. You don't need to he a customer for this.<p><a href="https://www.telus.com/en/support/article/ccts-and-cprst-feedback-and-contact-information" rel="nofollow">https://www.telus.com/en/support/article/ccts-and-cprst-feed...</a>