Some Gmail users have been surprised to find spam inexplicably in their Sent folders, with the messages continuing to appear even after users changed their passwords.
People have been reporting on Gmail’s Help Forum that the spam to unknown contacts appears to have come from their own account, causing concerns that affected accounts had been compromised.
However, the mystery spam appearing in Sent folders has also been happening on accounts with two-factor authentication enabled. Many affected users reported the spam email’s From field included “via telus.net”.
It’s not clear why the spam has been appearing in users’ Sent folders. However, Google told Mashable that a spam campaign using forged email headers made it look like users were spamming themselves and resulted in the messages wrongly appearing in the Sent folder.
“We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it,” a Google spokesperson said in a statement.
“This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder.
“We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam. More information on how to report spam can be found by visiting our Help Center.”
The problem appears to be related to a trick spammers can use to bypass Gmail’s spam filters that ZDNet reported on last year. As researcher Renato Marinho explained, Gmail doesn’t filter spam if it comes from a spoofed but valid Gmail address.
Google at the time declined to track the bug as a security issue because it didn’t affect the confidentiality or integrity of data.
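As an added illustration (not code from Google, ZDNet or the researcher), the Python below shows a receiver-side check for the pattern described above: a message whose From address is also a recipient, but whose authenticated sending domain does not match the From domain. The sample message, the authserv-id `mx.receiver.example` and the simplified alignment rule (same domain or subdomain) are assumptions made for the example; telus.net appears only because affected users reported seeing it.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # assumption: your own border MTA's authserv-id

# Constructed sample: From and To share one Gmail address, the mail was relayed
# through another domain, and the sender planted its own Authentication-Results.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=telus.net;
 dkim=none; dmarc=fail header.from=gmail.com
Authentication-Results: mx.sender.example; spf=pass smtp.mailfrom=gmail.com
From: Alice <alice@gmail.com>
To: alice@gmail.com, bob@example.org
Subject: constructed test message

body
"""

AUTH_PASS = re.compile(
    r"\b(?:spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)")

def _aligned(auth_domain, from_domain):
    # Simplified alignment: same domain or a subdomain of the From domain.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def check_self_spoof(raw, trusted=TRUSTED_AUTHSERV):
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    authenticated = set()
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(hdr.split()).partition(";")
        if authserv.strip().lower() != trusted:
            continue  # only trust results stamped by our own receiver
        for m in AUTH_PASS.finditer(results):
            authenticated.add(m.group(1).lower().rpartition("@")[2])
    aligned = any(_aligned(d, from_domain) for d in authenticated)
    self_addressed = from_addr in rcpts
    return {"from": from_addr, "self_addressed": self_addressed,
            "authenticated_domains": sorted(authenticated),
            "aligned": aligned, "suspicious": self_addressed and not aligned}

if __name__ == "__main__":
    print(check_self_spoof(SAMPLE))
```

The second Authentication-Results header in the sample is ignored because it was not written by the trusted receiver; accepting it would make the forged message look aligned.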