Simple Gmail spoofing leaves users open to targeted attacks

Gmail shows no warning as it delivers legitimate-looking spoofed emails seemingly coming from an existing address, even though they come from a non-Gmail server.

This fact can be misused by attackers who want to trick their targets into clicking on a malicious link or download a malicious attachment, as the likelihood of them doing so rises considerably if the spoofed email seems to have been sent from a known sender.

How to mount such an attack?

“The necessary setup for this type of attack isn’t complex,” Morphus Labs researcher Renato Marinho told me.

“Basically, an attacker needs to set up an Internet domain and an e-mail server authorized to send e-mails on behalf of it. This authorization is given by a SPF (Sender Policy Framework) policy, which is a DNS zone level configuration that informs the IP addresses of the e-mail servers allowed to send e-mail on behalf of that domain. As the e-mail server and the domain are controlled by the attacker, doing this configuration is a kind of self-authorization.”

The result is as follows:

If the spoofed email is sent from an existing Gmail address, Gmail doesn’t raise any flags and delivers the email directly into the inbox:

Gmail spoofing

If it’s sent from a non-existent Gmail address, the email is routed to the Spam folder and Google flags it as suspicious and potentially dangerous:

Gmail spoofing

In the first example, knowledgeable users will likely spot the via attack tag following the sender’s email address, check out the message headers, and see more obvious signs that the message was spoofed (the real message sender is shown in the ‘Return-path:’ value).

But users who are not that tech-savvy will view the sender’s email address, recognize it, and believe the message to have come from that known sender.

But tech-savvy users can still fall for the trick if the peruse the spoofed email via their Gmail iOS or Android app or the native iOS Mail app, as the via tag does not appear after the sender’s address. The Gmail Android app allows users to expand the security details and check the origin server, but the iOS apps don’t offer that possibility.

Gmail spoofing

What does Google have to say about this?

Marihno told me that they have contacted Google about this, and they said they won’t track this issue as a security bug. He asked them whether they intend to do something about it, but so far received no answer. I’ve also asked Google if they are planning to do something, but have yet to hear back from them.

“What we would expect from Gmail is that it could filter or mark as suspect emails sent from ‘’ addresses originated from a non-Gmail server. What Gmail is doing right now is delivering those messages in the recipient’s inbox with no security warning (if the spoofed sender exists in Gmail base),” Marihno explained.

He also added that they’ve tested the same attack on Yahoo and Yahoo rejected the spoofed messages in both cases, and sent them directly to the recipient’s Spam folder.

A variety of attacks might be possible

So, the issue could be exploited for targeted attacks. But could spammers use the same setup – feed a list of existing Gmail accounts into the system and fire off thousands of emails?

“We didn’t try to automate, but I believe Gmail would probably block the origin IP while trying to send multiple emails in a sequence. From the point of view of an attacker, they probably would try to bypass those filters by equalizing the sending rate or by implementing multiple origin servers,” Marinho noted.

More technical details about Morphus Labs’ spoofing experiments can be found here.