On 9/02/2016 2:52 p.m., Nicholas Lee wrote:
Source? not yet.
Method? yes. There are two methods I've seen for these. Both are related to
the fact that Gmail is designed to be a mailbox service, not a
relay/forwarder. Its security systems act like a recipient mail server
when they verify the message's built-in security: STARTTLS, SPF or DKIM.
The initial spam runs were done using DKIM. DKIM does not necessarily
authenticate the claimed sender, but only the actual sender relative to
the sending server (otherwise it would badly break mailing lists). So
the spamware a few months back was using its own fake-email and DKIM
signatures for delivery. You could see "original-sender" headers with
some hidden email address under a randomized spam domain in the
Received: headers preceding the DKIM signatures. It appears that some
recipients (not just Gmail) would accept the mail and relay it as long
as that passed, ignoring the fact that DKIM fails for other apparent
'original' addresses in the message.
This run appears to be using SPF in a similar way. Domains with a
transitional "softfail" policy (~all) are stating that any IP address
anywhere is not-denied as an origin for that domain.
Moral of the story is that if you are going to be using any security
features make sure you have them configured securely. And don't rely on
them completely. Halfway "transitional" workarounds like softfail should
only be used temporarily, if at all.
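The two points above, that a `~all` SPF policy never produces a hard fail for an unlisted IP and that a valid DKIM signature only vouches for the `d=` domain rather than the visible From: address, can be checked directly. The following is an added example written for this thread, not code from the original message; the SPF records, IP addresses and headers in it are constructed, and the DKIM alignment test is an approximation of DMARC-style alignment (subdomain match), not a full DMARC implementation.

```python
import ipaddress
import re
from email.utils import parseaddr

# Result each SPF qualifier yields when its mechanism matches (RFC 7208).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Minimal SPF evaluator for ip4/ip6 mechanisms and the final 'all'.

    Mechanisms needing DNS (include, a, mx) are treated as non-matching,
    which is enough to show how the qualifier on 'all' decides the outcome
    for an IP the domain owner never listed.
    """
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        m = re.match(r"ip[46]:(.+)", term)
        if m and ip in ipaddress.ip_network(m.group(1), strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # no mechanism matched, no 'all'


def dkim_signing_domain(dkim_signature_header):
    """Return the d= tag of a DKIM-Signature header (the domain DKIM vouches for)."""
    tags = dict(tag.strip().split("=", 1)
                for tag in dkim_signature_header.split(";") if "=" in tag)
    return tags.get("d", "").strip().lower()


def dkim_aligned(dkim_signature_header, from_header):
    """True only if the DKIM d= domain covers the From: header's domain.

    A passing signature whose d= is some throwaway domain says nothing
    about the address the recipient actually sees; this is the gap the
    spam runs described above were exploiting.
    """
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    d = dkim_signing_domain(dkim_signature_header)
    return bool(d) and (from_domain == d or from_domain.endswith("." + d))


if __name__ == "__main__":
    # Constructed records: same IP, different 'all' qualifier.
    print(evaluate_spf("v=spf1 ip4:192.0.2.0/24 ~all", "203.0.113.5"))  # softfail
    print(evaluate_spf("v=spf1 ip4:192.0.2.0/24 -all", "203.0.113.5"))  # fail
    sig = "v=1; a=rsa-sha256; d=randomspam.example; s=k1; h=from:to; bh=xx; b=yy"
    print(dkim_aligned(sig, "Alice <alice@example.com>"))                # False
```

With `~all`, an unlisted IP only ever reaches "softfail", which many receivers still deliver; with `-all` the same IP is rejected outright, which is why the post calls softfail a transitional setting.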