Google fights Gmail hackers

Yesterday I received a strange email sent to a neighborhood list by a neighbor. The subject was “Modesty Marquita” (which sounds like a stripper name, actually) and all that was in the body of the message was a URL to a webserver in Brazil. I searched the web for any references to either of these items and didn’t turn up anything unusual, so I wrote it off.

This evening made me change my mind, however. Another friend (let’s call her Anne) sent out four similar emails. Same M.O.: a random person’s name in the subject line and a web URL in the body. That’s when I figured out something is not right in Gmail land.

The kicker was this message below (I’ve changed account data). This message was sent from one Gmail account to another one: in other words it never left Google’s network:

Delivered-To: drhfuhruhurr@gmail.com
Received: by 10.229.215.69 with SMTP id hd5cs28671qcb;
Fri, 16 Apr 2010 14:35:10 -0700 (PDT)
Return-Path:
Received-SPF: pass (google.com: domain of uumellmahaye@gmail.com designates 10.229.224.133 as permitted sender) client-ip=10.229.224.133;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of uumellmahaye@gmail.com designates 10.229.224.133 as permitted sender) smtp.mail=uumellmahaye@gmail.com; dkim=pass header.i=uumellmahaye@gmail.com
Received: from mr.google.com ([10.229.224.133])
by 10.229.224.133 with SMTP id io5mr3034127qcb.37.1271453710090 (num_hops = 1);
Fri, 16 Apr 2010 14:35:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:date:received:message-id
:subject:from:to:content-type;
bh=EZrwQzHaG5KkI5QutUqs2WYtiDijqDBu5v7Jz/lxOCw=;
b=LrrzvnCuUQVJHQYKLAyUeGvJWAxv2a8W44ygdF5nUmd4kwQYt1Xc7SKaNzRekbZRuX
p+Ax4WEgsS5Qc/dkz1Ijy+w8hwNcprLKwccOx0eeja4w2ZJ+5u4cASq0S3z7YWQ2/1SC
ijoTt83AJP46y8x3/TxgY60lMQmPlxi57YQOQ=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=K8X+pX6G87ssrDNWRcnJHze33RK5CF87Cbc+5NV/X4xCDYDNz4lrrj2U56mcuMFBif
F8SrTNgw1IPliJf7fplufEjn/pS7oKCWRfwFP56tgdbmf/FlF+oVHMe+CrvZxCKA1K/U
5C7XNVEXOXuYhQV+S96Bl08i9sSZGcJZ4XObM=
MIME-Version: 1.0
Received: by 10.229.32.80 with HTTP; Fri, 16 Apr 2010 14:35:10 -0700 (PDT)
Date: Fri, 16 Apr 2010 17:35:10 -0400
Received: by 10.229.224.133 with SMTP id io5mr3034127qcb.37.1271453710078;
Fri, 16 Apr 2010 14:35:10 -0700 (PDT)
Message-ID:
Subject: john michael klein
From: Anne Uumellmahaye
To: drhfuhruhurr@gmail.com
Content-Type: text/plain; charset=ISO-8859-1

http://www.themanwithtwobrai.ns/home.php
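What the headers above show can be checked mechanically: every Received hop is a 10.x.x.x address inside Google, the first hop is a webmail ("with HTTP") session, and SPF and DKIM both pass, so the message was sent by the real account from a logged-in session rather than forged from outside. The triage script below is an added example, not part of the original post; its sample input is the post's header block, abridged, with the sender address filled in from the Authentication-Results line.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the header block from the post, abridged (the post's
# author had already replaced the real account data).
SAMPLE = """\
Delivered-To: drhfuhruhurr@gmail.com
Received: by 10.229.215.69 with SMTP id hd5cs28671qcb;
 Fri, 16 Apr 2010 14:35:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of uumellmahaye@gmail.com designates 10.229.224.133 as permitted sender) client-ip=10.229.224.133;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of uumellmahaye@gmail.com designates 10.229.224.133 as permitted sender) smtp.mail=uumellmahaye@gmail.com; dkim=pass header.i=uumellmahaye@gmail.com
Received: from mr.google.com ([10.229.224.133])
 by 10.229.224.133 with SMTP id io5mr3034127qcb.37.1271453710090 (num_hops = 1);
 Fri, 16 Apr 2010 14:35:10 -0700 (PDT)
Received: by 10.229.32.80 with HTTP; Fri, 16 Apr 2010 14:35:10 -0700 (PDT)
Subject: john michael klein
From: Anne Uumellmahaye <uumellmahaye@gmail.com>
To: drhfuhruhurr@gmail.com

http://www.themanwithtwobrai.ns/home.php
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_ips(msg):
    """All IPv4 addresses named anywhere in the Received: chain."""
    return [ip for h in msg.get_all("Received", []) for ip in IPV4.findall(h)]

def auth_results(msg):
    """spf=/dkim= verdicts from Authentication-Results, e.g. {'spf': 'pass'}."""
    return dict(re.findall(r"\b(spf|dkim)=(\w+)", msg.get("Authentication-Results", "")))

def triage(raw):
    """Decide whether a message came in from outside or was submitted from a
    logged-in session on the provider's own network (account compromise)."""
    msg = message_from_string(raw)
    ips = received_ips(msg)
    report = {
        "hops": ips,
        "all_hops_internal": bool(ips) and all(ipaddress.ip_address(i).is_private for i in ips),
        "webmail_submission": any("with HTTP" in h for h in msg.get_all("Received", [])),
        "auth": auth_results(msg),
        "urls": re.findall(r"https?://\S+", msg.get_payload()),  # lure links in the body
    }
    authenticated = report["auth"].get("spf") == "pass" and report["auth"].get("dkim") == "pass"
    if report["all_hops_internal"] and report["webmail_submission"] and authenticated:
        report["verdict"] = "account-compromise"  # real session, real account, nothing forged
    elif authenticated:
        report["verdict"] = "sent-by-account"     # genuine, but via an external client or relay
    else:
        report["verdict"] = "possible-forgery"    # SPF/DKIM failed or absent
    return report
```

A message with the same shape but a failing SPF or DKIM result, or with a public IP in the Received chain, drops out of the "account-compromise" verdict, which is the distinction that tells the account owner to change her password rather than blame spoofing.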

Google appears to be aware of this issue and has implemented new security features in their hosted offerings that are designed to show suspicious activity. A post to the Google Blog explains the new features and how to use them to secure your account.

What’s troubling is that Anne says she checked the new security pages after I alerted her to the compromise, but she didn’t see anything out of the ordinary listed there. I wonder what type of access could sneak by Google’s security page, unless perhaps it was something on the inside. Who knows?