Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Braxton1980 4 days ago

How can he spoof an email address without Gmail or the like flagging it? I'm not talking about the common name but the actual email address.

stavros 4 days ago | parent [-]

That's what I'm curious about too. DMARC should make that impossible.

hedora 4 days ago | parent [-]

The last I heard, Google relied on spam filters for this.

Supposedly, people have been fired after being falsely accused of harassment. The scam works as follows:

Send a message to bob@gappsdomain.com and notavictim at the same domain. Arrange for the headers to be “from” bob. Now, notavictim reports Bob to HR. If the google admin is competent, they look at the headers, and note that Bob didn’t send the email. (Not sure if they catch the offender or not.)

If they’re incompetent, they see the message in Bob’s from box, and recommend he be fired.

This is a feature that enables dubious workflows, where Bob configures spam bots to bother his coworkers, but wants those messages to be auto filed in his sent box.

I didn’t think it worked when spoofing unrelated domains like Google though. That’s just dumb. Maybe the attacker had the author’s IMAP gateway password and moved the message into the inbox?

calmworm 4 days ago | parent [-]

Google spam filters are terrible because they filter way too much legitimate email. I have been a paying business Gmail user for years, all DMARC, DKIM, etc… in place. My messages still go into client Gmail spam folders. It’s extremely infuriating. Google knows I’m not sending spam. They can’t deliver my email properly to their own inboxes? Nonsense.