Email spam from someone I know?
tightsocks
Mac Enthusiast
Join Date: Feb 2005
Status: Offline
Apr 14, 2012, 03:39 PM
 
I realize that it is common for spammers to use fake return addresses, but I recently received spam from a person that I know which was CC'd to dozens of other addresses which as far as I can tell came directly from their Gmail address book.

Is there a way to conclusively tell if the spam was sent from their account?

From my novice reading of the headers it really looks like the message did come from my friend's Gmail account...

Does it even matter??
I'm not really in a position to help them fix the mess. I'm pretty sure they are Windows users.
     
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Status: Offline
Apr 14, 2012, 04:41 PM
 
Beyond checking the IP addresses of the server they were sent from and then checking the hostnames etc. there isn't much you can do anyway. If your friend has IMAP set up on a PC then it could be a local bot, virus or malware program sending them out. Might be worth telling them to scan their PC and change their passwords.
I have plenty of more important things to do, if only I could bring myself to do them....
     
tightsocks  (op)
Mac Enthusiast
Join Date: Feb 2005
Status: Offline
Apr 14, 2012, 05:04 PM
 
Is there a way to tell if this came directly through Gmail or if it is just using a forged 'From' address?
"SENDER-REDACTED@gmail" = my friend's email address.

Code:
Delivered-To: [email protected]
Received: by 10.112.146.34 with SMTP id sz2csp43911lbb;
        Sat, 14 Apr 2012 10:59:58 -0700 (PDT)
Return-Path: <[email protected]>
Received-SPF: pass (google.com: domain of [email protected] designates 10.180.102.3 as permitted sender) client-ip=10.180.102.3;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of [email protected] designates 10.180.102.3 as permitted sender) [email protected]; dkim=pass [email protected]
Received: from mr.google.com ([10.180.102.3])
        by 10.180.102.3 with SMTP id fk3mr6314652wib.9.1334426398159 (num_hops = 1);
        Sat, 14 Apr 2012 10:59:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=FFcTfqDTfsw90y/CKEVN15+7WZZTfVFbaVpZfkJJliM=;
        b=d2SoIDwcWeQfCdpJDwDVNXqrNAt0f45fju8FHmiR9yIfl1d2tF2VZ3nLClGye7wfep
         rvu0a3Yk7wAzszNhdHFr0yjyI3gzlxP8FcVnL0doI/zgKugeBE5CJ80OEobNWL0CY3Vf
         xioeTSSVF7RTpbb1pqSzk3xX5cKWjPyPPFjAgJnaESo71zBo//tzZa2+297ODj860H7x
         8WudMJGktbfLZqVOrXvWsk4/5YuM/qA4PPqDhRQjakG1S44q5JT5poh0i9RIX0D+sllj
         ICjvUMSe9rwt4mppzJIhA/IMmmQYi7naD73i70czyuvU+CD73BP1qONLC1Gh28ytCIHl
         OWkA==
MIME-Version: 1.0
Received: by 10.180.102.3 with SMTP id fk3mr5606274wib.9.1334426398122;
        Sat, 14 Apr 2012 10:59:58 -0700 (PDT)
Received: by 10.180.93.197 with HTTP; Sat, 14 Apr 2012 10:59:58 -0700 (PDT)
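
One way to run the check asked about in this post, as an added example that is not part of the original thread: it reads the topmost Authentication-Results header, compares the DKIM signing domain with the From domain, and looks at the first Received hop. Both header sets are constructed (the first is modelled on the headers above, with placeholder addresses and an assumed From line), and `assess` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers posted above; addresses are placeholders.
SAMPLE = """\
Delivered-To: recipient@example.org
Authentication-Results: mr.google.com; spf=pass smtp.mail=SENDER-REDACTED@gmail.com;
        dkim=pass header.i=@gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type
Received: by 10.180.102.3 with SMTP id fk3mr5606274wib.9.1334426398122;
        Sat, 14 Apr 2012 10:59:58 -0700 (PDT)
Received: by 10.180.93.197 with HTTP; Sat, 14 Apr 2012 10:59:58 -0700 (PDT)
From: Friend <SENDER-REDACTED@gmail.com>

body
"""
# Constructed counter-example: same From address, relayed by an unrelated host.
FORGED = """\
Authentication-Results: mx.example.org; spf=softfail smtp.mail=bounce@mailer.example; dkim=none
Received: from mailer.example ([203.0.113.7]) by mx.example.org with ESMTP;
        Sat, 14 Apr 2012 10:59:58 -0700 (PDT)
From: Friend <SENDER-REDACTED@gmail.com>

body
"""

def assess(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    # Trust only the topmost Authentication-Results (stamped by your own
    # provider); lower ones may have been supplied by the sender.
    auth = (msg.get_all("Authentication-Results") or [""])[0]
    res = dict(re.findall(r"\b(spf|dkim)=(\w+)", auth))
    # DKIM-Signature is a ';'-separated tag list; d= names the signing domain.
    sig = msg["DKIM-Signature"] or ""
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    dkim_dom = tags.get("d", "").lower()
    # Received headers are prepended, so the last one is the first hop.
    hops = msg.get_all("Received") or []
    webmail = bool(hops) and re.search(r"\bwith HTTP\b", hops[-1]) is not None
    signed = res.get("dkim") == "pass" and dkim_dom == from_dom
    return {"spf": res.get("spf"), "dkim": res.get("dkim"), "dkim_domain": dkim_dom,
            "first_hop_http": webmail,
            "verdict": "sent via provider account" if signed else "From may be forged"}

if __name__ == "__main__":
    print(assess(SAMPLE)["verdict"], "|", assess(FORGED)["verdict"])
```

A DKIM pass for the From domain shows that the provider's servers sent the message for that account; it cannot show whether the owner, malware on their machine, or someone holding their password composed it.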
     
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Status: Offline
Apr 14, 2012, 08:54 PM
 
Looks reasonably similar to the last one I got sent from a gmail account.
I have plenty of more important things to do, if only I could bring myself to do them....
     
Thorzdad
Moderator
Join Date: Aug 2001
Location: Nobletucky
Status: Offline
Apr 15, 2012, 07:46 AM
 
FWIW, my daughter's university, which uses Gmail for their campus email system, has recently been dealing with spam being sent from students' email accounts. The virus/bot gains access to the students' email accounts and starts sending spam to everyone in their "Sent" folder. So, as far as Gmail goes, yes, it could be coming from their actual Gmail account.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Apr 15, 2012, 09:04 AM
 
...but not necessarily from their computer. There are two basic exploits possible here. First, the user's computer itself could be infected. This is more likely if the user runs Windows, but that may not be obvious to anyone who receives the spam. In this case, the malware simply takes advantage of any mail client and acts like a fairly common virus, sending out its drivel as if it were the user.

The other exploit, which has happened to a few of my acquaintances, involves capturing Gmail traffic from some other source, such as a weak and/or malicious social networking extension/game/etc. One friend had this happen with both a photo sharing Facebook app (a long time ago, it isn't there anymore), and with a "free online invitations!1!!!1" app that grabbed her Flickr account somehow.

Inform the apparent source that the spam is happening, and from which address, so they can protect themselves and apologize to those who got the spam.

Glenn -----OTR/L, MOT, Tx
     
tightsocks  (op)
Mac Enthusiast
Join Date: Feb 2005
Status: Offline
Apr 15, 2012, 09:06 AM
 
Is this malware that infects a person's machine and then runs a local mailbot, or is it happening via some sort of automated access to the Gmail site?
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Apr 15, 2012, 09:20 AM
 
It could be either, but more likely it is a local infection that runs a bot, either its own mail routines, or slipping in with the local mail client. Or it could be a browser virus that slips into Gmail when the user logs in.

It is never a good idea to run Windows without virus protection, but the friend I mentioned earlier had one of these exploits catch her while using a very robust corporate antivirus package, which may mean that it wasn't a virus on her machine but instead an exploit that took advantage of her social networking habits.

Glenn -----OTR/L, MOT, Tx
     
Thorzdad
Moderator
Join Date: Aug 2001
Location: Nobletucky
Status: Offline
Apr 15, 2012, 09:30 AM
 
Originally Posted by ghporter View Post
...but not necessarily from their computer.
Yes, absolutely it was not coming from students' computers. It was completely happening on the university's Gmail accounts. So, I guess that would be an infection on Google's servers, yes?
     
tightsocks  (op)
Mac Enthusiast
Join Date: Feb 2005
Status: Offline
Apr 15, 2012, 09:56 AM
 
Yeah, I'm not going to be able to help them fix this and I doubt they are savvy enough to be able to clean this up on their own.
     
tightsocks  (op)
Mac Enthusiast
Join Date: Feb 2005
Status: Offline
Apr 15, 2012, 10:00 AM
 
Originally Posted by Thorzdad View Post
Yes, absolutely it was not coming from students' computers. It was completely happening on the university's Gmail accounts. So, I guess that would be an infection on Google's servers, yes?
Hopefully the Google servers haven't actually been hacked - maybe like Glenn mentioned it is some sort of Facebook app attack that gets access to the user's Gmail acct.
     
abby
Junior Member
Join Date: Mar 2012
Status: Offline
Apr 24, 2012, 12:46 PM
 
You can ask them personally if they're the one who sent it. I usually receive a lot of spam emails from the email address that my friend uses. I asked her if she knew that she was sending me a lot of spam emails, but she said she didn't know about any of it. I guess her email is hacked :/
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Apr 24, 2012, 02:46 PM
 
Originally Posted by abby View Post
You can ask them personally if they're the one who sent it. I usually receive a lot of spam emails from the email address that my friend uses. I asked her if she knew that she was sending me a lot of spam emails, but she said she didn't know about any of it. I guess her email is hacked :/
Why do you assume her email has been hacked?

Look at the envelope address in the full headers to see where it is originating from.
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Status: Offline
Apr 24, 2012, 06:25 PM
 
If her computer has been compromised somehow, her gmail name/login could have been sent to someone else. Then the spammer logs into her gmail account with automated tools, and sends spam to all her contacts. After harvesting the addresses of course.

Change her gmail password to a new random pw. And check the account, see if the emergency email address has been changed, allowing the spammers to recover access after the pw change.

Finally, tell her to dump her winbox and get a Mac.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Apr 24, 2012, 11:11 PM
 
Originally Posted by reader50 View Post
If her computer has been compromised somehow, her gmail name/login could have been sent to someone else. Then the spammer logs into her gmail account with automated tools, and sends spam to all her contacts. After harvesting the addresses of course.

Change her gmail password to a new random pw. And check the account, see if the emergency email address has been changed, allowing the spammers to recover access after the pw change.

Finally, tell her to dump her winbox and get a Mac.

It's possible, but it's probably far more likely that this is just your garden variety spoofing, since there is so much of this out there.
     
   
 