Google Evades Google

I received a spam message on a gmail account today that didn't end up in the spam bucket automatically. Ordinarily, gmail does a really good job of filtering spam, but this one used a different vector.

The spammer used an Italian free webmail account as the source address. (Maybe something like Nduja is making it in the wild already?) But rather than use the freemail account directly to send the spam, they created a Picasa account, then used Picasa's built-in invitation feature to send me an invite to look at the Picasa gallery. The invitation mechanism allows you to put whatever text you want in the body of the invitation, which is where they put the request for me to send them my personal information.

There were no links in the body of the email itself, except back to Picasa. But what was really interesting about it is that it evaded the spam filters by using a Google service. It even had the DKIM headers intact. So since Google verified the authenticity of the sender using DKIM, the email must be trusted, right?

Now, I don't know that Google is using DKIM or SPF to actually reject email yet - they might just be measuring at this point. But there's one way that they won't necessarily be 100% effective.
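To make the point of the two paragraphs above concrete, here is an added example (my own code, not anything from the original post or from Google) of how a receiving filter should consume a DKIM or SPF result: as a statement about which domain is accountable for the message, never as a trust decision about its content. The service domains, addresses, header values and bodies below are all constructed; the only real convention used is that an Authentication-Results header starts with the authserv-id of the host that added it (RFC 8601), which is why the code ignores results stamped by any other host.

```python
"""
Added example, not from the original post: a DKIM "pass" tells you which
domain signed the message, not whether the message is safe. Authentication
yields a reputation key; the body still has to be judged on its own.
Every header, address, domain and body here is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed header block: an invitation relayed by a hypothetical
# photo-sharing service on behalf of a user at a free webmail provider.
# The service signs the mail, so DKIM and SPF both pass.
HEADERS = """\
From: Photo Invites <invites@photos.example.com>
Reply-To: someone@freemail.example.it
To: victim@example.org
Subject: You have been invited to view an album
Authentication-Results: mx.example.org; dkim=pass header.d=photos.example.com; spf=pass smtp.mailfrom=bounces.photos.example.com
DKIM-Signature: v=1; a=rsa-sha256; d=photos.example.com; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB
Content-Type: text/plain
"""

# Constructed bodies: the invitation text is user-controlled, so the same
# authenticated envelope can carry either of these.
PHISH_BODY = (
    "someone has invited you to view an album. To confirm, reply with your "
    "full name, date of birth and bank account number.\n"
    "https://photos.example.com/album/123\n"
)
BENIGN_BODY = (
    "someone has invited you to view an album.\n"
    "https://photos.example.com/album/124\n"
)

# Phrases that should never appear in a legitimate gallery invitation.
PII_PHRASES = ("full name", "date of birth", "bank account", "password")


def build_message(body):
    """Join the constructed header block with a body (blank line between)."""
    return HEADERS + "\n" + body


def parse_auth_results(msg, authserv):
    """Read dkim=/spf= verdicts from Authentication-Results headers stamped
    by our own authserv-id. Headers added by any other host are ignored,
    since they could have been forged upstream."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = hdr.partition(";")
        if authserv_id.strip() != authserv:
            continue
        m = re.search(r"dkim=(\w+)(?:\s+header\.d=([\w.-]+))?", rest)
        if m:
            results["dkim"] = m.group(1).lower()
            results["dkim_domain"] = (m.group(2) or "").lower() or None
        m = re.search(r"spf=(\w+)", rest)
        if m:
            results["spf"] = m.group(1).lower()
    return results


def signature_domain(msg):
    """The d= tag of the DKIM-Signature header, or None if absent."""
    m = re.search(r"(?:^|;)\s*d=([\w.-]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else None


def header_domain(msg, name):
    """Domain part of the address in a header, or None if the header is missing."""
    _, addr = parseaddr(msg.get(name, ""))
    return addr.rpartition("@")[2].lower() or None


def pii_solicitation(msg):
    """Phrases in the body that ask the recipient for personal information."""
    body = msg.get_payload().lower()
    return [p for p in PII_PHRASES if p in body]


def assess(raw, authserv="mx.example.org"):
    """Separate the accountability question (who signed) from the safety
    question (what the body asks for). The verdict never depends on DKIM."""
    msg = message_from_string(raw)
    ar = parse_auth_results(msg, authserv)
    from_dom = header_domain(msg, "From")
    signer = ar.get("dkim_domain")
    dkim_pass = ar.get("dkim") == "pass" and signer == signature_domain(msg)
    aligned = dkim_pass and signer == from_dom      # DMARC-style alignment
    reply_dom = header_domain(msg, "Reply-To")      # the user behind the form
    pii = pii_solicitation(msg)
    return {
        "dkim_pass": dkim_pass,
        "aligned": aligned,
        "reputation_key": signer if aligned else None,   # who to hold accountable
        "originator": reply_dom,
        "reply_to_mismatch": reply_dom is not None and reply_dom != from_dom,
        "pii_request": pii,
        "verdict": "quarantine" if pii else "deliver",
    }


if __name__ == "__main__":
    print(assess(build_message(PHISH_BODY)))
    print(assess(build_message(BENIGN_BODY)))
```

The two constructed messages share an identical, fully authenticated envelope and differ only in the user-written body; the first is quarantined because of what it asks for, while the signing domain is recorded as the reputation key for both. A Reply-To that points somewhere other than the signing domain is reported rather than acted on, since legitimate relaying services set it that way too; it is useful context for a reviewer, not a verdict on its own.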