Address book leak - from where? (was Re: Fw: new important message)
Anyone figure out the source/method of these address book leaks?

See: http://wardinewrock.blogspot.co.nz/2015/09/email-sent-under-my-name-not-from...

Nicholas
On 9/02/2016 2:52 p.m., Nicholas Lee wrote:
Anyone figure out the source/method of these address book leaks?
See: http://wardinewrock.blogspot.co.nz/2015/09/email-sent-under-my-name-not-from...
Source? Not yet. Method? Yes. There are two methods I've seen for these. Both are related to the fact that Gmail is designed to be a mailbox service, not a relay/forwarder. Its security systems act like a recipient mailserver when verifying the message's built-in security: STARTTLS, SPF or DKIM.

The initial spam runs were done using DKIM. DKIM does not necessarily authenticate the claimed sender, but only the actual sender relative to the sending server (otherwise it would badly break mailing lists). So the spamware a few months back was using its own fake email and DKIM signatures for delivery. You could see "original-sender" headers with some hidden email address under a randomized spam domain in the Received: headers preceding the DKIM signatures. It appears that some recipients (not just Gmail) would accept the mail and relay it as long as that passed, ignoring the fact that DKIM fails for other apparent 'original' addresses in the message.

This run appears to be using SPF in a similar way. Domains with a transitional "softfail" policy (~all) are stating that any IP address anywhere is not denied as an origin for that domain.

Moral of the story is that if you are going to be using any security features, make sure you have them configured securely. And don't rely on them completely. Halfway "transitional" workarounds like softfail should only be used temporarily, if at all.

AYJ
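To make the softfail point concrete, here is an added example (not code from the thread) that evaluates a sender IP against an SPF record the way a receiving MTA does and flags a "~all" / "?all" terminal policy as weak. The records and IPs are constructed; only ip4/ip6/all mechanisms are evaluated, since include/a/mx would need DNS and this runs offline.

```python
import ipaddress

# Constructed SPF records (not from the thread): a "transitional" softfail
# policy and the hardened equivalent with a hard fail for unlisted senders.
SOFTFAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"

# SPF qualifier prefixes and the result they yield when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def split_term(term: str):
    """Split an SPF term into (qualifier, mechanism); default qualifier is '+'."""
    if term[0] in QUALIFIERS:
        return term[0], term[1:]
    return "+", term


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip: pass/fail/softfail/neutral/none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = split_term(term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            # Terminal mechanism: this is where ~all lets any unlisted IP through.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Bare address without a prefix is treated as a single host.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/ptr need DNS; treated as "no match" offline.
    return "neutral"  # RFC 7208: nothing matched and no "all" present


def weak_all_policy(record: str) -> bool:
    """True when unlisted senders only get softfail/neutral rather than fail."""
    for term in record.split()[1:]:
        qualifier, mech = split_term(term)
        if mech.lower() == "all":
            return qualifier in ("~", "?")
    return True  # no "all" term: unlisted senders fall through to neutral


if __name__ == "__main__":
    for rec in (SOFTFAIL_RECORD, STRICT_RECORD):
        print(rec, "->", evaluate_spf(rec, "198.51.100.7"), "weak:", weak_all_policy(rec))
```

A receiver that accepts "softfail" as deliverable will take the message from the unlisted 198.51.100.7 under the softfail record, while the -all record returns "fail" for the same IP.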
Participants (2): Nicholas Lee, TreeNet Admin