Gmail’s Spam Filter Not Impenetrable For Hackers

Google does not send spoofed @gmail.com emails to the spam folder. Scammers can use this loophole to lure users into phishing, identity theft or malware scams.

Most of us today use Gmail as our primary email platform. It is indeed a very useful platform that is known for its efficiency and effectiveness. However, Gmail may not be as effective as we think it is.

According to recent research by Renato Marinho at Morphus Labs, Gmail does not seem to mark as spam emails sent from an @gmail.com address, even when that address is spoofed. The trick bypasses Google’s spam recognition system, so the email looks legitimate when in reality it was generated on another server altogether. Such an email therefore does not land in the spam folder; it appears in the recipient’s inbox.

How can you know if it is spam?

Sadly, it is not that easy. However, one may inspect the address in the sender’s field, which may reveal that the Gmail address was generated from a different server. Nevertheless, this is of little use, since most spam emails are capable of injecting malware just by being clicked and viewed. What is more disappointing is that for Android and iOS users, the option of finding the server’s actual name in the sender’s field is not available.

Gmail experimental illustration shared by Morphus Labs.

The Mechanism

Research suggests that whenever a spam email with a fake Gmail address tries to bypass Gmail’s spam filters, it has to connect to Gmail’s server while appearing valid. As such, the spammer can easily mask the fake Gmail address as if it were a legitimate one and get through.
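The check the article recommends (compare the visible sender with where the message really came from) can be done from the message headers rather than the sender field alone. Gmail records the outcome of its SPF, DKIM and DMARC checks in an Authentication-Results header, visible on the desktop web client under "Show original"; a message whose From domain is gmail.com but whose envelope sender and authentication results disagree with that domain is exactly the case described above. The following Python is an added example for this article, not code from Morphus Labs or Google. Both sample messages, including their host names, IP addresses and message ids, are constructed.

```python
"""Header-level check for a spoofed @gmail.com sender (added example)."""
import email
import re
from email.utils import parseaddr

# Matches the method=result pairs in an Authentication-Results header,
# e.g. "spf=fail", "dkim=none", "dmarc=pass".
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

# Constructed sample: From claims gmail.com, but the envelope sender is an
# unrelated relay and every authentication check fails or is absent.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@relay.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.10])
        by mx.google.com with ESMTP id CONSTRUCTED-ID
Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of bounce@relay.example.net does not designate 203.0.113.10 as permitted sender) smtp.mailfrom=bounce@relay.example.net;
       dkim=none;
       dmarc=fail (p=NONE) header.from=gmail.com
From: Someone Trusted <someone@gmail.com>
To: victim@gmail.com
Subject: Please review the attached invoice

Constructed body text.
"""

# Constructed sample: a genuine Gmail-to-Gmail message, all checks pass.
LEGITIMATE_MESSAGE = """\
Return-Path: <friend@gmail.com>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of friend@gmail.com designates 198.51.100.5 as permitted sender) smtp.mailfrom=friend@gmail.com;
       dkim=pass header.i=@gmail.com;
       dmarc=pass (p=NONE) header.from=gmail.com
From: Friend <friend@gmail.com>
To: victim@gmail.com
Subject: Lunch on Friday?

Constructed body text.
"""


def domain_of(address_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Map each authentication method to its result, e.g. {'spf': 'fail'}."""
    return {m.lower(): r.lower() for m, r in AUTH_RESULT_RE.findall(value or "")}


def assess_sender(raw_message):
    """Compare the visible From domain with the envelope and auth results.

    Returns the From domain, the Return-Path (envelope) domain, the parsed
    Authentication-Results and a list of indicators that the visible sender
    is not backed by the message's real origin (empty means none fired).
    """
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    auth = parse_auth_results(msg.get("Authentication-Results"))

    indicators = []
    if envelope_domain and envelope_domain != from_domain:
        indicators.append(
            f"envelope sender domain {envelope_domain!r} differs from From domain {from_domain!r}"
        )
    if auth.get("dmarc") != "pass":
        indicators.append(f"dmarc={auth.get('dmarc', 'missing')} for header.from={from_domain}")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        indicators.append(
            f"neither spf ({auth.get('spf', 'missing')}) nor dkim ({auth.get('dkim', 'missing')}) passed"
        )
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "indicators": indicators,
    }


def is_spoofed(raw_message):
    """True when at least one spoofing indicator fired."""
    return bool(assess_sender(raw_message)["indicators"])


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        result = assess_sender(sample)
        print(label, "->", result["indicators"] or "no indicators")
```

The envelope comparison alone would also flag legitimate forwarding and mailing-list traffic, which is why the DMARC result is checked separately: it is the check that ties the visible From domain to either SPF or DKIM, and it is the one a user on the mobile apps currently cannot see.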

“Although it has not been considered a security bug, in our opinion, it would be better if Gmail could at least adopt the same behavior we saw when trying to spoof a non-existing Gmail account in which security alerts were shown. Additionally, we suggest to make it possible to view message security details within the Gmail iOS app, as today these users have no ways to verify if they are being spoofed”, writes Marinho.

Google’s views

Although the trick is potentially harmful, Google does not seem to take it very seriously. When asked what the course of action should be to counteract the problem, Google said it is not a big issue as it does not interfere with a user’s privacy.

An opinion such as this can jeopardize Google’s reputation in the market. While Yahoo and Microsoft recognize such camouflaged email addresses as fake, Google does not.

Written by Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.