Several users have lodged complaints on the Gmail Support Forum about spam emails appearing in their inboxes that seem to have been sent from their own accounts. Users, rightfully worried that their email had been compromised, rushed to change passwords and enable two-factor authentication, only to find the emails still coming.
Lee Mathews of Forbes, himself a victim of the spam campaign, reports that the scammers are using an SMTP email server to "bounce" emails into users' inboxes, bypassing spam filters.
The way it works is that the scammers first forge the header of the email with the intended victim's address. Then they send that email to a bogus address that they know does not exist. Since the anti-spoofing system DMARC (Domain-based Message Authentication, Reporting & Conformance) was created in 2012, most mail servers will simply reject these bogus headers. However, some older SMTP servers will still bounce the email back to the apparent sender without verifying the actual origin of the message. So not only are the spammed ads winding up in inboxes, but they are also showing up in the Sent mail folder.
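The article describes the receiving side of the problem: a server that bounces mail to whatever address is in the forged header, without checking whether that address ever sent anything. One defence that goes beyond what the article covers is for the victim's mail system to tag its own outgoing envelope sender with a short, expiring HMAC, so that a bounce to an untagged or badly tagged address can be recognised as backscatter and discarded. The following is an added example, not code from the article, Forbes, or Google; it is loosely modelled on the "prvs" tag scheme (BATV), and the secret, key id, lifetime and addresses are all constructed for illustration.

```python
"""Toy BATV-style (Bounce Address Tag Validation) signing of the envelope
sender, so a receiving MTA can tell a genuine bounce from backscatter.
Added example; not from the article. The tag layout is loosely modelled on
the 'prvs' scheme, and the secret and key id below are constructed values."""
import hashlib
import hmac
import re
from datetime import date, timedelta

SECRET = b"constructed-demo-secret"   # assumed per-site secret; rotate in practice
KEY_ID = "0"                          # single-digit key id so secrets can be rotated
MAX_LIFETIME_DAYS = 7                 # bounces to tags older than this are refused

# prvs=<key id><expiry day mod 1000><6 hex MAC>=<original address>
_PRVS = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=([^@]+@.+)$")


def _mac(key_id: str, day: int, address: str, secret: bytes) -> str:
    """Truncated HMAC over key id, expiry day and address (24 bits, as prvs does)."""
    data = f"{key_id}{day:03d}{address}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:6]


def sign_sender(address: str, today: date, secret: bytes = SECRET) -> str:
    """Rewrite the MAIL FROM of outgoing mail so any bounce returns to a tagged address."""
    expiry_day = (today + timedelta(days=MAX_LIFETIME_DAYS)).toordinal() % 1000
    mac = _mac(KEY_ID, expiry_day, address, secret)
    return f"prvs={KEY_ID}{expiry_day:03d}{mac}={address}"


def verify_bounce_target(rcpt_to: str, today: date, secret: bytes = SECRET):
    """Decide whether a message with a null MAIL FROM (a bounce) should be accepted.

    Returns (accept, reason). Because every message we send carries a tag,
    a bounce aimed at a plain address is for mail we never sent: backscatter."""
    m = _PRVS.match(rcpt_to)
    if not m:
        return False, "untagged address: no mail was sent from it, treat as backscatter"
    key_id, day_s, mac, address = m.groups()
    day = int(day_s)
    if key_id != KEY_ID:
        return False, "unknown key id"
    # Days are stored mod 1000; remaining lifetime wraps to ~999 once expired.
    remaining = (day - today.toordinal() % 1000) % 1000
    if remaining > MAX_LIFETIME_DAYS:
        return False, "tag expired"
    if not hmac.compare_digest(mac, _mac(key_id, day, address, secret)):
        return False, "bad signature: forged or damaged tag"
    return True, f"genuine bounce for {address}"


def strip_tag(rcpt_to: str) -> str:
    """Map an accepted tagged address back to the real mailbox for delivery."""
    m = _PRVS.match(rcpt_to)
    return m.group(4) if m else rcpt_to


if __name__ == "__main__":
    today = date(2018, 4, 23)                      # constructed date
    signed = sign_sender("alice@example.com", today)
    print("outgoing MAIL FROM:", signed)
    for target, when in [(signed, today),
                         (signed, today + timedelta(days=10)),
                         ("alice@example.com", today)]:
        print(when, target, "->", verify_bounce_target(target, when))
```

Only the envelope sender is rewritten, so the From: header the recipient sees is unchanged; the tag is used purely to decide, at SMTP time, whether a null-sender message corresponds to something this system actually sent.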
Google issued a statement saying that it is aware of the issue and is working on a fix.
“We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder. We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam. More information on how to report spam can be found by visiting our Help Center.”
Mathews says that since Google issued the statement, he has not seen any of the bogus emails. He was previously getting an average of two per day.