My Gmail inbox is a clean, spam-free place, and I like to keep it that way.
Like many of you, I use a separate email address for funneling new site registrations, newsletters and sales alerts. This division of church and state between my two accounts has kept my personal Gmail inbox personal and relatively clutter-free. Until now.
The first questionable message arrived in late December 2015 asking me to verify “my” new Microsoft account, one I didn’t sign up for myself. Hmm, strange, but no big deal. A few days later in January, it was for a new Instagram account registered to my email address and a user name somewhat similar to my own.
Next came the confirmation request to video game-watching service Twitch (associated with a completely different username), which is laughable because I can’t play a video game to save my life. Music.ly, a service I’ve never heard of, also appeared, as well as “Allison’s” brand-new State Farm Insurance account just a few days after that. Something is definitely going on.
Some emails provide the option to disassociate myself from some of these accounts by clicking within the message, but I’m wary of interacting with a potentially fraudulent email trying to pry out my sensitive information. Best not to click inside.
Should I be freaked out?
It’s a borderline case of suspicious behavior to be sure. On the one hand, typos happen and it’s possible for one or two errant emails to slip through. On the other hand, why this concentration; why the pattern of new account signups? And why now?
Either someone is intentionally trolling me by signing me up for services I don’t want to be part of, or this is the work of something (or someone) most foul.
I asked Google for answers. A spokesman referred me to their help FAQ.
Google’s Gmail site for suspicious messages doesn’t address my specific issue, but there is a nine-point security checklist that mostly covers the basics. You know, create a strong password, check for suspicious messages (yep, I see them!), update your browser, report dubious emails, that kind of thing. (I already use one of the best tips, two-step verification.)
One of Google’s other online suggestions is to check my account for eyebrow-raising markers of hijacking, that is, the unauthorized use of my account by a person or agent. That would be bad news. Apart from violating your digital property and identity (and tarnishing your good name by using you to do their dirty work), the act of kicking out would-be hijackers from an account can be a huge hassle. (If you ever think your Gmail account has been compromised, start the recovery process here.)
Big chunks of missing dates in an email folder (like the Sent folder) are a big red flag, indicative of a hacker deleting legitimate email as a way of scrubbing evidence that the account was used to send spammy email, possibly the malicious kind. Thankfully, I didn’t see these telltale mass deletions in my mail folders.
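The missing-dates check described above can be automated over a folder's Date headers. This is an added example, not part of the original article; the function names, the 5x-median threshold, the seven-day floor and the sample headers are assumptions constructed for illustration.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime
from statistics import median

# Constructed sample: Date headers as they might appear in a Sent folder export.
SAMPLE = [
    "Mon, 23 Nov 2015 09:12:00 -0800",
    "Wed, 25 Nov 2015 17:40:00 -0800",
    "Fri, 27 Nov 2015 08:05:00 -0800",
    "Mon, 30 Nov 2015 11:30:00 -0800",
    "Wed, 02 Dec 2015 14:22:00 -0800",
    "not a date",                        # malformed header, must be skipped
    "Sun, 27 Dec 2015 10:00:00 -0800",
    "Tue, 29 Dec 2015 16:45:00 -0800",
]

def parse_dates(date_headers):
    """Parse RFC 5322 Date headers into sorted UTC datetimes, skipping bad ones."""
    parsed = []
    for raw in date_headers:
        try:
            dt = parsedate_to_datetime(raw)
        except (TypeError, ValueError):  # exception type depends on Python version
            continue
        if dt.tzinfo is None:            # "-0000" yields a naive value; treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        parsed.append(dt.astimezone(timezone.utc))
    return sorted(parsed)

def find_gaps(date_headers, factor=5, floor=timedelta(days=7)):
    """Return (start, end, length) for silences far longer than the usual cadence.

    The threshold scales with the folder's median interval between messages, so
    a rarely used account is not flagged for its normal quiet periods.
    """
    dates = parse_dates(date_headers)
    if len(dates) < 3:                   # too little history to judge a cadence
        return []
    deltas = [b - a for a, b in zip(dates, dates[1:])]
    threshold = max(floor, factor * median(deltas))
    return [(a, b, b - a) for a, b in zip(dates, dates[1:]) if b - a > threshold]

if __name__ == "__main__":
    for start, end, length in find_gaps(SAMPLE):
        print(f"No mail between {start:%Y-%m-%d} and {end:%Y-%m-%d} ({length.days} days)")
```

A flagged gap is a prompt to review the account's recent activity, not proof of tampering: a vacation or your own cleanup produces the same silence.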
Ok, so my account probably wasn’t hacked. Then what was it?
Attack of the…!
There is another explanation for all the sudden signups, apart from hackers and Weird Uncle Steven pranking me with so many email signups.
It’s called a mailbot.
If you’ve ever sent an automated out-of-office message from your account when you went on vacation, you’ve already encountered a mailbot, so you know that these software agents aren’t necessarily nefarious on their own.
“A mailbot can be as simple as sending a notification that a new blog post has come out,” said Stu Sjouwerman, CEO of security awareness training company KnowBe4. (Infamous hacker Kevin Mitnick serves as their “Chief Hacking Officer.”)
But the same kind of automation that’s used for convenience can also orchestrate a scam that cycles through variations of email permutations until it latches onto a valid address. Then, it signs up that address for newsletters and websites, likely as a way of lifting your account credentials to use in further mailbot attacks.
Mailbots also pose a danger if the link you click looks legit, but really isn’t. “You could get redirected a couple of times and land on a website that hijacks your computer,” Sjouwerman said. “The rule is that if you didn’t ask for it, don’t click on it and don’t open it.”
Seeking revenge
More bad news? Hunting down a lone ‘bot is impractical and expensive, which leaves the burden of dealing with it on the people who are affected most. In my case, there’s no evidence of a breach and Google likely has bigger fish to fry — I can’t expect the team to launch a forensic investigation to track down my low-volume tormenter.
My best option, Google’s help files suggest, is to mark offending emails as spam and shuttle them to a separate folder. As the spam filters learn over time, Gmail should be able to sideline future mailbot attacks behind the scenes. Out of sight, out of mind.
This isn’t a satisfying answer. I’m annoyed and I want to destroy the ‘bot.
I want to track it, espionage-thriller style, and implode it from within by feeding it code that attacks its basic functionality. I want to give its authors a taste of their own putrid medicine.
But for now, it seems the humble spam folder is all the recourse I have.