How is this possible?
August 4, 2018 7:29 PM   Subscribe

How can you send an e-mail out from a gmail account when your access has been cut off?

I work for a company that has it's own domain name "CompanyX" but through gmail. An employee just left and as is normal for the company we hold open the e-mail account to review for important documents for about a month. However their password is changed and they are supposed to lose access.

I was reviewing the account recently for important documents and noticed that someone had responded to an e-mail that had been sent recently (after they left the job) from this person's account. There was nothing in the sent folder, so I don't know how they sent the e-mail out.

I contacted IT and asked them to change the password. They did, and then a week later when I went to continue the review there were more e-mails that were replied to from that account. I contacted IT and they changed the password again, and then a week later it happened again! I contacted IT and they changed the name of the e-mail account to "" but still held it open for the review period. Then, it happened again! All of these e-mails that are being responded to are recent, so the employee still appears to be able to send e-mails from this work address. I don't really care either way specifically about this happening, but my mind is being bent here on how this is even possible.

Help me understand how one could do this.
posted by Toddles to Technology (11 answers total) 2 users marked this as a favorite
Is it possible the person sent the email from another account but with a "reply-to" of their work account?
posted by brainmouse at 7:36 PM on August 4, 2018 [12 favorites]

Still signed into gmail from their personal phone? Has IT selected "log me out on all other devices"?
posted by arnicae at 7:39 PM on August 4, 2018 [13 favorites]

Changing a Gmail password doesn’t remove all types of access to the account. You can have “app-specific passwords” for lower-security systems (like older email clients) that are separate from the main password, you can have “apps with account access” that don’t have their access rescinded when the password is changed, and the user could have a recovery email address or phone number allowing them to get back in (this last one isn’t the case here as they would have then locked you out by changing the password themselves).

Your IT team should be aware of all of these; they’re all right there in the G Suite admin console.
posted by bcwinters at 7:57 PM on August 4, 2018 [2 favorites]

If their phone number is attached to two-factor authentication, they could just click "forgot password" and within minutes be logged back in.
posted by dobbs at 8:10 PM on August 4, 2018 [3 favorites]

I have a personal Gmail account. The school I attended gave me a Gmail account. These were two separate accounts. At some point, I had enabled sending emails with my school email address from my personal email account, which involved various forms of "yes, allow this" when I had access to both accounts. I also enabled forwarding from the school to the personal account.

After I graduated, I forgot the password to the school email account, and after an even longer period of time, I believe the account was cancelled. I still occasionally receive emails addressed to my school account, though, and I can still send emails from my personal account using the school email address. This makes it appear as if I still have access to said account, even though I don't.
posted by wym at 10:00 PM on August 4, 2018 [3 favorites]

If the employee left on good terms or reasonable terms, call them and ask.
posted by AugustWest at 10:23 PM on August 4, 2018 [2 favorites]

Are you sure these replies aren't automatic resposes as well?
I find it strange thatsomeone who no longer works for you would bother sending work related emails.
posted by AlexiaSky at 10:31 PM on August 4, 2018 [2 favorites]

The fact that these messages don't appear in the "sent" folder might mean they're sending them from a different server. These days, most email servers authenticate the "From" field (see the "countermeasures" section in that link), but maybe there's something misconfigured. If you look at the headers for the email, there should be some information about where it was delivered from and how it was authenticated.
posted by panic at 11:21 PM on August 4, 2018

Email spoofing. It is moderately more difficult these days but still entirely possible. It requires no access to the spoofed account.
posted by jdfan at 7:44 AM on August 5, 2018 [2 favorites]

I find it strange thatsomeone who no longer works for you would bother sending work related emails.

Spoofing + social engineering/phishing, trying to gain access to company systems.
posted by AFABulous at 7:51 AM on August 5, 2018

The fact that you don't see the emails sent from the account is your major clue that they're being spoofed from some other account. If you want it to stop, I suggest you contact your ex-employee and make sure they understand that they are not authorized to speak for the company and that there will be consequences if they continue to do so.

Also, you might want to get on your IT department's case to have them set up spoofing countermeasures for your domain.
posted by Aleyn at 8:49 AM on August 5, 2018

« Older What Is This Word/Feeling That's On The Tip of My...   |   How long can I store not-yet-cooked fava bean... Newer »
This thread is closed to new comments.