One of the easiest things for a spammer to do is forge the from address in an email because the old standard protocols do nothing to verify it in any way. A gmail from address does not mean that the email started out by being sent through gmail. The headers provide the information that can help to prove it either way, via the chain of IP addresses of the servers involved, remembering also that headers are forged by spammers at times as well so once you reach the first untrusted address the rest is probably bogus or useless.
Consider this from the headers of a recent virus containing email:
From: "copier@ - copier@one of the spamgourmet domains"
<ok rest censored, ok was added to one of my disposables>
You can be pretty sure that the email was not sent from the spamgourmet address in the email. The spammer just used copier @ whatever domain they were sending to as their from address to try to get through spam traps and because the virus payload was a document claiming to be a scan.
The header which says where that one really came from was:
Received: from [125.23.162.34] (helo=dsl-kk-static-034.162.23.125.airtelbroadband.in)
by gourmet7.spamgourmet.com with esmtp (Exim 4.80)
(envelope-from <copier@recursor.net>)
id 1aP7SC-0005lm-7b
for my SG address censored; Fri, 29 Jan 2016 11:43:05 +0000
So source was computer in India which connected to the SG mail server and pretended to be sending email from SG. From the IP lookup the dsl part probably means a DSL connection so it's probably part of a botnet or otherwise compromised group of consumers. Though a new spammer might be foolish enough to use their own IP what this one is might be the IP of someone who previously was infected by the virus the email contained.
This in the header is a clue that it's from a spammer using a consumer's IP, rather than a normal mail server:
X-Host-Lookup-Failed: Reverse DNS lookup has failed for 125.23.162.34 (failed)
Nothing wrong with consumers running their own mail servers on their internet connections but the email may have trouble getting through sometimes. One thing I did before using SG was write a plugin to a Windows-based spam filtering proxy server that looked up the IP addresses in a header to see whether they were from ranges known to be end user IPs, then marked them as likely to be spam based on that origin. That was more than fifteen years ago.
This doesn't mean that emails claiming to be from gmail always didn't start at gmail, though. Virus payloads can harvest connection details and allow sending from a gmail account until gmail notices and bans the source.
No need to worry about the discussion telling spammers anything new.
So far as that particular virus email went, here's what would have happened to anyone who used it, according to a virus analysis tool:
https://www.hybrid-analysis.com/sample/ ... onmentId=1 . Not the exact one necessarily, I looked up based on the names of the computer programming contained in the attachment, a Word macro that would run as soon as the document opened, then create the underlying malicious payload. The reason I posted that was so that you can see that the apparent trail of connections made by the virus ended up in Russia so it may well have been a Russian criminal gang trying to steal account information. Or not, there are many ways to make money via viruses besides that one.