Mailing List Archive

google and spam
Hi all,
First of all, I am writing this email from Yahoo because from my own domain it seems it's not working because I have DMARC set up and apparently something (maybe ezml) is messing up with the headers. If you have any idea to whom I should address this I will be more than happy :)


I am also receiving a lot of spam from Google (apparently the domain is always trix.bounces.google.com) and all of the spam is using Google Forms. For me the problem is solved (meaning that all of this spam is going to quarantine and Bayes is learning about it), but I was wondering:
1) Since the emails are coming from Google, how come Google is not doing anything?

2) Is this spam sent manually? It would be a nightmare for a spammer to do this, but how come there is no limitation from Google if the spam is sent via mass-bulk programs/interfaces/etc.?
3) I am also using a local (my own) RBL which is trained with IPs from spam. It is queried by SpamAssassin because I don't want to reject at the MTA but use it in conjunction with other scores/rules. Now I have doubts that if I keep adding IPs from Google I will end up having all Google MTAs added, and legit email might be hurt in the process. What do you think? Do you have insights about this trix.bounces.google.com? Looking at RBLs it doesn't look too great and it seems that from this domain there is spam which is actively sent.
4) I thought that maybe Google launched something similar to SendGrid but I don't find any reference about it, and also the envelope-froms are different; I didn't find a common denominator. A few examples:

envelope-from <3lXRKXxQOBqgUMOIUQTTQWVa.RJfIaRLLQITWOJZIVL.ZcWNNQKMOaJMb.ZW@trix.bounces.google.com>
envelope-from <3Qte3XwgJBdML8USYTTW5Bz7A.1DBz0JH35H03I.GD@trix.bounces.google.com>
envelope-from <3senTXxQJBtgJ8N8L4G4HA5I.54HECHAAG4CF.6IGI99C68AM58N.LI@trix.bounces.google.com>
envelope-from <3pgTVXxMJBQkrwox0lkwkjwt.x0p.wppvjru.lxvjk31np1kn2.0x@trix.bounces.google.com>
envelope-from <3Qc7WXxIJDT4rw.wfxmjjifgizqm99lrfnq.htrhtxrns.lfnyfslxgjy.wt@trix.bounces.google.com>
envelope-from <3VT3KXwwJDvwqymqymqmrk55kqemp.gsqmsryx.tixvmwsvkwfix.vs@trix.bounces.google.com>
envelope-from <3UxLDXwsJD4gymp6m645uzJsymux.o0yo045qx.stq03stqs4nq5.30@trix.bounces.google.com>

Above also a full example of an email:

https://pastebin.com/DW6dvdxP

Thanks in advance,
Iulian
Re: google and spam
On 14/12/2020 11:01, Iulian Stan wrote:
> Hi all,
>
> First of all, I am writing this email from Yahoo because from my own
> domain it seems it's not working because I have DMARC set up and
> apparently something (maybe ezml) is messing up with the headers. If
> you have any idea to whom I should address this I will be more than happy :)
>
> I am also receiving a lot of spam from Google (apparently the domain
> is always trix.bounces.google.com) and all of the spam is using Google Forms.
> For me the problem is solved (meaning that all of this spam is going
> to quarantine and Bayes is learning about it), but I was wondering:
>
> 1) Since the emails are coming from Google, how come Google is not doing
> anything?
> 2) Is this spam sent manually? It would be a nightmare for a spammer
> to do this, but how come there is no limitation from Google if the
> spam is sent via mass-bulk programs/interfaces/etc.?
> 3) I am also using a local (my own) RBL which is trained with IPs from
> spam. It is queried by SpamAssassin because I don't want to reject at the
> MTA but use it in conjunction with other scores/rules. Now I have
> doubts that if I keep adding IPs from Google I will end up having all
> Google MTAs added, and legit email might be hurt in the process. What
> do you think? Do you have insights about this trix.bounces.google.com?
> Looking at RBLs it doesn't look too great and it seems that from this
> domain there is spam which is actively sent.
> 4) I thought that maybe Google launched something similar to SendGrid
> but I don't find any reference about it, and also the envelope-froms are
> different; I didn't find a common denominator. A few examples:
>
> envelope-from
> <3lXRKXxQOBqgUMOIUQTTQWVa.RJfIaRLLQITWOJZIVL.ZcWNNQKMOaJMb.ZW@trix.bounces.google.com>
> ...
>
> Above also a full example of an email:
>
> https://pastebin.com/DW6dvdxP

To my surprise, you seem to be right. In my logs I have a number of
these (but not a huge number) over the last year, they have almost all
been blocked by SA (not using bayes) - but not blocked by earlier
defences. I have received only a handful of such mails that have passed
SA; now when I check them all definitely spam/phishing. The IPs all seem
to be Google's (within CIDR 209.85.128.0/17). I'm going to add a couple
of points scoring to anything from trix.bounces.google.com.
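One way to write Dominic's "couple of points" in SpamAssassin's own rule syntax, added here as an example and not taken from anyone in the thread. It also shows the alternative to the original poster's worry about feeding Google's delivering IPs into a private RBL: score the envelope-sender domain seen on these messages, and consult the private RBL only for the last external relay. `EnvelopeFrom` is SpamAssassin's pseudo-header for the envelope sender, and the `-lastexternal` suffix on a `check_rbl` set name restricts the DNSBL lookup to the last relay outside the trusted network; the rule names, the scores and the zone `rbl.example.internal.` are assumptions.

```conf
# local.cf fragment (added example; rule names, scores and RBL zone are assumptions)

# Envelope sender domain seen on the Google Forms spam discussed in the thread.
header   LOCAL_TRIX_BOUNCES   EnvelopeFrom =~ /\@trix\.bounces\.google\.com$/i
describe LOCAL_TRIX_BOUNCES   Envelope sender is trix.bounces.google.com
score    LOCAL_TRIX_BOUNCES   2.0

# The private DNSBL, queried only for the last external relay so that a listed
# Google delivering IP is the only thing consulted, not every Received: hop.
header   __LOCAL_RBL          eval:check_rbl('localrbl-lastexternal', 'rbl.example.internal.')
tflags   __LOCAL_RBL          net

# Score the combination instead of listing all of Google's MTAs outright.
meta     LOCAL_TRIX_AND_RBL   (LOCAL_TRIX_BOUNCES && __LOCAL_RBL)
describe LOCAL_TRIX_AND_RBL   trix.bounces.google.com sender relayed from an IP on the local RBL
score    LOCAL_TRIX_AND_RBL   2.0
```

Scoring rather than rejecting matches what both Dominic and the original poster describe: the rules add evidence for SpamAssassin to weigh alongside Bayes and the stock rules, so mail through the same Google bounce domain that is not spam is not lost outright. After editing local.cf, `spamassassin --lint` checks the syntax before the rules go live.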
Re: google and spam
On Mon, 14 Dec 2020 11:01:59 +0000 (UTC)
Iulian Stan wrote:

> Hi all,
> First of all i am writing this email from yahoo

One of the worst freemail choices for mailing lists because of its DMARC
reject policy.

> because from my own domain it seems it's not working because i
> have DMARC setup and apparently something(maybe ezml) is messing up
> with the headers.


The list does not break DKIM (as part of DMARC) in my experience, unless
the sending domain has done something that makes it incompatible
with mailing lists, e.g. signing the absence of a list-* header.

The list itself doesn't appear to reject DMARC fails because almost all
such posts that aren't received at gmail still make it to the gmane
newserver (news.gmane.io). If your posts aren't seen on gmane, it's
likely nothing to do with DMARC.
Re: google and spam
I see a deluge of spam from google.com, caught at FROM, all containing an @NXDOMAIN. Google is tripping on its own shoelaces in this period.

-------- Original Message --------
On Dec 14, 2020, 12:01, Iulian Stan wrote:

> Hi all,
>
> First of all, I am writing this email from Yahoo because from my own domain it seems it's not working because I have DMARC set up and apparently something (maybe ezml) is messing up with the headers. If you have any idea to whom I should address this I will be more than happy :)
>
> I am also receiving a lot of spam from Google (apparently the domain is always trix.bounces.google.com) and all of the spam is using Google Forms.
> For me the problem is solved (meaning that all of this spam is going to quarantine and Bayes is learning about it), but I was wondering:
>
> 1) Since the emails are coming from Google, how come Google is not doing anything?
>
> 2) Is this spam sent manually? It would be a nightmare for a spammer to do this, but how come there is no limitation from Google if the spam is sent via mass-bulk programs/interfaces/etc.?
>
> 3) I am also using a local (my own) RBL which is trained with IPs from spam. It is queried by SpamAssassin because I don't want to reject at the MTA but use it in conjunction with other scores/rules. Now I have doubts that if I keep adding IPs from Google I will end up having all Google MTAs added, and legit email might be hurt in the process. What do you think? Do you have insights about this trix.bounces.google.com? Looking at RBLs it doesn't look too great and it seems that from this domain there is spam which is actively sent.
>
> 4) I thought that maybe Google launched something similar to SendGrid but I don't find any reference about it, and also the envelope-froms are different; I didn't find a common denominator. A few examples:
>
> envelope-from <3lXRKXxQOBqgUMOIUQTTQWVa.RJfIaRLLQITWOJZIVL.ZcWNNQKMOaJMb.ZW@trix.bounces.google.com>
> envelope-from <3Qte3XwgJBdML8USYTTW5Bz7A.1DBz0JH35H03I.GD@trix.bounces.google.com>
> envelope-from <3senTXxQJBtgJ8N8L4G4HA5I.54HECHAAG4CF.6IGI99C68AM58N.LI@trix.bounces.google.com>
> envelope-from <3pgTVXxMJBQkrwox0lkwkjwt.x0p.wppvjru.lxvjk31np1kn2.0x@trix.bounces.google.com>
> envelope-from <3Qc7WXxIJDT4rw.wfxmjjifgizqm99lrfnq.htrhtxrns.lfnyfslxgjy.wt@trix.bounces.google.com>
> envelope-from <3VT3KXwwJDvwqymqymqmrk55kqemp.gsqmsryx.tixvmwsvkwfix.vs@trix.bounces.google.com>
> envelope-from <3UxLDXwsJD4gymp6m645uzJsymux.o0yo045qx.stq03stqs4nq5.30@trix.bounces.google.com>
>
> Above also a full example of an email:
>
> https://pastebin.com/DW6dvdxP
>
> Thanks in advance,
> Iulian
Re: google and spam
test again from my real domain :)


On 2020-12-14 17:32, RW wrote:
> On Mon, 14 Dec 2020 11:01:59 +0000 (UTC)
> Iulian Stan wrote:
>
>> Hi all,
>> First of all i am writing this email from yahoo
>
> One of the worst freemail choices for mailing lists because of its
> DMARC
> reject policy.
>
>> because from my own domain it seems it's not working because i
>> have DMARC setup and apparently something(maybe ezml) is messing up
>> with the headers.
>
>
> The list does not break DKIM (as part of DMARC) in my experience,
> unless
> the sending domain has done something that makes it incompatible
> with mailing lists. e.g. signing the absence of a list-* header.
>
> The list itself doesn't appear to reject DMARC fails because almost all
> such posts that aren't received at gmail still make it to the gmane
> newserver (news.gmane.io). If your posts aren't seen on gmane, it's
> likely nothing to do with DMARC.
Re: google and spam
On Mon, 14 Dec 2020 18:46:15 +0200
iulian stan wrote:

> DKIM-Signature: ...
> h=...:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

If you sign these headers without adding them all once in your original
message, you are signing their absence. This breaks DKIM and DMARC in
mailing lists.
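The mechanism RW describes here, and in the earlier reply about signing the absence of a list-* header, as an added example that is not code from anyone in the thread. It implements RFC 6376 relaxed header canonicalisation and the verifier's bottom-up header selection directly, and uses a SHA-256 digest of the selected headers as a stand-in for the RSA signature: real DKIM signs that digest, so a changed digest is a failed signature. The body hash and the DKIM-Signature header itself are left out, and the sample message, the List-* headers and the spoofed From: are all constructed for the demonstration. It also shows the legitimate reason signers list absent headers at all: `from:from` in h= signs the absence of a second From: and catches a prepended one.

```python
"""Added example (not from the thread): why a DKIM h= tag that lists List-*
headers the message does not carry breaks once a mailing list adds them.
Assumptions: relaxed canonicalisation (RFC 6376 3.4.2) implemented here; a
SHA-256 digest of the selected headers stands in for the RSA signature; body
hash and the DKIM-Signature header are omitted; all messages are constructed.
"""
import hashlib
import re
from typing import List, Tuple

Header = Tuple[str, str]


def parse_headers(raw: str) -> List[Header]:
    """Split the header block of a raw message into (name, value) pairs in
    original order, joining folded continuation lines onto their header."""
    block = raw.split("\n\n", 1)[0]
    headers: List[Header] = []
    for line in block.split("\n"):
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers


def canon_relaxed(name: str, value: str) -> str:
    """RFC 6376 'relaxed' canonicalisation: lower-case name, unfold, collapse
    whitespace runs to one space, strip ends, no whitespace around ':'."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n"


def select_signed(headers: List[Header], h_tag: List[str]) -> List[Header]:
    """Pick header instances the way a verifier does (RFC 6376 5.4.2): for each
    name in h=, in order, take the LAST not-yet-used instance. A name with no
    instance left contributes nothing; that is what 'signing its absence'
    means, because if the header shows up later it enters the hash input."""
    used = [False] * len(headers)
    chosen: List[Header] = []
    for wanted in h_tag:
        for i in range(len(headers) - 1, -1, -1):
            if not used[i] and headers[i][0].strip().lower() == wanted.lower():
                used[i] = True
                chosen.append(headers[i])
                break
    return chosen


def header_hash(raw: str, h_tag: List[str]) -> str:
    """Digest over the canonicalised selected headers (stand-in for the signature)."""
    selected = select_signed(parse_headers(raw), h_tag)
    data = "".join(canon_relaxed(n, v) for n, v in selected)
    return hashlib.sha256(data.encode()).hexdigest()


def signature_survives(signed_raw: str, relayed_raw: str, h_tag: List[str]) -> bool:
    """True if what the signer hashed is still what a verifier hashes after relay."""
    return header_hash(signed_raw, h_tag) == header_hash(relayed_raw, h_tag)


# Constructed sample: the message as the author's own MTA signed it.
ORIGINAL = (
    "From: Iulian <iulian@example.org>\n"
    "To: users@lists.example.net\n"
    "Subject: google and spam\n"
    "Date: Mon, 14 Dec 2020 18:46:15 +0200\n"
    "Message-ID: <20201214164615.demo@example.org>\n"
    "\n"
    "Body text.\n"
)
# Constructed: the same message after list software prepended its List-* headers.
RELAYED = (
    "List-Id: <users.lists.example.net>\n"
    "List-Unsubscribe: <mailto:users-unsubscribe@lists.example.net>\n"
    "List-Post: <mailto:users@lists.example.net>\n"
) + ORIGINAL
# Constructed: a relay prepending a second From:, the attack oversigning exists for.
SPOOFED = "From: Payroll <payroll@example.org>\n" + ORIGINAL

# h= that signs only headers the author's MTA actually sent ...
SAFE_H = ["from", "to", "subject", "date", "message-id"]
# ... versus the h= quoted in the thread, which also lists absent List-* headers.
OVERSIGNED_H = SAFE_H + ["list-id", "list-help", "list-unsubscribe",
                         "list-subscribe", "list-post", "list-owner", "list-archive"]

if __name__ == "__main__":
    print("safe h=, through the list     :", signature_survives(ORIGINAL, RELAYED, SAFE_H))
    print("list-* in h=, through the list:", signature_survives(ORIGINAL, RELAYED, OVERSIGNED_H))
    # One 'from' in h= selects the bottom From: and lets a prepended one through;
    # 'from:from' signs the absence of a second From: and catches it.
    print("h=from, prepended From:       :", signature_survives(ORIGINAL, SPOOFED, ["from"]))
    print("h=from:from, prepended From:  :", signature_survives(ORIGINAL, SPOOFED, ["from", "from"]))
```

Run stand-alone it prints True, False, True, False: the safe h= survives the list, the oversigned one does not, and the duplicated `from` is the case where signing an absent header is worth having. The practical fix for the signer in the thread is to drop the List-* names from the h= tag of its DKIM signing configuration unless the sending MTA adds those headers itself.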
Re: google and spam
Hello,

Crystal clear on the DMARC issue that I've had.
Does anyone else have any thoughts about trix.bounces.google.com and the spam
that we receive?

Best regards,
Iulian

On 2020-12-14 19:39, RW wrote:
> On Mon, 14 Dec 2020 18:46:15 +0200
> iulian stan wrote:
>
>> DKIM-Signature: ...
>> h=...:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
>
> If you sign these headers without adding them all once in your original
> message, you are signing their absence. This breaks DKIM and DMARC in
> mailing lists.
Re: google and spam
On Mon, 14 Dec 2020, Dominic Raferd wrote:

> On 14/12/2020 11:01, Iulian Stan wrote:
>> I am also receiving a lot of spam from Google (apparently the domain is always
>> trix.bounces.google.com)
>>
>> https://pastebin.com/DW6dvdxP
>
> To my surprise, you seem to be right. In my logs I have a number of these
> (but not a huge number) over the last year, they have almost all been blocked
> by SA (not using bayes) - but not blocked by earlier defences. I have
> received only a handful of such mails that have passed SA; now when I check
> them all definitely spam/phishing. The IPs all seem to be Google's (within
> CIDR 209.85.128.0/17). I'm going to add a couple of points scoring to
> anything from trix.bounces.google.com.

I'll add a rule for that to my sandbox and we'll see what happens.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The belief in one’s own moral superiority eventually
erases the conscience. After all, if one is morally superior
to others, then no conscience is needed. All actions and behaviors
are acceptable because they’re done in an effort to
make the world a better place. -- I&I Editorial
-----------------------------------------------------------------------
Tomorrow: Bill of Rights day
Re: google and spam
On Mon, 14 Dec 2020 16:54:11 +0100
Reindl Harald wrote:

> Am 14.12.20 um 16:32 schrieb RW:
>
> > The list does not break DKIM (as part of DMARC) in my experience
>
> oh come on!
>

Over the last two years I've had 202 DMARC fails reach gmail through
this list (only a small minority of fails were rejected). If I eliminate
those without an author aligned signature and those that signed list-*
headers, that reduces to just 4 over 2 years.

All of the remaining 4 failed DKIM in Apache's AR header on the way in
to the system before they reached the list software, and all 4 were
from amateur-run SOHO mail systems.