ZH version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
45% Positive
Analyzed from 5032 words in the discussion.
Trending Topics
#google#gmail#spam#com#mail#email#address#emails#don#report
Discussion (163 Comments)Read Original on HackerNews
Yes, it was a pain to take all of these steps and it probably took about 3 hours but it was absolutely necessary considering there was no avenue for me to shut down this person otherwise.
Google LLC
Attn: Legal Department – Custodian of Records
1600 Amphitheatre Parkway
Mountain View, CA 94043
In the cover letter I outlined the problem and the desired remedy (shut down the gmail account and preserve IP and other information for law enforcement), and attached two other documents: an annotated printout of the email thread from a prospective victim of the scam (who sensed something was fishy and contacted me through my website) and the local police report I filed to document the attempted fraud in my name.
Someone at Google contacted me about a week later and confirmed that the account was shut down. I don't know if they did anything else regarding preserving data or shutting down any other Google services this person was using.
I also made a report to the FBI’s Internet Crime Complaint Center, although TBH it looks like a black hole that lets the feds say they are "doing something" for ordinary victims.
During the IC3 reporting process I was asked to submit the name of people behind the scam, if known. I knew one of them because the scammer asked for a wire transfer to a named account at a bank in Oregon. Probably a mule.
Does anyone at the FBI or other agencies actually do anything with this information, such as contacting the bank in question or correlating it with other investigations? That's what I would expect if law enforcement were serious about enforcing the laws on the books. But there is no indication that anything happened, other than a confirmation number being spit out on a web page that my report had been received. That's why I made the "black hole" comment earlier.
If the IC3 portal highlighted specific cases or stats ("thanks to reports submitted to IC3, n investigations were initiated/suspects charged/convictions secured") that would really help convince ordinary victims that the government is taking tangible steps to fight this scourge of small-scale scams and frauds that affect millions of people every year.
https://stripe.com/resources/more/what-is-a-card-account-upd...
You can sometimes ask your bank to issue a card and not ping the updater service, but tier one support tends… not to know about it at all.
You can create as many virtual cards as you want. And surprisingly, I've rarely encountered a vendor that rejects them. I set one up for pretty much every recurring service charge, just because it's so easy to do.
It costs a few hundred a year for personal banking, but if you register an LLC (which in MO costs ~$10) you can use your EIN to get a business account. Did it a couple times, once for my non-profit and once for my consulting LLC.
Google, Microsoft, and Amazon are my major sources of spam. These days, this is where spam comes from.
At this point, they are also too big to block. We allowed this to happen, through neglect and laziness. Even in this discussion: how many people use Gmail as their primary email service?
Phone providers should also be detecting this with AI. There is no way this should be occurring anymore.
Spammers however, they have an economic incentive to have experts set up SPF, DMARC and all the other crap to appear legitimate.
I figure an email is worth a beer.
I mention it only as a useful data point, and in the absence of anyone else on the thread mentioning that Google have robust email abuse monitoring.
Certainly mailchimp and the like make things simpler, but the price can be quite high.
https://en.wikipedia.org/wiki/Abuse_Reporting_Format
How to bulk do this is interesting too. https://en.wikipedia.org/wiki/Feedback_loop_(email) says that gmail has a bulk format and that sendgrid is seeing some success.
Not defending just trying to see what a technical solution looks like
Shows you how to use googles thing if you are a sender to know if @gmail folks are reporting you. It doesnt address what to do if someone's @gmail is doing this to you (a workspace custom domain yes)... @gmail are rate-limited to a few 1000s per day per gmail address but this is still a lot obviously
But only in Gmail then? Where is it possible to report a spam from a Gmail address received on a non-Gmail inbox?
Google is being a real PITA as the receiving side for people who try to self-host their mail or who use small providers. They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
You can use this form
>They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
Eh? They do tons in anti-bot detection. But the value in exploiting and using Google's service is extremely high so bot authors are increasingly getting creative. Google stops running Gmail and simply another service becomes a high value target.
At least Microsoft fixed their Azure abuse after 10 years of not giving a fuck. It used to be stupid fucking easy to setup a trial O365 tenant and spam the fucking internet through "onmicrosoft.com" domains. And they let that go for 10 years.
edit: I might be incorrect on this and was thinking about how unsubscribing is standardized instead.
Basically, there is no standard beyond the ages-old requirement to have abuse@ and postmaster@ email addresses that react to such reports. Which Google doesn't follow at all, you just get redirected to some useless web form which requires a Google account and the sacrifice of a goat.
It is entirely Google's fault, and they should be shunned for it and their emails dropped. But unfortunately, they are too big for that by far...
They're not sending emails directly from their gmail address.
But they are adding victim emails to other Google services and then Google themselves send them invitations emails.
And if you name your service like "Google helpdesk - password reset" or something like that.
Invitation email from Google will look very official, but URL in the email will be controlled by the attacker.
It's pretty old working technique used for phishing for years now.
Spam report does nothing, since you're reporting official Google email.
No such thing. And if you just want to assign anybody who works in IT to it in order to create the concept of such of a thing, a large percentage of this community would work at Google, a company that depends on Google, or a company that has the same attitude as google.
So it's less pie in the sky than nonsense. People don't talk about things changing in the physical world without talking about force, mass and inertia, but when it comes to people, the theory of power just evaporates and we start wishing for things to spontaneously happen because we've declared that they should happen.
With some weird definition of "should" which relies on our personal conception of the world. In the physical world, we say something "should" happen when we expect it to happen based on our theories of how the world works. With people we say things "should" happen when we personally want them hard enough.
I’m not jumping through hoops when I’m not doing anything wrong. SPF, DMARC, DKIM, IP address not on a blacklist, and I send zero spam. Only human-written client communications 1:1.
So, my clients with hotmail.com addresses don’t get emails from me. I can call them, they can call me.
Gmail cannot be whitelisted anymore: spam, phishing,... On the other hand, if your users redirect twitter or linkedin notifications from their domain to a gmail account, Google claims you are sending too fast and is suspicious (and throttles or blocks ip).
Hilarious.
In recent months I'm seeing instances where random personal mail accounts on a server I run would receive a barrage of mail in a short amount of time.
Mail seems to be bounced via Google Groups - they are sent from Google's IPs and have headers like X-Google-Group-Id, List-*, etc. all pointing to Google Groups. The actual group ID changes after each individual instance of this. However when I actually check e.g. the List-Archive URL, the group appears to be already been deleted.
The content of mail looks like it originates from various (legit-looking) random public web services, support requests, issue trackers, web contact forms etc. For example, a common reoccurring one is Virginia Department of Motor Vehicles (as in something like "thank you for filing a document #123 with us").
No apparent phishing links, no attached malware, no short advertisements snuck into a text field etc. Just automated replies from "noreply@"-type addresses.
It does not seem to be the case of trying to hide another attack (as discussed here for example: https://news.ycombinator.com/item?id=47609882) - over many instances I've not seen any other malicious activity. And this mail is filtered out easily enough based on Google's headers.
It all looks like there is some bot that a) creates a Google group and subscribes (one or more) random email addresses to a Google group and then b) enters the group's mail address into a bunch of random web forms that then send their automated responses to the group.
What could be the motivation for this? After the fact it's filtered pretty easily based on headers. It's not nearly enough volume to DoS the server. But why would someone go through the trouble of setting this up?
The format is something like googlegroups-manage+{groupName}+unsubscribe@googlegroups.com
Just send an email there and they stop coming (for that list).
Source: I was getting spam like this, a fellow victim did some tests and confirmed that it stopped the onslaught of messages.
It's not even that much of a hassle. What worries me is that I don't understand why someone would go through the trouble of doing this for no apparent benefit. I hope I'm not somehow unknowingly enabling some sort of an attack on any of the entities sending these automated replies.
Maybe try saying the spam has porn or inappropriate images?
I remember a bunch of spam and fishing emails from weird Outlook addresses. Don't remember any from Google.
The obvious (and correct) explanation is deliverability. Spammers send from Google services because they can inbox, they don’t send from other services because those services will not inbox successfully.
I'm not denying that they are sometimes used by spammers, but they are definitely a legitimate operation that takes action against spammers if you report them.
Google Workspace email is very generous with the kind of outgoing email you can send via their SMTP servers.
I’ve not been reporting them because I already know they aren’t valid and do not google’s work for them
Have reported AppSheet to FCC after seeing Google wasn't doing enough--same scam email format, same inbox-landing pathway, but still irked.
Also try forwarding the emails to the phishing emails of the misrepresented brands, when they have an address for it. Figure they're the ones who have any power.
I always report them with suggestions they teach their AI that invoices sent to large number of addresses are phishing.
This is starting to become important as countries (very unwisely!) start tying things like national ID and banking to smartphones.
But when a moderately technical colleague wanted to do the same, I told her to use Mox, she set it up and Gmail doesn't block her either.
So... would you please elaborate?
Fixing it was always pretty simple -- or at least, non-mysterious. They'd bounce some things, I'd look at the headers of the bounced messages, and therein were links to instructions there that showed how to resolve whatever issue it was this year.
Just follow the steps, implement the new thing, and stuff started flowing again in rather short order. Not so bad.
IIRC, the only time it ever cost us any money was when the RBLs started keeping track of dynamic IP pools and we needed to finally shift over to something actually-static.
AWS, on the other hand has proven willing to move mountains for me as a $15/mo customer.
Zero. OTOH, since I'm sure they are training on emails and archiving/profiling everything forever even if we delete messages.. those constant threats to become a paying customer before hitting some arbitrary small quota are still villainous
Maybe it's only legacy, but gmail brings customers to Google and their related services. Escalation then brings them on as paying Customers. As loss leader may make a loss if looked at in a bubble, but if looked at as part of the "Customer Lifecycle" then other areas of profit would likely be much smaller without the free gateway.
It takes me active resistance to avoid Google's paid services, and I'm staunchly independent in relatively rare air. The minor capitulation required to turn into a paying Customer would capture a good percentage of their erstwhile-free gmail users (I would think. Yes, conjecture, interested in explanations of alternative theories).
Source: Used to work there.
How do they get money for free? What is stopping everyone else from doing the same?
> ridiculous assertion.
What is ridiculous is the idea that running an email service a massive scale like Gmail is somehow free.
How did we get to the point where there can be 12 services, but the one with lots of customers is a "Monopoly". Its a complete destruction of the word. They aren't killing their competitors, nor making it illegal to compete. Yeah its harder in the current era to run your own mail server, for a variety of reasons involving spam. But can we just cut the shit on calling literally every company with more than 100 employees a Monopoly?
market power
>What is stopping everyone else from doing the same?
see above
I've worked at a start up where the marketing team just had a `marketing@startup.com` email that was just like any other email in Google Workspace and used that for all marketing communications. Eventually they bumped up against that limit and a couple of engineers had to help them troubleshoot and there were enough blog and stack overflow posts at the time about hitting the limit to make make me think what they were doing wasn't uncommon.
When you consider the scale of Gmail and that this is almost certainly a Workspace account so they're mixed in with business customers, I'm not sure how much of an anomaly 10k emails a week actually is.
Just imagine a weekly newsletter with 100k subscribers.
Above that threshold you should use tools like moosend, benchmarkemail, or similar. And they ask a pretty penny when you reach that scale.
It's not perfect though. For some reason, it doesn't find (or deliberately ignores) OVH hosts that are relaying spam.
One example: they seem to have a size limit of 50KB when you report a spam mail via their web form. I've received quite some spam that exceeds that because they use base64 encoding of the body, add non-visible filler content to drown out the actual spam/phishing message, etc.
SpamCop suggests to cut off the message and still process it but then they miss e.g. the link to the phishing website and thus they can't send out a report for that.
Speaking of phishing links: a lot of the phishing mails I receive, link to some account on storage.googleapis.com. I've seen mails with links to the same account for weeks on end before they switch to a different one, implying that these links remain online for a long time. You would think that marking such mails as phishing in GMail (they are already flagged as spam) would get them on some kind of radar but apparently not...
Are the real-time-blackhole lists still a thing?
If they're regularly allowing spam and not responding to reports in any sort of timely manner, possibly they should be reported to those.
Not going to work though, is it. Too big to fail shouldn't be a thing. It's not like you can't be flexible about it or give them some room to deal with it within corporate policy; but they do need to deal with it, right?
Realistically, I think some companies have outgrown the size where internet can still self-regulate them. You'd hurt yourself more than gmail.
This either needs laws or new game theory.
Or -you know- deprecate the current email system. I know that's a perennial proposal; but that's because every year it gets even more broken in even more interesting ways. It's patch-on-patch-on-patch at the moment. Just spinning up sendmail on a random box won't quite cut it anymore, if you want to participate.
It sometimes stops for weeks, then it continiues.
from my logs as an example: Nov 13 22:10:51 bert postfix/smtpd[2693931]: NOQUEUE: reject: RCPT from mail-oi1-x248.google.com[2607:f8b0:4864:20::248]: 450 4.1.8 <ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com> to=<rmayer13@nerd-residenz.de> proto=ESMTP helo=<mail-oi1-x248.google.com> Nov 13 22:12:07 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-ua1-x948.google.com[2607:f8b0:4864:20::948]: 450 4.1.8 <ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com> to=<rmayer1000@nerd-residenz.de> proto=ESMTP helo=<mail-ua1-x948.google.com> Nov 13 22:12:18 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x346.google.com[2a00:1450:4864:20::346]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayer13@nerd-residenz.de> proto=ESMTP helo=<mail-wm1-x346.google.com> Nov 13 22:12:37 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lf1-x146.google.com[2a00:1450:4864:20::146]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayer333@nerd-residenz.de> proto=ESMTP helo=<mail-lf1-x146.google.com> Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 <hc+bncBDO2ZDH5DIIOXB6ZZADBUBB2QEZ74@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<hc+bncBDO2ZDH5DIIOXB6ZZADBUBB2QEZ74@zf.thesparklebar.com> to=<rmayer@nerd-residenz.de> proto=ESMTP helo=<mail-lj1-x248.google.com> Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x345.google.com[2a00:1450:4864:20::345]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayerrmayer@nerd-residenz.de> proto=ESMTP helo=<mail-wm1-x345.google.com> Nov 13 22:14:03 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayera@nerd-residenz.de> proto=ESMTP helo=<mail-lj1-x248.google.com>
As you can see, the to-address is generated and its different hosts at google trying to send mails.
Searching for zf.thesparklebar.com shows others having the same problem.
I don't think people appreciate that this is really the key observation here. In large institutions, for anything significant to happen, there have to be incentives and alternatives, and these are set by management. Management in turn usually cares about their incentives, and the company overall mostly cares about the bottom line and the financial reports.
As a result, this is unlikely to get addressed, unless there is significant pressure, like media coverage, people mass-resigning from Gmail, or major email servers blocking Google. But none of these are likely to happen.