spamassassin-users mailing list archives

From Dominic Raferd <domi...@timedicer.co.uk>
Subject Re: google and spam
Date Mon, 14 Dec 2020 12:12:26 GMT
On 14/12/2020 11:01, Iulian Stan wrote:
> Hi all,
>
> First of all, I am writing this email from Yahoo because from my own 
> domain it seems it's not working, because I have DMARC set up and 
> apparently something (maybe ezml) is messing with the headers. If 
> you have any idea to whom I should address this, I will be more than happy :)
>
> I am also receiving a lot of spam from Google (apparently the domain is 
> always trix.bounces.google.com) and all the spam is using Google Forms.
> For me the problem is solved (meaning that all of this spam is going 
> to quarantine and bayes is learning about it) but I was wondering if:
>
> 1) Since the emails are coming from Google, how come Google is not doing 
> anything?
> 2) Is this spam sent manually? It would be a nightmare for a spammer 
> to do this, but how come there is not any limitation coming from Google if 
> the spam is sent via mass-bulk programs/interfaces/etc?
> 3) I am also using a local (my own) RBL which is trained with IPs from 
> spam. It is queried by SpamAssassin because I don't want to reject from the 
> MTA but use it in conjunction with other scores/rules. Now I have 
> doubts that if I keep adding IPs from Google I will end up having all 
> Google MTAs added and legit email might be hurt in the process. What 
> do you think? Do you have insights about this trix.bounces.google.com? 
> Looking on RBLs it doesn't look too great and it seems from this domain 
> there is spam which is actively sent.
> 4) I thought that maybe Google launched something similar to SendGrid 
> but I can't find any reference about it, and also the envelope-froms are 
> different; I didn't find a common denominator. A few examples:
>
> envelope-from 
> <3lXRKXxQOBqgUMOIUQTTQWVa.RJfIaRLLQITWOJZIVL.ZcWNNQKMOaJMb.ZW@trix.bounces.google.com>
> ...
>
> Above also a full example of an email:
>
> https://pastebin.com/DW6dvdxP

To my surprise, you seem to be right. In my logs I have a number of 
these (but not a huge number) over the last year; they have almost all 
been blocked by SA (not using bayes) - but not blocked by earlier 
defences. I have received only a handful of such mails that have passed 
SA; now when I check them, all are definitely spam/phishing. The IPs all seem 
to be Google's (within CIDR 209.85.128.0/17). I'm going to add a couple 
of points of scoring to anything from trix.bounces.google.com.
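
The trade-off discussed in this thread (listing sending IPs in a local RBL versus scoring on the envelope-from domain), as an added example that is not part of either message. It assumes a constructed `client=<ip> from=<sender>` record format, constructed addresses, and 2.0 as the value of "a couple of points"; only the CIDR and the domain come from the thread.

```python
import ipaddress
import re
from collections import defaultdict

GOOGLE_RANGE = ipaddress.ip_network("209.85.128.0/17")  # CIDR quoted in the reply
TRIX_DOMAIN = "trix.bounces.google.com"                 # envelope domain from the thread
EXTRA_POINTS = 2.0                                      # assumption: "a couple of points"

# Constructed sample records, not real log output.
SAMPLE_LOG = """\
client=209.85.220.69 from=<3CONSTRUCTED.token.a@trix.bounces.google.com>
client=209.85.220.69 from=<alice@workspace-customer.example>
client=209.85.167.41 from=<3CONSTRUCTED.token.b@trix.bounces.google.com>
client=198.51.100.7 from=<bob@other.example>
client=209.85.220.69 from=<>
"""

LINE_RE = re.compile(r"client=(\S+)\s+from=<([^>]*)>")


def parse_records(text):
    """Yield (ip, envelope sender domain); a null sender (<>) gives ''."""
    for m in LINE_RE.finditer(text):
        sender = m.group(2)
        domain = sender.rpartition("@")[2].lower() if "@" in sender else ""
        yield ipaddress.ip_address(m.group(1)), domain


def envelope_points(domain):
    """Extra score for the envelope domain alone, independent of the sending IP."""
    return EXTRA_POINTS if domain == TRIX_DOMAIN else 0.0


def summarize(text):
    """Count, per sending IP, mails with the trix envelope domain versus all others."""
    stats = defaultdict(lambda: {"trix": 0, "other": 0})
    for ip, domain in parse_records(text):
        stats[ip]["trix" if domain == TRIX_DOMAIN else "other"] += 1
    return dict(stats)


def collateral_ips(text):
    """Google-range IPs that sent trix mail and other mail: listing them hits both."""
    return sorted(str(ip) for ip, s in summarize(text).items()
                  if s["trix"] and s["other"] and ip in GOOGLE_RANGE)


if __name__ == "__main__":
    print("IPs where an RBL listing would also hit other mail:", collateral_ips(SAMPLE_LOG))
```

Run over your own MTA log (after adapting `LINE_RE` to its format), a non-empty `collateral_ips` result means the local RBL is penalising shared Google outbound hosts rather than the Forms spam itself.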

