Google is objectively running a spammer mailing list service

October 5, 2017

If you are a mailing list service provider, there are a number of things that you need to do, things that fall under not so much best practices as self defense. My little list is:

  • You shouldn't allow random people you don't know and haven't carefully authenticated to set up mailing lists that you'll send out for them.
  • If you do let such people set up mailing lists, you should require that all email addresses added to them be explicitly confirmed with the usual two step 'do you really want to subscribe to this' process.
  • If you actually allow random people you don't know to add random email addresses to their mailing lists, you absolutely must keep a very close eye on the volume of rejections to such mailing lists. A significant rate of rejections is an extremely dangerous warning sign.

Google, of course, does none of these, perhaps because doing any of these would require more people or reduce 'user engagement', also known as the number of theoretical eyeballs that ads can be shown to. The result is predictable:

2017-10-04 08:19 [] [...] F=<emails1+[...]> rejected [...]
2017-10-04 08:26 [] [...] F=<emails5+[...]> rejected [...]
2017-10-04 08:31 [] [...] F=<emails7+[...]> rejected [...]
2017-10-04 08:31 [] [...] F=<emails7+[...]> rejected [...]
2017-10-04 08:32 [] [...] F=<emails8+[...]> rejected [...]
2017-10-04 08:39 [] [...] F=<emails9+[...]> rejected [...]
2017-10-04 08:40 [] [...] F=<emails9+[...]> rejected [...]
2017-10-04 08:40 [] [...] F=<emails11+[...]> rejected [...]
2017-10-04 08:40 [] [...] F=<emails11+[...]> rejected [...]
2017-10-04 08:41 [] [...] F=<emails11+[...]> rejected [...]
2017-10-04 11:57 [] [...] F=<emails15+[...]> rejected [...]
2017-10-04 12:06 [] [...] F=<emails16+[...]> rejected [...]
2017-10-04 12:09 [] [...] F=<emails18+[...]> rejected [...]

That's just from today; we have more from yesterday, October 2nd, and October 1st. They're a mixture of RCPT TO rejections (generally due to 'no such user') and post-DATA rejections from our commercial anti-spam system laughing very loudly at the idea of accepting the email. Many other copies made it through, not because they weren't seen as spam but because they were sent to users who hadn't opted into our SMTP time spam rejection.

Google has deliberately chosen to mix all of its outgoing email into one big collection of mail servers that third parties like us can't easily tell apart. For Google, this has the useful effect of forcing recipients to choke down much of Google's spam because of GMail, instead of letting people block it selectively. In this case, we have some trapped mail headers that suggest that this is something to do with Google Groups, which is of course something that we've seen before, with bonus failures. That was about six years ago and apparently Google still doesn't care.

(Individual people at Google may care, and they may be very passionate about caring, but clearly the corporate entity that is Google doesn't care. If it did care, this would not happen. At a minimum, there would be absolutely no way to add email addresses to any form of mailing list without positive confirmation from said addresses. Instead, well, it's been six years and this stuff is still happening.)

PS: My unhappy reactions yesterday on Twitter may have produced some results, which is better than nothing, but it should go without saying that that's not exactly a good solution to the general issue. Spammers are like ants; getting rid of one is simply dealing with the symptoms, not the problems.

Written on 05 October 2017.
« My new worry about Firefox 56 and the addons that I care about
Spam issues need to be considered from the start »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Thu Oct 5 00:31:56 2017
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.