Google is objectively running a spammer mailing list service

October 5, 2017

If you are a mailing list service provider, there are a number of things that you need to do, things that fall under not so much best practices as self defense. My little list is:

  • You shouldn't allow random people you don't know and haven't carefully authenticated to set up mailing lists that you'll send out for them.
  • If you do let such people set up mailing lists, you should require that all email addresses added to them be explicitly confirmed with the usual two step 'do you really want to subscribe to this' process.
  • If you actually allow random people you don't know to add random email addresses to their mailing lists, you absolutely must keep a very close eye on the volume of rejections to such mailing lists. A significant rate of rejections is an extremely dangerous warning sign.
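The third point can be made concrete as a per-list check over final SMTP replies. This is an added example, not code from the original post or from any provider; the record layout, list names, sample data and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

def classify(reply):
    """Map a final SMTP reply line to 'ok', 'deferred' or 'rejected'."""
    code = reply.strip()[:3]
    if len(code) == 3 and code.isdigit():
        # 5xx covers both RCPT TO rejections and post-DATA rejections.
        return {"2": "ok", "5": "rejected"}.get(code[0], "deferred")
    return "deferred"  # unparsable reply: neither delivered nor rejected

def rejection_report(results, min_final=20, max_reject_rate=0.05):
    """Return {list_id: (final_attempts, reject_rate, action)}.

    Thresholds are assumptions for this example, not recommended values.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for list_id, _recipient, reply in results:
        counts[list_id][classify(reply)] += 1
    report = {}
    for list_id, c in counts.items():
        final = c["ok"] + c["rejected"]  # deferrals get retried, so exclude them
        rate = c["rejected"] / final if final else 0.0
        if rate > max_reject_rate:
            # Small lists have too little data to judge: send them to a human.
            action = "suspend" if final >= min_final else "review"
        else:
            action = "ok"
        report[list_id] = (final, round(rate, 3), action)
    return report

def _sample(list_id, ok, rejected, deferred):
    """Build constructed delivery results for one hypothetical list."""
    rows = [(list_id, f"user{i}@example.org", "250 2.0.0 OK") for i in range(ok)]
    rows += [(list_id, f"gone{i}@example.net", "550 5.1.1 no such user")
             for i in range(rejected)]
    rows += [(list_id, f"slow{i}@example.com", "451 4.7.1 try again later")
             for i in range(deferred)]
    return rows

# Constructed sample data, not taken from any real mail log.
SAMPLE_RESULTS = (_sample("newsletter", 95, 2, 3)
                  + _sample("promo-blast", 30, 25, 5)
                  + _sample("tiny", 3, 2, 0))

if __name__ == "__main__":
    for list_id, row in sorted(rejection_report(SAMPLE_RESULTS).items()):
        print(list_id, row)
```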

Google, of course, does none of these, perhaps because doing any of these would require more people or reduce 'user engagement', also known as the number of theoretical eyeballs that ads can be shown to. The result is predictable:

2017-10-04 08:19 [] [...] F=<emails1+[...]> rejected [...]
2017-10-04 08:26 [] [...] F=<emails5+[...]> rejected [...]
2017-10-04 08:31 [] [...] F=<emails7+[...]> rejected [...]
2017-10-04 08:31 [] [...] F=<emails7+[...]> rejected [...]
2017-10-04 08:32 [] [...] F=<emails8+[...]> rejected [...]
2017-10-04 08:39 [] [...] F=<emails9+[...]> rejected [...]
2017-10-04 08:40 [] [...] F=<emails9+[...]> rejected [...]
2017-10-04 08:40 [] [...] F=<emails11+[...]> rejected [...]
2017-10-04 08:40 [] [...] F=<emails11+[...]> rejected [...]
2017-10-04 08:41 [] [...] F=<emails11+[...]> rejected [...]
2017-10-04 11:57 [] [...] F=<emails15+[...]> rejected [...]
2017-10-04 12:06 [] [...] F=<emails16+[...]> rejected [...]
2017-10-04 12:09 [] [...] F=<emails18+[...]> rejected [...]

That's just from today; we have more from yesterday, October 2nd, and October 1st. They're a mixture of RCPT TO rejections (generally due to 'no such user') and post-DATA rejections from our commercial anti-spam system laughing very loudly at the idea of accepting the email. Many other copies made it through, not because they weren't seen as spam but because they were sent to users who hadn't opted into our SMTP-time spam rejection.

Google has deliberately chosen to mix all of its outgoing email into one big collection of mail servers that third parties like us can't easily tell apart. For Google, this has the useful effect of forcing recipients to choke down much of Google's spam because of GMail, instead of letting people block it selectively. In this case, we have some trapped mail headers that suggest that this is something to do with Google Groups, which is of course something that we've seen before, with bonus failures. That was about six years ago and apparently Google still doesn't care.

(Individual people at Google may care, and they may be very passionate about caring, but clearly the corporate entity that is Google doesn't care. If it did care, this would not happen. At a minimum, there would be absolutely no way to add email addresses to any form of mailing list without positive confirmation from said addresses. Instead, well, it's been six years and this stuff is still happening.)
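A minimal sketch of what 'positive confirmation from said addresses' means in practice, as an added example that is not from the original post or any real list service: an address only joins a list after presenting a token that was mailed to it. The `MailingList` class, the secret and the three-day lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: a random server-side secret in real use
TOKEN_TTL = 3 * 24 * 3600         # assumption: confirmation links valid for three days

def _sig(list_id, address, expires):
    """HMAC binding the token to one list, one address and one expiry time."""
    msg = f"{list_id}\n{address.lower()}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class MailingList:
    def __init__(self, list_id):
        self.list_id = list_id
        self.subscribers = set()

    def request_subscription(self, address, now=None):
        """Step 1: anyone may ask. Returns the token to mail to `address`.

        Nothing is added to the list here, so a list owner cannot
        subscribe third parties just by typing in their addresses.
        """
        issued = int(now if now is not None else time.time())
        expires = issued + TOKEN_TTL
        return f"{expires}.{_sig(self.list_id, address, expires)}"

    def confirm(self, address, token, now=None):
        """Step 2: only the mailbox owner, who received the token, can finish."""
        now = int(now if now is not None else time.time())
        try:
            expires_s, sig = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False  # malformed token
        expected = _sig(self.list_id, address, expires)
        # Constant-time comparison; compare bytes so odd input cannot raise.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        if expires < now:
            return False  # stale confirmation link
        self.subscribers.add(address.lower())
        return True
```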

PS: My unhappy reactions yesterday on Twitter may have produced some results, which is better than nothing, but it should go without saying that that's not exactly a good solution to the general issue. Spammers are like ants; getting rid of one is simply dealing with the symptoms, not the problems.

Comments on this page:

By David at 2017-10-21 16:55:37:

Thank you for commenting on Google outbound spam.

I resorted to placing delivery from unknown Gmail senders in soft-bounce limbo; 95% of the time manually marking the source for Automatic Spam Report (ASR) treatment where on the next attempt the message is both bounced and a copy submitted to Google's feedback loop with a "RFC5965 ARF email abuse report." Several retired-now-spam-trap destination addresses trigger instant ASR, no manual review. An impressive number of bad actors remain willing to spend $280 per thousand Gmail accounts (buyaccs dot com slash en) and spam lists of horrendous quality. ASR for Gmail and other major freemail providers, the one form of pain I can inflict, has somewhat lowered the overall incoming abuse rate particularly flows originating from the paying customer sort that Google tolerates per your entry.

Off-topic, have you observed email from eBay failing DKIM validation? For the last couple of months I see most messages failing both opendkim-2.10.3 and SpamAssassin DKIM.

Written on 05 October 2017.

Last modified: Thu Oct 5 00:31:56 2017