Posted by pabs3 16 hours ago
Yes, it was a pain to take all of these steps and it probably took about 3 hours but it was absolutely necessary considering there was no avenue for me to shut down this person otherwise.
Google LLC
Attn: Legal Department – Custodian of Records
1600 Amphitheatre Parkway
Mountain View, CA 94043
In the cover letter I outlined the problem and the desired remedy (shut down the gmail account and preserve IP and other information for law enforcement), and attached two other documents: an annotated printout of the email thread from a prospective victim of the scam (who sensed something was fishy and contacted me through my website) and the local police report I filed to document the attempted fraud in my name.
Someone at Google contacted me about a week later and confirmed that the account was shut down. I don't know if they did anything else regarding preserving data or shutting down any other Google services this person was using.
I also made a report to the FBI’s Internet Crime Complaint Center, although TBH it looks like a black hole that lets the feds say they are "doing something" for ordinary victims.
During the IC3 reporting process I was asked to submit the name of people behind the scam, if known. I knew one of them because the scammer asked for a wire transfer to a named account at a bank in Oregon. Probably a mule.
Does anyone at the FBI or other agencies actually do anything with this information, such as contacting the bank in question or correlating it with other investigations? That's what I would expect if law enforcement were serious about enforcing the laws on the books. But there is no indication that anything happened, other than a confirmation number being spit out on a web page that my report had been received. That's why I made the "black hole" comment earlier.
If the IC3 portal highlighted specific cases or stats ("thanks to reports submitted to IC3, n investigations were initiated/suspects charged/convictions secured") that would really help convince ordinary victims that the government is taking tangible steps to fight this scourge of small-scale scams and frauds that affect millions of people every year.
I didn't know that. But that is another point that could be highlighted on the IC3 homepage or confirmation, along with aggregated data about enforcement actions resulting from submissions from ordinary victims.
De minimis non curat FBI.
They may also flag certain cases to be passed to other relevant authorities like FinCEN, the Secret Service, the Postal Inspection Service, various military investigative services, or even the intelligence community (assuming NSA doesn't already intercept the mailbox which would be a very reasonable thing to do).
It's like the internet crimes version of putting the serial number of stolen property in a police report. They ain't looking for it, but they'll tack the charge when they inventory a crackhouse bust and that number pops up stolen.
They aren't dedicating serious resources to speculatively looking at the reports and trying to assess patterns like some TV cop looking at a series of dead hookers and saying "aha we have a serial killer on the loose".
But I was careful to use certified mail return receipt as Google’s legal office knows that this can be used for documentation and proof if the case ever goes further.
In other words, having a paper trail is more likely to get acted upon.
https://stripe.com/resources/more/what-is-a-card-account-upd...
You can sometimes ask your bank to issue a card and not ping the updater service, but tier one support tends… not to know about it at all.
There was a lawsuit about a decade ago where a company was owed about $500k in ad fraud refunds and Google kept saying they had paid it, it ended up being an incomplete part of their software that had inadvertently withheld $75 million!
https://www.businessinsider.com/google-emails-adtrader-lawsu...
You can create as many virtual cards as you want. And surprisingly, I've rarely encountered a vendor that rejects them. I set one up for pretty much every recurring service charge, just because it's so easy to do.
It costs a few hundred a year for personal banking, but if you register an LLC (which in MO costs ~$10) you can use your EIN to get a business account. Did it a couple times, once for my non-profit and once for my consulting LLC.
The other part of the scam involved sending money to a bank account in Oregon with someone else's name attached to it. I notified the bank in a similar manner and hope they shut it down (not confirmed; my next step is to notify the Oregon banking regulator about the incident).
The hope is that once the bank account and gmail account are shut down the scammer will stop or move on. But I am concerned this could be a whack-a-mole problem that doesn't go away.
My incident is unlikely to be a real account being taken over. The name format was "firstnamelastnameofficial@gmail.com" and I have a somewhat rare name ... probably well under 40 people worldwide with the exact spelling.
Google, Microsoft, and Amazon are my major sources of spam. These days, this is where spam comes from.
At this point, they are also too big to block. We allowed this to happen, through neglect and laziness. Even in this discussion: how many people use Gmail as their primary email service?
Phone providers should also be detecting this with AI. There is no way this should be occurring anymore.
Edit: I’m not implying this is morally right or good for anyone but Google shareholders. This is just 21st Century American capitalism
Spammers however, they have an economic incentive to have experts set up SPF, DMARC and all the other crap to appear legitimate.
https://workaround.org/ispmail-trixie/anti-spoofing-dkim-spf...
We do have a _tremendous_ amount of spam fail these checks, as well as a few legitimate organizations.... Some of our peer companies have sent out notices that they will bounce anything that fails these checks in the coming years, and we're probably going to do the same before too long.
It's trivially easy, and absolutely valuable
I figure an email is worth a beer.
I mention it only as a useful data point, and in the absence of anyone else on the thread mentioning that Google have robust email abuse monitoring.
Certainly mailchimp and the like make things simpler, but the price can be quite high.
Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them. That's legitimate marketing emails. You might argue they also shouldn't exist, but they are a different category.
I get plenty of the second from mailchimp (it's what they do), almost none of the first. Marking the second kind as spam, rather than clicking the unsubscribe link is dangerous because it teaches your anti-spam filter to reject messages from legitimate companies. You might find that if they need to contact you for a genuine reason e.g. a receipt for a future transaction, the message is blocked.
No, they’re all spam. It’s just that some spam is significantly worse than others.
Edit:
this just reminded me of an interaction with a customer when I worked at a dialup ISP over 20 years ago. We would routinely get abuse reports about spam coming from our network that would turn out to be a family computer with a virus. We would disable their account until we got ahold of them, and then help them run antivirus or redirect them to a local shop to fix it.
But this one time my boss is like “Hey you wanna pretend you're the email manager? We have an actual spammer sending ads for a local business through our smtp servers”. We were all laughing at the audacity of it, they were sending thousands of the same message out, I think it was for a tackle shop.
When I called the guy to let him know why we disabled his account he immediately got angry at me, I vividly remember him saying “It’s not spam, it’s for a business!!” I explained to him that it doesn’t matter, it’s just as bad, and could get the whole company blacklisted from sending emails. Turns out his friend owned the business, and convinced him to install something that sent emails through outlook express.
The reason I got that duty is because I had no problem being confrontational back then. I remember telling him that I think he should be fined, and permanently banned from the internet. But that we’ll only let him back on if he uninstalls the thing.
He called back indignantly asking why we were allowing some other spam. I had to explain that it was from another network, and we’re trying to stop it, and that if every ISP were like us then it would barely be a problem.
I wonder if that business spams through google now.
I would disagree with that definition, and wikipedia and multiple dictionaries appear to agree with me; it doesn't matter how many dark patterns the company uses or whether they (claim to) let you opt out after the fact, if the message is unwelcome, it's spam.
https://www.merriam-webster.com/dictionary/spam
> spam noun
> unsolicited usually commercial messages (such as emails, text messages, or Internet postings) sent to a large number of recipients or posted in a large number of places
https://dictionary.cambridge.org/dictionary/english/spam
> unwanted email, usually advertisements
I don't get _only_ this from Mailchimp, but I definitely get quite a bit of this from Mailchimp, Sendgrid, and others. I've marked it spam, reported it to them (no response), and continued to receive the emails.
I can be kind of scatter brained and generally give the benefit of the doubt, but sometimes it's pretty clear that, e.g., I most definitely did not sign up with some accountant in a different country, in a place I've never been to, to receive reminders of tax deadlines that don't apply to me and offers of accounting services I can't use. Or if I somehow did, the signup was deceptive enough that they never received meaningful consent and I'd call it spam anyway.
(And the email they're sending this to is not some easily confused gmail address or a fat finger--it's my own name at my own domain.)
Having valid contact details or an opt out on their sign up form isn't relevant given I never signed up. It's _unsolicited_, _bulk_ email. It's spam.
Legitimate companies like to not provide the legally-required opt-in flow and assume consent without ever enabling or disabling a consent checkbox. That is spam too.
It's on Mailchimp to not take business from companies that abuse their system. If they get flagged as spam and their other customers have delivery issues because of that, I see that as a feature, not a bug.
Yes it is. Using a dark pattern to trick me into signing up doesn't make it not spam. It's still spam.
> Or if you ask not to be added to a mailing list and are added anyway.
> Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them.
There's a HUGE grey area between the random unsolicited emails for scams and legitimate business partners where I forgot to check the opt out. I get almost none of the first (spam filters are pretty good at keeping Nigerian princes from getting help to access their money), and also almost none of the last (because I'm hypervigilant about opting out of email and cookies and all that trash), so all the spam I get is from "asked not to be added but added anyways".
Most of those are coming from Mailchimp and similar services. I'm sure that if I could take the senders to court and disentangle their web of parent companies that had my email in the web form for 10 seconds before I opted out and they sold it to each of their 20 daughter companies and partner organizations, and then I received the first "legitimate marketing email" (LOL! LMFAO!) and unsubscribed from that (which will take effect in 20 business days) so now I'm only subscribed to 19 new mailing lists from that company and also the dozen other organizations they're a part of, until they pivot to a new marketing agency which - oopsie! - forgot about my opt-out request.
That's Mailchimp's business model and the way that the entire "legitimate marketing" economy works, but I still consider it spam.
It's very rare, but I get those types of spam emails from MailChimp.
This is the textbook legal definition of spam in any sensible jurisdiction, though.
that might be what it is for in a theoretical sense. but that is not how it is being used.
Mailchimp is specifically made for mass email emission, for marketing a newsletter and whatnot. So yeah, a lot of people will consider them spammers.
There's some delusion in the marketing world that just because someone places an order or creates an account they should be spammed.
It's a little irritating, although I reserve full enmity for the spammers who I've never interacted with ever.
Yes, this excludes any people, customers or otherwise, who did not knowingly and willingly opt-in to specifically receive marketing emails / promotional emails / any other unnecessary emails.
A good heuristic is: if somebody receives an email from you that they do not want, there's a good chance you're spamming them: maybe by calling a marketing email, an "update" instead; maybe because you didn't make it abundantly clear to them when they opted-in that they would receive emails of that type.
It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
> It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
They probably didn't subscribe to the newsletter, they were subscribed, or tricked into subscribing. Either way, it's spam, and legitimate companies do not mix transactional e-mail ("order confirmations, e-tickets, etc.") with marketing e-mail.
FWIW, I'm one of such people clicking "mark as spam" on marketing e-mail, and I do it intentionally.
Don't send spam and I won't mark it as spam. I didn't sign up for your newsletter, don't send it to me. Creating an account or placing an order does not mean I agree to your spam.
Checking my received emails for mailchimp I see a whole bunch of legitimate emails, including for flightschedulepro which uses it. I also see replies to my abuse reports to mailchimp saying the problems have been addressed.
Do you report any of these spams to mailchimp?
https://en.wikipedia.org/wiki/Abuse_Reporting_Format
How to bulk do this is interesting too. https://en.wikipedia.org/wiki/Feedback_loop_(email) says that gmail has a bulk format and that sendgrid is seeing some success.
Not defending just trying to see what a technical solution looks like
Shows you how to use Google's thing if you are a sender to know if @gmail folks are reporting you. It doesn't address what to do if someone's @gmail is doing this to you (a workspace custom domain yes)... @gmail are rate-limited to a few 1000s per day per gmail address but this is still a lot obviously
But only in Gmail then? Where is it possible to report a spam from a Gmail address received on a non-Gmail inbox?
Google is being a real PITA as the receiving side for people who try to self-host their mail or who use small providers. They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
You can use this form
>They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
Eh? They do tons in anti-bot detection. But the value in exploiting and using Google's service is extremely high so bot authors are increasingly getting creative. Google stops running Gmail and simply another service becomes a high value target.
At least Microsoft fixed their Azure abuse after 10 years of not giving a fuck. It used to be stupid fucking easy to set up a trial O365 tenant and spam the fucking internet through "onmicrosoft.com" domains. And they let that go for 10 years.
edit: I might be incorrect on this and was thinking about how unsubscribing is standardized instead.
Basically, there is no standard beyond the ages-old requirement to have abuse@ and postmaster@ email addresses that react to such reports. Which Google doesn't follow at all, you just get redirected to some useless web form which requires a Google account and the sacrifice of a goat.
It is entirely Google's fault, and they should be shunned for it and their emails dropped. But unfortunately, they are too big for that by far...
Same as Gmail broke IMAP standard, or Gtalk XMPP standard.
Google can do whatever they please, they've become the standard of humanity surveillance.
They're not sending emails directly from their gmail address.
But they are adding victim emails to other Google services and then Google themselves send them invitation emails.
And if you name your service like "Google helpdesk - password reset" or something like that.
Invitation email from Google will look very official, but URL in the email will be controlled by the attacker.
It's a pretty old working technique used for phishing for years now.
Spam report does nothing, since you're reporting official Google email.
In recent months I'm seeing instances where random personal mail accounts on a server I run would receive a barrage of mail in a short amount of time.
Mail seems to be bounced via Google Groups - they are sent from Google's IPs and have headers like X-Google-Group-Id, List-*, etc. all pointing to Google Groups. The actual group ID changes after each individual instance of this. However when I actually check e.g. the List-Archive URL, the group appears to have already been deleted.
The content of mail looks like it originates from various (legit-looking) random public web services, support requests, issue trackers, web contact forms etc. For example, a common reoccurring one is Virginia Department of Motor Vehicles (as in something like "thank you for filing a document #123 with us").
No apparent phishing links, no attached malware, no short advertisements snuck into a text field etc. Just automated replies from "noreply@"-type addresses.
It does not seem to be the case of trying to hide another attack (as discussed here for example: https://news.ycombinator.com/item?id=47609882) - over many instances I've not seen any other malicious activity. And this mail is filtered out easily enough based on Google's headers.
It all looks like there is some bot that a) creates a Google group and subscribes (one or more) random email addresses to a Google group and then b) enters the group's mail address into a bunch of random web forms that then send their automated responses to the group.
What could be the motivation for this? After the fact it's filtered pretty easily based on headers. It's not nearly enough volume to DoS the server. But why would someone go through the trouble of setting this up?
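The header-based filtering described in the comment above, sketched as an added example that is not part of the thread: it flags messages relayed through Google Groups by the `X-Google-Group-Id` and `List-*` headers the commenter mentions, and reports recipients that received a burst from a single group. The sample messages, addresses, group ids, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

GROUPS_DOMAIN = "googlegroups.com"

def groups_relay_id(msg):
    """Return the group id if the headers mark the message as relayed
    through Google Groups, else None."""
    group_id = msg.get("X-Google-Group-Id")
    if not group_id:
        return None
    # Also require a List-* header pointing at Google Groups, so a lone
    # X-Google-Group-Id header is not enough on its own.
    list_values = [v for k, v in msg.items() if k.lower().startswith("list-")]
    if not any(GROUPS_DOMAIN in v.lower() for v in list_values):
        return None
    return group_id.strip()

def find_bursts(deliveries, window=timedelta(minutes=10), threshold=3):
    """deliveries: iterable of (envelope_recipient, raw_message).
    Returns (recipient, group_id, peak_count) for every recipient/group pair
    with at least `threshold` group-relayed messages inside `window`."""
    seen = defaultdict(list)
    for rcpt, raw in deliveries:
        msg = message_from_string(raw)
        gid = groups_relay_id(msg)
        if gid is None:
            continue
        try:
            when = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # missing or unparseable Date header
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        seen[(rcpt.lower(), gid)].append(when)
    bursts = []
    for (rcpt, gid), times in sorted(seen.items()):
        times.sort()
        start = peak = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((rcpt, gid, peak))
    return bursts

def _sample(minute, group_id=None, list_headers=True):
    """Build one constructed message (not real traffic)."""
    headers = ["From: noreply@forms.example",
               "Subject: Thank you for your submission",
               f"Date: Mon, 06 Jan 2025 10:{minute:02d}:00 +0000"]
    if group_id:
        headers.append(f"X-Google-Group-Id: {group_id}")
        if list_headers:
            headers.append("List-ID: <constructed-group.googlegroups.com>")
    return "\n".join(headers) + "\n\nAutomated reply.\n"

SAMPLE = ([("user@mail.example", _sample(m, "100200300")) for m in (0, 1, 2, 4)]
          + [("user@mail.example", _sample(5)),
             ("other@mail.example", _sample(6, "999"))])

if __name__ == "__main__":
    for rcpt, gid, count in find_bursts(SAMPLE):
        print(f"{rcpt}: {count} messages via group {gid}")
```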
My thinking so far against was 1) after a few months I'm pretty sure I would hear about the real attack 2) Repeating too frequently. People aren't getting hacked all the time (I hope).
But who knows? Now I'm thinking that maybe some other step in the attack is failing and maybe the attackers just trigger the email bomb part pre-emptively in case they actually succeed in resetting the password/purchasing/whatever.
The format is something like googlegroups-manage+{groupName}+unsubscribe@googlegroups.com
Just send an email there and they stop coming (for that list).
Source: I was getting spam like this, a fellow victim did some tests and confirmed that it stopped the onslaught of messages.
It's not even that much of a hassle. What worries me is that I don't understand why someone would go through the trouble of doing this for no apparent benefit. I hope I'm not somehow unknowingly enabling some sort of an attack on any of the entities sending these automated replies.
Gmail cannot be whitelisted anymore: spam, phishing,... On the other hand, if your users redirect twitter or linkedin notifications from their domain to a gmail account, Google claims you are sending too fast and is suspicious (and throttles or blocks ip).
Hilarious.
No such thing. And if you just want to assign anybody who works in IT to it in order to create the concept of such a thing, a large percentage of this community would work at Google, a company that depends on Google, or a company that has the same attitude as Google.
So it's less pie in the sky than nonsense. People don't talk about things changing in the physical world without talking about force, mass and inertia, but when it comes to people, the theory of power just evaporates and we start wishing for things to spontaneously happen because we've declared that they should happen.
With some weird definition of "should" which relies on our personal conception of the world. In the physical world, we say something "should" happen when we expect it to happen based on our theories of how the world works. With people we say things "should" happen when we personally want them hard enough.
Before Google, AOL were the previous big-beast mail host, and they did provide some tools to help diagnose why you couldn't get through to their users. It still felt like there was more of a balance of power towards the grumpy sysadmins.
I’m not jumping through hoops when I’m not doing anything wrong. SPF, DMARC, DKIM, IP address not on a blacklist, and I send zero spam. Only human-written client communications 1:1.
So, my clients with hotmail.com addresses don’t get emails from me. I can call them, they can call me.
Maybe try saying the spam has porn or inappropriate images?
I remember a bunch of spam and phishing emails from weird Outlook addresses. Don't remember any from Google.
The obvious (and correct) explanation is deliverability. Spammers send from Google services because they can inbox, they don’t send from other services because those services will not inbox successfully.
I'm not denying that they are sometimes used by spammers, but they are definitely a legitimate operation that takes action against spammers if you report them.