
Posted by pabs3 18 hours ago

FSF trying to contact Google about spammer sending 10k+ mails from Gmail account (daedal.io)
345 points | 197 comments | page 2
talkingtab 7 hours ago|
Anyone interested in creating a CommunityEmailAlliance? Like DKIM but with blocks on corporate email systems that allow spamming?
binaryturtle 5 hours ago||
I'm getting a lot, and I mean A LOT, of spam recently from various "<IP in reverse notation>.bc.googleusercontent.com" domains. Not sure what can be done about that. But the uptick is very noticeable.
tolciho 49 minutes ago|
Depends on the mail server. I'd probably 5xx all mail from googleusercontent.com as I don't give a toss if something Google breaks, and could debug what happened from the mail server logs. Google's incompetence in marking all the OpenBSD mailing list traffic as spam is why I'm running my own MX. If you have actual customers on your mail services you should audit the logs, see if anyone is actually using Google for something legit (usually it's the spam, I mean, marketing department being their usual sleazy selves), maybe flag the messages as potential spam by default. If you do have users doing something wacky with googleusercontent.com (email notifications from batch jobs, or something?) there are other ways those notifications could be done, e.g. over a VPN or via some other service that would allow all googleusercontent.com to be blocked by default from doing SMTP, ideally at the firewall level so less CPU is wasted on them. Complications here are that people forget or leave and so there might be some wacky workflow that uses Google running on some walled off server somewhere, so it may be a months long "slow simmer" to see if there is anything legit hiding in the noise. Or you could yank the band-aid off and see what breaks?
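
One way to run the log audit described in the comment above before blocking anything, as an added example that is not part of the thread. It assumes Postfix-style syslog lines (the comment does not name a mail server) and uses constructed hosts, addresses and queue IDs; it reports which local recipients actually accepted mail from `*.bc.googleusercontent.com` clients and which sender/recipient pairs repeat.

```python
import re
from collections import Counter, defaultdict

SUFFIX = ".bc.googleusercontent.com"

# Constructed sample: Postfix-style syslog lines (assumed format); all hosts,
# addresses and queue IDs are made up for illustration.
SAMPLE_LOG = """\
Apr 14 02:00:01 mx1 postfix/smtpd[2101]: 3F2A91C0B7: client=7.113.0.203.bc.googleusercontent.com[203.0.113.7]
Apr 14 02:00:01 mx1 postfix/qmgr[811]: 3F2A91C0B7: from=<batch@jobs.example.net>, size=1830, nrcpt=1 (queue active)
Apr 14 02:00:02 mx1 postfix/local[2110]: 3F2A91C0B7: to=<ops@example.org>, relay=local, delay=0.4, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 15 02:00:01 mx1 postfix/smtpd[2301]: 3F2A91C0B8: client=7.113.0.203.bc.googleusercontent.com[203.0.113.7]
Apr 15 02:00:01 mx1 postfix/qmgr[811]: 3F2A91C0B8: from=<batch@jobs.example.net>, size=1841, nrcpt=1 (queue active)
Apr 15 02:00:02 mx1 postfix/local[2310]: 3F2A91C0B8: to=<ops@example.org>, relay=local, delay=0.4, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 15 09:13:40 mx1 postfix/smtpd[2400]: 5D77E0A412: client=44.100.51.198.bc.googleusercontent.com[198.51.100.44]
Apr 15 09:13:40 mx1 postfix/qmgr[811]: 5D77E0A412: from=<win@promo.example.com>, size=9120, nrcpt=1 (queue active)
Apr 15 09:13:41 mx1 postfix/local[2410]: 5D77E0A412: to=<alice@example.org>, relay=local, delay=0.6, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 15 09:14:10 mx1 postfix/smtpd[2400]: 8E31F5A0C3: client=9.113.0.203.bc.googleusercontent.com[203.0.113.9]
Apr 15 09:14:10 mx1 postfix/qmgr[811]: 8E31F5A0C3: from=<win@promo.example.com>, size=9120, nrcpt=1 (queue active)
Apr 15 09:14:11 mx1 postfix/local[2411]: 8E31F5A0C3: to=<nobody@example.org>, relay=local, delay=0.2, dsn=5.1.1, status=bounced (unknown user)
Apr 15 09:20:00 mx1 postfix/smtpd[2420]: 6B10C3D9E1: client=mail.partner.example[192.0.2.25]
Apr 15 09:20:00 mx1 postfix/qmgr[811]: 6B10C3D9E1: from=<bob@partner.example>, size=2200, nrcpt=1 (queue active)
Apr 15 09:20:01 mx1 postfix/local[2421]: 6B10C3D9E1: to=<alice@example.org>, relay=local, delay=0.3, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 15 09:21:00 mx1 postfix/smtpd[2430]: 7C20D4EAF2: client=bc.googleusercontent.com.lookalike.example[192.0.2.99]
Apr 15 09:21:00 mx1 postfix/qmgr[811]: 7C20D4EAF2: from=<x@lookalike.example>, size=700, nrcpt=1 (queue active)
Apr 15 09:21:01 mx1 postfix/local[2431]: 7C20D4EAF2: to=<alice@example.org>, relay=local, delay=0.3, dsn=2.0.0, status=sent (delivered to mailbox)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")
TO_RE = re.compile(r": ([0-9A-F]+): to=<([^>]*)>,.*\bstatus=(\w+)")


def audit(log_text, suffix=SUFFIX):
    """Return {recipient: Counter({envelope_sender: delivered})} for messages
    whose SMTP client hostname ends with `suffix`. Assumes the client= line
    for a queue ID is logged before its from= and to= lines."""
    flagged = set()      # queue IDs received from matching client hosts
    sender_of = {}       # queue ID -> envelope sender
    per_rcpt = defaultdict(Counter)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            # Suffix match on the whole name, so lookalike domains do not count.
            if m.group(2).lower().rstrip(".").endswith(suffix):
                flagged.add(m.group(1))
            continue
        m = FROM_RE.search(line)
        if m:
            sender_of[m.group(1)] = m.group(2).lower()
            continue
        m = TO_RE.search(line)
        # Only deliveries that succeeded would be lost by a blanket 5xx.
        if m and m.group(1) in flagged and m.group(3) == "sent":
            per_rcpt[m.group(2).lower()][sender_of.get(m.group(1), "<>")] += 1
    return dict(per_rcpt)


def recurring(report, min_count=2):
    """Heuristic (an assumption of this example): the same envelope sender
    reaching the same recipient repeatedly may be a workflow, not one-off spam."""
    return sorted((rcpt, snd, n) for rcpt, senders in report.items()
                  for snd, n in senders.items() if n >= min_count)


if __name__ == "__main__":
    for rcpt, snd, n in recurring(audit(SAMPLE_LOG)):
        print(f"check with {rcpt}: {n} deliveries from {snd}")
```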
YesThatTom2 11 hours ago||
I’m old enough to remember when the FSF said that blocking spam was censorship. Good to see them wake up.
TheChaplain 16 hours ago||
It seems weird that Google wouldn't have some kind of observability alert on outgoing email. 10k emails per week is a lot.
superfrank 16 hours ago||
I'm not sure it actually is. Free Gmail is limited to 500 emails a day, but Workspace accounts are allowed up to 2000, so this spammer has to be using a Workspace account.

I've worked at a start up where the marketing team just had a `marketing@startup.com` email that was just like any other email in Google Workspace and used that for all marketing communications. Eventually they bumped up against that limit and a couple of engineers had to help them troubleshoot and there were enough blog and Stack Overflow posts at the time about hitting the limit to make me think what they were doing wasn't uncommon.

When you consider the scale of Gmail and that this is almost certainly a Workspace account so they're mixed in with business customers, I'm not sure how much of an anomaly 10k emails a week actually is.

compounding_it 16 hours ago|||
What if someone (Google) used Google suite to send 10k emails to fire people? Wouldn’t that be considered normal for the server for a day let alone a week? Yes I know I could have come up with a better example.
blitzar 15 hours ago|||
ye olde corporate reply to all bomb .. no more emails this week everyone, we have used up our quota
gambiting 15 hours ago|||
Those would be internal so I'm not sure they'd even count against your quota.
compounding_it 15 hours ago||
The example was given to say you could be a gsuite customer and have 10k emails a week be very normal. Something that wouldn’t trigger any alarms unless set. The alarms would probably be set on a curve. Something unusual would be far off the curve.
likis 14 hours ago|||
10k outgoing emails per week is NOT a lot.

Just imagine a weekly newsletter with 100k subscribers.

marcyb5st 14 hours ago|||
Yeah, you are using the wrong tool if you send your newsletter from a gmail account at that scale. You can get away with a few tens of people, perhaps a few hundreds.

Above that threshold you should use tools like moosend, benchmarkemail, or similar. And they ask a pretty penny when you reach that scale.

pembrook 14 hours ago|||
You can’t send bulk newsletters from gmail/outlook.
xp84 14 hours ago||
Well, you can't directly, but you can use SMTP, which you can plug into any garden-variety spamming tool as long as it supports that.
thayne 15 hours ago||
It may not be a single email, they might be using many throwaway accounts.
vachina 12 hours ago||
Someone hooked up their web app to Google Workspace email and the web app got pwned.

Google Workspace email is very generous with the kind of outgoing email you can send via their SMTP servers.

throwawaysoxjje 15 hours ago||
I wonder if this has to do with the massive number of google calendar invites I’ve been getting as payment/billing notifications lately.

I’ve not been reporting them because I already know they aren’t valid and do not do Google’s work for them

Barbing 13 hours ago||
Anyone getting hit with (Google) AppSheet-originating recruitment emails? Very well done. Imitating the biggest US brands.

Have reported AppSheet to FCC after seeing Google wasn't doing enough--same scam email format, same inbox-landing pathway, but still irked.

Also try forwarding the emails to the phishing emails of the misrepresented brands, when they have an address for it. Figure they're the ones who have any power.

KomoD 14 hours ago||
I thought they fixed that spam method a while ago
detourdog 14 hours ago|||
I haven't seen that one lately. I currently get lots of Norton LifeLock invoices with hundreds of addresses in the to field.

I always report them with suggestions they teach their AI that invoices sent to a large number of addresses are phishing.

john_strinlai 8 hours ago|||
we received several this week, so apparently not
noobermin 16 hours ago||
It honestly is a bit disappointing that most of the internet's "infrastructure" is tied up in large corporations that just get money for free by being the only provider and face little to no backlash (because of their monopoly) when they neglect things like basic customer service.
subroutine 16 hours ago||
Gmail is free. How much customer support resources should someone reasonably expect a company to dedicate towards their free-of-charge services?
pjc50 13 hours ago|||
Increasingly of the opinion that "free service with no support that's structurally essential for an economy" is some kind of trap. Possibly just the most comfortable kind of trap, a local optimum from which it's difficult to escape.

This is starting to become important as countries (very unwisely!) start tying things like national ID and banking to smartphones.

nomel 16 hours ago||||
I don't know if it's that simple. As a litmus test, try to set up your own mail server. See how many milliseconds it takes for it to be blacklisted by gmail. And then observe the response time for their support, when you try to clear up the confusion that google has about your intentions.
Arnt 14 hours ago|||
I run my own mail server, not blacklisted. Now I'm a bit of a special case, I know mail well.

But when a moderately technical colleague wanted to do the same, I told her to use Mox, she set it up and Gmail doesn't block her either.

So... would you please elaborate?

dwedge 9 hours ago|||
I find there are three people who comment about hosting email. A small group like us who set it up correctly and never have problems. A larger group who set it up but get the DNS wrong and warn people not to. And a third bigger group who never tried but listen to the second group and always comment that you'll have 1% deliverability.
ssl-3 4 hours ago||
It is different than it once was.

It was dead-nuts simple in the 1990s: Just learn enough about DNS to put in an MX record that points to an A record, get sendmail working, and have it begin delivering mail. The end. (Open relay? No spam filter? No virus scanning? No nothin'? Yeah, that kind of was the style at the time...)

It's got a lot more steps today, but it's still do-able. Operationally, keeping a mail server online and treated well just takes one or two people to spend a little bit of time occasionally to stay proactively ahead of new expectations and requirements instead of reacting to them after things change.

It also helps if Carla, from marketing, doesn't wake up one day and decide to spam the entire customer list without asking for guidance first. Maybe I should have put some automatic mitigation into place for that, but whatever: We chatted about that and it never happened again.

(Or at least, I find that to be true with smaller companies. Bigger ones obviously may require more elaborate systems to handle more volume and/or provide better uptime. But the requirements of keeping the reputation up are about the same regardless of scale, and that still only takes one or two people to pay attention to things sometimes. [And the only reason two might be required is in case one of them gets hit by a bus.])

nonameiguess 45 minutes ago|||
"Blacklisted" probably doesn't have a sufficiently clear definition. I don't even run my own server, just use a custom family domain that is served by protonmail, and discovered when trying to go through foster licensing that virtually all of the agencies were not reading my e-mails because Microsoft and Google alike were routing them into the spam folder, but they weren't being blocked or bounced. I wouldn't have even known if I hadn't called a few and asked them to check.

I am definitely not being flagged for any actual spam-like behavior. I might send out 40 e-mails a year, and even though it's a "family" domain, I'm the only one who has ever used it, ironically enough, as part of my decade-old effort to de-Google.

ssl-3 14 hours ago||||
I've built mail servers before Gmail existed that lasted long enough to get blacklisted by Gmail.

Fixing it was always pretty simple -- or at least, non-mysterious. They'd bounce some things, I'd look at the headers of the bounced messages, and therein were links to instructions there that showed how to resolve whatever issue it was this year.

Just follow the steps, implement the new thing, and stuff started flowing again in rather short order. Not so bad.

IIRC, the only time it ever cost us any money was when the RBLs started keeping track of dynamic IP pools and we needed to finally shift over to something actually-static.

oivey 16 hours ago||||
It’s free, but it’s not like they’re running Gmail as a charity, either. It has revenue and contributes to their other businesses.
bigfatkitten 15 hours ago||||
Google’s support for paying customers isn’t much better unless you’re spending well into the millions per year.

AWS, on the other hand has proven willing to move mountains for me as a $15/mo customer.

BLKNSLVR 15 hours ago||||
If it didn't provide value it wouldn't exist.

Maybe it's only legacy, but gmail brings customers to Google and their related services. Escalation then brings them on as paying Customers. A loss leader may make a loss if looked at in a bubble, but if looked at as part of the "Customer Lifecycle" then other areas of profit would likely be much smaller without the free gateway.

It takes me active resistance to avoid Google's paid services, and I'm staunchly independent in relatively rare air. The minor capitulation required to turn into a paying Customer would capture a good percentage of their erstwhile-free gmail users (I would think. Yes, conjecture, interested in explanations of alternative theories).

sambuccid 15 hours ago||||
We might not be paying money, but we don't know what happens to our private data. Maybe it's not used at all, maybe used just internally, maybe could be even sold. Data of millions of users is very very valuable, even just thinking about how much targeted adverts could be placed with it.
fragmede 15 hours ago||
It isn't sold directly. There are robust internal controls so random employees can't just snoop on eg ex girlfriends' email or be fired.

Source: Used to work there.

robot-wrangler 15 hours ago||||
> How much customer support resources should someone reasonably expect

Zero. OTOH, since I'm sure they are training on emails and archiving/profiling everything forever even if we delete messages.. those constant threats to become a paying customer before hitting some arbitrary small quota are still villainous

grey-area 15 hours ago||||
Gmail shows ads to make money so it is not loss making. Google Workspace charges money per user (and still offers abysmal support).
dec0dedab0de 8 hours ago||||
Enough that they're not facilitating abuse.
gilrain 10 hours ago|||
Gmail is profitable. How much harm should profitable services be allowed to perpetuate in the world to enable their profit?
unmole 16 hours ago||
> get money for free

How do they get money for free? What is stopping everyone else from doing the same?

noobermin 16 hours ago|||
A monopoly. It's hard for "everyone else" to develop a monopoly today, to suggest otherwise is a ridiculous assertion.
unmole 16 hours ago|||
Gmail is not a monopoly. When it comes to actual paying customers, it is not even the market leader

> ridiculous assertion.

What is ridiculous is the idea that running an email service at a massive scale like Gmail is somehow free.

JoshTriplett 15 hours ago|||
> Gmail is not a monopoly.

https://pdx.social/@evergreensewing/116388477430172491

> For the first time since we started the company back in January/February, we have a customer who does NOT use Gmail for their email address.

> In case you wanted to see what a monopoly looks like.

diath 12 hours ago|||
This is anecdotal but here's the breakdown of top 10 e-mail providers from my database, does not look like a monopoly:

    MariaDB > SELECT SUBSTRING_INDEX(email, '@', -1) AS domain, COUNT(*) AS cnt FROM accounts GROUP BY domain HAVING domain != '' ORDER BY cnt DESC LIMIT 10;
    +-------------+-------+
    | domain      | cnt   |
    +-------------+-------+
    | hotmail.com | 38015 |
    | gmail.com   | 16280 |
    | yahoo.com   |  4080 |
    | o2.pl       |  2321 |
    | wp.pl       |  2206 |
    | live.com    |  1415 |
    | outlook.com |   814 |
    | interia.pl  |   609 |
    | hotmail.es  |   590 |
    | live.se     |   521 |
    +-------------+-------+
    10 rows in set (0.044 sec)
JoshTriplett 1 hour ago||
That's helpful data, thank you. Sounds like it may depend on the service. (I'm genuinely shocked to see that many hotmail addresses, and can't help but wonder if there are correlations with other factors.)
unmole 14 hours ago|||
Most people use Gmail because they want to, not because they have to. It's a free, superior product. Pretending voluntary preference is a monopoly is nonsense, but it is a very Mastodon-brained take.
JoshTriplett 1 hour ago||
One way monopolies form is by giving away something that others would have to charge money for.

Another way monopolies form is via exclusionary practices and the resulting impression that "things that aren't gmail are less reliable". (Anti-spam does not have to be exclusionary, and anti-spam is generally a good thing, but when it reliably sends smaller providers' mail to spam based solely on them being smaller providers, it is.)

Another way monopolies form is via social effects. "What's your gmail?", or people on first-tier technical support hearing you say an email address and assuming it's a gmail address and having to be corrected, and having never encountered one of those before.

Assuming any of those are "voluntary preference" is a take.

noobermin 16 hours ago||||
It's a figure of speech. I am not saying it is literally free. I'm being facetious. What I mean is they get money overwhelmingly because of their position in advertising and through android that essentially allows them to never worry about losing users. Who is going to attempt to delete their google account over poor customer service? You literally cannot access half of the internet today without a Google account.
ranger_danger 15 hours ago|||
> You literally cannot access half of the internet today without a Google account.

This must be the half I have never heard of then. What non-google websites specifically require a google account?

unmole 15 hours ago|||
[flagged]
themafia 15 hours ago||||
Try running your own SMTP server for a while. Gmail holds what appears to be monopoly power and uses it quite readily. Even ISPs with "free" customer email addresses aren't nearly as onerous as google is.
eesmith 12 hours ago|||
There is a common misapprehension that the term "monopoly" can only be used when there is a single supplier.

Quoting https://en.wikipedia.org/wiki/Monopoly : "In law, a monopoly is a business entity that has significant market power, that is, the power to charge overly high prices, which is associated with unfair price raises."

Or from Milton Friedman, "Monopoly exists when a specific individual or enterprise has sufficient control over a particular product or service to determine significantly the terms on which other individuals shall have access to it". https://archive.org/details/capitalismfreedo0000frie/page/12...

In the post-Borkian interpretation of monopoly, adored by the rich and powerful because it enables market concentration which would otherwise be forbidden, consumer price is the main measure of control, hence free services can never be a monopoly.

Scholars have long pointed out Bork's view results from a flawed analysis of the intent of the Sherman Antitrust act. For example, Sherman wrote "If we would not submit to an emperor, we should not submit to an autocrat of trade, with power to prevent competition and to fix the price of any commodity." (Emphasis mine. Widely quoted, original transcript at p2457 of https://www.congress.gov/bound-congressional-record/1890/03/... ). Friedman makes a similar point (see above) that a negative effect of a monopoly is to reduce access to alternatives.

One well-known rejection of the Borkian view is in Lina Khan's "Amazon's Antitrust Paradox" paper. https://yalelawjournal.org/pdf/e.710.Khan.805_zuvfyyeh.pdf

In it she quotes Robert Pitofsky in "The Political Content of Antitrust":

"A third and overriding political concern is that if the free-market sector of the economy is allowed to develop under antitrust rules that are blind to all but economic concerns, the likely result will be an economy so dominated by a few corporate giants that it will be impossible for the state not to play a more intrusive role in economic affairs"

(I can't find a copy of that source online, but you can see the quote at https://archive.org/details/traderegulationc0005pito/mode/2u... where Pitofsky rejects viewing antitrust law through an exclusively economic lens.)

Even if you support the Borkian interpretation, you should still worry about the temptation for the US government to "play a more intrusive role" with GMail accounts. I strongly doubt Google will follow Lavabit's lead and shut down email should the feds come by with a gag order to turn over the company's private keys.

In the name of national security, of course.

protocolture 16 hours ago|||
They aren't a monopoly, and especially not a monopoly on emails.

How did we get to the point where there can be 12 services, but the one with lots of customers is a "Monopoly"? It's a complete destruction of the word. They aren't killing their competitors, nor making it illegal to compete. Yeah it's harder in the current era to run your own mail server, for a variety of reasons involving spam. But can we just cut the shit on calling literally every company with more than 100 employees a Monopoly?

mindslight 16 hours ago|||
Postel's law means you can just mentally replace "monopoly" with "anticompetitive restraint of trade" and go on to address the substantive point.
protocolture 15 hours ago||
But there's not even that going on.

Most of the problems people have spinning up their own email servers, like getting blacklisted by the big boys, are less bad societally than actually accepting and routing the quantity of spam they are blacklisting. Does it benefit them? Kind of. But it's not anticompetitive in any real sense. These restrictions are obvious and basic. If you really wanted to, you could spend a significant, but in the grand scheme of things small, amount of money to break into the same game.

I mean there's a non-zero chance that if Google, Microsoft and Amazon stopped being so damn picky, the government would turn around and regulate that they do exactly what they are doing now, to resist the plague of spam that would result.

It's like getting mad at Visa and Mastercard for insisting on the PCI DSS for people they transact with. If it wasn't mandated by Visa and Mastercard, it would become government regulation (and is already referenced by regulators in some jurisdictions)

"Ooooh no Visa is being anticompetitive making me secure my environment and prove that security to a trusted third party what a terrible monopoly they have".

xeyownt 12 hours ago||
You are missing the point.

The point is that they don't provide the level of services required by their position, which is dominant.

When you have a legitimate problem with Google, they don't reply to you. The news here is again an example of that. The only thing you can do is abide by their rules, which often requires you to subscribe to their services or be at their mercy.

bmandale 16 hours ago||||
>How do they get money for free?

market power

>What is stopping everyone else from doing the same?

see above

unmole 16 hours ago||
Nice circular reasoning you got there. How do they have market power? Did they get it for free?
darkwater 16 hours ago|||
No, they got it by Gmail being a loss leader paid by Google AdSense in the search engine. Now they have AdSense in Gmail directly, so I guess it pays for itself.
unmole 15 hours ago||
So, Google built a superior product that is profitable and we are supposed to be mad about this?
throwaway173738 8 hours ago|||
AT&T was once broken up and then after that you could connect a modem to a phone line. The whole public use of the Internet is a consequence of breaking up a “superior product” that became a bloated market incumbent resting on its laurels.
darkwater 9 hours ago|||
No, we should be mad at Google or any other BigTech taking over a big enough chunk of a federated system to basically dictate what can be sent/received and what not. With no human in the loop if you don't agree with their decisions.
ranger_danger 16 hours ago|||
Advertising and eyeballs, I'd assume
anonymousiam 12 hours ago||
Lately I've been using SpamCop.net to make spam reports. It seems to work, and it's free. You are encouraged to donate, and they don't ask for much.

It's not perfect though. For some reason, it doesn't find (or deliberately ignores) OVH hosts that are relaying spam.

dirkf 9 hours ago|
I've been using SpamCop for years (decades?) but lately I've been wondering if they're still relevant.

One example: they seem to have a size limit of 50KB when you report a spam mail via their web form. I've received quite some spam that exceeds that because they use base64 encoding of the body, add non-visible filler content to drown out the actual spam/phishing message, etc.

SpamCop suggests to cut off the message and still process it but then they miss e.g. the link to the phishing website and thus they can't send out a report for that.

Speaking of phishing links: a lot of the phishing mails I receive, link to some account on storage.googleapis.com. I've seen mails with links to the same account for weeks on end before they switch to a different one, implying that these links remain online for a long time. You would think that marking such mails as phishing in GMail (they are already flagged as spam) would get them on some kind of radar but apparently not...

tiku 11 hours ago||
I'm reporting every spam mail that I get through Gmail from Gmail accounts but it doesn't seem to help!
Kim_Bruning 11 hours ago|
(I haven't run my own mail-server in a while. It's getting harder and harder.)

Are the real-time-blackhole lists still a thing?

If they're regularly allowing spam and not responding to reports in any sort of timely manner, possibly they should be reported to those.

Not going to work though, is it. Too big to fail shouldn't be a thing. It's not like you can't be flexible about it or give them some room to deal with it within corporate policy; but they do need to deal with it, right?

Realistically, I think some companies have outgrown the size where internet can still self-regulate them. You'd hurt yourself more than gmail.

This either needs laws or new game theory.

Or -you know- deprecate the current email system. I know that's a perennial proposal; but that's because every year it gets even more broken in even more interesting ways. It's patch-on-patch-on-patch at the moment. Just spinning up sendmail on a random box won't quite cut it anymore, if you want to participate.
