[Cialug] Google SPAM
Jared Brees
fromj2sitsme at msn.com
Thu Dec 23 05:51:12 UTC 2021
Lee, I'm not sure why you're resisting their answers, but David and Andrew have the correct answer(s) as far as the problem was described. Use email headers to verify where the email is from and blacklist to your heart's content if it says it's Google/Gmail without proper SPF/DKIM saying so. If you wanted "Google but not Gmail", you could take the Gmail SPF record, dump the netblocks (looks like there are about a dozen or so CIDR ranges currently), take the reverse DNS of the source IP, and if it comes from Google, compare against the list from the SPF record. But the "right way" would not be to blacklist Google Cloud just because of some bad actors, rather just those that aren't passing SPF go to junk automatically.
Side note, for what it's worth, 209.x.y.z is not a class B in classful networking, it'd be a class C (but that's not really relevant anyway since CIDR). https://en.wikipedia.org/wiki/Classful_network https://datatracker.ietf.org/doc/html/rfc791
Side side note, the domain registration data and DNS servers for theplanet[.]com do not appear to correlate with any other Google-owned domains I've spot-checked (google.com, google.org, gmail.com, abc.xyz)
Lastly, if you've already isolated the spam to a single IP address - why not just block that one?
________________________________
From: Cialug <cialug-bounces at cialug.org> on behalf of David Champion <dchamp1337 at gmail.com>
Sent: Monday, December 13, 2021 22:34
To: Central Iowa Linux Users Group <cialug at cialug.org>
Subject: Re: [Cialug] Google SPAM
Maybe the right thing to do would be to set up your mail server to reject
emails that don't pass DMARC tests (i.e. SPF and DKIM).
See:
https://www.linuxbabe.com/mail-server/opendmarc-postfix-ubuntu
-dc
On Mon, Dec 13, 2021 at 2:41 PM L. V. Lammert <lvl at omnitec.net> wrote:
> On Mon, 13 Dec 2021, Andrew Denner wrote:
>
> > I get it, the biggest issue I can see is not only Google uses the
> > Google cloud. Some users may have legit domains/use and just black
> > holing all of Google cloud less Gmail may be a rather heavy hand.
> >
> The weirdest part is that it seems to come in waves - weeks of little or
> none, .. then 50 in one day. All in some weird font, unreadable. Only the
> From is typically readable.
>
> Logging source IPs just to see any pattern, so far a single Class B:
>
> 209.85.n.n
>
> Wonder if Google owns theplanet.com?
>
> Safe travels!!
>
> Lee
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
>
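The netblock comparison Jared describes at the top of this thread (expand the sender domain's SPF record into its CIDR ranges, then test the connecting IP against them), as an added example that is not code from any poster. The TXT records, the `mail.example` names and the documentation address ranges are constructed stand-ins for live DNS answers, and the reverse-DNS step is left out so the block runs offline; `lookup` is a hypothetical hook where a real resolver would go.

```python
import ipaddress

# Constructed TXT records (RFC 5737 / RFC 3849 documentation ranges),
# NOT Google's real SPF data.
SAMPLE_TXT = {
    "mail.example": "v=spf1 redirect=_spf.mail.example",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.128/25 ~all",
    "_nb2.mail.example": "v=spf1 ip6:2001:db8:4000::/36 ip4:203.0.113.7 ~all",
}

def spf_netblocks(domain, lookup, _seen=None):
    """Follow include:/redirect= from `domain`; return all pass-qualified networks."""
    seen = set() if _seen is None else _seen
    if domain in seen or len(seen) >= 10:   # loop guard and lookup budget
        return []
    seen.add(domain)
    terms = (lookup(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    nets = []
    for term in terms[1:]:
        if term[0] in "-~?":                # fail/softfail/neutral terms authorise nothing
            continue
        term = term.lstrip("+")
        low = term.lower()
        if low.startswith(("ip4:", "ip6:")):
            # A bare address (no /prefix) becomes a /32 or /128 network.
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif low.startswith("include:"):
            nets += spf_netblocks(term[8:], lookup, seen)
        elif low.startswith("redirect="):
            nets += spf_netblocks(term[9:], lookup, seen)
    return nets

def sender_in_spf(source_ip, domain, lookup=SAMPLE_TXT.get):
    """True if source_ip falls inside any network published in domain's SPF tree."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == net.version and ip in net
               for net in spf_netblocks(domain, lookup))

if __name__ == "__main__":
    for addr in ("192.0.2.44", "198.51.100.10", "2001:db8:4abc::1"):
        verdict = "listed" if sender_in_spf(addr, "mail.example") else "not listed"
        print(addr, verdict)
```
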