Mailing List Archive

Spam from Googlegroups (rfc-ignorant)
Hello *,

for some days I have been spammed with several 1000 invitations to tons
of GoogleGroups. Nearly all group owners have Yahoo e-mails.

Now I have sent 16 messages to <abuse@googlegroups.com> and every
time I get a message back saying I should go to a link, log in and fill
out a web form, and this from the spammed account...

This means I have to create for each abused e-mail an account at Google!

Question: How do you handle such crap?

Blocking ANY Google domains won't work very well... even if I get per
day over 100.000 spams from them on my servers. If more users would use
their own domain, the gmail/googlemail problem would disappear.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France itsystems@tdnet
Owner Michelle Konzack Owner Michelle Konzack

Apt. 917 (homeoffice) Gewerbe Strasse 3
50, rue de Soultz 77694 Kehl/Germany
67100 Strasbourg/France Tel office: +49-176-86004575
Tel mobil: +33-6-61925193 Tel mobil: +49-177-9351947

<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de

Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: Spam from Googlegroups (rfc-ignorant)
On Sun, 3 Jul 2011 17:45:33 +0200, Michelle Konzack wrote:

> Question: How do you handle such crap?

reject yahoo.com senders that are NOT DKIM signed

e.g. one could do it simply with postfwd, using a combined rule that matches
client_name and sender_domain

but use DKIM if you can

post a sample spam so rule maintainers can help
Re: Spam from Googlegroups (rfc-ignorant)
Hello Benny Pedersen,

On 2011-07-03 18:15:46, you hacked down the following:
> reject yahoo.com senders that are NOT dkim signed

The message has a From: from GoogleGroups... and in the E-Mail is the
E-Mail of the Group-Owner and the Groupname

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Re: Spam from Googlegroups (rfc-ignorant)
On Mon, 4 Jul 2011 14:50:12 +0200, Michelle Konzack wrote:

>> reject yahoo.com senders that are NOT dkim signed
> The message has a From: from GoogleGroups... and in the E-Mail is the
> E-Mail of the Group-Owner and the Groupname

are there 2 DKIM signers then?

did both pass?
Re: Spam from Googlegroups (rfc-ignorant)
Hello Benny Pedersen,

On 2011-07-04 15:53:33, you hacked down the following:
> On Mon, 4 Jul 2011 14:50:12 +0200, Michelle Konzack wrote:
> >> reject yahoo.com senders that are NOT dkim signed
> > The message has a From: from GoogleGroups... and in the E-Mail is the
> > E-Mail of the Group-Owner and the Groupname
>
> is there 2 dkim signers so ?
> did both pass ?

----8<------------------------------------------------------------------
Return-Path: <grbounce-aSLITQoAAABbHOT1FpKskcdh-XyiK3Hj=linux4michelle=tamay-dogan.net@googlegroups.com>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.tamay-dogan.net
X-Spam-Level:
X-Spam-Status: No, score=-0.2 required=4.5 tests=BAYES_20,MISSING_MID,
    RCVD_IN_DNSWL_LOW,SPF_PASS,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from mail-vx0-f187.google.com (mail-vx0-f187.google.com [::ffff:209.85.220.187])
    (TLS: TLSv1/SSLv3,128bits,AES128-SHA)
    by mail.tamay-dogan.net with esmtp; Sun, 03 Jul 2011 07:52:28 +0200
    id 00001F6B.4E10039C.00000F88
Received: by vxb37 with SMTP id 37so2376613vxb.4
    for <linux4michelle@tamay-dogan.net>; Sat, 02 Jul 2011 22:52:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=googlegroups.com; s=beta;
    h=from:to:subject:x-google-loop:date:mime-version:content-type;
    bh=JiSTKRkr02tjFnoEzmGaFgUAdVZgs020MXG6DlIYhT0=;
    b=LPB+Uyvcn5/+ks03h5W0T9+swjqrc3bW+3xVucpMSGKsjoXf/YWkKdj2em8i7WejZ1
    6Rk7CISPz2bukKN8r5avvFKIkBb/YxGzdoqyxlYOaQ+DxxZ55xzmDZLZbgKEH+T1/MV+
    7ADlJG1p3gfHFHLf2aFYirISMKXNXpfL2Tt+M=
Received: by 10.220.98.212 with SMTP id r20mr13873vcn.50.1309672326020;
    Sat, 02 Jul 2011 22:52:06 -0700 (PDT)
From: noreply@googlegroups.com
To: linux4michelle@tamay-dogan.net
Subject: Google Groups: You've been invited to deividfincher77364
X-Google-Loop: sub_invite
Date: Sun, 03 Jul 2011 05:52:06 +0000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Delivered-To: michelle.konXXXXXXXXux4michelle@tamay-dogan.net
Message-Id: <iDt1l.A.CT.1VAEOB@samba3>
X-TDMailSerialnumber: 10752011
X-TDMailCount: true

mitra.hesab8042286@yahoo.com has invited you to join the deividfincher77364
group with this message:

doubt conditions for and the formation until meaning their bank if for I
against Private the .

Here is the group's description:

In early disease frequently complicated person

---------------------- Google Groups Information ----------------------

You can accept this invitation by clicking the following URL:

http://groups.google.com/group/deividfincher77364/sub?s=hbxFIhQAAABO8lvvNKv7QrRd6oV-EnvhoeaIsP9k1eV1OMtpjOoZlQ&hl=en


--------------------- If This Message Is Unwanted ---------------------

If you feel that this message is abuse, please inform the Google Groups staff
by using the URL below.

http://groups.google.com/groups/abuse?invite=YgAAAERtOErxAAAAPIMqkG4AAAAAADo9a5oiQeIiXYfRfGKkNBUo9iw&hl=en

----8<------------------------------------------------------------------


The problem is that these invitation messages are endless... I get tons
of them and because I have no Google account these messages are probably
spam.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Re: Spam from Googlegroups (rfc-ignorant)
On Tue, 2011-07-05 at 10:29 +0200, Michelle Konzack wrote:

....snippage....

> mitra.hesab8042286@yahoo.com has invited you to join the deividfincher77364
> group with this message:
>
Is this a legitimate google group, i.e. one that wasn't set up as a spam
target? I ask because the genuine Google Groups I've seen have either
USENET type names or (at least) human-comprehensible names while this
one is pure obfuscated garbage.

IOW, can junk groups be identified by a rule that looks at the structure
of the group name?

> The problem is that these invitation messages are endless... I get tons
> of them and because I have no Google account these messages are probably
> spam.
>
AFAIK you can be a member of a Google Group without having a Google
account. Many of them map onto USENET so you can read them without ever
going near Google.

HTH

Martin
Re: Spam from Googlegroups (rfc-ignorant)
Hello Martin Gregorie,

On 2011-07-05 10:29:25, you hacked down the following:
> Is this a legitimate google group, i.e. one that wasn't set up as a spam
> target?

It does not seem to be...

> I ask because the genuine Google Groups I've seen have either
> USENET type names or (at least) human-comprehensible names while this
> one is pure obfuscated garbage.
>
> IOW, can junk groups be identified by a rule that looks at the structure
> of the group name?

It would be nice, if there could be an option for this kind of spam

> AFAIK you can be a member of a Google Group without having a Google
> account. Many of them map onto USENET so you can read them without ever
> going near Google.

But the second link in the INVITE message, which should point to an abuse
form, works only if you have a Google account to log in. AND it
is required that you write the abuse complaint from the e-mail which was
abused...

This means I have to create Google accounts for
  michelle.konzack
  linux4michelle
  bsd4michelle
  ...
nearly 200 others from my own enterprise (and 10 domains) like
  sammelbestellung
  verkauf
  sales
  einkauf
  support
  verwaltung
  abuse
  listmaster
  hostmaster
  webmaster

Yesterday I was at my lawyer's because of my GmbH and I have asked him about
this spam crap for HUGE enterprises like Google... He is definitely
willing to sue Google, Yahoo and Microsoft (Live/Hotmail/MSN) in Germany.

It cannot be that I have to accept nearly 400.000 spams every day from
them. I have to pay for the traffic on my mail servers... and I am only
a VERY small ISP. The estimated costs for spam are around 12.000 Euro
per month and increasing, since I have to upgrade my servers to bigger
CPUs and more memory because spamassassin/clamav require it. Currently
I get only 12-14 million spams per day (it is half of the level in the middle
of last year), but the crap from China or Asia is currently nearly 90%.

> HTH
> Martin

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Re: Spam from Googlegroups (rfc-ignorant)
On Tue, 5 Jul 2011 10:29:21 +0200, Michelle Konzack wrote:

> Return-Path:
>
> <grbounce-aSLITQoAAABbHOT1FpKskcdh-XyiK3Hj=linux4michelle=tamay-dogan.net@googlegroups.com>

could add this domain as freemail_domains

left-hand side before @ can be a freemail sender

> X-Spam-Status: No, score=-0.2 required=4.5
> tests=BAYES_20,MISSING_MID,
> RCVD_IN_DNSWL_LOW,SPF_PASS,T_DKIM_INVALID autolearn=ham
> version=3.3.1

adjust autolearn down to -1.2

> X-Google-Loop: sub_invite

reject in MTA, or score it in SpamAssassin

> The problem is that these invitation messages are endless... I get
> tons of them and because I have no Google account these messages are
> probably spam.

if it's unwanted it's spam
Re: Spam from Googlegroups (rfc-ignorant)
On Tue, 2011-07-05 at 12:07 +0200, Michelle Konzack wrote:

> But the second link in the INVITE message which should point to an Abuse
> Form is working only, if you have an Google-Account to log in. AND, it
> is required, that you write the Abuse Complain from the E-Mail which was
> abused...
>
OK, that catches me out too. Today I got the first of these messages
I've seen and, since it was fresh in my mind, I wrote a rule:

#
# Spamiferous Google Groups invitations
#
describe MG_GGROUPINV Unwanted invitation to join a Google Group
header __MG_GGH1 From =~ /noreply\@googlegroups\.com/
header __MG_GGH2 Subject =~ /^Google Groups:/
uri __MG_GGY /yahoo\.com/
body __MG_GGRP /the [a-z]{1,20}\d{1,6} group/
meta MG_GGROUPINV (__MG_GGH1 && __MG_GGH2 && __MG_GGY && __MG_GGRP)
score MG_GGROUPINV 8.5

This triggers on the message I received and the one Michelle posted. It
doesn't touch anything else in my spam test collection. It should be
fairly fast since most of its target regions in the message are short,
and even the body text containing the URI is pretty concise. I think it
will be hard to fool since everything it matches is standard Google
boiler plate and URIs apart from the Yahoo domain reference, which was
probably auto-generated from the address the spammer used to trigger the
invitation-spam.

It's an unspecific rule, in that it will trigger on any GG invitation
mail coming from Yahoo, but I don't care because I don't use Google
Groups, know very few Yahoo clients and think it's a vanishingly small
chance that a Yahoo user would invite me to join a GG I'd be interested
in. However, ymmv.


Martin
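
Added example, not part of the original thread or of SpamAssassin: a Python approximation of the four sub-rules behind MG_GGROUPINV, run over constructed invitations to show what the meta rule catches and where it can hit a wanted invitation. The helper names, sample addresses and group names are assumptions, and the URI extraction and whole-body whitespace folding only approximate how SpamAssassin prepares text for uri and body rules.

```python
import re
from email import message_from_string

# Python equivalents of the four sub-rules behind MG_GGROUPINV.
FROM_RE = re.compile(r"noreply@googlegroups\.com")
SUBJECT_RE = re.compile(r"^Google Groups:")
YAHOO_RE = re.compile(r"yahoo\.com")
GROUP_RE = re.compile(r"the [a-z]{1,20}\d{1,6} group")
# Rough stand-in for SpamAssassin's URI extraction (URLs and bare addresses).
URI_RE = re.compile(r"https?://\S+|[\w.+-]+@[\w.-]+\.\w+")

def subrule_hits(raw):
    """Return which sub-rules match one raw RFC 5322 message."""
    msg = message_from_string(raw)
    # Body rules see text with line breaks folded to single spaces, so a
    # group name wrapped just before the word "group" still matches.
    body = " ".join(msg.get_payload().split())
    uris = URI_RE.findall(body)
    return {
        "__MG_GGH1": bool(FROM_RE.search(msg.get("From", ""))),
        "__MG_GGH2": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
        "__MG_GGY": any(YAHOO_RE.search(u) for u in uris),
        "__MG_GGRP": bool(GROUP_RE.search(body)),
    }

def is_ggroup_invite_spam(raw):
    """The meta rule: every sub-rule must hit."""
    return all(subrule_hits(raw).values())

def make_invite(inviter, group):
    """Build a constructed invitation in the shape of the posted sample."""
    return (
        "From: noreply@googlegroups.com\n"
        "To: user@example.org\n"
        f"Subject: Google Groups: You've been invited to {group}\n"
        "X-Google-Loop: sub_invite\n"
        "\n"
        f"{inviter} has invited you to join the {group}\n"
        "group with this message:\n"
        "\n"
        f"http://groups.google.com/group/{group}/sub?s=PLACEHOLDER\n"
    )

# Constructed samples, not real traffic.
SPAM = make_invite("sender12345@yahoo.com", "examplename12345")
YAHOO_FRIEND = make_invite("friend@yahoo.com", "cyclists2011")
OTHER = make_invite("colleague@example.net", "linux-users")

if __name__ == "__main__":
    for name, raw in [("SPAM", SPAM), ("YAHOO_FRIEND", YAHOO_FRIEND), ("OTHER", OTHER)]:
        print(name, is_ggroup_invite_spam(raw), subrule_hits(raw))
```

The YAHOO_FRIEND sample is the false-positive case: a wanted invitation from a Yahoo address to a group whose name happens to be letters followed by digits scores the same as the spam.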