hehehe.. assume you are directing that to the Google outbound spam filtering team ;) But need to recognize it in a way that it isn't a whack-a-mole approach.. e.g., chasing tenant IDs..

Valuable contribution nonetheless..

Need to be able to see a pattern that can automatically mark a tenant as a spammer.. probably needs one more bit of information.. might be worth getting our auditors to deploy a DRE (Dynamic Rule Engine) rule across all our installations, to feed our DFS (Distributed Feedback Systems) data specific to the Google Tenant ID..

But so that it doesn't trigger on a legit user, what suggestions does the list have as far as another data point in these messages, and I can pass it along to the team/researchers..


On 2021-04-27 10:26 a.m., Michael Wise via mailop wrote:
Look at the next thing after the first / to get the Google tenant ID.

Typically that first subdirectory is common to a whole lot of this spam.

Some examples…

dsgdfdf

signaturesatori

svg02

bioun

assi98sd8a

Aloha,

Michael.

--

*Michael J Wise*
Microsoft Corporation | Spam Analysis

"Your Spam Specimen Has Been Processed."

Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Michael Peddemors via mailop
Sent: Tuesday, April 27, 2021 9:12 AM
To: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] [INFORMATION] What's happening in the world of spam/email abuse update

On 2021-04-27 8:31 a.m., Rob McEwen via mailop wrote:
> On 4/27/2021 11:00 AM, Michael Peddemors via mailop wrote:
>> New Google Groups style spam outbreak..
>
> Many of them (or all of them?) are doing the following:
>
> (1) sent from legit Google mail servers
>
> (2) the spammer's "payload URL" in the body of the message - is content
> hosted at *storage[.]googleapis[.]com* servers
>
> (3) Those links are staying "live" for many days (possibly weeks/months?)
>
> This combination (1 & 2) makes them difficult to block - especially for
> small and medium sized hosters who don't have as much expertise and
> resources to deal with this. Not to make excuses for such organizations'
> lack of abilities or resources/time - but they shouldn't be forced to
> expend such resources on dealing with "friendly fire" from Google's
> network. If Google were a small startup doing this right now, their IPs
> and domains would all get onto anti-spam lists, they'd be put out of
> business, and we'd "call it a day"! And then I also can't help but
> wonder - how many of those smaller email hosters just lost business
> email hosting customers this month to Google G-Suite - due to the
> customers' frustration over these SAME spams getting to the inbox? See
> the problem here?
>
> Also, this storage[.]googleapis[.]com spam has been happening for a long
> time - but they were sent from the spammers' own IP space (or other
> irrelevant IP space) - now they suddenly figured out a way to get these
> spams to be sent from Google MTAs.
>
> --
> Rob McEwen, invaluement

Yes, while in general it has been happening for a while (for a period we
even started blocking all Google Groups mail as a shot over their bow,
however we went back to 'filtering' it as likely spam, there were legit
users affected) this looks to be a new way to send Google list spam, and
not the traditional groups spamming methods we have seen over the last year.

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com/ @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca/
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
mailop@mailop.org <mailto:mailop@mailop.org>
https://list.mailop.org/listinfo/mailop


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
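
An added example, not part of the thread or any participant's tooling: one way to pull the first path segment after the host (what the thread calls the tenant ID) out of storage.googleapis.com links and count how many distinct messages share it, so a pattern shows up without chasing IDs by hand. The sample messages, object paths, function names and the `min_messages` threshold are constructed assumptions; the same name can also appear as a host label (NAME.storage.googleapis.com), which the sketch handles too.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

GCS_HOST = "storage.googleapis.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: (message id, body). Segment names are the ones quoted in the thread.
SAMPLE = [
    ("m1", "Click https://storage.googleapis.com/dsgdfdf/a.html now"),
    ("m2", "Defanged in a report: https://storage[.]googleapis[.]com/dsgdfdf/b.html."),
    ("m3", "Host-label form: http://svg02.storage.googleapis.com/c.html"),
    ("m4", "Lookalike host: https://storage.googleapis.com.example.net/dsgdfdf/x"),
    ("m5", "Again https://storage.googleapis.com/svg02/d.html"),
]

def refang(text):
    """Undo the [.] defanging used in the thread so URLs parse normally."""
    return text.replace("[.]", ".")

def gcs_first_segment(url):
    """Return the first segment of a storage.googleapis.com URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host == GCS_HOST:                      # path form: /NAME/object
        segs = [s for s in parts.path.split("/") if s]
        return segs[0].lower() if segs else None
    if host.endswith("." + GCS_HOST):         # host-label form: NAME.storage.googleapis.com
        return host[: -len(GCS_HOST) - 1]
    return None                               # anything else, including lookalike hosts

def tally(messages):
    """Map each first segment to the set of distinct message ids linking to it."""
    seen = defaultdict(set)
    for msg_id, body in messages:
        for url in URL_RE.findall(refang(body)):
            name = gcs_first_segment(url.rstrip(".,);"))
            if name:
                seen[name].add(msg_id)
    return seen

def candidates(messages, min_messages=2):
    """Segments seen in at least min_messages distinct messages (threshold is an assumption)."""
    return sorted(n for n, ids in tally(messages).items() if len(ids) >= min_messages)

if __name__ == "__main__":
    print(candidates(SAMPLE))
```
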
