This is a log snippet that may be helpful. Seems like Spamhaus and invaluement are starting to deal with it. The 74.75.228.35 address in this example is a Charter Communications IP.
If it's really true (@Michael?) that no host with "googleusercontent" should be touching our MTAs, then perhaps the more efficient route would be to create a filter for Fail2Ban to just ban the IPs?

zimbra@mb42:~$ grep googleusercontent.com /var/log/zimbra.log
Sep 19 00:52:43 my postfix/postscreen[2183487]: NOQUEUE: reject: RCPT from [34.78.118.67]:36576: 550 5.7.1 Service unavailable; client [34.78.118.67] blocked using <mykey>.zen.dq.spamhaus.net; from=<[email protected]>, to=<redacted.com>, proto=ESMTP, helo=<[10.88.0.3]>
Sep 19 11:09:32 my postfix/submission/smtpd[4066485 connect from 74.75.228.35.bc.googleusercontent.com[35.228.75.74]
Sep 19 11:09:32 my postfix/submission/smtpd[4066485 Anonymous TLS connection established from 74.75.228.35.bc.googleusercontent.com[35.228.75.74]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Sep 19 11:09:32 my postfix/submission/smtpd[4066485 lost connection after STARTTLS from 74.75.228.35.bc.googleusercontent.com[35.228.75.74]
Sep 19 11:09:32 my postfix/submission/smtpd[4066485 disconnect from 74.75.228.35.bc.googleusercontent.com[35.228.75.74] ehlo=1 starttls=1 commands=2

Regards,
Mark

--
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs
Winner of the Zimbra Americas VAR Partner of the Year - Two Years Running !

| From: "Scott Q. via mailop" <[email protected]>
| To: "Chris" <[email protected]>, "Michael Peddemors" <[email protected]>
| Cc: [email protected]
| Sent: Thursday, September 18, 2025 9:59:20 PM
| Subject: Re: [mailop] Google Cloud Asia Spam

| Would you guys mind sharing the blocks you are throttling / blocking ?

| What we did for now is simply looking up the PTR for any 34/8 and 35/8 connecting IP and if it ends with googleusercontent.com give it some spam points.

| Thanks!
| Scott

| On Thursday, 18/09/2025 at 16:06 Chris via mailop wrote:
|| On 2025-09-18 08:34, Michael Peddemors via mailop wrote:
|| > *.googleusercontent.com should not only not be sending email (either change PTR,
|| > or use a relay) so you can go beyond scoring, and simply reject.
|| > Also, given the history of abuse and/or compromises, we also recommend that you do
|| > NOT allow email authentication from those IPs, except as permitted in an allow .acl.
|| > Make sense?
|| I concur.
|| We've been dropping packets originating from them without so much as an ACK for some 5yrs.
|| Without *any* repercussions. Just reject. Your life will be much better for it. :)
|| > On 2025-09-16 07:58, Scott Q. via mailop wrote:
|| >> Sorry for reviving an older thread, we are still battling this Google spam issue.
|| >> Anyone else scoring e-mails directly received from IPs with a PTR of
|| >> *.googleusercontent.com ? Any downside to doing this ?
|| >> Gmail/Workspace doesn't use that PTR but are there legitimate Google services that do ?
|| >> Thanks!
|| >> Scott
|| >> On Thursday, 04/09/2025 at 16:21 Alex Burch wrote:
|| >> They might have legacy accounts where port 25 is unblocked. I think
|| >> Infusionsoft/Keap had their IPs hosted at GCP at one point and they
|| >> had the port 25 block lifted to send with them.
|| >> Thanks,
|| >> Alex
|| >> --
|| >> Alexander Burch
|| >> ActiveCampaign / Senior Deliverability Engineer
|| >> [email protected]
|| >> 1 North Dearborn St Suite 500, Chicago IL, 60602
|| >> On Thu, Sep 4, 2025 at 9:12 AM Scott Q. via mailop <[email protected]> wrote:
|| >> I get that, but the question is more whether GCP blocks outbound port 25 or not.
|| >> Their docs say they are blocking it:
|| >> https://cloud.google.com/compute/docs/tutorials/sending-mail
|| >> yet we see evidence to the contrary. Surely it's a configuration mistake somewhere (?).
|| >> Maybe someone from Google can shed some light on this.
|| >> Thanks!
|| >> On Thursday, 04/09/2025 at 11:25 Michael Peddemors via mailop wrote:
|| >> Careful.. the list admins don't like us using this list to complain
|| >> about spam, but yeah..
|| >> Anything with a PTR of 1.132.64.34.bc.googleusercontent.com. is suspect,
|| >> and should be rejected (port 25) ...
|| >> Standard ruleset for a couple of years.. but even more important, is the
|| >> number of IPs in those ranges used in email hacking, and BEC Compromise attacks.
|| >> You might even like to block attempts to other ports by default, and
|| >> create a 'permitted' acl for IPs in those ranges for legitimate use.
|| >> On 2025-09-04 07:55, Scott Q. via mailop wrote:
|| >> > Anyone else seeing an uptick lately of Spam e-mails originating from
|| >> > these ranges ?
|| >> > 34.64.132.0/22
|| >> > 35.240.0.0/13
|| >> > Mostly e-mails with: Content-Type: text/plain; charset="iso-2022-jp"
|| >> > What's interesting is that GCP has outbound port 25 blocked by default
|| >> > yet these hosts are able to do direct-to-mx deliveries.
|| >> > If anyone from Google is reading this - can you have a look ?
|| >> > Thanks!
|| >> > Scott
|| >> > _______________________________________________
|| >> > mailop mailing list
|| >> > [email protected]
|| >> > https://list.mailop.org/listinfo/mailop
|| >> --
|| >> "Catch the Magic of Linux..."
|| >> ------------------------------------------------------------------------
|| >> Michael Peddemors, President/CEO LinuxMagic Inc.
|| >> Visit us at http://www.linuxmagic.com @linuxmagic
|| >> A Wizard IT Company - For More Info http://www.wizard.ca
|| >> "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
|| >> ------------------------------------------------------------------------
|| >> 604-682-0300 Beautiful British Columbia, Canada
|| > --
|| > "Catch the Magic of Linux..."
|| > ------------------------------------------------------------------------
|| > Michael Peddemors, President/CEO LinuxMagic Inc.
|| > Visit us at http://www.linuxmagic.com @linuxmagic
|| > A Wizard IT Company - For More Info http://www.wizard.ca
|| > "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
|| > ------------------------------------------------------------------------
|| > 604-682-0300 Beautiful British Columbia, Canada
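One way to implement the PTR check Scott describes and the ban list Mark asks about, as an added example that is not code from any poster in this thread: it scans Postfix connect lines, keeps clients in 34/8 or 35/8 whose logged hostname ends in googleusercontent.com, and honours an allow list. The sample log lines, the `mx` host name and the function names are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Postfix logs a client as "name[ip]": the bracketed value is the connecting
# address, and "name" is "unknown" unless the PTR forward-confirms.
CONNECT = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: connect from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\]"
)
GCP_NETS = [ipaddress.ip_network(n) for n in ("34.0.0.0/8", "35.0.0.0/8")]
SUFFIX = ".googleusercontent.com"

# Constructed sample lines, modelled on the zimbra.log excerpt in the message.
LOG = """\
Sep 19 11:09:32 mx postfix/submission/smtpd[4066485]: connect from 74.75.228.35.bc.googleusercontent.com[35.228.75.74]
Sep 19 11:09:32 mx postfix/submission/smtpd[4066485]: disconnect from 74.75.228.35.bc.googleusercontent.com[35.228.75.74] ehlo=1 starttls=1 commands=2
Sep 19 11:10:01 mx postfix/smtpd[4066490]: connect from unknown[34.78.118.67]
Sep 19 11:10:05 mx postfix/smtpd[4066491]: connect from mail.example.net[192.0.2.10]
Sep 19 11:10:09 mx postfix/smtpd[4066492]: connect from 1.132.64.34.bc.googleusercontent.com[34.64.132.1]
""".splitlines()


def ptr_encodes_ip(host, ip):
    """True when the PTR name starts with the client IP's octets reversed."""
    return host.startswith(".".join(reversed(ip.split("."))) + ".")


def ban_candidates(lines, allow=()):
    """Count connects per IP in 34/8 or 35/8 whose PTR ends in SUFFIX."""
    allowed = {ipaddress.ip_address(a) for a in allow}
    hits = Counter()
    for line in lines:
        m = CONNECT.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # malformed address in the log line
            continue
        if ip in allowed or not any(ip in net for net in GCP_NETS):
            continue
        if m["host"].lower().endswith(SUFFIX):
            hits[str(ip)] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in ban_candidates(LOG).items():
        print(ip, n)
```

Only "connect from" lines are counted, so a session is not double-counted by its disconnect line, and a client logged as `unknown[...]` is left to other checks because no verified PTR is available for it.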
