Reviving this thread again. Either I'm going crazy or our code is bad or these spammers are that advanced - and Google is somehow facilitating their operation.
So for example, this spammer e-mailed us from 34.131.37.79. We now check the PTR at connection time and DNS reported:

    GUC debug ip=34.131.37.79 ptr=h97wz.com

Therefore our system doesn't score the message. If I check it in DNS, it reports:

    79.37.131.34.in-addr.arpa domain name pointer 79.37.131.34.bc.googleusercontent.com.

So what happened ? The user controls the PTR for a Google IP ? And he switches it back and forth ?

I tried checking, Google DNS doesn't provide a SOA for that PTR range - that query type is refused, so I can't tell when it was last changed.

It really seems the spammer changes his PTR - probably to avoid this detection - and then puts it back to googleusercontent.com ?

Thanks!
Scott

On Friday, 19/09/2025 at 18:51 Chris wrote:

On 2025-09-18 18:59, Scott Q. via mailop wrote:
> Would you guys mind sharing the blocks you are throttling / blocking ?

For our purposes. This is a process. The blocks we maintain are ever-changing. minute-to-minute, day-to-day, ... IOW unless you intend to maintain the block, read; monitor. You'll potentially be blocking innocent IPs. IOW our block containing the bc.googleusercontent.com IPs are not contiguous CIDR's. There are many /32's. We add and remove IPs from this block all day. In fact, I see we have some 100,000 slated to be added shortly.

IMHO for your perceived purposes. You might (as we already do) simply set your MX to REJECT on bc.googleusercontent.com.

FWIW it's currently at 1,416,389 single IPs with ~100,000 to add.

HTH

--Chris

>
> What we did for now is simply looking up the PTR for any 34/8 and 35/8
> connecting IP and if it ends with googleusercontent.com give it some
> spam points.
>
> Thanks!
> Scott
>
> On Thursday, 18/09/2025 at 16:06 Chris via mailop wrote:
>
> On 2025-09-18 08:34, Michael Peddemors via mailop wrote:
>> *.googleusercontent.com should not only not be sending email (either change
>> PTR, or use a relay) so you can go beyond scoring, and simply reject.
>>
>> Also, given the history of abuse and/or compromises, we also recommend that
>> you do NOT allow email authentication from those IPs, except as permitted
>> in an allow .acl.
>>
>> Make sense?
>
> I concur.
> We've been dropping packets originating from them without so much as an ACK
> for some 5yrs.
> Without *any* repercussions. Just reject. Your life will be much better for
> it. :)
>
>>
>> On 2025-09-16 07:58, Scott Q. via mailop wrote:
>>> Sorry for reviving an older thread, we are still battling this Google spam
>>> issue.
>>>
>>> Anyone else scoring e-mails directly received from IPs with a PTR of
>>> *.googleusercontent.com ? Any downside to doing this ?
>>>
>>> Gmail/Workspace doesn't use that PTR but are there legitimate Google
>>> services that do ?
>>>
>>> Thanks!
>>> Scott
>>>
>>> On Thursday, 04/09/2025 at 16:21 Alex Burch wrote:
>>>
>>> They might have legacy accounts where port 25 is unblocked. I think
>>> Infusionsoft/Keap had their IPs hosted at GCP at one point and they
>>> had the port 25 block lifted to send with them.
>>> Thanks,
>>> Alex
>>>
>>> --
>>> Alexander Burch
>>> ActiveCampaign / Senior Deliverability Engineer
>>> [email protected]
>>> 1 North Dearborn St Suite 500, Chicago IL, 60602
>>>
>>> On Thu, Sep 4, 2025 at 9:12 AM Scott Q. via mailop wrote:
>>>
>>> I get that, but the question is more whether GCP blocks outbound
>>> port 25 or not.
>>>
>>> Their docs say they are blocking it:
>>> https://cloud.google.com/compute/docs/tutorials/sending-mail
>>>
>>> yet we see evidence to the contrary. Surely it's a configuration
>>> mistake somewhere (?).
>>>
>>> Maybe someone from Google can shed some light on this.
>>>
>>> Thanks!
>>>
>>> On Thursday, 04/09/2025 at 11:25 Michael Peddemors via mailop wrote:
>>>
>>> Careful.. the list admins don't like us using this list to complain
>>> about spam, but yeah..
>>>
>>> Anything with a PTR of 1.132.64.34.bc.googleusercontent.com. is suspect,
>>> and should be rejected (port 25) ...
>>>
>>> Standard ruleset for a couple of years.. but even more important, is the
>>> number of IPs in those ranges used in email hacking, and BEC Compromise
>>> attacks.
>>>
>>> You might even like to block attempts to other ports by default, and
>>> create a 'permitted' acl for IPs in those ranges for legitimate use.
>>>
>>> On 2025-09-04 07:55, Scott Q. via mailop wrote:
>>> > Anyone else seeing an uptick lately of Spam e-mails originating from
>>> > these ranges ?
>>> >
>>> > 34.64.132.0/22
>>> > 35.240.0.0/13
>>> >
>>> > Mostly e-mails with: Content-Type: text/plain; charset="iso-2022-jp"
>>> >
>>> > What's interesting is that GCP has outbound port 25 blocked by default
>>> > yet these hosts are able to do direct-to-mx deliveries.
>>> >
>>> > If anyone from Google is reading this - can you have a look ?
>>> >
>>> > Thanks!
>>> > Scott
>>>
>>> --
>>> "Catch the Magic of Linux..."
>>> Michael Peddemors, President/CEO LinuxMagic Inc.
>>> Visit us at http://www.linuxmagic.com @linuxmagic
>>> A Wizard IT Company - For More Info http://www.wizard.ca
>>> "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
>>> 604-682-0300 Beautiful British Columbia, Canada
>>
>> --
>> "Catch the Magic of Linux..."
>> Michael Peddemors, President/CEO LinuxMagic Inc.
>> Visit us at http://www.linuxmagic.com @linuxmagic
>> A Wizard IT Company - For More Info http://www.wizard.ca
>> "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
>> 604-682-0300 Beautiful British Columbia, Canada
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
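
The PTR-suffix scoring discussed in this thread, written out as an added example (it is not code from any poster or their systems). The point weights, the function names and the separate "custom PTR" signal are assumptions; the resolver is injectable so the two lookup results quoted in the latest message can be replayed offline.

```python
import ipaddress
import socket

# Ranges and suffix come from the thread; the point weights are assumptions.
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("34.0.0.0/8", "35.0.0.0/8")]
SUFFIX = "googleusercontent.com"
SCORE_DEFAULT_PTR = 3.0  # PTR is the provider-generated name
SCORE_NO_PTR = 2.0       # watched range, no PTR at all
SCORE_CUSTOM_PTR = 1.0   # watched range, PTR is some other name


def system_ptr(ip):
    """Default resolver: PTR names for ip from the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def has_suffix(name, suffix=SUFFIX):
    """Label-aware match, so 'evilgoogleusercontent.com' does not count."""
    name = name.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def score_connection(ip, resolve_ptr=system_ptr):
    """Return (points, reason) for a connecting IP at SMTP connect time."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in WATCHED_NETS):
        return 0.0, "outside watched ranges"
    names = resolve_ptr(ip)
    if not names:
        return SCORE_NO_PTR, "watched range, no PTR"
    if any(has_suffix(n) for n in names):
        return SCORE_DEFAULT_PTR, "watched range, default PTR"
    # The case in the post: the lookup returned a different name, so a
    # suffix-only rule adds nothing. Score it lower and log the name seen.
    return SCORE_CUSTOM_PTR, "watched range, custom PTR: " + ",".join(names)


# The two answers quoted in the post for the same IP, replayed as fixed data.
AT_CONNECT = {"34.131.37.79": ["h97wz.com"]}
LATER = {"34.131.37.79": ["79.37.131.34.bc.googleusercontent.com."]}

if __name__ == "__main__":
    for label, table in (("at connect", AT_CONNECT), ("later", LATER)):
        print(label, score_connection("34.131.37.79", lambda ip: table.get(ip, [])))
```

Logging the name seen at connect time alongside the score gives a record to compare against later lookups when the PTR appears to change.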
