But now they don't for example.

h97wz.com has address 34.129.70.88
88.70.129.34.in-addr.arpa domain name pointer 88.70.129.34.bc.googleusercontent.com.

I think these guys change the PTR to match their domain whenever they
start their spam campaign and then switch it off. Thus rendering
filtering by *googleusercontent.com ineffective.

It's also hard to filter within 34/8 35/8 because GCP hosts lots of
big senders like *wayfair.com/co.uk , or latam.com , etc

If anyone from Google is reading this:
- Why are all customers allowed to send out from your networks to port 25 ?
- Why are all customers allowed to change their PTR at will ?

I understand making exceptions for vetted customers but now you have
some 'customers' that are effectively using your infrastructure to
spam everyone else.

Scott
On Thursday, 09/10/2025 at 20:29 David Prall via mailop wrote:

Doing a forward lookup on h97wz.com does go to google space now. But a
different address, and yes the forward and reverse match currently. The
TTL on the forward is 5 seconds and the reverse is 60 seconds. So they
could be moving around within Google's infrastructure or just releasing
and adding an address. It's been pretty stable for the past 10 minutes,
you might have just hit it at the right time for them making a change.

David
--
https://dprall.net
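
One way to score a connection without trusting the PTR suffix alone, written as an added example and not taken from any poster's system: it combines the 34/8 and 35/8 check and the googleusercontent.com suffix discussed in this thread with forward confirmation and record TTLs. The point values, the 300-second TTL threshold, the `DnsView` type and the allow-list mechanism are assumptions, and the DNS answers are passed in as constructed data rather than looked up live.

```python
import ipaddress
from dataclasses import dataclass

# The ranges and the PTR suffix come from the thread. The point values, the
# TTL threshold and the allow-list mechanism are assumptions of this example.
GCP_NETS = [ipaddress.ip_network(n) for n in ("34.0.0.0/8", "35.0.0.0/8")]
GUC_SUFFIX = ".googleusercontent.com"
LOW_TTL = 300  # seconds; assumed cut-off for a short-lived record

@dataclass
class DnsView:
    """Resolver answers captured at connection time (no live lookups here)."""
    ptr: str          # PTR target returned for the connecting IP
    ptr_ttl: int      # TTL of that PTR record
    forward: list     # A records returned for the PTR target
    forward_ttl: int  # TTL of those A records

def score_connection(ip, dns, allow_suffixes=()):
    """Return (points, reasons) for a direct-to-MX connection from ip."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in GCP_NETS):
        return 0, []
    ptr = dns.ptr.rstrip(".").lower()
    confirmed = ip in dns.forward
    # Honour the allow list only for a forward-confirmed PTR: the PTR alone
    # is set by whoever currently holds the address.
    if confirmed and any(ptr == s or ptr.endswith("." + s) for s in allow_suffixes):
        return 0, ["allow-listed sender"]
    points, reasons = 0, []
    if ptr.endswith(GUC_SUFFIX):
        points += 3
        reasons.append("generic googleusercontent PTR")
    else:
        # Custom PTR inside GCP space: judge it by forward confirmation and
        # record lifetime, since the name itself no longer identifies GCP.
        if not confirmed:
            points += 3
            reasons.append("PTR not forward-confirmed")
        if min(dns.ptr_ttl, dns.forward_ttl) < LOW_TTL:
            points += 2
            reasons.append("short-TTL PTR/A pair")
    return points, reasons

# Constructed sample using the values quoted in the thread.
SAMPLE = DnsView("h97wz.com.", 60, ["34.129.70.88"], 5)
```
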
On 10/9/2025 1:04 PM, Scott Q. via mailop wrote:
> Reviving this thread again. Either I'm going crazy or our code is bad or
> these spammers are that advanced - and Google is somehow facilitating
> their operation.
>
> So for example, this spammer e-mailed us from 34.131.37.79. We now check
> the PTR at connection time and DNS reported:
> GUC debug ip=34.131.37.79 ptr=h97wz.com ; therefore our system doesn't
> score the message.
>
> If I check it in DNS, it reports: 79.37.131.34.in-addr.arpa domain name
> pointer 79.37.131.34.bc.googleusercontent.com.
>
> So what happened ? The user controls the PTR for a Google IP ? And he
> switches it back and forth ? I tried checking, Google DNS doesn't
> provide a SOA for that PTR range - that query type is refused, so I
> can't tell when it was last changed.
>
> It really seems the spammer changes his PTR - probably to avoid this
> detection - and then puts it back to googleusercontent.com ?
>
> Thanks!
> Scott
>
> On Friday, 19/09/2025 at 18:51 Chris wrote:
>
> On 2025-09-18 18:59, Scott Q. via mailop wrote:
> > Would you guys mind sharing the blocks you are throttling / blocking ?
>
> For our purposes. This is a process. The blocks we maintain are
> ever-changing. minute-to-minute, day-to-day, ...
> IOW unless you intend to maintain the block, read; monitor. You'll
> potentially be blocking innocent IPs. IOW our block containing the
> bc.googleusercontent.com IPs are not contiguous CIDR's. There are many
> /32's. We add and remove IPs from this block all day. In fact, I see we
> have some 100,000 slated to be added shortly. IMHO for your perceived
> purposes. You might (as we already do) simply set your MX to REJECT
> on bc.googleusercontent.com.
>
> FWIW it's currently at 1,416,389 single IPs with ~100,000 to add.
>
> HTH
>
> --Chris
> >
> > What we did for now is simply looking up the PTR for any 34/8 and 35/8
> > connecting IP and if it ends with googleusercontent.com give it some
> > spam points.
> >
> > Thanks!
> >
> > Scott
> >
> > On Thursday, 18/09/2025 at 16:06 Chris via mailop wrote:
> >
> > On 2025-09-18 08:34, Michael Peddemors via mailop wrote:
> >> *.googleusercontent.com should not only not be sending email (either
> >> change PTR, or use a relay) so you can go beyond scoring, and simply
> >> reject.
> >>
> >> Also, given the history of abuse and/or compromises, we also recommend
> >> that you do NOT allow email authentication from those IPs, except as
> >> permitted in an allow .acl.
> >>
> >> Make sense?
> >
> > I concur.
> > We've been dropping packets originating from them without so much as
> > an ACK for some 5yrs.
> > Without *any* repercussions. Just reject. Your life will be much
> > better for it. :)
> >
> >>
> >> On 2025-09-16 07:58, Scott Q. via mailop wrote:
> >>> Sorry for reviving an older thread, we are still battling this Google
> >>> spam issue.
> >>>
> >>> Anyone else scoring e-mails directly received from IPs with a PTR of
> >>> *.googleusercontent.com ? Any downside to doing this ?
> >>>
> >>> Gmail/Workspace doesn't use that PTR but are there legitimate Google
> >>> services that do ?
> >>>
> >>> Thanks!
> >>> Scott
> >>>
> >>> On Thursday, 04/09/2025 at 16:21 Alex Burch wrote:
> >>>
> >>> They might have legacy accounts where port 25 is unblocked. I think
> >>> Infusionsoft/Keap had their IPs hosted at GCP at one point and they
> >>> had the port 25 block lifted to send with them.
> >>> Thanks,
> >>> Alex
> >>>
> >>> --
> >>>
> >>> Alexander Burch
> >>> ActiveCampaign / Senior Deliverability Engineer
> >>> [email protected]
> >>> 1 North Dearborn St Suite 500, Chicago IL, 60602
> >>>
> >>> On Thu, Sep 4, 2025 at 9:12 AM Scott Q. via mailop wrote:
> >>>
> >>> I get that, but the question is more whether GCP blocks outbound
> >>> port 25 or not.
> >>>
> >>> Their docs say they are blocking it:
> >>>
> >>> https://cloud.google.com/compute/docs/tutorials/sending-mail
> >>>
> >>> yet we see evidence to the contrary. Surely it's a configuration
> >>> mistake somewhere (?).
> >>>
> >>> Maybe someone from Google can shed some light on this.
> >>>
> >>> Thanks!
> >>>
> >>> On Thursday, 04/09/2025 at 11:25 Michael Peddemors via mailop wrote:
> >>>
> >>> Careful.. the list admins don't like us using this list to complain
> >>> about spam, but yeah..
> >>>
> >>> Anything with a PTR of 1.132.64.34.bc.googleusercontent.com. is
> >>> suspect, and should be rejected (port 25) ...
> >>>
> >>> Standard ruleset for a couple of years.. but even more important, is
> >>> the number of IPs in those ranges used in email hacking, and BEC
> >>> Compromise attacks.
> >>>
> >>> You might even like to block attempts to other ports by default, and
> >>> create a 'permitted' acl for IPs in those ranges for legitimate use.
> >>>
> >>> On 2025-09-04 07:55, Scott Q. via mailop wrote:
> >>> > Anyone else seeing an uptick lately of Spam e-mails originating from
> >>> > these ranges ?
> >>> >
> >>> > 34.64.132.0/22
> >>> > 35.240.0.0/13
> >>> >
> >>> > Mostly e-mails with: Content-Type: text/plain; charset="iso-2022-jp"
> >>> >
> >>> > What's interesting is that GCP has outbound port 25 blocked by default
> >>> > yet these hosts are able to do direct-to-mx deliveries.
> >>> >
> >>> > If anyone from Google is reading this - can you have a look ?
> >>> >
> >>> > Thanks!
> >>> > Scott
> >>> >
> >>> > _______________________________________________
> >>> > mailop mailing list
> >>> > [email protected]
> >>> > https://list.mailop.org/listinfo/mailop
> >>>
> >>> --
> >>> "Catch the Magic of Linux..."
> >>> ------------------------------------------------------------------------
> >>> Michael Peddemors, President/CEO LinuxMagic Inc.
> >>> Visit us at http://www.linuxmagic.com @linuxmagic
> >>> A Wizard IT Company - For More Info http://www.wizard.ca
> >>> "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
> >>> ------------------------------------------------------------------------
> >>> 604-682-0300 Beautiful British Columbia, Canada