I can't share the info but Google is aware of the calendar abuse.  They are working on it.

We've also seen SES start going the way of Sendgrid becoming a very bad sesspool for spam.

And I laughed when you say "wait until CloudFlare starts getting abused" because CloudFlare protects so many of the bad actors, it's not even funny.

Regards,

KAM

On 11/12/2025 4:36 PM, Michael Peddemors via mailop wrote:
Yeah, there is little way to stop this without..

* playing whack-a-mole on phone numbers contained in invite
* blocking all Google Calendar invites

Once again, this has to be the sender responsibility <sic>, but this goes to show the eroding trend of obfuscating information, leading to abuse. Give the ability to send anonymously, and it will attract threat actors..

Amazon SES is a great example, and wait until CloudFlare starts getting abused.  If you want email delivery to succeed, more transparency is required.

Received: from a48-34.smtp-out.amazonses.com (HELO a48-34.smtp-out.amazonses.com) (54.240.48.34)
..
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1762981891;
    h=Content-Transfer-Encoding:From:To:Reply-To:Subject:Message-ID:Date:MIME-Version:Content-Type:Feedback-ID;
    bh=qOYZOZ272kZG+SbC7k+JP6ve7k9eJ9ZuEmelkzDT14k=;
    b=seWNnqo5BzTvo3MCarnFQ8Er+dagZ5u/D5bsqdOu9nVdl6chkP9j0V3Yl6+oC1EA
    ow0ksVugBOPK93IQiZMC03mQIT7fsE8TSm50rxqW8wgnRR0aZcvctTqcsg+NeJHnMiC
    CvLIkKhzjSbGESAQhJQGxibERjgUGD+CLFIkOAVg=
Content-Transfer-Encoding: quoted-printable
From: Revenue Unit <[email protected]>
To: <redacted>
Reply-To: [email protected]
Subject: Overview Audit
Message-ID: <[email protected]>
Date: Wed, 12 Nov 2025 21:11:30 +0000
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Feedback-ID: ::1.us-east-1.M7eHMda1Faa6suUxyNQpj0UCMQ7UspPByedrB4oe/30=:AmazonSES
X-SES-Outgoing: 2025.11.12-54.240.48.34

How would you differentiate this type of malware from all other traffic flows using Amazon SES? (Fake Tax Refund Spam) Additional trace headers, at least showing what the originator was, would be helpful.


On 2025-11-12 07:42, Scott Q. via mailop wrote:
Not sure what to make of this. The contents of the invite show:

Organizer
DAVID DEITHER LAURENTE QUISPE<mailto:[email protected]> [email protected]<mailto:[email protected]>

and ayacucho.edu.pe mail is handled by 1 aspmx.l.google.com

So these aren't free accounts - spammers compromised entire tenants and created their own accounts there in order to receive mail back ?

Scott

On Wednesday, 12/11/2025 at 06:29 Hans-Martin Mosner via mailop wrote:

    On 11.11.25 at 17:25, Scott Q. via mailop wrote:

        But these seem like legitimate Google issued invites, not faked
        in any way - maybe compromised accounts ?

        Anyone from Google can chime in if you are aware of this issue ?
        We can't really start scoring/blocking Google calendar invites,
        or can we ?

    They are Google. Do you seriously expect them to care?

    Most likely the accounts used to send have been created for the
    purpose of spamming. Handing out free anonymous accounts is what
    makes Google attractive to spammers (and the fact that these
    accounts can stay active for sufficient time despite being reported
    as spam sources).

    Doing something at the receiving end is pretty difficult, as the
    difference between unwanted and wanted invites isn't clear in the
    general case. You might be able to detect URLs within the text that
    indicate unwanted stuff, and you might treat invites from senders
    who have had previous contact with the recipient as likely desired,
    but all of this is very error-prone.

    Cheers,
    Hans-Martin


_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
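
Relating to the question in the thread about telling one Amazon SES sender from another: as an added example (not part of the thread, and not a method any poster proposed), this Python code reads the DKIM-Signature headers and reports whether a message is signed only by a shared ESP domain such as amazonses.com or also by a domain aligned with the From address. The sample messages, `sender.example`, the `SHARED_ESP_DOMAINS` set and the simplified alignment test are assumptions.

```python
import email
from email.utils import parseaddr

# Assumption: a locally maintained set of shared ESP signing domains.
SHARED_ESP_DOMAINS = {"amazonses.com"}

def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header, lowercased."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        # Drop folding whitespace, then split the tag=value list on ';'.
        for part in "".join(value.split()).split(";"):
            key, sep, val = part.partition("=")
            if sep:
                tags[key] = val
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def aligned(from_domain, d):
    """Rough stand-in for DMARC relaxed alignment (no Public Suffix List)."""
    return bool(from_domain) and (
        from_domain == d or from_domain.endswith("." + d) or d.endswith("." + from_domain))

def classify(raw):
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = dkim_domains(msg)
    return {
        "from_domain": from_domain,
        "signers": signers,
        "aligned": any(aligned(from_domain, d) for d in signers),
        # True when every signature comes from a shared ESP domain only.
        "esp_only": bool(signers) and all(d in SHARED_ESP_DOMAINS for d in signers),
    }

# Constructed samples modelled on the header layout quoted in the thread.
_ESP_SIG = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n"
            "    s=sel1; d=amazonses.com; h=From:To:Subject;\n"
            "    bh=AAAA=; b=BBBB=\n")
_TAIL = "From: Revenue Unit <notice@sender.example>\nSubject: Overview Audit\n\nbody\n"
ESP_ONLY = _ESP_SIG + _TAIL
DUAL = ("DKIM-Signature: v=1; a=rsa-sha256; s=k1; d=sender.example; bh=AAAA=; b=CCCC=\n"
        + _ESP_SIG + _TAIL)

if __name__ == "__main__":
    for name, raw in (("esp_only", ESP_ONLY), ("dual", DUAL)):
        print(name, classify(raw))
```

The `esp_only` result is a scoring input, not a verdict: it says the signature identifies the platform rather than the customer, which is the visibility gap the thread describes.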

