On Monday 25 February 2008 9:34 am, Michael Scheidell wrote:
> Based on Google's standard 'we don't have any clients who would email
> from google' ignore bot, then what? if google doesn't have any direct
> clients, then does this indicate they are running an open relay? (email
> purports to come from Argentina (and
>
> 201.231.43.135 does.)
>
> , RDNS for first untrusted looks like google. whois on netblock shows
> google in US.
> What types of emails (besides 'gmail.com' ) email is supposed to come
> from google? are we going to start getting postini clients relayed
> through google now?
>
> If they don't even have a web site to report 'spam' or open relays to,
> then how would you even contact them?
> (this is the first untrusted received line).
>

I received the below from Google ref one of my spam reports, some content has been snipped:

Thank you for your note. This is an automated reply. If you're reporting a spam email with a Google return address, please be assured that it did not originate with Google. Google does not permit others to send unsolicited email through its mail servers.

This was sent from
> From: "Google Help" <[EMAIL PROTECTED]>

I replied to them with the message headers and what I thought to be evidence that this spam in fact did come from a Google account. I use a formail recipe that adds the sender's IP, ASN and CIDR to the end of all messages. This is what was shown for the spam from Google:

X-SenderIP: 72.14.204.239
X-ASN: ASN-15169
X-CIDR: 72.14.204.0/23

Looking up the sender's IP gave this result:

> [EMAIL PROTECTED] ~]$ nslookup 72.14.204.239
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> 239.204.14.72.in-addr.arpa name = qb-out-0506.google.com.
>
> Authoritative answers can be found from:
> 204.14.72.in-addr.arpa nameserver = ns2.google.com.
> 204.14.72.in-addr.arpa nameserver = ns3.google.com.
> 204.14.72.in-addr.arpa nameserver = ns1.google.com.
> 204.14.72.in-addr.arpa nameserver = ns4.google.com.
> ns1.google.com internet address = 216.239.32.10
> ns2.google.com internet address = 216.239.34.10
> ns3.google.com internet address = 216.239.36.10
> ns4.google.com internet address = 216.239.38.10

The script that I run to report spam to NANAS and to the offending message's ISP's abuse addresses gave this result:

> Spam IP: 72.14.204.239 (qb-out-0506.google.com)
> Base domain: google.com
> Message ID: <[EMAIL PROTECTED]>
> ASN (0): 15169 - CIDR: 72.14.204.0/23
> ASN Org (0): Google, Inc
>
> Spamhaus:
> IPWHOIS:
> SpamCop:
> Relays VISI:
> Composite BL:
> Dynablock BL:
> DSBL Proxy:
> DSBL Multihop:
> SORBS OR:
> SPEWS L1:
> SPEWS L2:
> RFCI P'master:
> RFCI Abuse:
> RFCI WHOIS:
> RFCI BogusMX:
>
> WHOIS Addrs (IP): [EMAIL PROTECTED]
> ASN Addrs:
> RFCI WHOIS:
>
> WHOIS addresses (google.com):
> Abuse.net addresses (google.com): [EMAIL PROTECTED]
> Skipping recursed domains
> Ignore addresses:
> Recipients: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Recursed recipients:
>
> Reporting to [EMAIL PROTECTED], [EMAIL PROTECTED]
> ...with: "Spam report: (72.14.204.239) Queen Elizabeths The Sec II Foundation"

Whether the report to abuse@ and postmaster@ did any good I don't know; however, I haven't heard back from them.

This will also give you abuse addresses for different domains:

> [EMAIL PROTECTED] ~]$ telnet whois.abuse.net 43
> Trying 208.31.42.95...
> Connected to whois.abuse.net (208.31.42.95).
> Escape character is '^]'.
> google.com
> [EMAIL PROTECTED] (for google.com)
>

If this was too much information, my apologies

--
Chris
KeyID 0xE372A7DA98E6705C
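
The annotation step described in the message above, as an added Python example that is not the poster's formail recipe: it picks the first untrusted Received line and derives the X-SenderIP, X-ASN and X-CIDR values plus the reverse-DNS query name. The trusted network, the sample message and the static ROUTES table (standing in for a live ASN/CIDR lookup) are assumptions.

```python
import ipaddress
import re
from email import message_from_string

TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: our own relays
# Stand-in for a live ASN/CIDR lookup, filled with the values from the post.
ROUTES = {ipaddress.ip_network("72.14.204.0/23"): 15169}
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: only 72.14.204.239 and its PTR name come from the post.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP; Mon, 25 Feb 2008 09:00:02 -0500
Received: from qb-out-0506.google.com (qb-out-0506.google.com [72.14.204.239])
\tby mx.example.net with ESMTP; Mon, 25 Feb 2008 09:00:01 -0500
Received: from unknown (HELO host.example) ([198.51.100.7])
\tby relay.example with SMTP; Mon, 25 Feb 2008 09:00:00 -0500
"""

def first_untrusted_ip(raw, trusted=TRUSTED):
    """Walk Received headers newest-first; return the first IP outside our networks."""
    for hdr in message_from_string(raw).get_all("Received", []):
        m = BRACKET_IP.search(hdr)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. [999.1.1.1] in a malformed line
            continue
        if not any(ip in net for net in trusted):
            return ip  # lines below this one were written by the sending side
    return None

def annotate(raw, routes=ROUTES):
    """Build the X-SenderIP / X-ASN / X-CIDR values for the first untrusted relay."""
    ip = first_untrusted_ip(raw)
    if ip is None:
        return {}
    headers = {"X-SenderIP": str(ip)}
    # Longest-prefix match so a more specific route wins over a covering one.
    nets = sorted((n for n in routes if ip in n), key=lambda n: n.prefixlen)
    if nets:
        headers["X-ASN"] = f"ASN-{routes[nets[-1]]}"
        headers["X-CIDR"] = str(nets[-1])
    return headers

def ptr_name(ip):
    """Name to query for reverse DNS, matching the nslookup output in the post."""
    return ipaddress.ip_address(ip).reverse_pointer
```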