How can I block this spam coming via Google?

Richard G

Lately our customers have been getting a lot of spam. The problem is that we cannot block it the normal way, as it is coming via Google.
We report every instance, but they keep coming. It looks like this:

Code:
Received: from server.mycompany.nl
    by server.mycompany.nl with LMTP
    id oRgGHvZkt2lEAwsAugeUdg
    (envelope-from <[email protected]>)
    for <[email protected]>; Mon, 16 Mar 2026 03:03:34 +0100
Received: from mail-oa1-x45.google.com ([2001:4860:4864:20::45])
    by server.mycompany.nl with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
    (Exim 4.99.1)
    (envelope-from <[email protected]>)
    id 1w1xIk-00000004JP9-0jUe
    for [email protected];
    Mon, 16 Mar 2026 03:03:34 +0100
Received: by mail-oa1-x45.google.com with SMTP id 586e51a60fabf-40ee506cf49so36469725fac.2
        for <[email protected]>; Sun, 15 Mar 2026 19:03:24 -0700 (PDT)
From: "Infinitizone Support" <[email protected]>
To: <[email protected]>

To me it seemed the best way to block was to block the sender, firebaseapp.com, but that does not seem to work for me, or I'm doing something wrong.

In /etc/virtual/blacklist_domains, firebaseapp.com is present.
In /etc/virtual/blacklist_senders I did it like this (probably wrong): *@*.firebaseapp.com

So I guess I need to change the second one, because an asterisk is only to be used at the beginning (leading). And probably just firebaseapp.com won't work.

But I'm really not good with regular expressions and don't even understand how the regex101.com tester works.
I could use ^@*.firebaseapp.com, but I doubt this is good.

Can anybody help me with this or point me in the right direction, or maybe suggest a better way to block these spam mails coming via Google without blocking Google?
 
I think we need another method. It seems that spammers have found another spam method.
They send mail from some domain, then reroute it via Gmail to send it to our servers.

We got another example of this:
Code:
Received: by 2002:a05:6000:1846:b0:439:c2a3:a2e9 with SMTP id
 ffacd0b85a97d-43a04b19a37ls3821076f8f.0.-pod-prod-06-eu; Wed, 18 Mar 2026
 09:01:09 -0700 (PDT)
Received: by mail-wm1-x347.google.com with SMTP id 5b1f17b1804b1-485375aa56esf778125e9.1
        for <x>; Wed, 18 Mar 2026 09:07:11 -0700 (PDT)
Received: by 2002:a05:6000:1a87:b0:432:dbd4:cac9 with SMTP id
 ffacd0b85a97d-43a04b815e7ls4220957f8f.1.-pod-prod-06-eu; Wed, 18 Mar 2026
 09:01:07 -0700 (PDT)
Received: from speed-hosting4you.de (Mail.Sh4y.de [83.136.82.37])
    by Mail.Sh4y.de (Postfix) with ESMTPSA id C61171240E61
    for <x>; Wed, 18 Mar 2026 17:01:06 +0100 (CET)
Received: from Mail.Sh4y.de (Mail.sh4y.de. [2001:4ba0:ffea:2c9:1::5])
        by mx.google.com with ESMTPS id ffacd0b85a97d-43b518a25aasi7586192f8f.196.2026.03.18.09.01.07
        for <x>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 18 Mar 2026 09:01:07 -0700 (PDT)
Received: from mail-wm1-x347.google.com ([2a00:1450:4864:20::347])
    by server.ourserver.nl with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
    (Exim 4.99.1)
    (envelope-from <[email protected]>)
    id 1w2tQO-00000005lzd-0TsK
    for x;
    Wed, 18 Mar 2026 17:07:12 +0100
Received: from server.ourserver.nl
    by server.ourserver.nl with LMTP
    id 8Z9GFbDNummx9hEAugeUdg
    (envelope-from <[email protected]>)
    for <x>; Wed, 18 Mar 2026 17:07:12 +0100

In this one only our hostname is masked; the rest is as is.
As you can see, it's sent from Sh4y.de, somehow via hosting4you.de, and then we got it via Google.com.

Here's a second example, now going through both Outlook and Gmail.
Code:
Received: from GVXPR05CU001.outbound.protection.outlook.com (mail-swedencentralazlp170130007.outbound.protection.outlook.com. [2a01:111:f403:c202::7])
        by mx.google.com with ESMTPS id d2e1a72fcca58-82a6b58cc00si5879683b3a.58.2026.03.18.09.02.20
        for <x>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 18 Mar 2026 09:02:21 -0700 (PDT)
Received: by 2002:a05:6a00:90a3:b0:822:747d:3af9 with SMTP id
 d2e1a72fcca58-82a18a08cbals6356244b3a.2.-pod-prod-09-us; Wed, 18 Mar 2026
 09:02:29 -0700 (PDT)
Received: by 2002:a05:6a00:90a3:b0:822:747d:3af9 with SMTP id
 d2e1a72fcca58-82a18a08cbals6356283b3a.2.-pod-prod-09-us; Wed, 18 Mar 2026
 09:02:30 -0700 (PDT)
Received: from de2-emailsignatures-cloud.codetwo.com (20.79.222.204) by
 AMS0EPF00000198.mail.protection.outlook.com (10.167.16.244) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.9723.19 via Frontend Transport; Wed, 18 Mar 2026 16:02:13 +0000
Received: from AMS0EPF00000198.eurprd05.prod.outlook.com
 (2603:10a6:20b:46e:cafe::ad) by AS9PR06CA0612.outlook.office365.com
 (2603:10a6:20b:46e::19) with Microsoft SMTP Server (version=TLS1_3,
 cipher=TLS_AES_256_GCM_SHA384) id 15.20.9700.27 via Frontend Transport; Wed,
 18 Mar 2026 16:01:50 +0000
Received: from AS9PR06CA0612.eurprd06.prod.outlook.com (2603:10a6:20b:46e::19)
 by PA2PR10MB8393.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:417::11) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9723.19; Wed, 18 Mar
 2026 16:02:13 +0000
Received: by mail-pj1-x1045.google.com with SMTP id 98e67ed59e1d1-358f058973fsf181642a91.1
        for <x>; Wed, 18 Mar 2026 09:07:08 -0700 (PDT)
Received: from mail-pj1-x1045.google.com ([2607:f8b0:4864:20::1045])
    by server.ourserver.nl with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
    (Exim 4.99.1)
    (envelope-from <[email protected]>)
    id 1w2tQL-00000005lwA-3djT
    for x;
    Wed, 18 Mar 2026 17:07:10 +0100
Received: from server.ourserver.nl
    by server.ourserver.nl with LMTP
    id 8WlrOq7Nummx9hEAugeUdg
    (envelope-from <[email protected]>)
    for <x>; Wed, 18 Mar 2026 17:07:10 +0100

We can't block Google or Outlook, so how can we block this? I'm sure others will have or get spam problems like this too.

Maybe @zEitEr has a good idea?
This is only an example; we get them from multiple places, but at the top of the header it's always Google or Outlook delivering, it seems.
 
The above are header results from SpamCop; this is an original header from the last message.
Seeing the email content (not displayed), it looks like a bounce message coming back, and somehow to us, while we are not the originator.

Code:
Received: by 2002:a05:6000:1846:b0:439:c2a3:a2e9 with SMTP id
 ffacd0b85a97d-43a04b19a37ls3821076f8f.0.-pod-prod-06-eu; Wed, 18 Mar 2026
 09:01:09 -0700 (PDT)
Received: by mail-wm1-x347.google.com with SMTP id 5b1f17b1804b1-485375aa56esf778125e9.1
        for <[email protected]>; Wed, 18 Mar 2026 09:07:11 -0700 (PDT)
Received: by 2002:a05:6000:1a87:b0:432:dbd4:cac9 with SMTP id
 ffacd0b85a97d-43a04b815e7ls4220957f8f.1.-pod-prod-06-eu; Wed, 18 Mar 2026
 09:01:07 -0700 (PDT)
Received: from speed-hosting4you.de (Mail.Sh4y.de [83.136.82.37])
    by Mail.Sh4y.de (Postfix) with ESMTPSA id C61171240E61
    for <[email protected]>; Wed, 18 Mar 2026 17:01:06 +0100 (CET)
Received: from Mail.Sh4y.de (Mail.sh4y.de. [2001:4ba0:ffea:2c9:1::5])
        by mx.google.com with ESMTPS id ffacd0b85a97d-43b518a25aasi7586192f8f.196.2026.03.18.09.01.07
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 18 Mar 2026 09:01:07 -0700 (PDT)
Received: from mail-wm1-x347.google.com ([2a00:1450:4864:20::347])
    by server.ourserver.nl with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
    (Exim 4.99.1)
    (envelope-from <[email protected]>)
    id 1w2tQO-00000005lzd-0TsK
    for [email protected];
    Wed, 18 Mar 2026 17:07:12 +0100
Received: from server.ourserver.nl
    by server.ourserver.nl with LMTP
    id 8Z9GFbDNummx9hEAugeUdg
    (envelope-from <[email protected]>)
    for <[email protected]>; Wed, 18 Mar 2026 17:07:12 +0100
Reply-To: "Support - Speed-Hosting4you" <[email protected]>
From: "'Support - Speed-Hosting4you' via cerple" <[email protected]>
To: <[email protected]>
Subject: RE: Ihre Anliegen auf SH4Y [2026031861781] Re: Scheibe einschlagen, Gurt schneiden, Familie
Date: Wed, 18 Mar 2026 17:01:06 +0100
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_003B_01DCB76B.B1728B90"
X-Mailer: PHPMailer 7.0.2 (https://github.com/PHPMailer/PHPMailer)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773850030; x=1774454830;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to
         :x-original-authentication-results:x-original-sender
         :content-transfer-encoding:mime-version:message-id:subject:from:to
         :date:x-beenthere:x-beenthere:x-gm-message-state:from:to:cc:subject
         :date:message-id:reply-to;
        bh=2RweR99JA6XwUGKwp3ODYkT60m+dvmSNMDFerfmt8HM=;
        b=T8zHoQyBed4kylPrFiuK+X1o4HmtR0QUaaOAKuAjFYlb8ctw/rMzzndLKyvd/gKFAH
         GVppwBj5BV6cZ124sauU/ZIC2Jj8kmyKR9e7prNhHjD/93hO5Vfsa7lU0EqXJ6SGJfAe
         hIG3v0WdRWW26PlJkGFt4PR9VgQqvvZTma+zy0Xjm34Yu1vJKTtcMpSNNAF76sC7IJ1Q
         WVxM3Q7FOsUlZFF+Y9GKLXN4dMyih95rgPfbroCrk5F4lMsAotwc0GPGtJauMLpthOLW
         7pdJOJQQSUrDdM5sxZFbimJ+plczL07BsES+V7W0/6/34lhIlTrNS4cl53vi+Q7vCl+a
         CZnA==
X-Forwarded-Encrypted: i=2; AJvYcCWbtcY6WQ0PNaKLtiVWvuWL+sijViV25XTwhhD0HcDP5tYvqTDWm3seXOrhuOsrEzd/[email protected]
X-Forwarded-Encrypted: i=2; AJvYcCVBXffKVk/VYRVlXoD5leuYN0Wz9PRcadaAlqDzyDTTGAUYXVRJm6vI32qAiOzYot/[email protected]
X-Gm-Message-State: AOJu0YxVDuVUcTMCiikIPAo+p3id7/6vzP0TUbxnArRyeqmQ1AO5CxDt
    J6Pe31fr8NoAHI7IGmmCggxRE90rGstx9Kwu1wjdezxF9b1t7ZwXIguNKnXonb4pW9I=
X-Received: by 2002:a5d:5848:0:b0:435:9cd5:bb2a with SMTP id ffacd0b85a97d-43b527af569mr6851891f8f.24.1773850026854;
        Wed, 18 Mar 2026 09:07:06 -0700 (PDT)
X-Received: by 2002:adf:f04e:0:b0:439:fcd5:c9bb with SMTP id ffacd0b85a97d-43b527c902fmr4681496f8f.34.1773849669354;
        Wed, 18 Mar 2026 09:01:09 -0700 (PDT)
X-Received: by 2002:a05:6000:25c4:b0:439:de1d:74c6 with SMTP id ffacd0b85a97d-43b527aa5f5mr7183018f8f.19.1773849667395;
        Wed, 18 Mar 2026 09:01:07 -0700 (PDT)
X-BeenThere: [email protected]; h="AV1CL+GH9GqVDuhDsdXhX13vFz+lgKTdSsEpsgYz9Ywwfw+mvg=="
X-BeenThere: [email protected]; h="AV1CL+GPsvlJnRnM4+BmQ/znz+X22w+KupLr97I07AucYY+PJA=="
Thread-Index: AQKdpump9gSsEGhMpvrAf9HpjVXWFg==
X-Original-Sender: [email protected]
X-Original-Authentication-Results: mx.google.com;       dkim=pass
 [email protected] header.s=default header.b=pz+y1DFf;       spf=pass
 (google.com: domain of [email protected] designates 2001:4ba0:ffea:2c9:1::5 as
 permitted sender) [email protected];       dmarc=pass
 (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=sh4y.de
X-Original-From: Support - Speed-Hosting4you <[email protected]>
X-Spam-Checked-In-Group: [email protected]
X-Google-Group-Id: 616710976686
List-Help: <https://support.google.com/a/capturesoul.com/bin/topic.py?topic=25838>, <mailto:[email protected]>
List-Subscribe: <https://groups.google.com/a/capturesoul.com/group/sdsdsdsdsdsdsdsdsdsdsdsdsdsdsd/subscribe>, <mailto:[email protected]>
List-Unsubscribe: <mailto:[email protected]>, <https://groups.google.com/a/capturesoul.com/group/de3/subscribe>
X-DKIM: signer='capturesoul.com' status='pass' reason=''

Or maybe @mxroute some idea to prevent this?
 
So, a mailbox on sh4y.de is hacked (because of the passed SPF, DKIM, etc.), or there is a misconfigured Google Group at capturesoul.com that allows forwarding everything from everyone, and your customer is subscribed to it. But the address and subject indicate a hacked ticket/support account.

I don't know what sh4y.de is (didn't look) but they might want to know their support email might be compromised.

Edit: Bunch of typos
 
We had the same spam from capturesoul via Google Groups; we just put ..
/etc/virtual/blacklist_domains -> capturesoul.com
/etc/virtual/blacklist_senders -> *@capturesoul.com
and it stopped.
 
so, a mailbox on sh4y.de is hacked
I doubt it, or it must be a lot of mailboxes, because we got 16 different messages like this today.
The one from sh4y.de is just an example.
As you could see, we also got loads from firebaseapp.com until I blocked those, and from another spoofed mail address, but almost every mail is coming from a different provider, so sh4y.de is just one of them.

One is even a reply... let me look it up.

RE: RE: Ihre Anliegen auf SH4Y [2026031861781] Re: Scheibe einschlagen, Gurt schneiden, Familie

Hello,

Our system flagged your email as spam, which caused your request to be closed automatically.

If you’re a legitimate customer and believe this was a mistake, simply reply with “NOTSPAM”, and we’ll reopen your request right away. We apologize for any inconvenience and appreciate your patience.

Thank you for understanding!

Best regards,
Casino Support Team

Still Need Help?
[Live Chat] [https://happyjokers.com/] | [FAQ] [https://happyjokers.com/faq]

Ticket ID: hd.1773838398428.z74l0w.f5c372e3

From hosting4you.de to the spammer.

So why are they ending up via Google at the domain of my customer or even via google and outlook at my customer?

@johannes I already did that too, but I have blocked multiple domains this week already.
I also blocked speed-hosting4you.de and sh4y.de, but those are only 2. The customer has been getting lots of different ones like these the past weeks.

I still don't understand why it can get through Google and Outlook. Even as a reply to the spammer. Very odd.

So the only solution is to find the non-Google and non-Outlook hosts in the headers and block those?
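One way to do that last step mechanically, as an added example that is not from the thread, DirectAdmin or Exim: the script below walks the Received chain of a message like the full header dump quoted earlier, stops at the hop where Google or Outlook accepted the mail from the outside world, and collects the domains a blacklist entry could target (the origin host, the X-Original-Sender domain and the Google Groups X-BeenThere list domain). The sample headers, server.ourserver.nl as the local MX and the customer/group addresses are constructed for the example.

```python
# Added example: walk Received headers back to the hop where Google/Outlook
# accepted the mail from the outside world. Not DirectAdmin or Exim code.
import re

RELAYS = ("google.com", "outlook.com", "office365.com")  # trusted forwarders
LOCAL = ("server.ourserver.nl",)                          # our MX (constructed name)
HOP = re.compile(r"^(?:from\s+(?P<frm>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+)?by\s+(?P<by>\S+)", re.I)

# Constructed sample, trimmed from the thread's headers; newest hop first.
SAMPLE = """\
Received: from mail-wm1-x347.google.com ([2a00:1450:4864:20::347])
    by server.ourserver.nl with esmtps (Exim 4.99.1) for customer@example.nl
Received: by mail-wm1-x347.google.com with SMTP id 5b1f17b1804b1-485375aa56esf778125e9.1
Received: from Mail.Sh4y.de (Mail.sh4y.de. [2001:4ba0:ffea:2c9:1::5])
        by mx.google.com with ESMTPS id ffacd0b85a97d-43b518a25aasi7586192f8f.196
Received: from speed-hosting4you.de (Mail.Sh4y.de [83.136.82.37])
    by Mail.Sh4y.de (Postfix) with ESMTPSA id C61171240E61
X-Original-Sender: support@sh4y.de
X-BeenThere: group@capturesoul.com
"""

def parse_headers(raw):
    """Unfold continuation lines and return [(lowercase name, value)]."""
    fields = re.split(r"\r?\n(?![ \t])", raw.strip())
    return [(f.partition(":")[0].strip().lower(), " ".join(f.partition(":")[2].split()))
            for f in fields]

def is_under(host, suffixes):
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)

def find_origin(received):
    """Newest hop first: the first hop a trusted relay accepted from a host that
    is neither a relay nor us is where the mail really entered the system."""
    for m in filter(None, map(HOP.match, received)):
        if m["frm"] and is_under(m["by"], RELAYS) and not is_under(m["frm"], RELAYS + LOCAL):
            ip = re.search(r"\[([0-9a-fA-F.:]+)\]|^([0-9a-fA-F.:]+)$", m["helo"] or "")
            return m["frm"].rstrip(".").lower(), (ip.group(1) or ip.group(2)) if ip else None
    return None, None

def analyse(raw):
    hdrs = parse_headers(raw)
    host, ip = find_origin([v for n, v in hdrs if n == "received"])
    single = dict(hdrs)
    # Google Groups stamps the real submitter and the list that forwarded it.
    orig, lst = single.get("x-original-sender", ""), single.get("x-beenthere", "")
    domains = {a.rsplit("@", 1)[1].lower() for a in (orig, lst) if "@" in a}
    if host:
        domains.add(host)  # naive: the hostname, not necessarily the registrable domain
    return {"origin_host": host, "origin_ip": ip, "original_sender": orig,
            "list_address": lst, "block_candidates": sorted(domains)}
```

Run against a saved header block the same way; a hop with no "from" part (Google's internal "Received: by ...") is skipped, and a bare IP in parentheses, as in the Outlook headers above, is picked up as the origin address.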
 