Solved How can I block this spam coming via Google?

They are getting more. Today a customer of mine also received 6 spam mails from that yinoce.com group.
So now I blocked that domain and for the time being I also blocked google groups.
 
Not sure if this helps, but I found that on some servers using RSPAMD the score for the FORGED_SENDER spam rating symbol was set to 2.5, and those servers were getting some spam through. But one server we had had it set to 6 and spam kept getting blocked as spam.

Again not sure if this is a fix but monitoring it more.

Also looks like greylisting is stopping it on rspamd nicely:

yinoce.png
 
I'm using Spamassassin.
Today one other spam message came through to my client, via Google, not Google Groups. Just again another Chinese domain.
 
Looks like the only way to block it is to have a very high score for X-Google-Group-Id.

And rather whitelisting it for that tiny percentage of customers that need it, or increasing their spam score, may be a better strategy.
 
In /etc/blacklist_senders I added:
*@googlegroups.com
and restarted Exim of course.
Not 100% sure if this is correct, but at the moment I don't see it coming via a Google group anymore.
 
Surely if this is an exploit/bug, Google would know by now.
It's an exploit caused by Google, because it looks like people can add e-mail addresses to groups without any verification that those mail addresses want to be in the group.
Or they can add them to a group and send them a message instead of Google sending them an invitation.

Either way, to me it seems Google can add to the solution.
 
For rspamd you can define symbols/multimap to trigger on specific mail headers.
By giving a small score (1.5) you don't block everything from groups.
Adding a bad domains list helps to further define what the groups headers actually are: good groups or bad groups.
Then use the combination to block groups spam from specific domains.

# /etc/rspamd/local.d/multimap.conf
Code:
GOOGLE_GROUPS_LIST {
  type = "content";
  filter = "headers";
  map = "/etc/rspamd/maps.d/google_groups_headers.map";
  regexp = true;
  score = 1.5;
  description = "Mail has Google Groups / mailing-list headers";
}

ABUSE_SENDER_DOMAIN {
  type = "from";
  filter = "email:domain";
  map = "/etc/rspamd/maps.d/abuse_sender_domains.map";
  score = 6.0;
  description = "Known abuse sender domain";
}

Next you add the headers to check:
/etc/rspamd/maps.d/google_groups_headers.map

Code:
/^X-Google-Group-Id:/i
/^List-Help:/i
/^List-Subscribe:/i
/^List-Unsubscribe:/i
/^X-Original-Sender:/i

And a list of bad domains:
/etc/rspamd/maps.d/abuse_sender_domains.map

Code:
capturesoul.com
deyan365.com
... etc ...

Next you hit the combo harder:
# /etc/rspamd/local.d/composites.conf

Code:
GOOGLE_GROUPS_ABUSE {
  expression = "GOOGLE_GROUPS_LIST & ABUSE_SENDER_DOMAIN";
  score = 12.0;
  description = "Google Groups mail combined with known abuse source";
}

P.S. I'm very good at typos and not so much at documenting.
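Added example, not code from the thread: a small Python model of the three rules above (the two multimap symbols and the composite) run over constructed messages, so the scoring can be sanity-checked before the maps go live. The header regexps and domain list are copied from the post; the group id and addresses in the samples are placeholders, and the composite is assumed to replace the matched symbols' weights (rspamd's default composite policy, as I understand it).

```python
import re
from email import message_from_string

# Inline copies of the two maps (the page keeps them under /etc/rspamd/maps.d/).
GOOGLE_GROUPS_HEADERS = [re.compile(p, re.IGNORECASE) for p in (
    r"^X-Google-Group-Id:", r"^List-Help:", r"^List-Subscribe:",
    r"^List-Unsubscribe:", r"^X-Original-Sender:")]
ABUSE_SENDER_DOMAINS = {"capturesoul.com", "deyan365.com"}
SCORES = {"GOOGLE_GROUPS_LIST": 1.5, "ABUSE_SENDER_DOMAIN": 6.0,
          "GOOGLE_GROUPS_ABUSE": 12.0}

def from_domain(msg):
    """Domain of the MIME From: address, like multimap's 'email:domain' filter."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def score_message(raw):
    """Return (symbols, total) as the multimap rules plus the composite would yield."""
    msg = message_from_string(raw)
    symbols = {}
    # GOOGLE_GROUPS_LIST fires if any header line matches a regexp from the map.
    lines = [f"{name}: {value}" for name, value in msg.items()]
    if any(rx.match(line) for rx in GOOGLE_GROUPS_HEADERS for line in lines):
        symbols["GOOGLE_GROUPS_LIST"] = SCORES["GOOGLE_GROUPS_LIST"]
    # ABUSE_SENDER_DOMAIN fires on an exact From: domain hit in the abuse map.
    if from_domain(msg) in ABUSE_SENDER_DOMAINS:
        symbols["ABUSE_SENDER_DOMAIN"] = SCORES["ABUSE_SENDER_DOMAIN"]
    # Composite: when both fire, their weights are replaced by the composite score
    # (assumption: this mirrors rspamd's default composite policy).
    if {"GOOGLE_GROUPS_LIST", "ABUSE_SENDER_DOMAIN"} <= set(symbols):
        symbols = {"GOOGLE_GROUPS_ABUSE": SCORES["GOOGLE_GROUPS_ABUSE"]}
    return symbols, round(sum(symbols.values()), 2)

# Constructed sample messages (group id and addresses are placeholders).
GROUP_ABUSE_MAIL = """\
From: Promo <offer@capturesoul.com>
X-Google-Group-Id: 000000000000
List-Unsubscribe: <mailto:somegroup+unsubscribe@googlegroups.com>

body
"""
LEGIT_LIST_MAIL = """\
From: Alice <alice@example.org>
List-Unsubscribe: <mailto:list-leave@example.org>

body
"""
DIRECT_ABUSE_MAIL = "From: offer@deyan365.com\n\nbody\n"
```

The first sample scores 12.0 via the composite alone, the legitimate list only 1.5, and a direct mail from a listed domain 6.0, which is the split the post is aiming for.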
 