Solved How can I block this spam coming via Google?

I checked logs across all our servers and we’re no longer seeing new spam from these Google Groups reaching customer inboxes — most of it is now being caught by the spam filter rule mentioned earlier.

The KAM.cf rules also made a noticeable difference.

If these messages are still getting through on your side, it’s worth checking your scoring setup. For example, if your required score is around 8, make sure your custom rule like HK_GOOGLE_GROUPS is set significantly higher (e.g. 10+) so it guarantees a hit.

Here’s an example of how these messages are being scored on our side:
spamd: result: Y 19 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GB_URI_ASTERISK,HK_GOOGLE_GROUPS,HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,URIBL_ABUSE_SURBL,URIBL_DBL_BLOCKED

So even though the messages pass SPF/DKIM, the combined rule weight (especially HK_GOOGLE_GROUPS) pushes them well over the threshold.
 
Here’s another example showing the same pattern — note how everything passes SPF/DKIM/DMARC, yet the message is still clearly spam and gets caught mainly due to the Google Groups rule:

Return-path: <[email protected]>
Envelope-to: hello@<domainremoved>;
Delivery-date: Tue, 28 Apr 2026 18:04:28 +0200

Received: from mail-yw1-f200.google.com ([209.85.128.200])
by <server removed> with esmtps (TLS1.3)
(Exim 4.99.1)
for hello@<domainremoved>;

Authentication-Results:
dkim=pass;
spf=pass;
dmarc=pass;

Precedence: list
Mailing-list: list [email protected]
List-ID: <hs.chinacvcn.com>
X-Google-Group-Id: 806615142161

X-Spam-Score: 11.7 (required 8.0)

And the key part from the SpamAssassin breakdown:

 pts rule name                     description
---- ----------------------------- ---------------------------------------
10.0 HK_GOOGLE_GROUPS              Message sent via Google Groups
 1.9 URIBL_ABUSE_SURBL             URL listed in blocklist
 0.5 LOCAL_HTML_ONLY_HIGH          HTML-only message
 0.2 HEADER_FROM_DIFFERENT_DOMAINS
-1.0 MAILING_LIST_MULTI

Even though authentication is clean (SPF_PASS, DKIM_VALID, DMARC_PASS), the message still scores 11.7, mainly due to:

- HK_GOOGLE_GROUPS (custom rule doing the heavy lifting)
- URIBL hit
- Typical HTML-only / list characteristics

Without a strong rule like HK_GOOGLE_GROUPS, this would likely slip through on many default configurations.
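
As an added example (not part of the original post, and not SpamAssassin's own code): a short Python check that reads the X-Spam-Score header and rule breakdown quoted above and reports which rules the spam verdict depends on, i.e. rules whose removal alone would put the message under the required score. The function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: the score header and rule lines quoted in the post above.
SAMPLE = """\
X-Spam-Score: 11.7 (required 8.0)
10.0 HK_GOOGLE_GROUPS Message sent via Google Groups
1.9 URIBL_ABUSE_SURBL URL listed in blocklist
0.5 LOCAL_HTML_ONLY_HIGH HTML-only message
0.2 HEADER_FROM_DIFFERENT_DOMAINS
-1.0 MAILING_LIST_MULTI
"""

NUM = r"-?\d+(?:\.\d+)?"
SCORE_RE = re.compile(rf"^X-Spam-Score:\s*({NUM})\s*\(required\s+({NUM})\)", re.M)
# A rule line is "<points> <RULE_NAME> [description]".
RULE_RE = re.compile(rf"^\s*({NUM})\s+([A-Z][A-Z0-9_]+)\b", re.M)


def parse_report(text):
    """Return (total score, required score, {rule name: points})."""
    m = SCORE_RE.search(text)
    if not m:
        raise ValueError("no X-Spam-Score header found")
    total, required = float(m.group(1)), float(m.group(2))
    rules = {name: float(pts) for pts, name in RULE_RE.findall(text)}
    return total, required, rules


def margin(text):
    """How far the message is above (positive) or below the threshold."""
    total, required, _ = parse_report(text)
    return round(total - required, 1)


def load_bearing_rules(text):
    """Rules whose removal alone would drop a spam verdict below the threshold."""
    total, required, rules = parse_report(text)
    if total < required:
        return []  # message was not flagged, so no rule carries the verdict
    # Use the reported total rather than the sum of listed rules, because a
    # quoted breakdown may omit rules that also contributed to the score.
    return sorted(name for name, pts in rules.items()
                  if pts > 0 and round(total - pts, 1) < required)


if __name__ == "__main__":
    print("margin over threshold:", margin(SAMPLE))
    print("verdict depends on:", load_bearing_rules(SAMPLE))
```

A single load-bearing rule means the verdict rests on that rule's score alone, so a change to it, or a negative-scoring rule that offsets it, decides whether such messages reach the inbox.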
 