Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2008/02/25 16:34:54 UTC

google running an open relay?

Based on Google's standard 'we don't have any clients who would email 
from google' ignore bot, then what? If Google doesn't have any direct 
clients, then does this indicate they are running an open relay? (Email 
purports to come from Argentina, and 201.231.43.135 does; RDNS for first 
untrusted looks like Google; whois on the netblock shows Google in the US.)
What types of email (besides 'gmail.com') are supposed to come 
from Google? Are we going to start getting Postini clients relayed 
through Google now?


If they don't even have a web site to report 'spam' or open relays to, 
then how would you even contact them?
(This is the first untrusted received line.)

Maybe make a meta?

__FROM_GMAIL
__RCV_GOOGLE

and

GOOGLE_RELAY  !__FROM_GMAIL && __RCV_GOOGLE

Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.185])
	by fl.us.spammertrap.net (Postfix) with ESMTP id F24DC2E116
	for <mm...@secnap.com>; Mon, 25 Feb 2008 09:07:49 -0500 (EST)
Received: by rv-out-0910.google.com with SMTP id f5so1286176rvb.59
        for <mm...@secnap.com>; Mon, 25 Feb 2008 06:07:47 -0800 (PST)
Received: by 10.140.251.1 with SMTP id y1mr2106744rvh.149.1203948466792;
        Mon, 25 Feb 2008 06:07:46 -0800 (PST)
Received: from owcom2 ( [201.231.43.135])
        by mx.google.com with ESMTPS id s54sm6210986rnb.10.2008.02.25.06.06.41
        (version=SSLv3 cipher=RC4-MD5);
        Mon, 25 Feb 2008 06:07:35 -0800 (PST)
Message-ID: <00...@owcom2>
From: "Gonzalo Caseres - Openware" <gc...@openware.biz>
To: <mm...@secnap.com>
Subject: Openware Argentina
Date: Mon, 25 Feb 2008 12:01:07 -0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_00AE_01C877A6.1A73C3D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: gcaseres@openware.biz


-- 
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
http://www.technosium.com/hotcompanies/


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________
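Worked through as an added example (not code from the original post, and not SpamAssassin's own rule engine): a small Python script that parses the Received chain quoted above, finds the first untrusted relay as recorded by our own MX, and evaluates the proposed GOOGLE_RELAY logic on those sample headers. The set of "our" MX host names is an assumption standing in for SpamAssassin's trusted_networks; the sample headers are copied from the message above with its redacted addresses left as they appear there.

```python
"""Detection logic behind the GOOGLE_RELAY meta sketched in the post above.

Added example, not code from the original post. It parses the Received
chain of a message, finds the first untrusted relay (the hop our own MX
recorded), and flags messages that were handed to us by a *.google.com
relay but do not carry a gmail.com sender address.
"""
import email
import re

# Sample headers copied from the message quoted in the thread; the
# redacted "mm..." / "gc..." addresses are kept exactly as shown there.
SAMPLE_HEADERS = """\
Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.185])
    by fl.us.spammertrap.net (Postfix) with ESMTP id F24DC2E116
    for <mm...@secnap.com>; Mon, 25 Feb 2008 09:07:49 -0500 (EST)
Received: by rv-out-0910.google.com with SMTP id f5so1286176rvb.59
        for <mm...@secnap.com>; Mon, 25 Feb 2008 06:07:47 -0800 (PST)
Received: by 10.140.251.1 with SMTP id y1mr2106744rvh.149.1203948466792;
        Mon, 25 Feb 2008 06:07:46 -0800 (PST)
Received: from owcom2 ( [201.231.43.135])
        by mx.google.com with ESMTPS id s54sm6210986rnb.10.2008.02.25.06.06.41
        (version=SSLv3 cipher=RC4-MD5);
        Mon, 25 Feb 2008 06:07:35 -0800 (PST)
From: "Gonzalo Caseres - Openware" <gc...@openware.biz>
Subject: Openware Argentina

"""

# "from HELO (rDNS [ip]) ... by HOST".  The rDNS part is optional because
# the last hop in the sample ("from owcom2 ( [201.231.43.135])") has none.
RCV_FROM_RE = re.compile(
    r'^from\s+(?P<helo>\S+)\s+\(\s*(?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9.]+)\]\)'
    r'.*?\bby\s+(?P<by>\S+)', re.IGNORECASE)


def parse_received(raw_message):
    """Return the 'from' hops of the Received chain, most recent first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all('Received', []):
        value = re.sub(r'\s+', ' ', value).strip()   # unfold the header
        m = RCV_FROM_RE.match(value)
        if m:   # "Received: by ..." internal hops carry no remote IP; skip them
            hops.append(m.groupdict())
    return hops


def first_untrusted_hop(hops, our_hosts):
    """Walk down from the top while the hop was written by one of our own
    MXes; the last such hop names the first untrusted relay.  SpamAssassin
    derives the same boundary from trusted_networks."""
    boundary = None
    for hop in hops:
        if hop['by'].lower() not in our_hosts:
            break
        boundary = hop
    return boundary


def sender_domain(from_header):
    """Domain part of the address in a From: header, lower-cased."""
    m = re.search(r'@([A-Za-z0-9.-]+)>?\s*$', from_header or '')
    return m.group(1).lower() if m else ''


def evaluate_google_relay(raw_message, our_hosts):
    """Mirror of the proposed meta: GOOGLE_RELAY = __RCV_GOOGLE && !__FROM_GMAIL."""
    msg = email.message_from_string(raw_message)
    hops = parse_received(raw_message)
    relay = first_untrusted_hop(hops, {h.lower() for h in our_hosts})
    # Only the reverse-DNS name our own MX recorded is worth keying on; the
    # HELO string is chosen by the sending host and proves nothing by itself.
    rdns = (relay or {}).get('rdns') or ''
    rcv_google = rdns.lower().endswith('.google.com')
    from_gmail = sender_domain(msg.get('From')) == 'gmail.com'
    return {
        'first_untrusted': relay,
        # Earliest 'from' hop: where the mail entered the relay's network,
        # as recorded by that relay (so only as trustworthy as the relay).
        'origin': hops[-1] if hops else None,
        'rcv_google': rcv_google,
        'from_gmail': from_gmail,
        'google_relay': rcv_google and not from_gmail,
    }


if __name__ == '__main__':
    # Assumed local MX name, standing in for SpamAssassin's trusted_networks.
    result = evaluate_google_relay(SAMPLE_HEADERS, {'fl.us.spammertrap.net'})
    for key, val in result.items():
        print(f'{key}: {val}')
```

In a real rule set the same thing is two header rules plus a `meta`; the point worth keeping from the script is that the decision keys on the reverse-DNS name our own MX wrote into the top Received line, never on the HELO string or on hops recorded by someone else's servers, and that the "origin" hop (201.231.43.135 here) is only as reliable as the relay that wrote it.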

Re: google running an open relay?

Posted by Michelle Konzack <li...@freenet.de>.
Hello *,

On 2008-02-26 07:36:23, Michael Scheidell wrote:
> > If this was too much information, my apologies
> > 
> So, bottom line, either they are running an open relay (since we can 'be
> assured that it did not originate with Google'), or they lie.
> 
> I guess with a company the size of Google, we will be forced to eat our spam
> and love it.
> 
> Reminds me of the droidbot responses I got from yahoo with DKIM signed email
> originating with yahoo telling me that the email didn't come from yahoo.
> 
> Too bad yahoo and google are too high and mighty to actually care about spam
> complaints.
> 
> (anyone here been on the net long enough to remember the 'bimbo' usenet
> spams? What was the name of that big famous company that refused to deal
> with them? Sorry, I don't remember, they aren't around anymore)

My "official" e-mail address (from which I am sending this message)
is currently hit by 2,000 to 63,000 spams per day, and I get between
50 and 3,000 of them from verified <gmail> accounts.

Also, I am the owner of (currently) 50 mail servers worldwide with
70,000 clients in total, and I am hit by over 6 million spams per day,
of which over 150,000 come from <gmail> accounts.

One of the biggest pigs is <wi...@gmail.com> or <wi...@gmail.com>,
and I have sent over 800 messages to <ab...@gmail.com> and got only
automated responses...  and <wieseltux> is continuing to spam my e-mail
and hundreds of mailing lists...

I think I will set up a BOT to get rid of those <gmail> spams and hit ANY
gmail/google/googlegroups employees I can find...

I did this with rejected messages from <uol.com.br> a long time ago
and it worked fine.

(The owner of the e-mail address had forwarded an account which he/she used on
the Debian ML, and UOL rejected those messages and created several
100,000 spams; and of course, UOL is one of the BIGGER Brazilian ISPs.)

Thanks, Greetings and nice Day
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)

Gmail captcha broken: was Re: google running an open relay?

Posted by Michael Scheidell <sc...@secnap.net>.
Maybe this is it:

(February 25, 2008)
Spammers have figured out a way to defeat the Gmail Captcha
challenge-response mechanism, which is used to ensure that requests to
create new accounts are coming from real people and not from automated
programs.  Spammers successfully broke the Hotmail Captcha program in the
last few weeks.

http://www.theregister.co.uk/2008/02/25/gmail_captcha_crack/print.html


Re: google running an open relay?

Posted by Michael Scheidell <sc...@secnap.net>.
> From: Chris <cp...@embarqmail.com>
> Date: Mon, 25 Feb 2008 21:31:57 -0600
> To: <us...@spamassassin.apache.org>
> Subject: Re: google running an open relay?
> 
> I received the below from Google ref one of my spam reports, some content has
> been snipped:
> 
> Thank you for your note. This is an automated reply. If you're reporting a
> spam email with a Google return address, please be assured that it did not
> originate with Google. Google does not permit others to send unsolicited
> email through its mail servers.

[snip]
> If this was too much information, my apologies
> 
So, bottom line, either they are running an open relay (since we can 'be
assured that it did not originate with Google'), or they lie.

I guess with a company the size of Google, we will be forced to eat our spam
and love it.

Reminds me of the droidbot responses I got from yahoo with DKIM signed email
originating with yahoo telling me that the email didn't come from yahoo.

Too bad yahoo and google are too high and mighty to actually care about spam
complaints.

(anyone here been on the net long enough to remember the 'bimbo' usenet
spams? What was the name of that big famous company that refused to deal
with them? Sorry, I don't remember, they aren't around anymore)


-- 
Michael Scheidell, CTO
SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBsd SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium


Re: google running an open relay?

Posted by Chris <cp...@embarqmail.com>.
On Monday 25 February 2008 9:34 am, Michael Scheidell wrote:
> Based on Google's standard 'we don't have any clients who would email
> from google' ignore bot, then what? If Google doesn't have any direct
> clients, then does this indicate they are running an open relay? (Email
> purports to come from Argentina, and 201.231.43.135 does; RDNS for first
> untrusted looks like Google; whois on the netblock shows Google in the US.)
> What types of email (besides 'gmail.com') are supposed to come
> from Google? Are we going to start getting Postini clients relayed
> through Google now?
>
>
> If they don't even have a web site to report 'spam' or open relays to,
> then how would you even contact them?
> (This is the first untrusted received line.)
>
I received the below from Google regarding one of my spam reports; some content has 
been snipped:

Thank you for your note. This is an automated reply. If you're reporting a
spam email with a Google return address, please be assured that it did not
originate with Google. Google does not permit others to send unsolicited
email through its mail servers.

This was sent from:
> From: "Google Help" <po...@google.com>

I replied to them with the message headers and what I thought to be evidence 
that this spam in fact did come from a Google account. I use a formail recipe 
that adds the sender's IP, ASN and CIDR to the end of all messages. This is 
what was shown for the spam from Google:

X-SenderIP: 72.14.204.239
X-ASN: ASN-15169
X-CIDR: 72.14.204.0/23

Looking up the sender's IP gave this result:

> [chris@cpollock ~]$ nslookup 72.14.204.239
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Non-authoritative answer:
> 239.204.14.72.in-addr.arpa      name = qb-out-0506.google.com.
> 
> Authoritative answers can be found from:
> 204.14.72.in-addr.arpa  nameserver = ns2.google.com.
> 204.14.72.in-addr.arpa  nameserver = ns3.google.com.
> 204.14.72.in-addr.arpa  nameserver = ns1.google.com.
> 204.14.72.in-addr.arpa  nameserver = ns4.google.com.
> ns1.google.com  internet address = 216.239.32.10
> ns2.google.com  internet address = 216.239.34.10
> ns3.google.com  internet address = 216.239.36.10
> ns4.google.com  internet address = 216.239.38.10

The script that I run to report spam to NANAS and to the offending message's 
ISP's abuse addresses gave this result:

> Spam IP:      72.14.204.239 (qb-out-0506.google.com)
> Base domain:  google.com
> Message ID:   <61...@mail.gmail.com>
> ASN (0):      15169  - CIDR: 72.14.204.0/23
> ASN Org (0):  Google, Inc
> 
> Spamhaus:      
> IPWHOIS:       
> SpamCop:       
> Relays VISI:   
> Composite BL:  
> Dynablock BL:  
> DSBL Proxy:    
> DSBL Multihop: 
> SORBS OR:      
> SPEWS L1:      
> SPEWS L2:      
> RFCI P'master: 
> RFCI Abuse:    
> RFCI WHOIS:    
> RFCI BogusMX:  
> 
> WHOIS Addrs (IP): arin-contact@google.com
> ASN Addrs:        
> RFCI WHOIS:   
> 
> WHOIS addresses (google.com): 
> Abuse.net addresses (google.com): abuse@google.com
> Skipping recursed domains
> Ignore addresses: 
> Recipients: abuse@google.com, postmaster@google.com
> Recursed recipients: 
> 
> Reporting to abuse@google.com, postmaster@google.com
> ...with: "Spam report: (72.14.204.239)  Queen Elizabeths The Sec II Foundation"

Whether the report to abuse@ and postmaster@ did any good I don't know; 
however, I haven't heard back from them. This will also give you abuse 
addresses for different domains:

> [chris@cpollock ~]$ telnet whois.abuse.net 43
> Trying 208.31.42.95...
> Connected to whois.abuse.net (208.31.42.95).
> Escape character is '^]'.
> google.com
> abuse@google.com (for google.com)
> 

If this was too much information, my apologies.

-- 
Chris
KeyID 0xE372A7DA98E6705C