Yes, it was a pain to take all of these steps and it probably took about 3 hours but it was absolutely necessary considering there was no avenue for me to shut down this person otherwise.
Google, Microsoft, and Amazon are my major sources of spam. These days, this is where spam comes from.
At this point, they are also too big to block. We allowed this to happen, through neglect and laziness. Even in this discussion: how many people use Gmail as their primary email service?
Phone providers should also be detecting this with AI. There is no way this should be occurring anymore.
I figure an email is worth a beer.
I mention it only as a useful data point, and in the absence of anyone else on the thread mentioning that Google have robust email abuse monitoring.
https://en.wikipedia.org/wiki/Abuse_Reporting_Format
How to bulk do this is interesting too. https://en.wikipedia.org/wiki/Feedback_loop_(email) says that gmail has a bulk format and that sendgrid is seeing some success.
Not defending just trying to see what a technical solution looks like
But only in Gmail then? Where is it possible to report a spam from a Gmail address received on a non-Gmail inbox?
Google is being a real PITA as the receiving side for people who try to self-host their mail or who use small providers. They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
edit: I might be incorrect on this and was thinking about how unsubscribing is standardized instead.
Basically, there is no standard beyond the ages-old requirement to have abuse@ and postmaster@ email addresses that react to such reports. Which Google doesn't follow at all, you just get redirected to some useless web form which requires a Google account and the sacrifice of a goat.
It is entirely Google's fault, and they should be shunned for it and their emails dropped. But unfortunately, they are too big for that by far...
Same as Gmail broke IMAP standard, or Gtalk XMPP standard.
Google can do whatever they please, they've become the standard of humanity surveillance.
Certainly mailchimp and the like make things simpler, but the price can be quite high.
Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them. That's legitimate marketing emails. You might argue they also shouldn't exist, but they are a different category.
I get plenty of the second from mailchimp (it's what they do), almost none of the first. Marking the second kind as spam, rather than clicking the unsubscribe link is dangerous because it teaches your anti-spam filter to reject messages from legitimate companies. You might find that if they need to contact you for a genuine reason e.g. a reciept for a future transaction, the message is blocked.
I don't get _only_ this from Mailchimp, but I definitely get quite a bit of this from Mailchimp, Sendgrid, and others. I've marked it spam, reported it to them (no response), and continued to receive the emails.
I can be kind of scatter brained and generally give the benefit of the doubt, but sometimes it's pretty clear that, e.g., I most definitely did not sign up with some accountant in a different country, in a place I've never been to, to receive reminders of tax deadlines that don't apply to me and offers of accounting services I can't use. Or if I somehow did, the signup was deceptive enough that they never received meaningful consent and I'd call it spam anyway.
(And the email they're sending this to is not some easily confused gmail address or a fat finger--it's my own name at my own domain.)
Having valid contact details or an opt out on their sign up form isn't relevant given I never signed up. It's _unsolicited_, _bulk_ email. It's spam.
This is the textbook legal definition of spam in any sensible jurisdiction, though.
Checking my received emails for mailchimp I see a whole bunch of legitimate emails, including for flightschedulepro which uses it. I also see replies to my abuse reports to mailchimp saying the problems have been addressed.
Do you report any of these spams to mailchimp?
Mailchimp is specifically made for mass email emission, for marketing a newsletter and whatnot. So yeah, a lot of people will consider them spammers.
It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
> It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
They probably didn't subscribe to the newsletter, they were subscribed, or tricked into subscribing. Either way, it's spam, and legitimate companies do not mix transactional e-mail ("order confirmations, e-tickets, etc.") with marketing e-mail.
They're not sending emails directly from their gmail address.
But they are adding victim emails to other Google services and then Google themselves send them invitations emails.
And if you name your service like "Google helpdesk - password reset" or something like that.
Invitation email from Google will look very official, but URL in the email will be controlled by the attacker.
It's pretty old working technique used for phishing for years now.
Spam report does nothing, since you're reporting official Google email.
Maybe try saying the spam has porn or inappropriate images?
Gmail cannot be whitelisted anymore: spam, phishing,... On the other hand, if your users redirect twitter or linkedin notifications from their domain to a gmail account, Google claims you are sending too fast and is suspicious (and throttles or blocks ip).
Hilarious.
I remember a bunch of spam and fishing emails from weird Outlook addresses. Don't remember any from Google.
The obvious (and correct) explanation is deliverability. Spammers send from Google services because they can inbox, they don’t send from other services because those services will not inbox successfully.
I'm not denying that they are sometimes used by spammers, but they are definitely a legitimate operation that takes action against spammers if you report them.
Google Workspace email is very generous with the kind of outgoing email you can send via their SMTP servers.
I’ve not been reporting them because I already know they aren’t valid and do not google’s work for them
Have reported AppSheet to FCC after seeing Google wasn't doing enough--same scam email format, same inbox-landing pathway, but still irked.
Also try forwarding the emails to the phishing emails of the misrepresented brands, when they have an address for it. Figure they're the ones who have any power.
I always report them with suggestions they teach their AI that invoices sent to large number of addresses are phishing.
This is starting to become important as countries (very unwisely!) start tying things like national ID and banking to smartphones.
But when a moderately technical colleague wanted to do the same, I told her to use Mox, she set it up and Gmail doesn't block her either.
So... would you please elaborate?
Fixing it was always pretty simple -- or at least, non-mysterious. They'd bounce some things, I'd look at the headers of the bounced messages, and therein were links to instructions there that showed how to resolve whatever issue it was this year.
Just follow the steps, implement the new thing, and stuff started flowing again in rather short order. Not so bad.
IIRC, the only time it ever cost us any money was when the RBLs started keeping track of dynamic IP pools and we needed to finally shift over to something actually-static.
AWS, on the other hand has proven willing to move mountains for me as a $15/mo customer.
Zero. OTOH, since I'm sure they are training on emails and archiving/profiling everything forever even if we delete messages.. those constant threats to become a paying customer before hitting some arbitrary small quota are still villainous
Maybe it's only legacy, but gmail brings customers to Google and their related services. Escalation then brings them on as paying Customers. As loss leader may make a loss if looked at in a bubble, but if looked at as part of the "Customer Lifecycle" then other areas of profit would likely be much smaller without the free gateway.
It takes me active resistance to avoid Google's paid services, and I'm staunchly independent in relatively rare air. The minor capitulation required to turn into a paying Customer would capture a good percentage of their erstwhile-free gmail users (I would think. Yes, conjecture, interested in explanations of alternative theories).
Source: Used to work there.
How do they get money for free? What is stopping everyone else from doing the same?
> ridiculous assertion.
What is ridiculous is the idea that running an email service a massive scale like Gmail is somehow free.
https://pdx.social/@evergreensewing/116388477430172491
> For the first time since we started the company back in January/February, we have a customer who does NOT use Gmail for their email address.
> In case you wanted to see what a monopoly looks like.
MariaDB > SELECT SUBSTRING_INDEX(email, '@', -1) AS domain, COUNT(*) AS cnt FROM accounts GROUP BY domain HAVING domain != '' ORDER BY cnt DESC LIMIT 10;
+-------------+-------+
| domain | cnt |
+-------------+-------+
| hotmail.com | 38015 |
| gmail.com | 16280 |
| yahoo.com | 4080 |
| o2.pl | 2321 |
| wp.pl | 2206 |
| live.com | 1415 |
| outlook.com | 814 |
| interia.pl | 609 |
| hotmail.es | 590 |
| live.se | 521 |
+-------------+-------+
10 rows in set (0.044 sec)This must be the half I have never heard of then. What non-google websites specifically require a google account?
Quoting https://en.wikipedia.org/wiki/Monopoly : "In law, a monopoly is a business entity that has significant market power, that is, the power to charge overly high prices, which is associated with unfair price raises."
Or from Milton Freedman, "Monopoly exists when a specific individual or enterprise has sufficient control over a particular product or service to determine significantly the terms on which other individuals shall have access to it". https://archive.org/details/capitalismfreedo0000frie/page/12...
In the post-Borkian interpretation of monopoly, adored by the rich and powerful because it enables market concentration which would otherwise be forbidden, consumer price is the main measure of control, hence free services can never be a monopoly.
Scholars have long pointed out Bork's view results from a flawed analysis of the intent of the Sherman Antitrust act. For example, Sherman wrote "If we would not submit to an emperor, we should not submit to an autocrat of trade, with power to prevent competition and to fix the price of any commodity.” (Emphasis mine. Widely quoted, original transcript at p2457 of https://www.congress.gov/bound-congressional-record/1890/03/... ). Freedman makes a similar point (see above) that a negative effect of a monopoly is to reduce access to alternatives.
One well-known rejection of the Borkian view is in Lina Khan "Amazon's Antitrust Paradox" paper. https://yalelawjournal.org/pdf/e.710.Khan.805_zuvfyyeh.pdf
In it she quotes Robert Pitofsky in "The Political Content of Antitrust":
"A third and overriding political concern is that if the free-market sector of the economy is allowed to develop under antitrust rules that are blind to all but economic concerns, the likely result will be an economy so dominated by a few corporate giants that it will be impossible for the state not to play a more intrusive role in economic affairs"
(I can't find a copy of that source online, but you can see the quote at https://archive.org/details/traderegulationc0005pito/mode/2u... where Pitofsky rejects viewing antitrust law through an exclusively economic lens.)
Even if you support the Borkian interpretation, you should still worry about the temptation for the US government to "play a more intrusive role" with GMail accounts. I strongly doubt Google will follow Lavabit's lead and shut down email should the feds come by with a gag order to turn over the company's private keys.
In the name of national security, of course.
How did we get to the point where there can be 12 services, but the one with lots of customers is a "Monopoly". Its a complete destruction of the word. They aren't killing their competitors, nor making it illegal to compete. Yeah its harder in the current era to run your own mail server, for a variety of reasons involving spam. But can we just cut the shit on calling literally every company with more than 100 employees a Monopoly?
Most of the problems people have spinning up their own email servers, like getting blacklisted by the big boys, are less bad societally than actually accepting and routing the quantity of spam they are blacklisting. Does it benefit them? Kind of. But its not anticompetitive in any real sense. These restrictions are obvious and basic. If you really wanted to, you could spend a significant, but in the grand scheme of things small, amount of money to break into the same game.
I mean theres a non zero chance that if Google, Microsoft and Amazon stopped being so damn picky, the government would turn around and regulate that they do exactly what they are doing now, to resist the plague of spam that would result.
Its like getting mad at Visa and Mastercard for insisting on the PCI DSS for people they transact with. If it wasn't mandated by Visa and Mastercard, it would become government regulation (and is already referenced by regulators in some jurisdictions)
"Ooooh no Visa is being anticompetitive making me secure my environment and prove that security to a trusted third party what a terrible monopoly they have".
The point is that they don't provide the level of services required by their position, which is dominant.
When you have a legitimate problem with Google, they don't reply to you. The news here is again an example of that. The only thing you can do is abide by their rules, which often requires you to subscribe to their services or be at their mercy.
market power
>What is stopping everyone else from doing the same?
see above
Are the real-time-blackhole lists still a thing?
If they're regularly allowing spam and not responding to reports in any sort of timely manner, possibly they should be reported to those.
Not going to work though, is it. Too big to fail shouldn't be a thing. It's not like you can't be flexible about it or give them some room to deal with it within corporate policy; but they do need to deal with it, right?
Realistically, I think some companies have outgrown the size where internet can still self-regulate them. You'd hurt yourself more than gmail.
This either needs laws or new game theory.
Or -you know- deprecate the current email system. I know that's a perennial proposal; but that's because every year it gets even more broken in even more interesting ways. It's patch-on-patch-on-patch at the moment. Just spinning up sendmail on a random box won't quite cut it anymore, if you want to participate.
It's not perfect though. For some reason, it doesn't find (or deliberately ignores) OVH hosts that are relaying spam.
I've worked at a start up where the marketing team just had a `marketing@startup.com` email that was just like any other email in Google Workspace and used that for all marketing communications. Eventually they bumped up against that limit and a couple of engineers had to help them troubleshoot and there were enough blog and stack overflow posts at the time about hitting the limit to make make me think what they were doing wasn't uncommon.
When you consider the scale of Gmail and that this is almost certainly a Workspace account so they're mixed in with business customers, I'm not sure how much of an anomaly 10k emails a week actually is.
Just imagine a weekly newsletter with 100k subscribers.
Above that threshold you should use tools like moosend, benchmarkemail, or similar. And they ask a pretty penny when you reach that scale.
It sometimes stops for weeks, then it continiues.
from my logs as an example: Nov 13 22:10:51 bert postfix/smtpd[2693931]: NOQUEUE: reject: RCPT from mail-oi1-x248.google.com[2607:f8b0:4864:20::248]: 450 4.1.8 <ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com> to=<rmayer13@nerd-residenz.de> proto=ESMTP helo=<mail-oi1-x248.google.com> Nov 13 22:12:07 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-ua1-x948.google.com[2607:f8b0:4864:20::948]: 450 4.1.8 <ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com> to=<rmayer1000@nerd-residenz.de> proto=ESMTP helo=<mail-ua1-x948.google.com> Nov 13 22:12:18 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x346.google.com[2a00:1450:4864:20::346]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayer13@nerd-residenz.de> proto=ESMTP helo=<mail-wm1-x346.google.com> Nov 13 22:12:37 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lf1-x146.google.com[2a00:1450:4864:20::146]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayer333@nerd-residenz.de> proto=ESMTP helo=<mail-lf1-x146.google.com> Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 <hc+bncBDO2ZDH5DIIOXB6ZZADBUBB2QEZ74@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<hc+bncBDO2ZDH5DIIOXB6ZZADBUBB2QEZ74@zf.thesparklebar.com> to=<rmayer@nerd-residenz.de> proto=ESMTP helo=<mail-lj1-x248.google.com> Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x345.google.com[2a00:1450:4864:20::345]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayerrmayer@nerd-residenz.de> proto=ESMTP helo=<mail-wm1-x345.google.com> Nov 13 22:14:03 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayera@nerd-residenz.de> proto=ESMTP helo=<mail-lj1-x248.google.com>
As you can see, the to-address is generated and its different hosts at google trying to send mails.
Searching for zf.thesparklebar.com shows others having the same problem.
I don't think people appreciate that this is really the key observation here. In large institutions, for anything significant to happen, there have to be incentives and alternatives, and these are set by management. Management in turn usually cares about their incentives, and the company overall mostly cares about the bottom line and the financial reports.
As a result, this is unlikely to get addressed, unless there is significant pressure, like media coverage, people mass-resigning from Gmail, or major email servers blocking Google. But none of these are likely to happen.