[Asrg] gmail as source of spam (was VPN)

David Wilson <David.Wilson@isode.com> Tue, 07 July 2009 13:11 UTC

Return-Path: <David.Wilson@isode.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 226403A6E71 for <asrg@core3.amsl.com>; Tue, 7 Jul 2009 06:11:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S32aMlduPcET for <asrg@core3.amsl.com>; Tue, 7 Jul 2009 06:11:33 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id 089DC3A6AE6 for <asrg@irtf.org>; Tue, 7 Jul 2009 06:11:33 -0700 (PDT)
Received: from [172.16.0.137] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <SlNIQgBV9Me-@rufus.isode.com> for <asrg@irtf.org>; Tue, 7 Jul 2009 14:06:11 +0100
From: David Wilson <David.Wilson@isode.com>
To: asrg@irtf.org
In-Reply-To: <4A52C36D.6040207@billmail.scconsult.com>
References: <20090623213728.1825.qmail@simone.iecc.com> <4A41D773.50508@telmon.org> <4A41E506.2010106@mines-paristech.fr> <20090624160052.B5DC62428A@panix5.panix.com> <4A426B9D.7090901@mines-paristech.fr> <4A43618A.6000205@tana.it> <4A4F7DD0.4040404@billmail.scconsult.com> <4A51D35E.70306@tana.it> <4A52C36D.6040207@billmail.scconsult.com>
Organization: Isode Limited
Date: Tue, 07 Jul 2009 14:06:10 +0100
Message-Id: <1246971970.3060.110.camel@tardis.isode.net>
X-Mailer: Evolution 2.26.2 (2.26.2-1.fc11)
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-15"
Content-transfer-encoding: quoted-printable
Subject: [Asrg] gmail as source of spam (was VPN)
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: asrg@irtf.org
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2009 13:11:34 -0000

On Mon, 2009-07-06 at 23:39 -0400, Bill Cole wrote:
> The overwhelming majority of mail I am offered by the Gmail outbounds
> is spam. Google has played games with how they will accept abuse
> reports, giving the appearance of not really wanting them.

This is not our experience, so I was surprised, and had a look over the
last few days. We get a lot of mail allegedly from 'gmail.com', but the
vast majority of that is not from gmail.com hosts. As the SPF info
has ?all, these get a NEUTRAL SPF status (and the sources mostly don't
get past Spamhaus). Not many of the messages which get an SPF PASS from
gmail.com are actual spam. And the great majority of the spam are 419
type scams, or other advance fee/financial scams.

[There was one rather nice "you've won a lottery" message sent to a
honeypot address which informed the recipient that they had won 

  "£2,500,000 (2 million, 5 hundred Great British Pound Starlings)"

That's a lot of rather heavy birds!]

I guess that 419 scammers, unlike most spammers, want a reply to their
message, so send it from an actual account used by an actual person.

A couple of weeks ago, the gmail.com account of someone we deal with was
hacked, and used to send spam. We saw a couple of messages, and one had
several recipients, which were clearly from that user's address book.
So, it was not being used for general spamming, but only to send
messages to those likely to have the sender in their address book, and
so avoid anti-spam measures, I presume.

It is perhaps not surprising that different sites see different
patterns. But we do not see the actual google outbound MTAs (as
indicated by the SPF info for _spf.google.com) as a significant source
of spam.

best regards

David
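The message above turns on one detail of SPF evaluation: a record ending in `?all` gives a NEUTRAL result for any host it does not list, so the receiver learns nothing from SPF about those senders and must fall back on other reputation data (the DNSBL check mentioned in the message), while a host covered by the included outbound-MTA record gets a PASS. The following is an added example, not part of David Wilson's message or of the ASRG archive: a simplified SPF evaluator (the `ip4`, `include` and `all` mechanisms of RFC 7208) run over a constructed DNS table. The domains (`example-mail.test`, `strict.test`) and the RFC 5737 documentation addresses are hypothetical and stand in for the real records the message refers to.

```python
import ipaddress
from collections import Counter

# Constructed DNS TXT table with hypothetical domains and RFC 5737 documentation
# addresses. It is NOT the real gmail.com / _spf.google.com data; it only mirrors
# the shape described in the message: a top-level record that includes the
# outbound-MTA list and ends in "?all".
DNS_TXT = {
    "example-mail.test": "v=spf1 include:_spf.example-mail.test ?all",
    "_spf.example-mail.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    # Contrast record: same outbound range, but a hard "-all" policy.
    "strict.test": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup_spf(domain):
    """Return the SPF terms for a domain from the constructed table, or None."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_host(ip, domain, depth=0):
    """Simplified check_host() (RFC 7208 section 4) for the ip4, include and
    all mechanisms. Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or
    'permerror'."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10 per evaluation
        return "permerror"
    terms = _lookup_spf(domain)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"  # a mechanism without an explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            # "all" always matches; its qualifier is the final result.
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            network = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == 4 and addr in network:
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # An include matches only when the included record yields 'pass';
            # fail/softfail/neutral/none from the include mean "keep evaluating"
            # (RFC 7208 section 5.2), which is what lets the outer "?all" apply.
            if check_host(ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, exists, ...) are not modelled here.
    return "neutral"  # no mechanism matched and no "all": default is neutral


# Constructed sample of connecting hosts claiming the same MAIL FROM domain,
# in the spirit of the mix described in the message: a few real outbound MTAs
# and many unrelated hosts using the domain in the envelope sender.
SAMPLES = [
    ("192.0.2.10", "example-mail.test"),
    ("198.51.100.7", "example-mail.test"),
    ("203.0.113.5", "example-mail.test"),
    ("203.0.113.44", "example-mail.test"),
    ("203.0.113.91", "example-mail.test"),
]


def tally(samples):
    """Count SPF results for (ip, mail_from_domain) pairs. A receiver can act
    on 'pass'/'fail'; 'neutral' carries no policy and needs other signals."""
    return Counter(check_host(ip, domain) for ip, domain in samples)


if __name__ == "__main__":
    for ip, domain in SAMPLES:
        print(f"{ip:>14} {domain:<20} {check_host(ip, domain)}")
    print(tally(SAMPLES))
    print("strict policy, unlisted host:", check_host("203.0.113.5", "strict.test"))
```

The `include` rule is the part people most often get wrong: the `-all` inside `_spf.example-mail.test` never reaches the final result, because a non-matching include simply falls through to the next term of the outer record, and that term is `?all`. Only a record that itself ends in `-all` (the `strict.test` contrast) turns an unlisted host into a FAIL the receiver can reject on.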