Hi List

Operating the SWINOG Blacklist and Spamtraps, I notice quite some spam originating from Google IPv6 ranges (yes, trying to catch up whitelisting them, which is not easy with their constant morphing).

Usually the Received: line parser skips a line indicating a whitelisted source IP. Unfortunately, with emails sent over Gmail, there is no more IP source before the Google IP address, so I started wondering if there is any other way to find a unique source in the Gmail headers:

Like for example trying to base64 decode such strings:

X-Gm-Message-State: APjAAAULgJIbXPmiYeO34K1oPDHCszLRsTEIWu44mCUMhwcvNI2FSw2C
        13E/GzFi+GzlVSKPy4cBzQaU513ns+TJSg1RReBoON3S

=> does not decode to human readable string. Or is this not base64?

X-Google-Smtp-Source: APXvYqxVPTn6xkps+03MiBFtpaU14OeJ20XxcX1Q6Tdg7/H8nOZpNx6gGMtNRggJ6WXmISfZ4L2aqtsCyvqjsMYyO+4=

=> does not decode to human readable string, but that header sounds very promising.

X-Received: by 2002:a54:4694:: with SMTP id k20mr20471032oic.136.1563371906203;
        Wed, 17 Jul 2019 06:58:26 -0700 (PDT)

IPv6 mapped IPv4 address from RFC1918. What about the ID? Could that be used to match and block the source?

Received: from 776393159873 named unknown by gmailapi.google.com with HTTPREST;
        Wed, 17 Jul 2019 06:58:24 -0700

Well, could 776393159873 be some kind of encoded source IP? Or just a unique token for the origin IP which could be used to match spam from this source?

Any help is welcome!

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
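The Received: walk described in the post, with the gmailapi.google.com token as a fallback key, written as an added example that is not part of the original message. The allowlist prefix, the first hop of the sample and all function names are constructed, and the post does not establish that the numeric token is stable per sender, so the code treats it only as a candidate correlation key.

```python
import ipaddress
import re
from email import message_from_string

# Constructed allowlist: a documentation prefix standing in for a provider range.
ALLOWLIST = [ipaddress.ip_network("2001:db8:4864::/48")]

# Constructed message: the first hop uses a documentation address; the second
# Received line is the one quoted in the post.
SAMPLE = (
    "Received: from mail-oi1.example.net (mail-oi1.example.net [2001:db8:4864:20::241])\n"
    "\tby mx.example.org with ESMTPS; Wed, 17 Jul 2019 15:58:30 +0200\n"
    "Received: from 776393159873 named unknown by gmailapi.google.com\n"
    "\twith HTTPREST; Wed, 17 Jul 2019 06:58:24 -0700\n"
    "Subject: constructed sample\n\nbody\n"
)

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
API_RE = re.compile(
    r"from\s+(\d+)\s+named\s+\S+\s+by\s+gmailapi\.google\.com\s+with\s+HTTPREST")

def hop_ip(hop):
    """Return the bracketed peer address of one Received line, or None."""
    m = IP_RE.search(hop)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def source_key(raw):
    """Return (kind, value) for the first hop that is not allowlisted."""
    msg = message_from_string(raw)
    for hop in msg.get_all("Received", []):      # newest hop first
        hop = " ".join(hop.split())              # unfold continuation lines
        ip = hop_ip(hop)
        if ip is not None:
            if any(ip.version == n.version and ip in n for n in ALLOWLIST):
                continue                         # skip the whitelisted relay
            return ("ip", str(ip))
        m = API_RE.search(hop)
        if m:                                    # no IP on this hop: API submission
            return ("gmailapi-id", m.group(1))   # candidate key, stability unverified
    return None

if __name__ == "__main__":
    print(source_key(SAMPLE))
```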