On Thu, Jul 18, 2019 at 3:11 AM Benoit Panizzon via mailop <mailop@mailop.org> wrote:
> Hi List
>
> Operating the SWINOG Blacklist and Spamtraps, I notice quite some spam
> originating from Google IPv6 Ranges (yes, trying to catch up
> whitelisting them, which is not easy with their constant morphing).
>
> Usually the Received: Line parser skips a line indicating a whitelisted
> source IP.
>
> Unfortunately with emails sent over Gmail, there are no more IP source
> before the Google IP Address, so I started wondering if there is any
> other way to find a unique source in the Gmail Headers:
>
> Like for example trying to base64 decode such strings:
>
> X-Gm-Message-State:
> APjAAAULgJIbXPmiYeO34K1oPDHCszLRsTEIWu44mCUMhwcvNI2FSw2C
> 13E/GzFi+GzlVSKPy4cBzQaU513ns+TJSg1RReBoON3S
>
> => does not decode to human readable string. Or is this not base64?
>
> X-Google-Smtp-Source:
> APXvYqxVPTn6xkps+03MiBFtpaU14OeJ20XxcX1Q6Tdg7/H8nOZpNx6gGMtNRggJ6WXmISfZ4L2aqtsCyvqjsMYyO+4=
>
> => does not decode to human readable string, but that header sounds very
> promising.

These headers are typically base64-encoded, encrypted, serialized protocol buffers. Without the key, you won't get anything out of them, and the keys rotate on a schedule. For what's actually in them, it's probably overkill, but better safe than sorry. They also don't contain the IP address.

> X-Received: by 2002:a54:4694:: with SMTP id
> k20mr20471032oic.136.1563371906203;
> Wed, 17 Jul 2019 06:58:26 -0700 (PDT)
>
> IPv6 mapped IPv4 address from RFC1918. What about the ID? Could that be
> used to match and block the source?

The ID is a unique ID for the message in our system, so not tied to the source. The IP address is internal.

> Received: from 776393159873 named unknown by gmailapi.google.com with
> HTTPREST; Wed, 17 Jul 2019 06:58:24 -0700
>
> Well, could 776393159873 be some kind of encoded source IP? Or just a
> unique token for the origin IP which could be used to match spam from
> this source?

I think it's a unique token for the client of the API, i.e. the specific third-party client/service, but not the user themselves, but I haven't checked. As Grant pointed out, we consider the IP address of the user to be PII and do not share it in most cases.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
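The Received-chain walk and the base64 check discussed in this exchange, as an added example that is not code from the thread or from Google: the header values are the ones quoted above (unfolded), and the whitelist range is an assumed stand-in for a trap operator's own list of Google ranges.

```python
import base64
import ipaddress

# Headers copied from the message quoted in the thread (X-Gm-Message-State unfolded).
HEADERS = """\
X-Received: by 2002:a54:4694:: with SMTP id k20mr20471032oic.136.1563371906203; Wed, 17 Jul 2019 06:58:26 -0700 (PDT)
Received: from 776393159873 named unknown by gmailapi.google.com with HTTPREST; Wed, 17 Jul 2019 06:58:24 -0700
X-Gm-Message-State: APjAAAULgJIbXPmiYeO34K1oPDHCszLRsTEIWu44mCUMhwcvNI2FSw2C13E/GzFi+GzlVSKPy4cBzQaU513ns+TJSg1RReBoON3S
"""
# Assumed whitelist range standing in for a trap operator's own Google list.
WHITELIST = [ipaddress.ip_network("2a00:1450:4000::/36")]

def addresses_in(value):
    """Return every token of a header value that parses as an IP literal."""
    found = []
    for tok in value.split():  # '776393159873' and the SMTP id fail to parse and are dropped
        try:
            found.append(ipaddress.ip_address(tok.strip("[]();,")))
        except ValueError:
            pass
    return found

def embedded_ipv4(ip):
    """Unwrap 6to4 (2002::/16) and IPv4-mapped IPv6 so RFC1918 space is recognised."""
    return (ip.sixtofour or ip.ipv4_mapped) if ip.version == 6 else None

def find_source_ip(text, whitelist=WHITELIST):
    """Walk Received/X-Received newest-first, skipping whitelisted hops like the SWINOG parser.
    Returns the first public source IP as a string, or None if the chain ends inside the provider."""
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("received", "x-received"):
            continue
        for ip in addresses_in(value):
            if any(ip in net for net in whitelist):
                continue  # whitelisted relay: keep walking towards the origin
            if (embedded_ipv4(ip) or ip).is_private:
                return None  # 2002:a54:4694:: -> 10.84.70.148: internal, no public origin
            return str(ip)
    return None

def decodes_to_text(value):
    """True only if the base64 payload is printable text; X-Gm-Message-State is not."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)
```

On the quoted headers, find_source_ip(HEADERS) returns None: the 6to4 address 2002:a54:4694:: unwraps to 10.84.70.148, so the chain ends inside Google's network with no public origin to list, and decodes_to_text() confirms the state header is opaque binary rather than a readable string.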