If you change your DMARC to reject instead of quarantine, Google will outright reject these. If you're looking at an attack this significant in scope, it may be worth doing.

root@gw:~# dig TXT _dmarc.sender.net +short
"v=DMARC1; p=quarantine; ruf=mailto:ab...@sender.net; pct=100"

On 2022-03-02 02:08, Edgaras | SENDER via mailop wrote:
Hi all,

Sorry, I can't describe the stupidity and incompetence of Gmail
systems lately without resorting to expletives. Seriously everyone,
see for yourselves.
Gmail is now accepting mail from Spamhaus EDROP listed spam ranges:

176.56.220.0/24
176.56.221.0/24
176.56.222.0/24

Which are all included here in
https://www.spamhaus.org/sbl/query/SBL442803

None of those networks are included in our SPF, which has -all.
From, To, CC, Subject, Date headers are all oversigned to prevent DKIM
replay attacks.

And yet Gmail still somehow accepts mail from these ranges, and thinks
it's authenticated.

Google, how much more of a stink does there have to be for someone to pay
attention to this issue? I did not publicize this issue on purpose -
so that other spammers would not take advantage of this weakness in
your spam filter. Do we have to announce this on Hacker News, Reddit
and elsewhere? I don't think that it's only our domain's reputation
being abused this way, and a lot of people are exposed to spam/scams,
so we will have to go public if this does not get fixed urgently.

PS: The following networks are also participating in this attack, so
it's safe to presume they are under the control of the same spam gang,
which operates the above-mentioned networks in the DROP list. Spamhaus, I
know you're on the list - feel free to escalate those listings to
DROP:


Edgar Vaitkevičius, founder / CEO
ed...@sender.net



_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop