On 4/20/2022 11:41 PM, Larry M. Smith via mailop wrote:
> I'd suggest anything that shows gmailapi.google.com in the header be rejected -- at least until Google can get a handle on the abuse.
Excellent information - somehow, this slipped under my radar. So I've just done some cursory analysis of this in the past 1 hour. This is definitely worth exploring - however - those with large mail systems and/or who are averse to having false positives - just know that this will hit on a significant amount of false positives. For example, what I found is that some CRMs and some accounting systems - use this Google API for things like sending invoices to clients and for other legit transactional messages, and that sometimes happens for both gsuite business addresses (using their own domain) AND gmail addresses, too. Also, even if it had zero false positives (it doesn't come close to that) - even then - of all gmail spams, the total gmail spams that this hits is about 1/5th or 1/4th of all gmail spams, so this is far from a comprehensive solution to the gmail spam issue, not even considering the false positives. Too many other gmail-sent spams don't have that header.
However, this still might be worth adding a point or two to the spam score and/or amplifying other existing scoring? And that will work even better if combined with using email and domain name WLs that would then further minimize potential false positives (so not apply this scoring to those messages).
So this is still very helpful info! Thanks!

--
Rob McEwen, invaluement
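The scoring approach suggested in the reply above, sketched as an added example (not code from the message, its author, or invaluement): mail whose headers show gmailapi.google.com gets its existing score amplified and a small penalty added, unless the sender's address or domain is allowlisted. The point value, multiplier, allowlist entries, sample messages, and the choice to look in Received headers are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

API_MARKER = "gmailapi.google.com"  # host string named in the thread
API_POINTS = 1.5   # "a point or two" (assumed value)
AMPLIFY = 1.25     # multiplier for the existing score (assumed value)

# Constructed allowlists; real ones would hold known-good CRM/invoicing senders.
# From is unauthenticated, so production use should key these on a domain that
# passed DKIM or SPF rather than on the visible From address alone.
ALLOWED_ADDRESSES = {"billing@crm-vendor.example"}
ALLOWED_DOMAINS = {"accounting.example"}


def sent_via_gmail_api(msg):
    """True if any Received header mentions the Gmail API host (assumed location)."""
    return any(API_MARKER in str(h).lower() for h in msg.get_all("Received", []))


def is_allowlisted(msg):
    """True if the From address or its domain is on an allowlist."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr in ALLOWED_ADDRESSES or addr.rpartition("@")[2] in ALLOWED_DOMAINS


def adjusted_score(raw_message, base_score):
    """Amplify and bump the score for Gmail API mail unless the sender is allowlisted."""
    msg = message_from_string(raw_message)
    if sent_via_gmail_api(msg) and not is_allowlisted(msg):
        return base_score * AMPLIFY + API_POINTS
    return base_score


def make_sample(from_addr, via_api):
    """Build a constructed message; header text is illustrative, not captured mail."""
    hop = "gmailapi.google.com with HTTPREST" if via_api else "mx.example.net with ESMTPS"
    return (f"Received: from unknown by {hop};\n"
            " Thu, 21 Apr 2022 01:00:00 -0400\n"
            f"From: {from_addr}\nSubject: Invoice\n\nbody\n")


if __name__ == "__main__":
    for sender, via_api in [("someone@gmail.com", True),
                            ("Billing <billing@crm-vendor.example>", True),
                            ("ar@accounting.example", True),
                            ("someone@gmail.com", False)]:
        print(sender, via_api, adjusted_score(make_sample(sender, via_api), 3.0))
```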
