If it's those pesky crap TLDs, just block the whole TLD. As you said, the spammer
is not sending from @gmail.com but from their own domain using Gmail MX, right?

 

My blocklist is:



/\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|cars|casa|cfd|christmas|click|club|college|computer|country|cricket|cyou|date|design|download|exposed|email|fail|faith|finance|fit|fun|gdn|global|guru|help|host|jetzt|kim|icu|life|live|link|loan|london|media|men|mom|news|ninja|online|page|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|rest|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|surf|tech|technology|theatre|today|top|trade|university|uno|us|viajes|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip|xn--.*)$/

 

Feel free to use it.

Note: It's a TLD blocklist, so use it as a regexp; it will only match the end of
the string. Make sure to match it case-insensitively.

 

Block both in MIME From and in MAIL FROM. Because from what I understand, it's not
Gmail domains sending to you, but spammers with their own domains using Gmail
infrastructure, right?

Because you said "Google Site Verification record".

 

Best regards, Sebastian Nielsen
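
A sketch of applying the blocklist from the message above to both the envelope sender (MAIL FROM) and the MIME From header, case-insensitively. This is an added example, not part of the original message; the function names and the shortened TLD list are assumptions, and the sample addresses are constructed.

```python
import re
from email.utils import getaddresses

# Shortened subset of the alternation in the message above (assumption: paste
# the full list in real use). IGNORECASE because domains are case-insensitive.
BLOCKED_TLD = re.compile(r"\.(bid|click|icu|top|xyz|zip|xn--.*)$", re.IGNORECASE)


def domain_of(addr):
    """Return the normalised domain of an address, or None if it has none."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return None  # null sender "<>" used by bounces, or a bare local part
    # rpartition: the domain is whatever follows the LAST "@"
    domain = addr.rpartition("@")[2].rstrip(".").lower()
    return domain or None


def blocked_senders(mail_from, header_from):
    """Domains from MAIL FROM and the From: header that hit the blocklist."""
    # A From: header may carry a display name and more than one mailbox.
    addrs = [mail_from] + [a for _name, a in getaddresses([header_from])]
    hits = []
    for addr in addrs:
        domain = domain_of(addr)
        if domain and BLOCKED_TLD.search(domain) and domain not in hits:
            hits.append(domain)
    return hits


if __name__ == "__main__":
    # Constructed sample pairs (envelope sender, From: header value).
    samples = [
        ("<>", "Alice <alice@example.org>"),
        ("<bounce@example.org>", '"Promo" <deals@Shop.Example.XYZ>'),
        ("<x@mail.example.click.>", "Bob <bob@example.com>"),
        # The xn--.* branch also fires on a punycode label left of the TLD.
        ("<info@mail.xn--mnchen-3ya.de>", "Info <info@example.org>"),
    ]
    for mail_from, header_from in samples:
        print(mail_from, "|", header_from, "->", blocked_senders(mail_from, header_from))
```

Because `xn--.*` can span dots, the last sample is flagged even though its TLD is `.de`; test the pattern against legitimate IDN senders before deploying it.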

 

 

From: Hans-Martin Mosner via mailop <mailop@mailop.org>
Sent: 2 November 2024 17:50
To: mailop@mailop.org
Subject: [mailop] Gmail not accepting the spam they sent themselves

 

Hi folks,

today I noticed a spam wave sent through Gmail accounts - Gmail happily pushes 
the spam into our users' inboxes, but some of our addresses are role accounts 
which forward to personal Gmail accounts.

So this is what we get when trying to forward such a piece:

421-4.7.28 Gmail has detected an unusual rate of mail originating from your DKIM
421-4.7.28 domain [gopa.pobretv.soy      36]. To protect our users from spam,
421-4.7.28 mail sent from your domain has been temporarily rate limited. For
421-4.7.28 more information, go to
421-4.7.28  https://support.google.com/mail/?p=UnsolicitedRateLimitError to
421 4.7.28 review our Bulk Email Senders Guidelines. 4fb4d7f45d1cf-5ceac81993esi4035932a12.645 - gsmtp

And this is how this came to our system (redacted):

Nov  2 17:00:21 localhost postfix/smtpd[2112960]: 89DAE1202DF: client=mail-ej1-f69.google.com[209.85.218.69]
Nov  2 17:00:21 localhost postfix/cleanup[2116799]: 89DAE1202DF: message-id=<cak+kxv4vkx1n2tl5f9vrgxi9hd3qkunhpq60shp97jusrzp...@mail.gmail.com>
Nov  2 17:00:21 localhost postfix/qmgr[2947926]: 89DAE1202DF: from=<nse+bncbdjjppf26ifrbt4ttg4qmgqex7hq...@gopa.pobretv.soy>, size=10280, nrcpt=1 (queue active)
Nov  2 17:00:22 localhost postfix/lmtp[2112353]: 89DAE1202DF: to=<redacted>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.73, delays=0.3/0/0/0.42, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 28C56120330)
Nov  2 17:00:22 localhost postfix/qmgr[2947926]: 89DAE1202DF: removed

The sending domain has a Google site verification DNS entry and has its MX at 
Google, so they can't really claim that they have no relation to the spammer at 
all...

Looking back through the logs, I find matching incidents from more than a month 
ago; probably there were more earlier, but we don't keep logs that long.

At least I now have a pattern to match against. Sadly, blocking Gmail altogether 
isn't an option, though the amount of trouble they're causing would be a good 
reason to do it.

Cheers,
Hans-Martin
