On 09.10.25 at 19:04, Scott Q. via mailop wrote:
> Reviving this thread again. Either I'm going crazy or our code is bad or these spammers are that advanced - and Google
> is somehow facilitating their operation.
>
> So for example, this spammer e-mailed us from 34.131.37.79. We now check the
> PTR at connection time and DNS reported:
> GUC debug ip=34.131.37.79 ptr=h97wz.com ; therefore our system doesn't score
> the message.
>
> If I check it in DNS, it reports: 79.37.131.34.in-addr.arpa domain name pointer
> 79.37.131.34.bc.googleusercontent.com.
>
> So what happened? The user controls the PTR for a Google IP? And he switches it back and forth? I tried checking,
> Google DNS doesn't provide a SOA for that PTR range - that query type is refused, so I can't tell when it was last
> changed.
>
> It really seems the spammer changes his PTR - probably to avoid this detection - and then puts it back to
> googleusercontent.com?
That sounds weird; I did not see this behavior here.
What I'm now doing is to make a query to origin.asn.cymru.com for all bc.googleusercontent.com mail attempts and add the
IP range into our IP blocklist for port 25. There are some legitimate users doing IMAP and mail submission from Google
cloud IPs, but port 25 should not be accessed from anonymous cloud IPs.
Cheers,
Hans-Martin
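The procedure Hans-Martin describes (PTR check at connection time, then an origin.asn.cymru.com lookup to get the enclosing BGP prefix, then a port-25 block for that prefix) as an added, runnable example. This is not code from the thread or from either poster; the resolver functions are injected so it runs offline, and the PTR and TXT answers in SAMPLE_PTR/SAMPLE_TXT are constructed for illustration (the ASN 64500 is a private-range placeholder, the prefix and date are made up, and 198.51.100.7 is a documentation address), not real lookup results. Only the 34.131.37.79 address and its bc.googleusercontent.com PTR come from the thread.

```python
"""Added example: flag SMTP clients whose PTR points into bc.googleusercontent.com
and turn the Team Cymru origin answer for that IP into a port-25 block rule.

Not code from the mailop thread. Lookups are injected callables so the logic
can be exercised offline; the sample answers below are constructed.
"""
import ipaddress
from typing import Callable, Optional

# PTR suffixes that mark anonymous cloud VMs (from the thread: Google Cloud).
CLOUD_PTR_SUFFIXES = ("bc.googleusercontent.com",)
CYMRU_ORIGIN_ZONE = "origin.asn.cymru.com"  # real Team Cymru IP-to-ASN DNS zone


def reverse_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 79.37.131.34.origin.asn.cymru.com."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_cymru_origin(txt: str) -> dict:
    """Parse a Team Cymru origin TXT answer of the form
    'ASN | BGP prefix | CC | registry | allocated' into asn and prefix."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) < 2:
        raise ValueError(f"unexpected Cymru answer: {txt!r}")
    # A multi-origin prefix lists several ASNs separated by spaces; keep the first.
    asn = fields[0].split()[0]
    return {"asn": asn, "prefix": ipaddress.ip_network(fields[1], strict=False)}


def is_cloud_ptr(ptr: Optional[str]) -> bool:
    """True when the PTR name ends in one of the cloud suffixes (case-insensitive)."""
    return bool(ptr) and ptr.rstrip(".").lower().endswith(CLOUD_PTR_SUFFIXES)


def port25_block_rule(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]],
    txt_lookup: Callable[[str], Optional[str]],
) -> Optional[str]:
    """Return an nftables rule dropping SMTP (port 25) from the client's BGP
    prefix, or None when the client is not a flagged cloud host or the
    origin lookup gives no usable answer."""
    if not is_cloud_ptr(ptr_lookup(ip)):
        return None
    answer = txt_lookup(reverse_name(ip, CYMRU_ORIGIN_ZONE))
    if answer is None:
        return None
    info = parse_cymru_origin(answer)
    # Sanity check: the announced prefix must actually contain the client IP.
    if ipaddress.ip_address(ip) not in info["prefix"]:
        raise ValueError(f"{ip} not inside returned prefix {info['prefix']}")
    return f'ip saddr {info["prefix"]} tcp dport 25 drop comment "AS{info["asn"]}"'


# Constructed sample answers standing in for real DNS (offline demonstration).
SAMPLE_PTR = {
    "34.131.37.79": "79.37.131.34.bc.googleusercontent.com",  # PTR seen in the thread
    "198.51.100.7": "mail.example.net",                        # constructed, non-cloud
}
SAMPLE_TXT = {
    # Constructed: AS64500 is a private-use placeholder, prefix/date are illustrative.
    "79.37.131.34.origin.asn.cymru.com": '"64500 | 34.128.0.0/10 | US | arin | 2018-09-28"',
}


def demo() -> dict:
    """Run both sample clients through the check and return the decisions."""
    return {ip: port25_block_rule(ip, SAMPLE_PTR.get, SAMPLE_TXT.get) for ip in SAMPLE_PTR}


if __name__ == "__main__":
    for client, rule in demo().items():
        print(client, "->", rule or "no action")
```

To use it against live DNS, pass callables that do the real work (for example a PTR lookup via socket.gethostbyaddr and a TXT lookup via dnspython's dns.resolver.resolve with rdtype "TXT"); the decision logic does not change. Note that the origin answer gives the BGP prefix, not the whole ASN, so one spammer VM yields one block entry per prefix.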
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop