Doing a forward lookup on h97wz.com does go to Google space now. But a
different address, and yes the forward and reverse match currently. The
TTL on the forward is 5 seconds and the reverse is 60 seconds. So they
could be moving around within Google's infrastructure or just releasing
and adding an address. It's been pretty stable for the past 10 minutes,
you might have just hit it at the right time for them making a change.
David
--
https://dprall.net
On 10/9/2025 1:04 PM, Scott Q. via mailop wrote:
Reviving this thread again. Either I'm going crazy or our code is bad or
these spammers are that advanced - and Google is somehow facilitating
their operation.
So for example, this spammer e-mailed us from 34.131.37.79. We now check
the PTR at connection time and DNS reported:
GUC debug ip=34.131.37.79 ptr=h97wz.com ; therefore our system doesn't
score the message.
If I check it in DNS, it reports: 79.37.131.34.in-addr.arpa domain name
pointer 79.37.131.34.bc.googleusercontent.com.
So what happened? The user controls the PTR for a Google IP? And he
switches it back and forth? I tried checking, Google DNS doesn't
provide a SOA for that PTR range - that query type is refused, so I
can't tell when it was last changed.
It really seems the spammer changes his PTR - probably to avoid this
detection - and then puts it back to googleusercontent.com?
Thanks!
Scott
On Friday, 19/09/2025 at 18:51 Chris wrote:
On 2025-09-18 18:59, Scott Q. via mailop wrote:
> Would you guys mind sharing the blocks you are throttling / blocking ?
For our purposes. This is a process. The blocks we maintain are
ever-changing. minute-to-minute, day-to-day, ...
IOW unless you intend to maintain the block, read; monitor. You'll
potentially be blocking innocent IPs. IOW our block containing the
bc.googleusercontent.com IPs are not contiguous CIDR's. There are many
/32's. We add and remove IPs from this block all day. In fact, I see we
have some 100,000 slated to be added shortly. IMHO for your perceived
purposes. You might (as we already do) simply set your MX to REJECT
on bc.googleusercontent.com.
FWIW it's currently at 1,416,389 single IPs with ~100,000 to add.
HTH
--Chris
>
> What we did for now is simply looking up the PTR for any 34/8 and 35/8
> connecting IP and if it ends with googleusercontent.com give it some
> spam points.
>
> Thanks!
> Scott
>
> On Thursday, 18/09/2025 at 16:06 Chris via mailop wrote:
>
> On 2025-09-18 08:34, Michael Peddemors via mailop wrote:
>> *.googleusercontent.com should not only not be sending email (either
>> change PTR, or use a relay) so you can go beyond scoring, and simply
>> reject.
>>
>> Also, given the history of abuse and/or compromises, we also recommend
>> that you do NOT allow email authentication from those IPs, except as
>> permitted in an allow .acl.
>>
>> Make sense?
>
> I concur.
> We've been dropping packets originating from them without so much as
> an ACK for some 5yrs.
> Without *any* repercussions. Just reject. Your life will be much
> better for it. :)
>
>>
>> On 2025-09-16 07:58, Scott Q. via mailop wrote:
>>> Sorry for reviving an older thread, we are still battling this Google
>>> spam issue.
>>>
>>> Anyone else scoring e-mails directly received from IPs with a PTR of
>>> *.googleusercontent.com ? Any downside to doing this ?
>>>
>>> Gmail/Workspace doesn't use that PTR but are there legitimate Google
>>> services that do ?
>>>
>>> Thanks!
>>> Scott
>>>
>>> On Thursday, 04/09/2025 at 16:21 Alex Burch wrote:
>>>
>>> They might have legacy accounts where port 25 is unblocked. I think
>>> Infusionsoft/Keap had their IPs hosted at GCP at one point and they
>>> had the port 25 block lifted to send with them.
>>> Thanks,
>>> Alex
>>>
>>> --
>>> Alexander Burch
>>> ActiveCampaign / Senior Deliverability Engineer
>>> 1 North Dearborn St Suite 500, Chicago IL, 60602
>>>
>>> On Thu, Sep 4, 2025 at 9:12 AM Scott Q. via mailop wrote:
>>>
>>> I get that, but the question is more whether GCP blocks outbound
>>> port 25 or not.
>>>
>>> Their docs say they are blocking it:
>>> https://cloud.google.com/compute/docs/tutorials/sending-mail
>>>
>>> yet we see evidence to the contrary. Surely it's a configuration
>>> mistake somewhere (?).
>>>
>>> Maybe someone from Google can shed some light on this.
>>>
>>> Thanks!
>>>
>>> On Thursday, 04/09/2025 at 11:25 Michael Peddemors via mailop wrote:
>>>
>>> Careful.. the list admins don't like us using this list to complain
>>> about spam, but yeah..
>>>
>>> Anything with a PTR of 1.132.64.34.bc.googleusercontent.com. is
>>> suspect, and should be rejected (port 25) ...
>>>
>>> Standard ruleset for a couple of years.. but even more important, is
>>> the number of IPs in those ranges used in email hacking, and BEC
>>> Compromise attacks.
>>>
>>> You might even like to block attempts to other ports by default, and
>>> create a 'permitted' acl for IPs in those ranges for legitimate use.
>>>
>>> On 2025-09-04 07:55, Scott Q. via mailop wrote:
>>> > Anyone else seeing an uptick lately of Spam e-mails originating from
>>> > these ranges ?
>>> >
>>> > 34.64.132.0/22
>>> > 35.240.0.0/13
>>> >
>>> > Mostly e-mails with: Content-Type: text/plain; charset="iso-2022-jp"
>>> >
>>> > What's interesting is that GCP has outbound port 25 blocked by default
>>> > yet these hosts are able to do direct-to-mx deliveries.
>>> >
>>> > If anyone from Google is reading this - can you have a look ?
>>> >
>>> > Thanks!
>>> > Scott
>>> >
>>> > _______________________________________________
>>> > mailop mailing list
>>> > [email protected]
>>> > https://list.mailop.org/listinfo/mailop
>>>
>>> -- "Catch the Magic of Linux..."
>>> ------------------------------------------------------------------------
>>> Michael Peddemors, President/CEO LinuxMagic Inc.
>>> Visit us at http://www.linuxmagic.com @linuxmagic
>>> A Wizard IT Company - For More Info http://www.wizard.ca
>>> "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
>>> ------------------------------------------------------------------------
>>> 604-682-0300 Beautiful British Columbia, Canada
>>>
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
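
The thread describes a PTR check on 34/8 and 35/8 clients that scores only names ending in googleusercontent.com, and a client whose PTR read h97wz.com at connection time. The sketch below is an added example, not code from any poster in this thread: it classifies a connection from DNS answers that are passed in, so a custom PTR on a watched range is still reported along with its forward/reverse result and TTLs. The verdict names, the `SHORT_TTL` threshold and the forward address in the sample data are assumptions.

```python
import ipaddress

# From the thread: PTRs are looked up for any client in 34/8 and 35/8.
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("34.0.0.0/8", "35.0.0.0/8")]
GUC_DOMAIN = "googleusercontent.com"
SHORT_TTL = 300  # assumption: TTLs below this many seconds are flagged

def norm(name):
    return name.rstrip(".").lower()

def under_domain(name, domain):
    # Match on a label boundary so "xgoogleusercontent.com" does not count.
    name = norm(name)
    return name == domain or name.endswith("." + domain)

def classify(ip, ptr_answers, forward_answers):
    """ptr_answers: [(name, ttl)] from the PTR query made at connection time.
    forward_answers: {name: [(address, ttl)]} from A lookups of those names.
    Returns (verdict, reasons); the score per verdict is left to local policy."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in WATCHED_NETS):
        return "not-watched", []
    if not ptr_answers:
        return "watched-no-ptr", ["no PTR record"]
    names = [norm(n) for n, _ in ptr_answers]
    if any(under_domain(n, GUC_DOMAIN) for n in names):
        return "guc-ptr", ["PTR under " + GUC_DOMAIN]
    # Custom PTR on a watched range: the case a suffix-only check lets through.
    reasons = ["custom PTR " + ",".join(names)]
    fwd = [a for n in names for a in forward_answers.get(n, [])]
    confirmed = any(ipaddress.ip_address(a) == addr for a, _ in fwd)
    reasons.append("forward confirms reverse" if confirmed else "forward/reverse mismatch")
    ttls = [t for _, t in ptr_answers] + [t for _, t in fwd]
    if min(ttls) < SHORT_TTL:
        reasons.append("short TTL %ds" % min(ttls))
    return "watched-custom-ptr", reasons

# Constructed lookups: the IP, names and 5 s / 60 s TTLs appear in the thread,
# the forward address 34.0.0.10 is a made-up placeholder.
AT_CONNECT = ("34.131.37.79", [("h97wz.com.", 60)], {"h97wz.com": [("34.0.0.10", 5)]})
LATER = ("34.131.37.79", [("79.37.131.34.bc.googleusercontent.com.", 60)], {})

if __name__ == "__main__":
    for sample in (AT_CONNECT, LATER):
        print(sample[0], *classify(*sample))
```

Logging the PTR name and TTL with each verdict keeps a record of what DNS returned at connection time, which is the only view available when the record changes afterwards.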