Yeah, there is little way to stop this without..

* playing whack-a-mole on phone numbers contained in invite
* blocking all Google Calendar invites

Once again, this has to be the sender responsibility <sic>, but this goes to show the eroding trend of obfuscating information, leading to abuse. Give the ability to send anonymously, and it will attract threat actors..

Amazon SES is a great example, and wait until CloudFlare starts getting abused. If you want email delivery to succeed, more transparency is required.

Received: from a48-34.smtp-out.amazonses.com (HELO a48-34.smtp-out.amazonses.com) (54.240.48.34)
..      
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
        s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1762981891;
        h=Content-Transfer-Encoding:From:To:Reply-To:Subject:Message-ID:Date:MIME-Version:Content-Type:Feedback-ID;
        bh=qOYZOZ272kZG+SbC7k+JP6ve7k9eJ9ZuEmelkzDT14k=;
        b=seWNnqo5BzTvo3MCarnFQ8Er+dagZ5u/D5bsqdOu9nVdl6chkP9j0V3Yl6+oC1EA
        ow0ksVugBOPK93IQiZMC03mQIT7fsE8TSm50rxqW8wgnRR0aZcvctTqcsg+NeJHnMiC
        CvLIkKhzjSbGESAQhJQGxibERjgUGD+CLFIkOAVg=
Content-Transfer-Encoding: quoted-printable
From: Revenue Unit <[email protected]>
To: <redacted>
Reply-To: [email protected]
Subject: Overview Audit
Message-ID: <[email protected]>
Date: Wed, 12 Nov 2025 21:11:30 +0000
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Feedback-ID: ::1.us-east-1.M7eHMda1Faa6suUxyNQpj0UCMQ7UspPByedrB4oe/30=:AmazonSES
X-SES-Outgoing: 2025.11.12-54.240.48.34

How would you differentiate this type of malware from all other traffic flows using Amazon SES (Fake Tax Refund Spam)? Additional trace headers, at least showing what the originator was, would be helpful.


On 2025-11-12 07:42, Scott Q. via mailop wrote:
Not sure what to make of this. The contents of the invite show:

Organizer
DAVID DEITHER LAURENTE QUISPE<mailto:[email protected]>
[email protected]<mailto:[email protected]>

and ayacucho.edu.pe mail is handled by 1 aspmx.l.google.com

So these aren't free accounts - spammers compromised entire tenants and created their own accounts there in order to receive mail back ?

Scott

On Wednesday, 12/11/2025 at 06:29 Hans-Martin Mosner via mailop wrote:

    On 11.11.25 at 17:25, Scott Q. via mailop wrote:

        But these seem like legitimate Google issued invites, not faked
        in any way - maybe compromised accounts ?

        Anyone from Google can chime in if you are aware of this issue ?
        We can't really start scoring/blocking Google calendar invites,
        or can we ?

    They are Google. Do you seriously expect them to care?

    Most likely the accounts used to send have been created for the
    purpose of spamming. Handing out free anonymous accounts is what
    makes Google attractive to spammers (and the fact that these
    accounts can stay active for sufficient time despite being reported
    as spam sources).

    Doing something at the receiving end is pretty difficult, as the
    difference between unwanted and wanted invites isn't clear in the
    general case. You might be able to detect URLs within the text that
    indicate unwanted stuff, and you might treat invites from senders
    who have had previous contact with the recipient as likely desired,
    but all of this is very error-prone.

    Cheers,
    Hans-Martin


_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
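
An added illustration, not part of the thread or any poster's code: a receiver-side summary of which sender identifiers an SES-relayed message like the one quoted above exposes for reputation scoring. The sample headers are constructed (placeholder domains and shortened DKIM values), and the names `ses_origin_report`, `dkim_domains`, `addr_domain` and the report keys are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the headers quoted in the thread; the
# addresses, selector and shortened bh=/b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
\ts=selector1; d=amazonses.com; t=1762981891;
\th=From:To:Reply-To:Subject; bh=AAAA=; b=BBBB=
From: Revenue Unit <billing@sender.example>
Reply-To: refunds@other.example
Feedback-ID: ::1.us-east-1.CONSTRUCTED=:AmazonSES
X-SES-Outgoing: 2025.11.12-54.240.48.34

body
"""
# Same message with a constructed second signature from the From domain.
SAMPLE_OWN_DKIM = "DKIM-Signature: v=1; d=sender.example; s=k1; b=CCCC=\n" + SAMPLE

def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header, lowercased."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].strip().lower())
    return found

def addr_domain(header_value):
    """Domain part of the first address in a From/Reply-To value, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def ses_origin_report(raw):
    """Summarise which sender identifiers a receiver can key reputation on."""
    msg = message_from_string(raw)
    from_dom, reply_dom = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    signers = dkim_domains(msg)
    # Approximation of relaxed alignment: exact or parent/child domain match
    # (a real check would compare organizational domains via a suffix list).
    aligned = [d for d in signers if from_dom and
               (d == from_dom or d.endswith("." + from_dom) or from_dom.endswith("." + d))]
    return {
        "via_ses": "X-SES-Outgoing" in msg,
        "dkim_domains": signers,
        "only_shared_ses_dkim": bool(signers) and set(signers) == {"amazonses.com"},
        "from_aligned_dkim": bool(aligned),
        "reply_to_differs": bool(reply_dom) and reply_dom != from_dom,
        "feedback_id": msg["Feedback-ID"],
    }
```

When `only_shared_ses_dkim` is true, the signature identifies only the shared relay, so the remaining per-message handles are the From and Reply-To domains and the opaque `Feedback-ID` value.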
