We've taken an approach that has basically eliminated it. This exim ACL:
  # Reject unauthenticated mail whose envelope sender carries the Google
  # Groups bounce tag ("+bnc") unless the sender's domain is listed in
  # /etc/googlegroups_whitelist (one domain per line). If the whitelist
  # file is missing, nothing is whitelisted and all such mail is denied.
  deny message = Blocking non-whitelisted messages from Google Groups
       !authenticated = *
       condition = ${if match{$sender_address}{\N\+bnc\N}{yes}{no}}
       !condition = ${if exists{/etc/googlegroups_whitelist}\
                     {${lookup{${domain:$sender_address}}lsearch{/etc/googlegroups_whitelist}{yes}{no}}}\
                     {no}}
       logwrite = Blocked Google Groups sender: $sender_address
Then we have googlegroups.com as the first item in
/etc/googlegroups_whitelist. Almost all of the spam comes from different
envelope senders, like the one mentioned here. The number of Google
Workspace domains that both utilize Google Groups and cross legitimate
paths with our customers is excessively low, so the whitelist is very
tiny. It has proven to be the lesser evil.
On 2025-11-13 23:08, Hans-Martin Mosner via mailop wrote:
Am 14.11.25 um 01:03 schrieb L. Mark Stone via mailop:
You won't be the only one rejecting such emails. The sender will
likely figure it out soon enough.
No. Or rather, yes, but it's just working as designed for them.
This is a spamming organization abusing Google Groups. They are
apparently adding addresses to these groups without confirmed opt-in,
and then they are spamming them as if there is no future.
In addition, since this is a kind of mailing list, everyone sending a
"stop this spam" message is reaching all others, thus multiplying the
amount of spam messages.
Google being Google, they don't care. Do not expect any published
abuse address to reach any real person who would be able and willing
to do something about it. I've got an automated (rate-limited) abuse
reporting script which only reports one Google Group id per 5 minutes
with a text suggesting that the abused groups should be shut down to
stop this (there aren't that many). This has sent several thousand
abuse reports, so even if they only do statistical abuse handling they
should have noticed it, but there hasn't been any reaction.
What I've been doing with relatively good success (i.e. dropping the
amount of Google Groups spam to zero for my users) is this:
* Reject some recurring sender domains at the MAIL FROM stage. This
includes the mentioned "thesparklebar.com" and "shirleyaraujo.com.br".
Other domains seem to be used for a run and then dropped, I don't
bother adding them to my reject list.
* Reject all messages having one of these group ids in their
X-Google-Group-Id header field (that list may be incomplete, I'm
updating it as I find new group ids):
* In addition, the Google hosts sending Groups messages
seem to be a distinct set from those that are being used for regular
mail. You might want to track them and block them at the
router/firewall if your users don't receive legitimate Google Groups
messages. I've done that (with 8-hour fail2ban blocks) for a while but
that risks blocking legitimate mails for a few of my users.
By the way, the only living person from Google that I remember posting
here, Brandon Long, hasn't posted in some months, and he also did not
respond to my direct mail regarding this ongoing attack. Does anyone
know whether all is well with him?
Cheers,
Hans-Martin
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
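For readers running Exim like the first reply in this thread, here is an added example (not code from either poster) of what Hans-Martin's two reject rules look like as ACL stanzas: the MAIL FROM domain rejection and the X-Google-Group-Id rejection. The ACL names and the two list files are assumptions; each file holds one entry per line, and both stanzas skip authenticated submissions as the ACL above does.

```exim
# Added example, not from the thread. Assumed files, one entry per line:
#   /etc/googlegroups_sender_blocklist   - envelope-sender domains to reject
#   /etc/googlegroups_groupid_blocklist  - X-Google-Group-Id values to reject

# MAIL FROM stage (wire up with: acl_smtp_mail = acl_check_mail)
acl_check_mail:
  # Reject recurring spam sender domains before the message body is sent.
  deny message = Sender domain is on the Google Groups spam reject list
       !authenticated = *
       sender_domains = lsearch;/etc/googlegroups_sender_blocklist
       logwrite = Blocked MAIL FROM domain: ${domain:$sender_address}

  accept

# DATA stage (wire up with: acl_smtp_data = acl_check_data)
acl_check_data:
  # Reject messages whose X-Google-Group-Id header matches a listed group id.
  # The header is only present on Google Groups list traffic; the def: check
  # keeps the lookup from running with an empty key on other mail.
  deny message = Message from a blocked Google Group (id $h_X-Google-Group-Id:)
       !authenticated = *
       condition = ${if def:h_X-Google-Group-Id: {yes}{no}}
       condition = ${lookup{$h_X-Google-Group-Id:}lsearch{/etc/googlegroups_groupid_blocklist}{yes}{no}}
       logwrite = Blocked Google Group id $h_X-Google-Group-Id: from $sender_address

  accept
```

The logwrite lines give you a per-message audit trail, which is what you want when deciding whether a group id or domain has gone quiet and can be pruned from the lists.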