On 14/12/2020 11:01, Iulian Stan wrote:
Hi all,
First of all, I am writing this email from Yahoo because from my own
domain it seems it's not working, because I have DMARC set up and
apparently something (maybe ezmlm) is messing up the headers. If
you have any idea whom I should address, I will be more than happy :)
I am also receiving a lot of spam from Google (apparently the domain is
always trix.bounces.google.com) and all the spam is using Google Forms.
For me the problem is solved (meaning that all of this spam is going
to quarantine and Bayes is learning about it), but I was wondering:
1) Since the emails are coming from Google, how come Google is not doing
anything?
2) Is that spam sent manually? It would be a nightmare for a spammer
to do this, but how come there isn't any limitation coming from Google if
the spam is sent via mass-bulk programs/interfaces/etc.?
3) I am also using a local (my own) RBL which is trained with IPs from
spam. It is queried by SpamAssassin because I don't want to reject at the
MTA but use it in conjunction with other scores/rules. Now I have
doubts that if I keep adding IPs from Google I will end up having all
Google MTAs added, and legitimate email might be hurt in the process. What
do you think? Do you have any insights about this trix.bounces.google.com?
Looking at the RBL doesn't look too great, and it seems spam is actively
being sent from that domain.
4) I thought that maybe Google launched something similar to SendGrid,
but I can't find any reference about it, and also the envelope-froms are
different; I didn't find a common denominator. A few examples:
envelope-from
<3lxrkxxqobqgumoiuqttqwva.rjfiarllqitwojzivl.zcwnnqkmoajmb...@trix.bounces.google.com>
...
Also, a full example of an email:
https://pastebin.com/DW6dvdxP
To my surprise, you seem to be right. In my logs I have a number of
these (but not a huge number) over the last year, they have almost all
been blocked by SA (not using bayes) - but not blocked by earlier
defences. I have received only a handful of such mails that have passed
SA; now when I check them all definitely spam/phishing. The IPs all seem
to be Google's (within CIDR 209.85.128.0/17). I'm going to add a couple
of points scoring to anything from trix.bounces.google.com.
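As an added illustration of the approach both posts describe (score, don't reject; these are not rules from either poster), here is how the envelope-sender scoring and the local RBL can be expressed in SpamAssassin local.cf. The rule names, the 2.0/1.5 scores and the local RBL zone name rbl.local.example are assumptions for this example; replace the zone with the real local RBL and tune the scores against your own mail flow.

```spamassassin
# Add points, not a reject, when the envelope sender is in the
# trix.bounces.google.com domain seen in the spam described in the thread.
# EnvelopeFrom is SpamAssassin's pseudo-header for the SMTP MAIL FROM.
header   LOCAL_TRIX_BOUNCES   EnvelopeFrom =~ /\@trix\.bounces\.google\.com$/i
describe LOCAL_TRIX_BOUNCES   Envelope sender at trix.bounces.google.com
score    LOCAL_TRIX_BOUNCES   2.0

# Query the local (self-trained) RBL as a scored rule rather than an
# MTA-level reject, so a Google MTA listed by mistake only adds points.
# rbl.local.example is a placeholder zone for this example.
header   LOCAL_RBL_HIT        eval:check_rbl('localrbl', 'rbl.local.example.')
describe LOCAL_RBL_HIT        Relay IP listed in the local spam-trained RBL
tflags   LOCAL_RBL_HIT        net
score    LOCAL_RBL_HIT        1.0

# Only when both signals agree (trix.bounces sender AND the relay is on the
# local RBL) add a further increment; legitimate Google mail that merely
# shares a listed MTA stays below the threshold.
meta     LOCAL_TRIX_AND_RBL   (LOCAL_TRIX_BOUNCES && LOCAL_RBL_HIT)
describe LOCAL_TRIX_AND_RBL   trix.bounces sender relayed via an IP on the local RBL
score    LOCAL_TRIX_AND_RBL   1.5
```

Keeping each signal as a modest score and reserving the larger increment for the meta rule addresses the worry in question 3: the local RBL can keep learning Google relay IPs without a single listing, on its own, pushing legitimate Google-originated mail over the spam threshold. Run `spamassassin --lint` after editing local.cf to check the rules parse.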