I got a human being at Google to look into my problem and take action after sending a police report to Google‘s legal department certified mail return receipt along with a letter describing how someone was impersonating me and my business using a Gmail address in an attempt to commit fraud.
Yes, it was a pain to take all of these steps and it probably took about 3 hours but it was absolutely necessary considering there was no avenue for me to shut down this person otherwise.
Oh that's a good idea! I got locked out of my YouTube premium account and they kept charging me. Couldn't get in contact with anyone at YouTube because the YT premium support line is behind the YT login. So I had to change my credit card number. Somehow they still kept billing the card, so the credit card company said they'd have to close my account entirely to get Google to stop billing me for a service they wouldn't let me cancel.
That's a built-in thing; Visa, MasterCard, Amex all have updater services that ensure trusted merchants get the replacement card seamlessly. This leads to annoying edge cases like yours.
BoA issued me a new card after a fraudulent charge, the next year on the same date the same fraudulent charge showed up (annual billing cycle). This happened for more than three years because after they issued a new card they updated the service that billed the fraud with the new number.
That's an uphill battle, I tried doing that with a gym once who said to cancel, I had to come in only on Tuesday in the morning when the manager was there with a certified notarized cancellation form.
You can create as many virtual cards as you want. And surprisingly, I've rarely encountered a vendor that rejects them. I set one up for pretty much every recurring service charge, just because it's so easy to do.
It costs a few hundred a year for personal banking, but if you register an LLC (which in MO costs ~$10) you can use your EIN to get a business account. Did
it a couple times, once for my non-profit and once for my consulting LLC.
Are the virtual cards credit cards or hooked up to your account (i.e. debit cards)? there's a big difference. Also, they're not a bank so FDIC insurance and other bank aspects are different. Not what I'd personally use for my long-term savings-oriented finances, but fine for more operational things.
You have to realize that once Google flips the bit on you and they think you are trying to scam them (or others via them) you are absolutely dead to them. They don't want to hear from you ever again. You're banned to hell. The fact that a billing system didn't get switched off isn't so surprising; the internal architecture of their systems is so complicated that it would take multiple human lifetimes to explain how it all works.
> The fact that a billing system didn't get switched off isn't so surprising; the internal architecture of their systems is so complicated that it would take multiple human lifetimes to explain how it all works.
There was a lawsuit about a decade ago where a company was owed about $500k in ad fraud refunds and Google kept saying they had paid it, it ended up being an incomplete part of their software that had inadvertently withheld $75 million!
Wasn't expecting this comment to go far. This took place about a month ago. For those who are interested, here is the address I sent the police report and cover letter to:
Google LLC
Attn: Legal Department – Custodian of Records
1600 Amphitheatre Parkway
Mountain View, CA 94043</i>
In the cover letter I outlined the problem and the desired remedy (shut down the gmail account and preserve IP and other information for law enforcement), and attached two other documents: an annotated printout of the email thread from a prospective victim of the scam (who sensed something was fishy and contacted me through my website) and the local police report I filed to document the attempted fraud in my name.
Someone at Google contacted me about a week later and confirmed that the account was shut down. I don't know if they did anything else regarding preserving data or shutting down any other Google services this person was using.
I also made a report to the FBI’s Internet Crime Complaint Center, although TBH it looks like a black hole that lets the feds say they are "doing something" for ordinary victims.
Having worked in compliance engineering I have also reported through the IC3 portal, and spoken with lawyers and analysts who register with FinCEN (which, to be clear, is maybe just a step beyond "My Uncle works at Nintendo...") and I have heard that those reports do get reviewed and often acted on, but yes, you will typically never hear back from them. (FinCEN has its own reporting structure, but we also submitted certain reports through the IC3 portal as well.)
Honestly, the "acted upon" part needs to be highlighted in tangible ways, otherwise people will be suspicious that nothing ever happens to our reports, leading to fewer reports being submitted.
During the IC3 reporting process I was asked to submit the name of people behind the scam, if known. I knew one of them because the scammer asked for a wire transfer to a named account at a bank in Oregon. Probably a mule.
Does anyone at the FBI or other agencies actually do anything with this information, such as contacting the bank in question or correlating it with other investigations? That's what I would expect if law enforcement were serious about enforcing the laws on the books. But there is no indication that anything happened, other than a confirmation number being spit out on a web page that my report had been received. That's why I made the "black hole" comment earlier.
If the IC3 portal highlighted specific cases or stats ("thanks to reports submitted to IC3, n investigations were initiated/suspects charged/convictions secured") that would really help convince ordinary victims that the government is taking tangible steps to fight this scourge of small-scale scams and frauds that affect millions of people every year.
There are strict rules about not talking about open investigations because of so-called "Tipping-off" rules. It can carry some pretty serious penalties - jail time, fines. I agree it would be nice if the FBI itself made some announcements about these sorts of things, and they might do that in aggregate, but if you're a bank or fintech employee and you're in communication with the FBI you absolutely cannot say anything about it. Even confirming that an investigation existed could be penalized.
> Even confirming that an investigation existed could be penalized.
I didn't know that. But that is another point that could be highlighted on the IC3 homepage or confirmation, along with aggregated data about enforcement actions resulting from submissions from ordinary victims.
My assumption is that they at least have an intern read them, but only act on reports likely to lead to major cases, for some value of "major" that includes cases where terrorism, large sums of money, or Important People are involved, or more generally cases that could lead to seriously good/bad PR if pursued/ignored.
De minimis non curat FBI.
They may also flag certain cases to be passed to other relevant authorities like FinCEN, the Secret Service, the Postal Inspection Service, various military investigative services, or even the intelligence community (assuming NSA doesn't already intercept the mailbox which would be a very reasonable thing to do).
"Acted upon" in these sorts of bulk data contexts typically means "charge them for an extra count when we pick them up for something else".
It's like the internet crimes version of putting the serial number of stolen property in a police report. They ain't looking for it, but they'll tack the charge when they inventory a crackhouse bust and that number pops up stolen.
They aren't dedicating serious resources to speculatively looking at the reports and trying to assess patterns like some TV cop looking at a series of dead hookers and saying "aha we have a serial killer on the loose".
Yes, they could easily spin up another gmail address.
The other part of the scam involved sending money to a bank account in Oregon with someone else's name attached to it. I notified the bank in a similar manner and hope they shut it down (not confirmed; my next step is to notify the Oregon banking regulator about the incident).
The hope is that once the bank account and gmail account are shut down the scammer will stop or move on. But I am concerned this could be a whack-a-mole problem that doesn't go away.
You can't send high volume through new accounts. Usually when a gmail account is being used for real spamming, it's an established one that's been taken over and the spammers are just discharging the accumulated reputation of the account.
> Usually when a gmail account is being used for real spamming, it's an established one that's been taken over
My incident is unlikely to be a real account being taken over. The name format was "firstnamelastnameofficial@gmail.com" and I have a somewhat rare name ... probably well under 40 people worldwide with the exact spelling.
No, I did not identify myself as a lawyer. I just wrote the letter as a victim of a scammer using Google services to impersonate me.
But I was careful to use certified mail return receipt as google’s legal office knows that this can be used for documentation and proof if the case ever goes further.
In other words, having a paper trail is more likely to get acted upon.
I gave up on trying to report abuse to Google, Amazon or Microsoft. It seems reports simply get ignored and the big providers do nothing. I hope the FSF with its weight and media presence can finally do something.
Google, Microsoft, and Amazon are my major sources of spam. These days, this is where spam comes from.
At this point, they are also too big to block. We allowed this to happen, through neglect and laziness. Even in this discussion: how many people use Gmail as their primary email service?
On YouTube I reported bot accounts for a couple days, the only reaction I got was that at some point it showed a popup that told me too many false reports would lead to a ban. Not sure what Google gets out of it, but there is no way they could be that bad at fighting bots unless they're not even trying. Even trivial tricks like copy-pasted texts keep working.
Google makes loads of money through scam ads and fake/AI slop videos. Anyone trying to get in the way of that is putting Google's profits at risk, hence why they shut down legitimate accounts but scammers just run free.
They're not trying. I've seen an advertiser remain active for months with literally tens of thousands of ads where clicking them directly downloads a malicious exe file that most antivirus scanners flag.
Tech support scams still?! I don't even understand how this is possible. If Google wanted to they could come up with the tech to bypass the spam/scammers own ghosting system. They must have some kind of invisible Google bot that checks for downloads/scams, right?
Phone providers should also be detecting this with AI. There is no way this should be occurring anymore.
They're definitely not trying - in any form. I run a marketplace for dogs (i.e. craigslist for puppies & dogs) and scammers are always trying to post fakes ads. They always use Gmail accounts. Every time I ban a gmail address, they scammers will just get a new one. Same scammer/person has created thousands of gmail accounts and Google doesn't care. I have reported this to Google. For the amount of info Google has on people, trivial for them to prevent some of this.
We had that issue of someone advertising fake clones of our sites specifically to push fake malware ridden payloads. We only got it handled by bugging internal contacts at Google. It sucked and worse we had to bug them for weeks because the attacker was churning through multiple domains and probably over 100 breached Ad accounts by the time they stopped
This is called a monopoly. I know people who run their own mail servers to be as independent as possible. Ironically, they show up as spam in Gmail all the time because "This message is similar to messages that were identified as spam in the past." Meanwhile, it's a fucking simple one paragraph message to a programming mailing list. They have to wrestle with DMARK or choose not to as they feel DMARK is playing into the hands of the monopolies giving them too much influence and power over something as simple and fundamental as email.
If you’re not capable of setting up DMARC correctly then it’s a safe assumption you aren’t capable of adequately securing your email server. Which is even easier to mess up with much higher consequences. Even if you are not intending to be a spammer, if your server gets pwned you will become an unwitting one.
I set up my orgs SPF/DKIM/DMARC (we self host, they have feelings about corporate data sovereignity...) it look about 30 min having never touched them before, and maybe another 15 to write an ansible playbook to rotate the keys.
We do have a _tremendous_ amount of spam fail these checks, as well as a few legitimate organizations.... Some of our peer companies have sent out notices that they will bounce anything that fail these checks in the coming years, and we're probably going to to do the same before too long.
Google suspend email accounts that get lots of spam reports. It happens a couple of times a year for salespeople in my company who use Gmass (a bulk email sending tool).
I mention it only as a useful data point, and in the absence of anyone else on the thread mentioning that Google have robust email abuse monitoring.
Was going to say there’s a good reason lots of people use services like mailchimp now. You’re not sensibly managing it yourself with the current (very sensible) regulations in the US / EU, nor do you want to be sending from your own domain en masse.
Mailchimp and other legitimate services (other than salesforce, which is best just blocked) don't permit spam, whereas gmail and outlook don't give a fuck unless the spammer gets a large amount of abuse reports.
Certainly mailchimp and the like make things simpler, but the price can be quite high.
No, it's valid for me, and I just verified. In spam filter for past month: 0 mailchimp. In valid emails: 6 emails from a service that I signed up for via mailchimp.
Checking my received emails for mailchimp I see a whole bunch of legitimate emails, including for flightschedulepro which uses it. I also see replies to my abuse reports to mailchimp saying the problems have been addressed.
Yes, I used to agree with that, but have since given in and accepted that most companies (except mine and a handful of others) will spam all customers who buy a product without asking them first.
It's a little irritating, although I reserve full enmity for the spammers who I've never interacted with ever.
> Marketing is only spam when it isn't previous customers, or people who have specifically opted in.
Yes, this excludes any people, customers or otherwise, who did not knowingly and willingly opt-in to specifically receive marketing emails / promotional emails / any other unnecessary emails.
A good heuristic is: if somebody receives an email from you that they do not want, there's a good chance you're spamming them: maybe by calling a marketing email, an "update" instead; maybe because you didn't make it abundantly clear to them when they opted-in that they would receive emails of that type.
I think thats a really wrong definition of spam. Spam is untargeted junk from people you don't know, who are probably hiding there real identity using fake email headers etc. If it's a legit company with legit unsubscribe options, it's not spam.
It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
That's a spammer's definition. Everyone else's definition is that spam is unsolicited e-mail. Which covers most marketing e-mail, and not just the cold messages, but especially marketing e-mail from vendors you had interacted with in some way in the past.
> It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
They probably didn't subscribe to the newsletter, they were subscribed, or tricked into subscribing. Either way, it's spam, and legitimate companies do not mix transactional e-mail ("order confirmations, e-tickets, etc.") with marketing e-mail.
FWIW, I'm one of such people clicking "mark as spam" on marketing e-mail, and I do it intentionally.
> It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
Don't send spam and I won't mark it as spam. I didn't sign up for your newsletter, don't send it to me. Creating an account or placing an order does not mean I agree to your spam.
I don't think your definition of spam matches the one that I understand it to mean. Spam is random email from someone you have not had contact with before firing messages to every address they can find anywhere on the web, the dark web, etc. Or if you ask not to be added to a mailing list and are added anyway. They often use fraudulent tricks to try to get the email through filters, such as fake from addresses.
Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them. That's legitimate marketing emails. You might argue they also shouldn't exist, but they are a different category.
I get plenty of the second from mailchimp (it's what they do), almost none of the first. Marking the second kind as spam, rather than clicking the unsubscribe link is dangerous because it teaches your anti-spam filter to reject messages from legitimate companies. You might find that if they need to contact you for a genuine reason e.g. a reciept for a future transaction, the message is blocked.
> I don't think your definition of spam matches the one that I understand it to mean. Spam is random email from someone you have not had contact with before firing messages to every address they can find anywhere on the web, the dark web, etc. Or if you ask not to be added to a mailing list and are added anyway.
I don't get _only_ this from Mailchimp, but I definitely get quite a bit of this from Mailchimp, Sendgrid, and others. I've marked it spam, reported it to them (no response), and continued to receive the emails.
I can be kind of scatter brained and generally give the benefit of the doubt, but sometimes it's pretty clear that, e.g., I most definitely did not sign up with some accountant in a different country, in a place I've never been to, to receive reminders of tax deadlines that don't apply to me and offers of accounting services I can't use. Or if I somehow did, the signup was deceptive enough that they never received meaningful consent and I'd call it spam anyway.
(And the email they're sending this to is not some easily confused gmail address or a fat finger--it's my own name at my own domain.)
Having valid contact details or an opt out on their sign up form isn't relevant given I never signed up. It's _unsolicited_, _bulk_ email. It's spam.
I get plenty of Mailchimp spam from people who have bought email lists and added me to their newsletter. It’s against their ToS, and I always indicate that I did not sign up for the list when I unsubscribe. Maybe it does something.
* Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them. That's legitimate marketing emails. You might argue they also shouldn't exist, but they are a different category.*
No, they’re all spam. It’s just that some spam is significantly worse than others.
Edit:
this just reminded me of an interaction with a customer when I worked at a dialup ISP over 20 years ago. We would routinely get abuse reports about spam coming from our network that would turn out to be a family computer with a virus. We would disable their account until we got ahold of them, and then help them run antivirus or redirect them to a local shop to fix it.
But this one time my boss is like “Hey you wanna pretend you're the email manager? We have an actual spammer sending ads for a local business through our smtp servers”. We were all laughing at the audacity of it, they were sending thousands of the same message out, I think it was for a tackle shop.
When I called the guy to let him know why we disabled his account he immediately got angry at me, I vividly remember him saying “It’s not spam, it’s for a business!!” I explained to him that it doesn’t matter, it’s just as bad, and could get the whole company blacklisted from sending emails. Turns out his friend owned the business, and convinced him to install something that sent emails through outlook express.
The reason I got that duty is because I had no problem being confrontational back then. I remember telling him that I think he should be fined, and permanently banned from the internet. But that we’ll only let him back on if he uninstalls the thing.
He called back indignantly asking why we were allowing some other spam. I had to explain that it was from another network, and we’re trying to stop it, and that if every ISP were like us then it would barely be a problem.
I wonder if that business spams through google now.
> Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them. That's legitimate marketing emails. You might argue they also shouldn't exist, but they are a different category.
Yes it is. Using a dark pattern to trick me into signing up doesn't make it not spam. It's still spam.
I disagree, I get plenty of spam from Mailchimp. Spammers seem to be able to add email addresses to Mailchimp without verification, and they just keep making new accounts/"campaigns" to re-add my email addresses.
Legitimate companies like to not provide the legally-required opt-in flow and assume consent without ever enabling or disabling a consent checkbox. That is spam too.
It's on Mailchimp to not take business from companies that abuse their system. If they get flagged as spam and their other customers have delivery issues because of that, I see that as a feature, not a bug.
> I don't think your definition of spam matches the one that I understand it to mean. Spam is random email from someone you have not had contact with before firing messages to every address they can find anywhere on the web, the dark web, etc. Or if you ask not to be added to a mailing list and are added anyway. They often use fraudulent tricks to try to get the email through filters, such as fake from addresses.
I would disagree with that definition, and wikipedia and multiple dictionaries appear to agree with me; it doesn't matter how many dark patterns the company uses or whether they (claim to) let you opt out after the fact, if the message is unwelcome, it's spam.
> unsolicited usually commercial messages (such as emails, text messages, or Internet postings) sent to a large number of recipients or posted in a large number of places
> Spam is random email from someone you have not had contact with before firing messages to every address they can find anywhere on the web, the dark web, etc.
> </i>Or if you ask not to be added to a mailing list and are added anyway.*
> Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them.
There's a HUGE grey area between the random unsolicited emails for scams and legitimate business partners where I forgot to check the opt out. I get almost none of the first (spam filters are pretty good at keeping Nigerian princes from getting help to access their money), and also almost none of the last (because I'm hypervigilant about opting out of email and cookies and all that trash), so all the spam I get is from "asked not to be added but added anyways".
Most of those are coming from Mailchimp and similar services. I'm sure that if I could take the senders to court and disentangle their web of parent companies that had my email in the web form for 10 seconds before I opted out and they sold it to each of their 20 daughter companies and partner organizations, and then I received the first "legitimate marketing email" (LOL! LMFAO!) and unsubscribed from that (which will take effect in 20 business days) so now I'm only subscribed to 19 new mailing lists from that company and also the dozen other organizations they're a part of, until they pivot to a new marketing agency which - oopsie! - forgot about my opt-out request.
That's Mailchimp's business model and the way that the entire "legitimate marketing" economy works, but I still consider it spam.
I guess you can only report spam through the gmail web interface which the FSF aren't using (because they're not using gmail, for obvious ideological reasons).
I did some tiny digging because I remembered that there is a way to report individual messages in a structured machine readable way to abuse@ for these things --- i suspect that this is technically supported by gmail (if not given a lot of signal weight)
Shows you how to use googles thing if you are a sender to know if @gmail folks are reporting you. It doesnt address what to do if someone's @gmail is doing this to you (a workspace custom domain yes)... @gmail are rate-limited to a few 1000s per day per gmail address but this is still a lot obviously
But only in Gmail then? Where is it possible to report a spam from a Gmail address received on a non-Gmail inbox?
Google is being a real PITA as the receiving side for people who try to self-host their mail or who use small providers. They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
Basically, there is no standard beyond the ages-old requirement to have abuse@ and postmaster@ email addresses that react to such reports. Which Google doesn't follow at all, you just get redirected to some useless web form which requires a Google account and the sacrifice of a goat.
It is entirely Google's fault, and they should be shunned for it and their emails dropped. But unfortunately, they are too big for that by far...
>They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
Eh? They do tons in anti-bot detection. But the value in exploiting and using Google's service is extremely high so bot authors are increasingly getting creative. Google stops running Gmail and simply another service becomes a high value target.
At least Microsoft fixed their Azure abuse after 10 years of not giving a fuck. It used to be stupid fucking easy to setup a trial O365 tenant and spam the fucking internet through "onmicrosoft.com" domains. And they let that go for 10 years.
How would it even be possible to name a service "Google helpdesk - password reset" or something like that, without being insta banned? Obvious fraud in the making, not getting recognized?
No, you don't understand. The people at my company are auto-opt-in premium-communication value-add customer-relationship-establishment specialists. But otherwise, I agree with you: everyone else is a spammer.
Somewhat related to spam coming from Google servers, maybe someone can shed some light on what could be the motivation behind this activity:
In recent months I'm seeing instances where random personal mail accounts on a server I run would receive a barrage of mail in a short amount of time.
Mail seems to be bounced via Google Groups - they are sent from Google's IPs and have headers like X-Google-Group-Id, List-*, etc. all pointing to Google Groups. The actual group ID changes after each individual instance of this. However when I actually check e.g. the List-Archive URL, the group appears to be already been deleted.
The content of mail looks like it originates from various (legit-looking) random public web services, support requests, issue trackers, web contact forms etc. For example, a common reoccurring one is Virginia Department of Motor Vehicles (as in something like "thank you for filing a document #123 with us").
No apparent phishing links, no attached malware, no short advertisements snuck into a text field etc. Just automated replies from "noreply@"-type addresses.
It does not seem to be the case of trying to hide another attack (as discussed here for example: https://news.ycombinator.com/item?id=47609882) - over many instances I've not seen any other malicious activity. And this mail is filtered out easily enough based on Google's headers.
It all looks like there is some bot that a) creates a Google group and subscribes (one or more) random email addresses to a Google group and then b) enters the group's mail address into a bunch of random web forms that then send their automated responses to the group.
What could be the motivation for this? After the fact it's filtered pretty easily based on headers. It's not nearly enough volume to DoS the server. But why would someone go through the trouble of setting this up?
Yes. I got the same issue… and when someone replies, all users in the mailing list receive it… that’s why I would see a ton of replies saying please remove me from your mailing list. Very annoying. The only solution I found was to create an inbox rule to reject those, as I couldn’t unsubscribe
I just block the group address on the MTA, but it doesn't matter. In all instances so far when it came to my attention the group was already deleted. Next time they will use a different group and I don't want to blanket ban all Google Group mail for my users.
It's not even that much of a hassle. What worries me is that I don't understand why someone would go through the trouble of doing this for no apparent benefit. I hope I'm not somehow unknowingly enabling some sort of an attack on any of the entities sending these automated replies.
This is almost certainly subscription bombing / email bombing. The goal is to flood someone's inbox with hundreds of legitimate-looking automated emails so they miss a real one - typically a password reset confirmation, a purchase receipt, or a "new device login" alert. The actual attack is happening on some other service where the victim has an account. The fact that you don't see it on your server doesn't mean much, the target is the victim's primary inbox elsewhere.
My thinking so far against was 1) after a few months I'm pretty sure I would hear about the real attack 2) Repeating too frequently. People aren't getting hacked all the time (I hope).
But who knows? Now I'm thinking that maybe some other step in the attack is failing and maybe the attackers just trigger the email bomb part pre-emptively in case they actually succeed in resetting the password/purchasing/whatever.
I have been observing this for the last 2-3 years (4 postfix servers sysadmin)
Gmail cannot be whitelisted anymore: spam, phishing,...
On the other hand, if your users redirect twitter or linkedin notifications from their domain to a gmail account, Google claims you are sending too fast and is suspicious (and throttles or blocks ip).
Rhetorical question- but what is it going to take for the IT Community to start treating Gmail and the rest of the "too big to block" as adversarial entities and actually block them for their bad behavior. Pie in the sky I know.
Microsoft refuses to deliver legitimate emails to hotmail.com addresses so I tell clients how it is.
I’m not jumping through hoops when I’m not doing anything wrong. SPF, DMARC, DKIM, IP address not on a blacklist, and I send zero spam. Only human-written client communications 1:1.
So, my clients with hotmail.com addresses don’t get emails from me. I can call them, they can call me.
No such thing. And if you just want to assign anybody who works in IT to it in order to create the concept of such of a thing, a large percentage of this community would work at Google, a company that depends on Google, or a company that has the same attitude as google.
So it's less pie in the sky than nonsense. People don't talk about things changing in the physical world without talking about force, mass and inertia, but when it comes to people, the theory of power just evaporates and we start wishing for things to spontaneously happen because we've declared that they should happen.
With some weird definition of "should" which relies on our personal conception of the world. In the physical world, we say something "should" happen when we expect it to happen based on our theories of how the world works. With people we say things "should" happen when we personally want them hard enough.
There was a time before Google when various mailing lists of grumpy sysadmins in key institutions could decide the fate of a new mail sender, internet-wide. But yes that "internet community" is small fry now, and can only cut off their own noses if they don't like Google's mail policies.
Before Google, AOL were the previous big-beast mail host, and they did provide some tools to help diagnose why you couldn't get through to their users. It still felt like there was more of a balance of power towards the grumpy sysadmins.
I was getting spam called constantly every 5 minutes (blocked by Google call screening) and the attackers made an error if sending a message with their AWS bucket url. I was able to submit an abuse report to Amazon and puff Amazon dismantled the entire spam group. No more spam since then.
Maybe try saying the spam has porn or inappropriate images?
gmail, outlook and salesforce create about 90% of the spam that gets through blacklists. Salesforce is simple to fix: I just block anything from salesforce from our network, as it just seems to be 100% used by spammers. Gmail and outlook are the major problem, as there is no way of addressing their spam issue.
Although they does have proper abuse policies and do take action against spammers. I don't get any spam from them (except perhaps the very occasional one), and I know businesses that use mailchimp and similar services for valid marketing (to previous customers). Just looking through my received mailbox, I see many legitimate emails from mailchimp.
I'm not denying that they are sometimes used by spammers, but they are definitely a legitimate operation that takes action against spammers if you report them.
In my experience, everyone got their act together except Google. I also used to receive massive amounts of spam from Azure and Sendgrid but this eventually stopped. Now 80% of the spam I receive is from the Google network, mainly Google Cloud.
Why do you interpret that as everyone except Google getting their act together?
The obvious (and correct) explanation is deliverability. Spammers send from Google services because they can inbox, they don’t send from other services because those services will not inbox successfully.
I'm getting a lot, and I mean A LOT, spam recently from various "<IP in reverse notation>.bc.googleusercontent.com" domains. Not sure what can be done about that. But the uptick is very noticeable.
What if someone (Google) used Google suite to send 10k emails to fire people. Wouldn’t that be considered normal for the server for a day let alone a week. Yes I know I could have come up with a better example.
The example was given to say you could be a gsuite customer and have 10k emails a week be very normal. Something that wouldn’t trigger any alarms unless set. The alarms would probably be set on a curve. Something unusual would be far off the curve.
I'm not sure it actually is. Free Gmail is limited to 500 emails a day, but Workspace accounts are allowed up to 2000, so this this spammer has to be using a Workspace account.
I've worked at a start up where the marketing team just had a `marketing@startup.com` email that was just like any other email in Google Workspace and used that for all marketing communications. Eventually they bumped up against that limit and a couple of engineers had to help them troubleshoot and there were enough blog and stack overflow posts at the time about hitting the limit to make make me think what they were doing wasn't uncommon.
When you consider the scale of Gmail and that this is almost certainly a Workspace account so they're mixed in with business customers, I'm not sure how much of an anomaly 10k emails a week actually is.
Yeah, you are using the wrong tool if you send your newsletter from a gmail account at that scale. You can get away with a few tens of people, perhaps a few hundreds.
Above that threshold you should use tools like moosend, benchmarkemail, or similar. And they ask a pretty penny when you reach that scale.
Anyone getting hit with (Google) AppSheet-originating recruitment emails? Very well done. Imitating the biggest US brands.
Have reported AppSheet to FCC after seeing Google wasn't doing enough--same scam email format, same inbox-landing pathway, but still irked.
Also try forwarding the emails to the phishing emails of the misrepresented brands, when they have an address for it. Figure they're the ones who have any power.
It honestly is a bit dissapointing that most of the internet's "infrastructure" is tied up in large corporations that just get money for free by being the only provider and face little to no backlash (because of their monopoly) when they neglect things like basic customer service.
They aren't a monopoly, and especially not a monopoly on emails.
How did we get to the point where there can be 12 services, but the one with lots of customers is a "Monopoly". Its a complete destruction of the word. They aren't killing their competitors, nor making it illegal to compete. Yeah its harder in the current era to run your own mail server, for a variety of reasons involving spam. But can we just cut the shit on calling literally every company with more than 100 employees a Monopoly?
Most of the problems people have spinning up their own email servers, like getting blacklisted by the big boys, are less bad societally than actually accepting and routing the quantity of spam they are blacklisting. Does it benefit them? Kind of. But its not anticompetitive in any real sense. These restrictions are obvious and basic. If you really wanted to, you could spend a significant, but in the grand scheme of things small, amount of money to break into the same game.
I mean theres a non zero chance that if Google, Microsoft and Amazon stopped being so damn picky, the government would turn around and regulate that they do exactly what they are doing now, to resist the plague of spam that would result.
Its like getting mad at Visa and Mastercard for insisting on the PCI DSS for people they transact with. If it wasn't mandated by Visa and Mastercard, it would become government regulation (and is already referenced by regulators in some jurisdictions)
"Ooooh no Visa is being anticompetitive making me secure my environment and prove that security to a trusted third party what a terrible monopoly they have".
The point is that they don't provide the level of services required by their position, which is dominant.
When you have a legitimate problem with Google, they don't reply to you. The news here is again an example of that. The only thing you can do is abide by their rules, which often requires you to subscribe to their services or be at their mercy.
It's a figure of speech. I am not saying it is literally free. I'm being facitious. What I mean is they get money overwhelmingly because of their position in advertising and through android that essentially allows them to never worry about losing users. Who is going to going to attempt to delete their google account over poor customer service? You literally cannot access half of the internet today without a Google account.
Try running your own SMTP server for a while. Gmail holds what appears to be monopoly power and uses it quite readily. Even ISPs with "free" customer email addresses aren't nearly as onerous as google is.
Most people use Gmail because they want to, not because they have to. It's a free, superior product. Pretending voluntary preference is a monopoly is nonsense, but it is a very Mastodon-brained take.
There is a common misapprehension that the term "monopoly" can only be used when there a single supplier.
Quoting https://en.wikipedia.org/wiki/Monopoly : "In law, a monopoly is a business entity that has significant market power, that is, the power to charge overly high prices, which is associated with unfair price raises."
Or from Milton Freedman, "Monopoly exists when a specific individual or enterprise has sufficient control over a particular product or service to determine significantly the terms on which other individuals shall have access to it". https://archive.org/details/capitalismfreedo0000frie/page/12...
In the post-Borkian interpretation of monopoly, adored by the rich and powerful because it enables market concentration which would otherwise be forbidden, consumer price is the main measure of control, hence free services can never be a monopoly.
Scholars have long pointed out Bork's view results from a flawed analysis of the intent of the Sherman Antitrust act. For example, Sherman wrote "If we would not submit to an emperor, we should not submit to an autocrat of trade, with power to prevent competition and to fix the price of any commodity.” (Emphasis mine. Widely quoted, original transcript at p2457 of https://www.congress.gov/bound-congressional-record/1890/03/... ). Freedman makes a similar point (see above) that a negative effect of a monopoly is to reduce access to alternatives.
In it she quotes Robert Pitofsky in "The Political Content of Antitrust":
"A third and overriding political concern is that if the free-market sector of the economy is allowed to develop under antitrust rules that are blind to all but economic concerns, the likely result will be an economy so dominated by a few corporate giants that it will be impossible for the state not to play a more intrusive role in economic affairs"
Even if you support the Borkian interpretation, you should still worry about the temptation for the US government to "play a more intrusive role" with GMail accounts. I strongly doubt Google will follow Lavabit's lead and shut down email should the feds come by with a gag order to turn over the company's private keys.
No, they got it by Gmail being a loss leader paid by Google AdSense in the search engine. Now they have AdSense in Gmail directly, so I guess it pays for itself.
No, we should be mad at Google or any other BigTech taking over a big enough chunk of a federated system to basically dictate what can be sent/received and what not. With no human in the loop if you don't agree with their decisions.
AT&T was once broken up and then after that you could connect a modem to a phone line. The whole public use of the Internet is a consequence of breaking up a “superior product” that became a bloated market incumbent resting on its laurels.
I don't know if it's that simple. As a litmus test, try to set up your own mail server. See how many milliseconds it takes for it to be blacklisted by gmail. And then observe the response time for their support, when you try to clear up the confusion that google has about your intentions.
I find there are three peopls who comment about hosting email. A small group like us who set it up correctly and never have problems. A larger group who set it up but get the dns wrong and warn people not to. And a third bigger group who never tried but listen to the second group and always comment that you'll have 1% deliverability
It was dead-nuts simple in the 1990s: Just learn enough about DNS to put in an MX record that points to an A record, get sendmail working, and have it begin delivering mail. The end. (Open relay? No spam filter? No virus scanning? No nothin'? Yeah, that kind of was the style at the time...)
It's got a lot more steps today, but it's still do-able. Operationally, keeping a mail server online and treated well just takes one or two people to spend a little bit of time occasionally to stay proactively ahead of new expectations and requirements instead of reacting to them after things change.
It also helps if Carla, from marketing, doesn't wake up one day and decide to spam the entire customer list without asking for guidance first. Maybe I should have put some automatic mitigation into place for that, but whatever: We chatted about that and it never happened again.
(Or at least, I find that to be true with smaller companies. Bigger ones obviously may require more elaborate systems to handle more volume and/or provide better uptime. But the requirements of keeping the reputation up are about the same regardless of scale, and that still only takes one or two people to pay attention to things sometimes. [And the only reason two might be required is in case one of them gets hit by a bus.])
I've built mail servers before Gmail existed that lasted long enough to get blacklisted by Gmail.
Fixing it was always pretty simple -- or at least, non-mysterious. They'd bounce some things, I'd look at the headers of the bounced messages, and therein were links to instructions there that showed how to resolve whatever issue it was this year.
Just follow the steps, implement the new thing, and stuff started flowing again in rather short order. Not so bad.
IIRC, the only time it ever cost us any money was when the RBLs started keeping track of dynamic IP pools and we needed to finally shift over to something actually-static.
> How much customer support resources should someone reasonably expect
Zero. OTOH, since I'm sure they are training on emails and archiving/profiling everything forever even if we delete messages.. those constant threats to become a paying customer before hitting some arbitrary small quota are still villainous
Maybe it's only legacy, but gmail brings customers to Google and their related services. Escalation then brings them on as paying Customers. As loss leader may make a loss if looked at in a bubble, but if looked at as part of the "Customer Lifecycle" then other areas of profit would likely be much smaller without the free gateway.
It takes me active resistance to avoid Google's paid services, and I'm staunchly independent in relatively rare air. The minor capitulation required to turn into a paying Customer would capture a good percentage of their erstwhile-free gmail users (I would think. Yes, conjecture, interested in explanations of alternative theories).
We might not be paying money, but we don't know what happens to our private data.
Maybe it's not used at all, maybe used just internally, maybe could be even sold.
Data of millions of users is very very valuable, even just thinking about how much targeted adverts could be placed with it.
Increasingly of the opinion that "free service with no support that's structurally essential for an economy" is some kind of trap. Possibly just the most comfortable kind of trap, a local optimum from which it's difficult to escape.
This is starting to become important as countries (very unwisely!) start tying things like national ID and banking to smartphones.
I've been using SpamCop for years (decades?) but lately I've been wondering if they're still relevant.
One example: they seem to have a size limit of 50KB when you report a spam mail via their web form. I've received quite some spam that exceeds that because they use base64 encoding of the body, add non-visible filler content to drown out the actual spam/phishing message, etc.
SpamCop suggests to cut off the message and still process it but then they miss e.g. the link to the phishing website and thus they can't send out a report for that.
Speaking of phishing links: a lot of the phishing mails I receive, link to some account on storage.googleapis.com. I've seen mails with links to the same account for weeks on end before they switch to a different one, implying that these links remain online for a long time. You would think that marking such mails as phishing in GMail (they are already flagged as spam) would get them on some kind of radar but apparently not...
(I haven't run my own mail-server in a while. It's getting harder and harder.)
Are the real-time-blackhole lists still a thing?
If they're regularly allowing spam and not responding to reports in any sort of timely manner, possibly they should be reported to those.
Not going to work though, is it. Too big to fail shouldn't be a thing. It's not like you can't be flexible about it or give them some room to deal with it within corporate policy; but they do need to deal with it, right?
Realistically, I think some companies have outgrown the size where internet can still self-regulate them. You'd hurt yourself more than gmail.
This either needs laws or new game theory.
Or -you know- deprecate the current email system. I know that's a perennial proposal; but that's because every year it gets even more broken in even more interesting ways. It's patch-on-patch-on-patch at the moment. Just spinning up sendmail on a random box won't quite cut it anymore, if you want to participate.
I wonder if they do not take this kind of thank that seriously so to encourage the paid tier for storage. I am teetering nearer my end to the free, mostly from all the emails over the years.
Had Google trying to send me mails to non-existing mail-addresses over months. You would think their logs might catch something like that or they would react to my complaints ... they don't and they just dont care.
It sometimes stops for weeks, then it continiues.
from my logs as an example:
Nov 13 22:10:51 bert postfix/smtpd[2693931]: NOQUEUE: reject: RCPT from mail-oi1-x248.google.com[2607:f8b0:4864:20::248]: 450 4.1.8 <ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com> to=<rmayer13@nerd-residenz.de> proto=ESMTP helo=<mail-oi1-x248.google.com>
Nov 13 22:12:07 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-ua1-x948.google.com[2607:f8b0:4864:20::948]: 450 4.1.8 <ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com> to=<rmayer1000@nerd-residenz.de> proto=ESMTP helo=<mail-ua1-x948.google.com>
Nov 13 22:12:18 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x346.google.com[2a00:1450:4864:20::346]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayer13@nerd-residenz.de> proto=ESMTP helo=<mail-wm1-x346.google.com>
Nov 13 22:12:37 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lf1-x146.google.com[2a00:1450:4864:20::146]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayer333@nerd-residenz.de> proto=ESMTP helo=<mail-lf1-x146.google.com>
Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 <hc+bncBDO2ZDH5DIIOXB6ZZADBUBB2QEZ74@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<hc+bncBDO2ZDH5DIIOXB6ZZADBUBB2QEZ74@zf.thesparklebar.com> to=<rmayer@nerd-residenz.de> proto=ESMTP helo=<mail-lj1-x248.google.com>
Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x345.google.com[2a00:1450:4864:20::345]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayerrmayer@nerd-residenz.de> proto=ESMTP helo=<mail-wm1-x345.google.com>
Nov 13 22:14:03 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayera@nerd-residenz.de> proto=ESMTP helo=<mail-lj1-x248.google.com>
As you can see, the to-address is generated and its different hosts at google trying to send mails.
Searching for zf.thesparklebar.com shows others having the same problem.
Ah yes, the tried and true method of getting into contact with someone at google: sending a blast to social media for an actual human, because Google literally makes it impossible to talk to anyone at all. Worst customer support in all of tech.
Good luck. These big tech companies have no incentive to care about support or really anything that isn’t tied directly to making money. And unless you have a friend there, Google staff have no incentive either. Solving this won’t help with their promotions.
I think there are lots of people that will see this story that either work at google or know someone who does, and I bet it will lead to their issue getting fixed. The squeaky wheel gets the grease.
It would help if they provided literally any way for a squeaky wheel to squeak at them aside from squeaking at the employees with a modicum of dignity (if they still exist)
> Google staff have no incentive either. Solving this won’t help with their promotions.
I don't think people appreciate that this is really the key observation here. In large institutions, for anything significant to happen, there have to be incentives and alternatives, and these are set by management. Management in turn usually cares about their incentives, and the company overall mostly cares about the bottom line and the financial reports.
As a result, this is unlikely to get addressed, unless there is significant pressure, like media coverage, people mass-resigning from Gmail, or major email servers blocking Google. But none of these are likely to happen.
This is a plausible explanation based on the amount of fraud tolerated in other parts of their business. But it's probably going to cost you more than one Workspace subscription.
I got a human being at Google to look into my problem and take action after sending a police report to Google‘s legal department certified mail return receipt along with a letter describing how someone was impersonating me and my business using a Gmail address in an attempt to commit fraud.
Yes, it was a pain to take all of these steps and it probably took about 3 hours but it was absolutely necessary considering there was no avenue for me to shut down this person otherwise.
Oh that's a good idea! I got locked out of my YouTube premium account and they kept charging me. Couldn't get in contact with anyone at YouTube because the YT premium support line is behind the YT login. So I had to change my credit card number. Somehow they still kept billing the card, so the credit card company said they'd have to close my account entirely to get Google to stop billing me for a service they wouldn't let me cancel.
That's a built-in thing; Visa, MasterCard, Amex all have updater services that ensure trusted merchants get the replacement card seamlessly. This leads to annoying edge cases like yours.
https://stripe.com/resources/more/what-is-a-card-account-upd...
You can sometimes ask your bank to issue a card and not ping the updater service, but tier one support tends… not to know about it at all.
BoA issued me a new card after a fraudulent charge, the next year on the same date the same fraudulent charge showed up (annual billing cycle). This happened for more than three years because after they issued a new card they updated the service that billed the fraud with the new number.
Did you try to demand a charge-back every time?
That's an uphill battle, I tried doing that with a gym once who said to cancel, I had to come in only on Tuesday in the morning when the manager was there with a certified notarized cancellation form.
The idea of a chargeback against Google/Apple/Amazon and their response being a permanent ban of all my accounts is a bit terrifying.
Switch to Mercury banking. https://mercury.com/
You can create as many virtual cards as you want. And surprisingly, I've rarely encountered a vendor that rejects them. I set one up for pretty much every recurring service charge, just because it's so easy to do.
It costs a few hundred a year for personal banking, but if you register an LLC (which in MO costs ~$10) you can use your EIN to get a business account. Did it a couple times, once for my non-profit and once for my consulting LLC.
Are the virtual cards credit cards or hooked up to your account (i.e. debit cards)? there's a big difference. Also, they're not a bank so FDIC insurance and other bank aspects are different. Not what I'd personally use for my long-term savings-oriented finances, but fine for more operational things.
You have to realize that once Google flips the bit on you and they think you are trying to scam them (or others via them) you are absolutely dead to them. They don't want to hear from you ever again. You're banned to hell. The fact that a billing system didn't get switched off isn't so surprising; the internal architecture of their systems is so complicated that it would take multiple human lifetimes to explain how it all works.
> The fact that a billing system didn't get switched off isn't so surprising; the internal architecture of their systems is so complicated that it would take multiple human lifetimes to explain how it all works.
There was a lawsuit about a decade ago where a company was owed about $500k in ad fraud refunds and Google kept saying they had paid it, it ended up being an incomplete part of their software that had inadvertently withheld $75 million!
https://www.businessinsider.com/google-emails-adtrader-lawsu...
More often than people would like to admit, Google IS the scammer...
Sadly you are right. They are billing my Euro charges from a UK (non Euro) bank, which adds 2% money exchange fee on everything.
Wasn't expecting this comment to go far. This took place about a month ago. For those who are interested, here is the address I sent the police report and cover letter to:
Google LLC
Attn: Legal Department – Custodian of Records
1600 Amphitheatre Parkway
Mountain View, CA 94043</i>
In the cover letter I outlined the problem and the desired remedy (shut down the gmail account and preserve IP and other information for law enforcement), and attached two other documents: an annotated printout of the email thread from a prospective victim of the scam (who sensed something was fishy and contacted me through my website) and the local police report I filed to document the attempted fraud in my name.
Someone at Google contacted me about a week later and confirmed that the account was shut down. I don't know if they did anything else regarding preserving data or shutting down any other Google services this person was using.
I also made a report to the FBI’s Internet Crime Complaint Center, although TBH it looks like a black hole that lets the feds say they are "doing something" for ordinary victims.
Having worked in compliance engineering I have also reported through the IC3 portal, and spoken with lawyers and analysts who register with FinCEN (which, to be clear, is maybe just a step beyond "My Uncle works at Nintendo...") and I have heard that those reports do get reviewed and often acted on, but yes, you will typically never hear back from them. (FinCEN has its own reporting structure, but we also submitted certain reports through the IC3 portal as well.)
Honestly, the "acted upon" part needs to be highlighted in tangible ways, otherwise people will be suspicious that nothing ever happens to our reports, leading to fewer reports being submitted.
During the IC3 reporting process I was asked to submit the name of people behind the scam, if known. I knew one of them because the scammer asked for a wire transfer to a named account at a bank in Oregon. Probably a mule.
Does anyone at the FBI or other agencies actually do anything with this information, such as contacting the bank in question or correlating it with other investigations? That's what I would expect if law enforcement were serious about enforcing the laws on the books. But there is no indication that anything happened, other than a confirmation number being spit out on a web page that my report had been received. That's why I made the "black hole" comment earlier.
If the IC3 portal highlighted specific cases or stats ("thanks to reports submitted to IC3, n investigations were initiated/suspects charged/convictions secured") that would really help convince ordinary victims that the government is taking tangible steps to fight this scourge of small-scale scams and frauds that affect millions of people every year.
There are strict rules about not talking about open investigations because of so-called "Tipping-off" rules. It can carry some pretty serious penalties - jail time, fines. I agree it would be nice if the FBI itself made some announcements about these sorts of things, and they might do that in aggregate, but if you're a bank or fintech employee and you're in communication with the FBI you absolutely cannot say anything about it. Even confirming that an investigation existed could be penalized.
> Even confirming that an investigation existed could be penalized.
I didn't know that. But that is another point that could be highlighted on the IC3 homepage or confirmation, along with aggregated data about enforcement actions resulting from submissions from ordinary victims.
My assumption is that they at least have an intern read them, but only act on reports likely to lead to major cases, for some value of "major" that includes cases where terrorism, large sums of money, or Important People are involved, or more generally cases that could lead to seriously good/bad PR if pursued/ignored.
De minimis non curat FBI.
They may also flag certain cases to be passed to other relevant authorities like FinCEN, the Secret Service, the Postal Inspection Service, various military investigative services, or even the intelligence community (assuming NSA doesn't already intercept the mailbox which would be a very reasonable thing to do).
"Acted upon" in these sorts of bulk data contexts typically means "charge them for an extra count when we pick them up for something else".
It's like the internet crimes version of putting the serial number of stolen property in a police report. They ain't looking for it, but they'll tack the charge when they inventory a crackhouse bust and that number pops up stolen.
They aren't dedicating serious resources to speculatively looking at the reports and trying to assess patterns like some TV cop looking at a series of dead hookers and saying "aha we have a serial killer on the loose".
What stopped them from continuing with a new similar Gmail address?
Motivation I guess
Yes, they could easily spin up another gmail address.
The other part of the scam involved sending money to a bank account in Oregon with someone else's name attached to it. I notified the bank in a similar manner and hope they shut it down (not confirmed; my next step is to notify the Oregon banking regulator about the incident).
The hope is that once the bank account and gmail account are shut down the scammer will stop or move on. But I am concerned this could be a whack-a-mole problem that doesn't go away.
You can't send high volume through new accounts. Usually when a gmail account is being used for real spamming, it's an established one that's been taken over and the spammers are just discharging the accumulated reputation of the account.
> Usually when a gmail account is being used for real spamming, it's an established one that's been taken over
My incident is unlikely to be a real account being taken over. The name format was "firstnamelastnameofficial@gmail.com" and I have a somewhat rare name ... probably well under 40 people worldwide with the exact spelling.
Did the letter identify you as a lawyer? I wonder if Google handles it differently if it has a law office letterhead etc.
No, I did not identify myself as a lawyer. I just wrote the letter as a victim of a scammer using Google services to impersonate me.
But I was careful to use certified mail return receipt as google’s legal office knows that this can be used for documentation and proof if the case ever goes further.
In other words, having a paper trail is more likely to get acted upon.
I gave up on trying to report abuse to Google, Amazon or Microsoft. It seems reports simply get ignored and the big providers do nothing. I hope the FSF with its weight and media presence can finally do something.
Google, Microsoft, and Amazon are my major sources of spam. These days, this is where spam comes from.
At this point, they are also too big to block. We allowed this to happen, through neglect and laziness. Even in this discussion: how many people use Gmail as their primary email service?
On YouTube I reported bot accounts for a couple days, the only reaction I got was that at some point it showed a popup that told me too many false reports would lead to a ban. Not sure what Google gets out of it, but there is no way they could be that bad at fighting bots unless they're not even trying. Even trivial tricks like copy-pasted texts keep working.
Bot comments and uploads count in KPIs. Blocking/Removing bots = KPIs look worse.
Google makes loads of money through scam ads and fake/AI slop videos. Anyone trying to get in the way of that is putting Google's profits at risk, hence why they shut down legitimate accounts but scammers just run free.
They're not trying. I've seen an advertiser remain active for months with literally tens of thousands of ads where clicking them directly downloads a malicious exe file that most antivirus scanners flag.
They make money on those ads, you’re asking a mega corporation to make less money. Good luck.
Tech support scams still?! I don't even understand how this is possible. If Google wanted to they could come up with the tech to bypass the spam/scammers own ghosting system. They must have some kind of invisible Google bot that checks for downloads/scams, right?
Phone providers should also be detecting this with AI. There is no way this should be occurring anymore.
They're definitely not trying - in any form. I run a marketplace for dogs (i.e. craigslist for puppies & dogs) and scammers are always trying to post fakes ads. They always use Gmail accounts. Every time I ban a gmail address, they scammers will just get a new one. Same scammer/person has created thousands of gmail accounts and Google doesn't care. I have reported this to Google. For the amount of info Google has on people, trivial for them to prevent some of this.
Until a scammer uses some of your information then you get banned from Google with no way to appeal.
Shadowbans work much better for this purpose
Worse, they're actively working to allow malicious activity. Meta made 10% of it's revenue, around $16B from known scams: https://www.reuters.com/investigations/meta-is-earning-fortu...
Why would they? Their ad dollars spend the same, and they have no incentive to police it when they are protected by section 230.
Edit: I’m not implying this is morally right or good for anyone but Google shareholders. This is just 21st Century American capitalism
We had that issue of someone advertising fake clones of our sites specifically to push fake malware ridden payloads. We only got it handled by bugging internal contacts at Google. It sucked and worse we had to bug them for weeks because the attacker was churning through multiple domains and probably over 100 breached Ad accounts by the time they stopped
Not me, but then most people are allergic to paying $10 a month.
I figure an email is worth a beer.
This is called a monopoly. I know people who run their own mail servers to be as independent as possible. Ironically, they show up as spam in Gmail all the time because "This message is similar to messages that were identified as spam in the past." Meanwhile, it's a fucking simple one paragraph message to a programming mailing list. They have to wrestle with DMARK or choose not to as they feel DMARK is playing into the hands of the monopolies giving them too much influence and power over something as simple and fundamental as email.
DMARC isn't really that big of an issue to wrestle with, and I don't see how it gives anybody influence or power.
The thing is, it's a mess to set up if you are not doing it correctly - which is all too easy if you are not doing this day-to-day.
Spammers however, they have an economic incentive to have experts set up SPF, DMARC and all the other crap to appear legitimate.
I think that this is overstated, it takes ~15 minutes to set up SPF and DMARC correctly and few people run their own email servers.
https://workaround.org/ispmail-trixie/anti-spoofing-dkim-spf...
If you’re not capable of setting up DMARC correctly then it’s a safe assumption you aren’t capable of adequately securing your email server. Which is even easier to mess up with much higher consequences. Even if you are not intending to be a spammer, if your server gets pwned you will become an unwitting one.
I set up my orgs SPF/DKIM/DMARC (we self host, they have feelings about corporate data sovereignity...) it look about 30 min having never touched them before, and maybe another 15 to write an ansible playbook to rotate the keys.
We do have a _tremendous_ amount of spam fail these checks, as well as a few legitimate organizations.... Some of our peer companies have sent out notices that they will bounce anything that fail these checks in the coming years, and we're probably going to to do the same before too long.
It's trivially easy, and absolutely valuable
Google suspend email accounts that get lots of spam reports. It happens a couple of times a year for salespeople in my company who use Gmass (a bulk email sending tool).
I mention it only as a useful data point, and in the absence of anyone else on the thread mentioning that Google have robust email abuse monitoring.
So, just to clarify, the salespeople are spamming cold addresses, or are they opted in or existing customers?
Was going to say there’s a good reason lots of people use services like mailchimp now. You’re not sensibly managing it yourself with the current (very sensible) regulations in the US / EU, nor do you want to be sending from your own domain en masse.
Mailchimp and other legitimate services (other than salesforce, which is best just blocked) don't permit spam, whereas gmail and outlook don't give a fuck unless the spammer gets a large amount of abuse reports.
Certainly mailchimp and the like make things simpler, but the price can be quite high.
This seems to be a laughable claim? I don't get anything but spam from Mailchimp.
No, it's valid for me, and I just verified. In spam filter for past month: 0 mailchimp. In valid emails: 6 emails from a service that I signed up for via mailchimp.
Checking my received emails for mailchimp I see a whole bunch of legitimate emails, including for flightschedulepro which uses it. I also see replies to my abuse reports to mailchimp saying the problems have been addressed.
Do you report any of these spams to mailchimp?
Indeed, Mailchimp is a tool specifically built and advertised to send spam.
Where does it say on their website that it is specifically for sending spam?
Someone’s marketing emails are someone else’s spam.
Mailchimp is specifically made for mass email emission, for marketing a newsletter and whatnot. So yeah, a lot of people will consider them spammers.
Spam is defined as unsolicited bulk email. Marketing is only spam when it isn't previous customers, or people who have specifically opted in.
100% of marketing email I've received is spam. I didn't knowingly or willingly sign up for any of it.
There's some delusion in the marketing world that just because someone places an order or creates an account they should be spammed.
Yes, I used to agree with that, but have since given in and accepted that most companies (except mine and a handful of others) will spam all customers who buy a product without asking them first.
It's a little irritating, although I reserve full enmity for the spammers who I've never interacted with ever.
> Marketing is only spam when it isn't previous customers, or people who have specifically opted in.
Yes, this excludes any people, customers or otherwise, who did not knowingly and willingly opt-in to specifically receive marketing emails / promotional emails / any other unnecessary emails.
A good heuristic is: if somebody receives an email from you that they do not want, there's a good chance you're spamming them: maybe by calling a marketing email, an "update" instead; maybe because you didn't make it abundantly clear to them when they opted-in that they would receive emails of that type.
I think thats a really wrong definition of spam. Spam is untargeted junk from people you don't know, who are probably hiding there real identity using fake email headers etc. If it's a legit company with legit unsubscribe options, it's not spam.
It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
That's a spammer's definition. Everyone else's definition is that spam is unsolicited e-mail. Which covers most marketing e-mail, and not just the cold messages, but especially marketing e-mail from vendors you had interacted with in some way in the past.
> It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
They probably didn't subscribe to the newsletter, they were subscribed, or tricked into subscribing. Either way, it's spam, and legitimate companies do not mix transactional e-mail ("order confirmations, e-tickets, etc.") with marketing e-mail.
FWIW, I'm one of such people clicking "mark as spam" on marketing e-mail, and I do it intentionally.
> It worries me a lot that people clicking "mark as spam" on messages from legit companies because they subscribed to the newsletter will mean that my messages with important information (order confirmations, e-tickets etc.) will get blocked.
Don't send spam and I won't mark it as spam. I didn't sign up for your newsletter, don't send it to me. Creating an account or placing an order does not mean I agree to your spam.
Mailchimp is for sending emails that people signed up to receive. If enough recipients click "unsubscribe", the whole email campaign gets suspended.
Signed up, or were signed up without their knowledge, or were tricked into signing up.
>Mailchimp is for sending emails that people signed up to receive.
that might be what it is for in a theoretical sense. but that is not how it is being used.
I don't think your definition of spam matches the one that I understand it to mean. Spam is random email from someone you have not had contact with before firing messages to every address they can find anywhere on the web, the dark web, etc. Or if you ask not to be added to a mailing list and are added anyway. They often use fraudulent tricks to try to get the email through filters, such as fake from addresses.
Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them. That's legitimate marketing emails. You might argue they also shouldn't exist, but they are a different category.
I get plenty of the second from mailchimp (it's what they do), almost none of the first. Marking the second kind as spam, rather than clicking the unsubscribe link is dangerous because it teaches your anti-spam filter to reject messages from legitimate companies. You might find that if they need to contact you for a genuine reason e.g. a reciept for a future transaction, the message is blocked.
> an opt out that you forgot to click when you signed up with them
This is the textbook legal definition of spam in any sensible jurisdiction, though.
> I don't think your definition of spam matches the one that I understand it to mean. Spam is random email from someone you have not had contact with before firing messages to every address they can find anywhere on the web, the dark web, etc. Or if you ask not to be added to a mailing list and are added anyway.
I don't get _only_ this from Mailchimp, but I definitely get quite a bit of this from Mailchimp, Sendgrid, and others. I've marked it spam, reported it to them (no response), and continued to receive the emails.
I can be kind of scatter brained and generally give the benefit of the doubt, but sometimes it's pretty clear that, e.g., I most definitely did not sign up with some accountant in a different country, in a place I've never been to, to receive reminders of tax deadlines that don't apply to me and offers of accounting services I can't use. Or if I somehow did, the signup was deceptive enough that they never received meaningful consent and I'd call it spam anyway.
(And the email they're sending this to is not some easily confused gmail address or a fat finger--it's my own name at my own domain.)
Having valid contact details or an opt out on their sign up form isn't relevant given I never signed up. It's _unsolicited_, _bulk_ email. It's spam.
I get plenty of Mailchimp spam from people who have bought email lists and added me to their newsletter. It’s against their ToS, and I always indicate that I did not sign up for the list when I unsubscribe. Maybe it does something.
* Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them. That's legitimate marketing emails. You might argue they also shouldn't exist, but they are a different category.*
No, they’re all spam. It’s just that some spam is significantly worse than others.
Edit:
this just reminded me of an interaction with a customer when I worked at a dialup ISP over 20 years ago. We would routinely get abuse reports about spam coming from our network that would turn out to be a family computer with a virus. We would disable their account until we got ahold of them, and then help them run antivirus or redirect them to a local shop to fix it.
But this one time my boss is like “Hey you wanna pretend you're the email manager? We have an actual spammer sending ads for a local business through our smtp servers”. We were all laughing at the audacity of it, they were sending thousands of the same message out, I think it was for a tackle shop.
When I called the guy to let him know why we disabled his account he immediately got angry at me, I vividly remember him saying “It’s not spam, it’s for a business!!” I explained to him that it doesn’t matter, it’s just as bad, and could get the whole company blacklisted from sending emails. Turns out his friend owned the business, and convinced him to install something that sent emails through outlook express.
The reason I got that duty is because I had no problem being confrontational back then. I remember telling him that I think he should be fined, and permanently banned from the internet. But that we’ll only let him back on if he uninstalls the thing.
He called back indignantly asking why we were allowing some other spam. I had to explain that it was from another network, and we’re trying to stop it, and that if every ISP were like us then it would barely be a problem.
I wonder if that business spams through google now.
> Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them. That's legitimate marketing emails. You might argue they also shouldn't exist, but they are a different category.
Yes it is. Using a dark pattern to trick me into signing up doesn't make it not spam. It's still spam.
I disagree, I get plenty of spam from Mailchimp. Spammers seem to be able to add email addresses to Mailchimp without verification, and they just keep making new accounts/"campaigns" to re-add my email addresses.
Legitimate companies like to not provide the legally-required opt-in flow and assume consent without ever enabling or disabling a consent checkbox. That is spam too.
It's on Mailchimp to not take business from companies that abuse their system. If they get flagged as spam and their other customers have delivery issues because of that, I see that as a feature, not a bug.
> Spam is random email from someone you have not had contact with before
It's very rare, but I get those types of spam emails from MailChimp.
> I don't think your definition of spam matches the one that I understand it to mean. Spam is random email from someone you have not had contact with before firing messages to every address they can find anywhere on the web, the dark web, etc. Or if you ask not to be added to a mailing list and are added anyway. They often use fraudulent tricks to try to get the email through filters, such as fake from addresses.
I would disagree with that definition, and wikipedia and multiple dictionaries appear to agree with me; it doesn't matter how many dark patterns the company uses or whether they (claim to) let you opt out after the fact, if the message is unwelcome, it's spam.
https://www.merriam-webster.com/dictionary/spam
> spam noun
> unsolicited usually commercial messages (such as emails, text messages, or Internet postings) sent to a large number of recipients or posted in a large number of places
https://dictionary.cambridge.org/dictionary/english/spam
> unwanted email, usually advertisements
> Spam is random email from someone you have not had contact with before firing messages to every address they can find anywhere on the web, the dark web, etc.
> </i>Or if you ask not to be added to a mailing list and are added anyway.*
> Spam is not email from legitimate companies with valid contact details that have an opt out that you forgot to click when you signed up with them.
There's a HUGE grey area between the random unsolicited emails for scams and legitimate business partners where I forgot to check the opt out. I get almost none of the first (spam filters are pretty good at keeping Nigerian princes from getting help to access their money), and also almost none of the last (because I'm hypervigilant about opting out of email and cookies and all that trash), so all the spam I get is from "asked not to be added but added anyways".
Most of those are coming from Mailchimp and similar services. I'm sure that if I could take the senders to court and disentangle their web of parent companies that had my email in the web form for 10 seconds before I opted out and they sold it to each of their 20 daughter companies and partner organizations, and then I received the first "legitimate marketing email" (LOL! LMFAO!) and unsubscribed from that (which will take effect in 20 business days) so now I'm only subscribed to 19 new mailing lists from that company and also the dozen other organizations they're a part of, until they pivot to a new marketing agency which - oopsie! - forgot about my opt-out request.
That's Mailchimp's business model and the way that the entire "legitimate marketing" economy works, but I still consider it spam.
I guess you can only report spam through the gmail web interface which the FSF aren't using (because they're not using gmail, for obvious ideological reasons).
I did some tiny digging because I remembered that there is a way to report individual messages in a structured machine readable way to abuse@ for these things --- i suspect that this is technically supported by gmail (if not given a lot of signal weight)
https://en.wikipedia.org/wiki/Abuse_Reporting_Format
How to bulk do this is interesting too. https://en.wikipedia.org/wiki/Feedback_loop_(email) says that gmail has a bulk format and that sendgrid is seeing some success.
Not defending just trying to see what a technical solution looks like
Edit: https://www.twilio.com/en-us/blog/insights/leveraging-gmail-...
Shows you how to use googles thing if you are a sender to know if @gmail folks are reporting you. It doesnt address what to do if someone's @gmail is doing this to you (a workspace custom domain yes)... @gmail are rate-limited to a few 1000s per day per gmail address but this is still a lot obviously
> Google have robust email abuse monitoring
But only in Gmail then? Where is it possible to report a spam from a Gmail address received on a non-Gmail inbox?
Google is being a real PITA as the receiving side for people who try to self-host their mail or who use small providers. They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
Spam reporting is pretty standardized? If your email client doesn't support it that's not Google's fault.
edit: I might be incorrect on this and was thinking about how unsubscribing is standardized instead.
Standardized how?
Basically, there is no standard beyond the ages-old requirement to have abuse@ and postmaster@ email addresses that react to such reports. Which Google doesn't follow at all, you just get redirected to some useless web form which requires a Google account and the sacrifice of a goat.
It is entirely Google's fault, and they should be shunned for it and their emails dropped. But unfortunately, they are too big for that by far...
Maybe is thing about Gmail about "This message is spam", that is a Gmail feature not anything standard.
Same as Gmail broke IMAP standard, or Gtalk XMPP standard.
Google can do whatever they please, they've become the standard of humanity surveillance.
Marking a mail as spam locally is different from spam reporting
https://support.google.com/mail/contact/abuse
You can use this form
>They should at least be good citizen on the sending side, which it seems they're not. They are killing email.
Eh? They do tons in anti-bot detection. But the value in exploiting and using Google's service is extremely high so bot authors are increasingly getting creative. Google stops running Gmail and simply another service becomes a high value target.
At least Microsoft fixed their Azure abuse after 10 years of not giving a fuck. It used to be stupid fucking easy to setup a trial O365 tenant and spam the fucking internet through "onmicrosoft.com" domains. And they let that go for 10 years.
I wouldn't say that's robust email monitoring at all. It's embarassingly bad. Gmass shouldn't exist and your salespeople should be out of a job.
I think in this case and all the others.
They're not sending emails directly from their gmail address.
But they are adding victim emails to other Google services and then Google themselves send them invitations emails.
And if you name your service like "Google helpdesk - password reset" or something like that.
Invitation email from Google will look very official, but URL in the email will be controlled by the attacker.
It's pretty old working technique used for phishing for years now.
Spam report does nothing, since you're reporting official Google email.
How would it even be possible to name a service "Google helpdesk - password reset" or something like that, without being insta banned? Obvious fraud in the making, not getting recognized?
I hope you realise, it does sound like you are suggesting that salespeople in your company are essentially spammers.
Most of the salespeople in any company are spammers.
No, you don't understand. The people at my company are auto-opt-in premium-communication value-add customer-relationship-establishment specialists. But otherwise, I agree with you: everyone else is a spammer.
Somewhat related to spam coming from Google servers, maybe someone can shed some light on what could be the motivation behind this activity:
In recent months I'm seeing instances where random personal mail accounts on a server I run would receive a barrage of mail in a short amount of time.
Mail seems to be bounced via Google Groups - they are sent from Google's IPs and have headers like X-Google-Group-Id, List-*, etc. all pointing to Google Groups. The actual group ID changes after each individual instance of this. However when I actually check e.g. the List-Archive URL, the group appears to be already been deleted.
The content of mail looks like it originates from various (legit-looking) random public web services, support requests, issue trackers, web contact forms etc. For example, a common reoccurring one is Virginia Department of Motor Vehicles (as in something like "thank you for filing a document #123 with us").
No apparent phishing links, no attached malware, no short advertisements snuck into a text field etc. Just automated replies from "noreply@"-type addresses.
It does not seem to be the case of trying to hide another attack (as discussed here for example: https://news.ycombinator.com/item?id=47609882) - over many instances I've not seen any other malicious activity. And this mail is filtered out easily enough based on Google's headers.
It all looks like there is some bot that a) creates a Google group and subscribes (one or more) random email addresses to a Google group and then b) enters the group's mail address into a bunch of random web forms that then send their automated responses to the group.
What could be the motivation for this? After the fact it's filtered pretty easily based on headers. It's not nearly enough volume to DoS the server. But why would someone go through the trouble of setting this up?
Yes. I got the same issue… and when someone replies, all users in the mailing list receive it… that’s why I would see a ton of replies saying please remove me from your mailing list. Very annoying. The only solution I found was to create an inbox rule to reject those, as I couldn’t unsubscribe
The headers actually contain an unsubscribe email address that actually works.
The format is something like googlegroups-manage+{groupName}+unsubscribe@googlegroups.com
Just send an email there and they stop coming (for that list).
Source: I was getting spam like this, a fellow victim did some tests and confirmed that it stopped the onslaught of messages.
I just block the group address on the MTA, but it doesn't matter. In all instances so far when it came to my attention the group was already deleted. Next time they will use a different group and I don't want to blanket ban all Google Group mail for my users.
It's not even that much of a hassle. What worries me is that I don't understand why someone would go through the trouble of doing this for no apparent benefit. I hope I'm not somehow unknowingly enabling some sort of an attack on any of the entities sending these automated replies.
This is almost certainly subscription bombing / email bombing. The goal is to flood someone's inbox with hundreds of legitimate-looking automated emails so they miss a real one - typically a password reset confirmation, a purchase receipt, or a "new device login" alert. The actual attack is happening on some other service where the victim has an account. The fact that you don't see it on your server doesn't mean much, the target is the victim's primary inbox elsewhere.
Thanks. It might still turn out to be this.
My thinking so far against was 1) after a few months I'm pretty sure I would hear about the real attack 2) Repeating too frequently. People aren't getting hacked all the time (I hope).
But who knows? Now I'm thinking that maybe some other step in the attack is failing and maybe the attackers just trigger the email bomb part pre-emptively in case they actually succeed in resetting the password/purchasing/whatever.
I have been observing this for the last 2-3 years (4 postfix servers sysadmin)
Gmail cannot be whitelisted anymore: spam, phishing,... On the other hand, if your users redirect twitter or linkedin notifications from their domain to a gmail account, Google claims you are sending too fast and is suspicious (and throttles or blocks ip).
Hilarious.
Rhetorical question- but what is it going to take for the IT Community to start treating Gmail and the rest of the "too big to block" as adversarial entities and actually block them for their bad behavior. Pie in the sky I know.
Microsoft refuses to deliver legitimate emails to hotmail.com addresses so I tell clients how it is.
I’m not jumping through hoops when I’m not doing anything wrong. SPF, DMARC, DKIM, IP address not on a blacklist, and I send zero spam. Only human-written client communications 1:1.
So, my clients with hotmail.com addresses don’t get emails from me. I can call them, they can call me.
> IT Community
No such thing. And if you just want to assign anybody who works in IT to it in order to create the concept of such of a thing, a large percentage of this community would work at Google, a company that depends on Google, or a company that has the same attitude as google.
So it's less pie in the sky than nonsense. People don't talk about things changing in the physical world without talking about force, mass and inertia, but when it comes to people, the theory of power just evaporates and we start wishing for things to spontaneously happen because we've declared that they should happen.
With some weird definition of "should" which relies on our personal conception of the world. In the physical world, we say something "should" happen when we expect it to happen based on our theories of how the world works. With people we say things "should" happen when we personally want them hard enough.
There was a time before Google when various mailing lists of grumpy sysadmins in key institutions could decide the fate of a new mail sender, internet-wide. But yes that "internet community" is small fry now, and can only cut off their own noses if they don't like Google's mail policies.
Before Google, AOL were the previous big-beast mail host, and they did provide some tools to help diagnose why you couldn't get through to their users. It still felt like there was more of a balance of power towards the grumpy sysadmins.
I was getting spam called constantly every 5 minutes (blocked by Google call screening) and the attackers made an error if sending a message with their AWS bucket url. I was able to submit an abuse report to Amazon and puff Amazon dismantled the entire spam group. No more spam since then.
Maybe try saying the spam has porn or inappropriate images?
gmail, outlook and salesforce create about 90% of the spam that gets through blacklists. Salesforce is simple to fix: I just block anything from salesforce from our network, as it just seems to be 100% used by spammers. Gmail and outlook are the major problem, as there is no way of addressing their spam issue.
Add Mailchimp in there as well. I have never gotten an email from someone using Mailchimp that was not spam.
Although they does have proper abuse policies and do take action against spammers. I don't get any spam from them (except perhaps the very occasional one), and I know businesses that use mailchimp and similar services for valid marketing (to previous customers). Just looking through my received mailbox, I see many legitimate emails from mailchimp.
I'm not denying that they are sometimes used by spammers, but they are definitely a legitimate operation that takes action against spammers if you report them.
In my experience, everyone got their act together except Google. I also used to receive massive amounts of spam from Azure and Sendgrid but this eventually stopped. Now 80% of the spam I receive is from the Google network, mainly Google Cloud.
Why do you interpret that as everyone except Google getting their act together?
The obvious (and correct) explanation is deliverability. Spammers send from Google services because they can inbox, they don’t send from other services because those services will not inbox successfully.
For me outlook is just as bad as google in terms of the spam that gets through my spam filters, as neither of them care much about abuse reports.
> In my experience, everyone got their act together except Google.
I remember a bunch of spam and fishing emails from weird Outlook addresses. Don't remember any from Google.
You mean you receive unsigned email from a VPS in Google Cloud?
Yeah, Salesforce clearly has some kind of whitelisting at Gmail. I get so much nonsense from that domain.
Unfortunately, the only thing that would work is to hire a bot service that would report the offending account en masse.
Google took over email when they reject legitimate emails sent by small email vendors and at the same time sending this much spam.
Anyone interested in creating a CommunityEmailAlliance. Like dkim but with blocks on corporate email systems that allow spamming?
I'm getting a lot, and I mean A LOT, spam recently from various "<IP in reverse notation>.bc.googleusercontent.com" domains. Not sure what can be done about that. But the uptick is very noticeable.
I’m old enough to remember when the FSF said that blocking spam was censorship. Good to see them wake up.
It seems weird that Google wouldn't have some kind of observability alert on outgoing email. 10k emails per week is a lot.
What if someone (Google) used Google suite to send 10k emails to fire people. Wouldn’t that be considered normal for the server for a day let alone a week. Yes I know I could have come up with a better example.
Those would be internal so I'm not sure they'd even count against your quota.
The example was given to say you could be a gsuite customer and have 10k emails a week be very normal. Something that wouldn’t trigger any alarms unless set. The alarms would probably be set on a curve. Something unusual would be far off the curve.
ye olde corporate reply to all bomb .. no more emails this week everyone, we have used up our quota
I'm not sure it actually is. Free Gmail is limited to 500 emails a day, but Workspace accounts are allowed up to 2000, so this this spammer has to be using a Workspace account.
I've worked at a start up where the marketing team just had a `marketing@startup.com` email that was just like any other email in Google Workspace and used that for all marketing communications. Eventually they bumped up against that limit and a couple of engineers had to help them troubleshoot and there were enough blog and stack overflow posts at the time about hitting the limit to make make me think what they were doing wasn't uncommon.
When you consider the scale of Gmail and that this is almost certainly a Workspace account so they're mixed in with business customers, I'm not sure how much of an anomaly 10k emails a week actually is.
It may not be a single email, they might be using many throwaway accounts.
10k outgoing emails per week it NOT a lot.
Just imagine a weekly newsletter with 100k subscribers.
You can’t send bulk newsletters from gmail/outlook.
Well, you can't directly, but you can use SMTP, which you can plug into any garden-variety spamming tool as long as it supports that.
Yeah, you are using the wrong tool if you send your newsletter from a gmail account at that scale. You can get away with a few tens of people, perhaps a few hundreds.
Above that threshold you should use tools like moosend, benchmarkemail, or similar. And they ask a pretty penny when you reach that scale.
someone hooked up their web app to Google Workspace email and the web app got pwned.
Google Workspace email is very generous with the kind of outgoing email you can send via their SMTP servers.
I wonder if this has to do with the massive number of google calendar invites I’ve been getting as payment/billing notifications lately.
I’ve not been reporting them because I already know they aren’t valid and do not google’s work for them
I thought they fixed that spam method a while ago
I haven't seen that ooe lately. I currently get lots of Nortoon Lifelock invoices with hundreds of addresses in the to field.
I always report them with suggestions they teach their AI that invoices sent to large number of addresses are phishing.
we received several this week, so apparently not
Anyone getting hit with (Google) AppSheet-originating recruitment emails? Very well done. Imitating the biggest US brands.
Have reported AppSheet to FCC after seeing Google wasn't doing enough--same scam email format, same inbox-landing pathway, but still irked.
Also try forwarding the emails to the phishing emails of the misrepresented brands, when they have an address for it. Figure they're the ones who have any power.
It honestly is a bit dissapointing that most of the internet's "infrastructure" is tied up in large corporations that just get money for free by being the only provider and face little to no backlash (because of their monopoly) when they neglect things like basic customer service.
> get money for free
How do they get money for free? What is stopping everyone else from doing the same?
Advertising and eyeballs, I'd assume
A monopoly. It's hard for "everyone else" to develop a monopoly today, to suggest otherwise is a ridiculous assertion.
They aren't a monopoly, and especially not a monopoly on emails.
How did we get to the point where there can be 12 services, but the one with lots of customers is a "Monopoly". Its a complete destruction of the word. They aren't killing their competitors, nor making it illegal to compete. Yeah its harder in the current era to run your own mail server, for a variety of reasons involving spam. But can we just cut the shit on calling literally every company with more than 100 employees a Monopoly?
Postel's law means you can just mentally replace "monopoly" with "anticompetitive restraint of trade" and go on to address the substantive point.
But theres not even that going on.
Most of the problems people have spinning up their own email servers, like getting blacklisted by the big boys, are less bad societally than actually accepting and routing the quantity of spam they are blacklisting. Does it benefit them? Kind of. But its not anticompetitive in any real sense. These restrictions are obvious and basic. If you really wanted to, you could spend a significant, but in the grand scheme of things small, amount of money to break into the same game.
I mean theres a non zero chance that if Google, Microsoft and Amazon stopped being so damn picky, the government would turn around and regulate that they do exactly what they are doing now, to resist the plague of spam that would result.
Its like getting mad at Visa and Mastercard for insisting on the PCI DSS for people they transact with. If it wasn't mandated by Visa and Mastercard, it would become government regulation (and is already referenced by regulators in some jurisdictions)
"Ooooh no Visa is being anticompetitive making me secure my environment and prove that security to a trusted third party what a terrible monopoly they have".
You are missing the point.
The point is that they don't provide the level of services required by their position, which is dominant.
When you have a legitimate problem with Google, they don't reply to you. The news here is again an example of that. The only thing you can do is abide by their rules, which often requires you to subscribe to their services or be at their mercy.
Gmail is not a monopoly. When it comes to actual paying customers, it is not even the market leader
> ridiculous assertion.
What is ridiculous is the idea that running an email service a massive scale like Gmail is somehow free.
It's a figure of speech. I am not saying it is literally free. I'm being facitious. What I mean is they get money overwhelmingly because of their position in advertising and through android that essentially allows them to never worry about losing users. Who is going to going to attempt to delete their google account over poor customer service? You literally cannot access half of the internet today without a Google account.
> You literally cannot access half of the internet today without a Google account.
This must be the half I have never heard of then. What non-google websites specifically require a google account?
Try running your own SMTP server for a while. Gmail holds what appears to be monopoly power and uses it quite readily. Even ISPs with "free" customer email addresses aren't nearly as onerous as google is.
> Gmail is not a monopoly.
https://pdx.social/@evergreensewing/116388477430172491
> For the first time since we started the company back in January/February, we have a customer who does NOT use Gmail for their email address.
> In case you wanted to see what a monopoly looks like.
Most people use Gmail because they want to, not because they have to. It's a free, superior product. Pretending voluntary preference is a monopoly is nonsense, but it is a very Mastodon-brained take.
This is anecdotal but here's the breakdown of top 10 e-mail providers from my database, does not look like a monopoly:
There is a common misapprehension that the term "monopoly" can only be used when there a single supplier.
Quoting https://en.wikipedia.org/wiki/Monopoly : "In law, a monopoly is a business entity that has significant market power, that is, the power to charge overly high prices, which is associated with unfair price raises."
Or from Milton Freedman, "Monopoly exists when a specific individual or enterprise has sufficient control over a particular product or service to determine significantly the terms on which other individuals shall have access to it". https://archive.org/details/capitalismfreedo0000frie/page/12...
In the post-Borkian interpretation of monopoly, adored by the rich and powerful because it enables market concentration which would otherwise be forbidden, consumer price is the main measure of control, hence free services can never be a monopoly.
Scholars have long pointed out Bork's view results from a flawed analysis of the intent of the Sherman Antitrust act. For example, Sherman wrote "If we would not submit to an emperor, we should not submit to an autocrat of trade, with power to prevent competition and to fix the price of any commodity.” (Emphasis mine. Widely quoted, original transcript at p2457 of https://www.congress.gov/bound-congressional-record/1890/03/... ). Freedman makes a similar point (see above) that a negative effect of a monopoly is to reduce access to alternatives.
One well-known rejection of the Borkian view is in Lina Khan "Amazon's Antitrust Paradox" paper. https://yalelawjournal.org/pdf/e.710.Khan.805_zuvfyyeh.pdf
In it she quotes Robert Pitofsky in "The Political Content of Antitrust":
"A third and overriding political concern is that if the free-market sector of the economy is allowed to develop under antitrust rules that are blind to all but economic concerns, the likely result will be an economy so dominated by a few corporate giants that it will be impossible for the state not to play a more intrusive role in economic affairs"
(I can't find a copy of that source online, but you can see the quote at https://archive.org/details/traderegulationc0005pito/mode/2u... where Pitofsky rejects viewing antitrust law through an exclusively economic lens.)
Even if you support the Borkian interpretation, you should still worry about the temptation for the US government to "play a more intrusive role" with GMail accounts. I strongly doubt Google will follow Lavabit's lead and shut down email should the feds come by with a gag order to turn over the company's private keys.
In the name of national security, of course.
>How do they get money for free?
market power
>What is stopping everyone else from doing the same?
see above
Nice circular reasoning you got there. How do they have market power? Did they get it for free?
No, they got it by Gmail being a loss leader paid by Google AdSense in the search engine. Now they have AdSense in Gmail directly, so I guess it pays for itself.
So, Google built a superior product that is profitable and we are supposed to be mad about this?
No, we should be mad at Google or any other BigTech taking over a big enough chunk of a federated system to basically dictate what can be sent/received and what not. With no human in the loop if you don't agree with their decisions.
AT&T was once broken up and then after that you could connect a modem to a phone line. The whole public use of the Internet is a consequence of breaking up a “superior product” that became a bloated market incumbent resting on its laurels.
Gmail is free. How much customer support resources should someone reasonably expect a company to dedicate towards their free-of-charge services?
I don't know if it's that simple. As a litmus test, try to set up your own mail server. See how many milliseconds it takes for it to be blacklisted by gmail. And then observe the response time for their support, when you try to clear up the confusion that google has about your intentions.
I run my own mail server, not blacklisted. Now I'm a bit of a special case, I know mail well.
But when a moderately technical colleague wanted to do the same, I told her to use Mox, she set it up and Gmail doesn't block her either.
So... would you please elaborate?
I find there are three peopls who comment about hosting email. A small group like us who set it up correctly and never have problems. A larger group who set it up but get the dns wrong and warn people not to. And a third bigger group who never tried but listen to the second group and always comment that you'll have 1% deliverability
It is different than it once was.
It was dead-nuts simple in the 1990s: Just learn enough about DNS to put in an MX record that points to an A record, get sendmail working, and have it begin delivering mail. The end. (Open relay? No spam filter? No virus scanning? No nothin'? Yeah, that kind of was the style at the time...)
It's got a lot more steps today, but it's still do-able. Operationally, keeping a mail server online and treated well just takes one or two people to spend a little bit of time occasionally to stay proactively ahead of new expectations and requirements instead of reacting to them after things change.
It also helps if Carla, from marketing, doesn't wake up one day and decide to spam the entire customer list without asking for guidance first. Maybe I should have put some automatic mitigation into place for that, but whatever: We chatted about that and it never happened again.
(Or at least, I find that to be true with smaller companies. Bigger ones obviously may require more elaborate systems to handle more volume and/or provide better uptime. But the requirements of keeping the reputation up are about the same regardless of scale, and that still only takes one or two people to pay attention to things sometimes. [And the only reason two might be required is in case one of them gets hit by a bus.])
I've built mail servers before Gmail existed that lasted long enough to get blacklisted by Gmail.
Fixing it was always pretty simple -- or at least, non-mysterious. They'd bounce some things, I'd look at the headers of the bounced messages, and therein were links to instructions there that showed how to resolve whatever issue it was this year.
Just follow the steps, implement the new thing, and stuff started flowing again in rather short order. Not so bad.
IIRC, the only time it ever cost us any money was when the RBLs started keeping track of dynamic IP pools and we needed to finally shift over to something actually-static.
It’s free, but it’s not like they’re running Gmail as a charity, either. It has revenue and contributes to their other businesses.
> How much customer support resources should someone reasonably expect
Zero. OTOH, since I'm sure they are training on emails and archiving/profiling everything forever even if we delete messages.. those constant threats to become a paying customer before hitting some arbitrary small quota are still villainous
Google’s support for paying customers isn’t much better unless you’re spending well into the millions per year.
AWS, on the other hand has proven willing to move mountains for me as a $15/mo customer.
If it didn't provide value it wouldn't exist.
Maybe it's only legacy, but gmail brings customers to Google and their related services. Escalation then brings them on as paying Customers. As loss leader may make a loss if looked at in a bubble, but if looked at as part of the "Customer Lifecycle" then other areas of profit would likely be much smaller without the free gateway.
It takes me active resistance to avoid Google's paid services, and I'm staunchly independent in relatively rare air. The minor capitulation required to turn into a paying Customer would capture a good percentage of their erstwhile-free gmail users (I would think. Yes, conjecture, interested in explanations of alternative theories).
We might not be paying money, but we don't know what happens to our private data. Maybe it's not used at all, maybe used just internally, maybe could be even sold. Data of millions of users is very very valuable, even just thinking about how much targeted adverts could be placed with it.
It isn't sold directly. There are robust internal controls so random employees can't just snoop on eg ex girlfriends' email or be fired.
Source: Used to work there.
Gmail shows ads to make money so it is not loss making. Google Workspace charges money per user (and still offers abysmal support).
Increasingly of the opinion that "free service with no support that's structurally essential for an economy" is some kind of trap. Possibly just the most comfortable kind of trap, a local optimum from which it's difficult to escape.
This is starting to become important as countries (very unwisely!) start tying things like national ID and banking to smartphones.
Gmail is profitable. How much harm should profitable services be allowed to perpetuate in the world to enable their profit?
Enough that they're not facilitating abuse.
Lately I've been using SpamCop.net to make spam reports. It seems to work, and it's free. You are encouraged to donate, and they don't ask for much.
It's not perfect though. For some reason, it doesn't find (or deliberately ignores) OVH hosts that are relaying spam.
I've been using SpamCop for years (decades?) but lately I've been wondering if they're still relevant.
One example: they seem to have a size limit of 50KB when you report a spam mail via their web form. I've received quite some spam that exceeds that because they use base64 encoding of the body, add non-visible filler content to drown out the actual spam/phishing message, etc.
SpamCop suggests to cut off the message and still process it but then they miss e.g. the link to the phishing website and thus they can't send out a report for that.
Speaking of phishing links: a lot of the phishing mails I receive, link to some account on storage.googleapis.com. I've seen mails with links to the same account for weeks on end before they switch to a different one, implying that these links remain online for a long time. You would think that marking such mails as phishing in GMail (they are already flagged as spam) would get them on some kind of radar but apparently not...
I'm reporting every spamm mail that I get through Gmail from Gmail accounts but it doesn't seem to help!
(I haven't run my own mail-server in a while. It's getting harder and harder.)
Are the real-time-blackhole lists still a thing?
If they're regularly allowing spam and not responding to reports in any sort of timely manner, possibly they should be reported to those.
Not going to work though, is it. Too big to fail shouldn't be a thing. It's not like you can't be flexible about it or give them some room to deal with it within corporate policy; but they do need to deal with it, right?
Realistically, I think some companies have outgrown the size where internet can still self-regulate them. You'd hurt yourself more than gmail.
This either needs laws or new game theory.
Or -you know- deprecate the current email system. I know that's a perennial proposal; but that's because every year it gets even more broken in even more interesting ways. It's patch-on-patch-on-patch at the moment. Just spinning up sendmail on a random box won't quite cut it anymore, if you want to participate.
Crazy that you can even send that sort of volume from a gmail acc
I wonder if they do not take this kind of thank that seriously so to encourage the paid tier for storage. I am teetering nearer my end to the free, mostly from all the emails over the years.
Google removed humans, so ... anyone able to contact real people at Google?
Spammer must be a whale spending untold amounts on other Google services.
Had Google trying to send me mails to non-existing mail-addresses over months. You would think their logs might catch something like that or they would react to my complaints ... they don't and they just dont care.
It sometimes stops for weeks, then it continiues.
from my logs as an example: Nov 13 22:10:51 bert postfix/smtpd[2693931]: NOQUEUE: reject: RCPT from mail-oi1-x248.google.com[2607:f8b0:4864:20::248]: 450 4.1.8 <ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com> to=<rmayer13@nerd-residenz.de> proto=ESMTP helo=<mail-oi1-x248.google.com> Nov 13 22:12:07 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-ua1-x948.google.com[2607:f8b0:4864:20::948]: 450 4.1.8 <ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBD77RLFFQACRBZOX3DEAMGQEU5V3LXY@zf.thesparklebar.com> to=<rmayer1000@nerd-residenz.de> proto=ESMTP helo=<mail-ua1-x948.google.com> Nov 13 22:12:18 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x346.google.com[2a00:1450:4864:20::346]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayer13@nerd-residenz.de> proto=ESMTP helo=<mail-wm1-x346.google.com> Nov 13 22:12:37 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lf1-x146.google.com[2a00:1450:4864:20::146]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayer333@nerd-residenz.de> proto=ESMTP helo=<mail-lf1-x146.google.com> Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 <hc+bncBDO2ZDH5DIIOXB6ZZADBUBB2QEZ74@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<hc+bncBDO2ZDH5DIIOXB6ZZADBUBB2QEZ74@zf.thesparklebar.com> to=<rmayer@nerd-residenz.de> proto=ESMTP helo=<mail-lj1-x248.google.com> Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x345.google.com[2a00:1450:4864:20::345]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayerrmayer@nerd-residenz.de> proto=ESMTP helo=<mail-wm1-x345.google.com> Nov 13 22:14:03 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 <ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com>: Sender address rejected: Domain not found; from=<ki+bncBDO2ZDH5DIIOXB6ZZADBUBFIYC6HQ@zf.thesparklebar.com> to=<rmayera@nerd-residenz.de> proto=ESMTP helo=<mail-lj1-x248.google.com>
As you can see, the to-address is generated and its different hosts at google trying to send mails.
Searching for zf.thesparklebar.com shows others having the same problem.
Not an expert, but AFAIK 450 is a non-permanent error that basically says "try again later".
Ah yes, the tried and true method of getting into contact with someone at google: sending a blast to social media for an actual human, because Google literally makes it impossible to talk to anyone at all. Worst customer support in all of tech.
Good luck. These big tech companies have no incentive to care about support or really anything that isn’t tied directly to making money. And unless you have a friend there, Google staff have no incentive either. Solving this won’t help with their promotions.
Cynicism helps no one.
I think there are lots of people that will see this story that either work at google or know someone who does, and I bet it will lead to their issue getting fixed. The squeaky wheel gets the grease.
It would help if they provided literally any way for a squeaky wheel to squeak at them aside from squeaking at the employees with a modicum of dignity (if they still exist)
Based on how much zendesk spam there is i doubt it.
> Google staff have no incentive either. Solving this won’t help with their promotions.
I don't think people appreciate that this is really the key observation here. In large institutions, for anything significant to happen, there have to be incentives and alternatives, and these are set by management. Management in turn usually cares about their incentives, and the company overall mostly cares about the bottom line and the financial reports.
As a result, this is unlikely to get addressed, unless there is significant pressure, like media coverage, people mass-resigning from Gmail, or major email servers blocking Google. But none of these are likely to happen.
Well yes, you get what you pay for and if you are on the free plan don't expect much.
I dont think this is limited to big tech.
Maybe they should try getting a paid Google Workspace subscription /s
This is a plausible explanation based on the amount of fraud tolerated in other parts of their business. But it's probably going to cost you more than one Workspace subscription.
Having a workspace subscription still doesn't get you a human to talk to.
It most certainly does in the UK.
Contact a human person at Google, one who can actually do something about a ticket? I also have a good selection of bridges for sale!
Send DMCA takedown, that's only thing big companies seem to react. Without checking validity of it of course
only big companies are allowed to abuse the dmca process, unfortunately.