GSpam? - Part 2
I seem to be getting a fair number of hits on this page (about Spamcop listing a Gmail IP - note 1) at the moment - possibly something to do with this.

It seems that at least Spamcop and possibly other DNSBLs fed by spamtraps are continuing to list IPs used to deliver Gmail.

To be sure I wasn't missing anything, I went back to my spam archive, which has been collecting spam non-stop since 16 October 2002 (nothing very significant about that date) and which as of right now contains 15,766 spam samples and is accumulating new ones at the rate of c. 800-900 per month (note 2). I searched it for Gspam and found, in addition to the one I wrote about in February, one further sample.

Actually I found over 50 samples on the first search, but all but two of them were simply either forging gmail.com in HELO or bore forged Gmail Received headers below the real Received header (the one added by my own server). Headers beneath that line are written by the sender and prove nothing. So, out of my nearly 16,000 spam samples I have two which are verifiably from Gmail.

OK, that's two too many but contrast this performance with that of Hotmail and Yahoo!. Both of these deliver spam to my traps with depressing regularity (almost always 419).

My second Gspam sample which I missed at the time - it was sidelined by a rule which checks X-Mailer (yes, The Bat! again) - is dated 6 June 2005 and came via wproxy.gmail.com. It was submitted not via the Gmail web interface but via Gmail's MSA using an SMTP client (note 3) and the originating IP is a dynamic one belonging to cox.net. Subject matter (as if you care - note 4) is rape.

Two sightings from one source is not enough here to gain anyone's attention. I just don't see Gmail as a spam problem in the same way that many other free mail services clearly are and in any case, we have Gmail whitelisted here so any Gmail DNSBL listings in Spamcop or SORBS will have no effect. But the interest coming this way from Spamcop's discussion forums suggests that Spamcop (and, I dare say, others) continue to list Gmail hosts as spam sources and I am curious.

Why are others seeing what I do not see? My spam trapping net is quite wide enough to pick up all sorts of unpleasantness. Indeed, spamtrap addresses here outnumber real user addresses by a factor of at least five and these are spread across a range of different domains (call me obsessive but I do believe it important to know one's enemy).

If you have Gspam samples, I would be very interested to see them. You can place MIME source in a .txt file, zip and email it to me (contact email is on every page at chris-linfoot.net). I am collecting these for statistical purposes only and will not publish any samples or reveal any details of people who supply them.

Thanks.


  1. And, last night, a comment on that original story with more Gmail IPs to whitelist - 72.14.204.0/27 in addition to 64.233.160.0/19 which is already whitelisted here.

  2. If that seems low, bear in mind that we typically reject 60,000-100,000 messages per month using DNSBL and local deny lists - this number reflects the small number of spams that make it past the initial block. Given that we whitelist Gmail, this should serve to boost the proportion of Gspam sightings here.

  3. Probably not The Bat!, but some piece of malware masquerading as such.

  4. Spam is about consent, not content.

(I note that at least some Gmail hosts are also listed in the BondedSender whitelist.)





See also:
Spam from Gmail
SpamCop lists Gmail
Gmail, spam and blacklisting (this article explains the Gmail/Spamcop problem fully)




Category: GMail

Comments :

1. Mark Scrimshire, 13/05/2006 13:23:55
Homepage: http://ekive.blogspt.com


As a user of gmail I find Google's GMail to have a reasonable spam filter. However, as a user of other email services I am seeing a strange trend. I have a business account that is fronted by Postini and I don't remember seeing spam from a gmail account caught in their spam trap.

However, on a private account using a mac os x server I am seeing an increasing number of emails marked as spam that ostensibly have a source at gmail.

A sample reported by Spam Assassin
SPAM FROM [222.13.228.186] <jamison.millarw1e8@gmail.com>

Unsolicited bulk email from:
jamison.millarw1e8@gmail.com
Subject: [fwd] We found company ready to EXPLODE!!

First upstream SMTP client IP address: [222.13.228.186] zq228186.ppp.dion.ne.jp

According to the 'Received:' trace, the message originated at:
[66.249.83.27]
unknown (HELO alt1.gmail-smtp-in.l.google.com) (66.249.83.27)

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <jamison.millarw1e8@gmail.com>
Received: from TOSHIBA-21B04B0 (zq228186.ppp.dion.ne.jp [222.13.228.186])
by mail.tunzo.com (Postfix) with ESMTP id 09D1B17D586F;
Fri, 12 May 2006 08:41:42 -0400 (EDT)
Received: from unknown (HELO alt1.gmail-smtp-in.l.google.com) (66.249.83.27)
by TOSHIBA-21B04B0 with SMTP; Fri, 12 May 2006 21:46:14 -0900
From: "Chester Perdue" <jamison.millarw1e8@gmail.com>
To: <help@mydomain.com>
Subject: [fwd] We found company ready to EXPLODE!!
Date: Fri, 12 May 2006 21:46:14 -0900
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: eqnbehapAzMfwMZfKvmeulyv3OpGQsqqIpi9
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: 8bit
Message-Id: <20060512124142.09D1B17D586F@mail.mydomain.com>
-------------------------- END HEADERS ------------------------------




2. Chris Linfoot, 13/05/2006 13:41:02


That Gmail received line is a forgery and the top received header (the only real one) reveals the true source as a dynamic IP allocated to domestic broadband in Japan - probably a trojaned home system being used as a spam zombie.

This ain't Gmail spam at all.

See also: http://chris-linfoot.net/d6plinks/CWLT-6LRJNC
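The test applied in the post (a sample is Gspam only if the connecting IP recorded by your own server is in Google's ranges) and in the reply above (everything below that line is hearsay) can be automated. The script below is an added example, not code from this blog or from any project; it is Python, uses only the standard library, and walks the Received chain top-down, trusts only the lines stamped by a server you operate, takes the bracketed client IP from the last such line, and checks it against the two Gmail ranges named in note 1. The trusted host name `mail.tunzo.com` is an assumption taken from the posted sample; the first message embeds the headers posted in comment 1 (re-folded so a parser can read them), the second is a constructed example of a genuine Gmail delivery, and the Gmail ranges are only those the page lists, not Google's complete address space.

```python
"""Classify a spam sample as verifiably-from-Gmail or not.

Rule: only Received lines stamped ("by ...") by one of OUR mail servers are
evidence. The bracketed IP in the 'from' clause of the last such line is the
client that actually connected to us. Received lines below that boundary were
supplied by the sender and can claim anything, including gmail.com.
"""
import ipaddress
import re
from email import message_from_string

# Gmail outbound ranges named on this page (note 1). Google's real footprint is
# larger and changes; see the usage note.
GMAIL_RANGES = [ipaddress.ip_network(c) for c in ("64.233.160.0/19", "72.14.204.0/27")]

# Hosts we operate. Assumption for this example: the receiving MTA in the posted sample.
TRUSTED_MTAS = {"mail.tunzo.com"}

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
GMAIL_CLAIM = re.compile(r"gmail\.com|google\.com", re.I)

# Headers posted in comment 1, re-folded (continuation lines indented).
FORGED_SAMPLE = """\
Return-Path: <jamison.millarw1e8@gmail.com>
Received: from TOSHIBA-21B04B0 (zq228186.ppp.dion.ne.jp [222.13.228.186])
    by mail.tunzo.com (Postfix) with ESMTP id 09D1B17D586F;
    Fri, 12 May 2006 08:41:42 -0400 (EDT)
Received: from unknown (HELO alt1.gmail-smtp-in.l.google.com) (66.249.83.27)
    by TOSHIBA-21B04B0 with SMTP; Fri, 12 May 2006 21:46:14 -0900
From: "Chester Perdue" <jamison.millarw1e8@gmail.com>
To: <help@mydomain.com>
Subject: [fwd] We found company ready to EXPLODE!!

(body omitted)
"""

# Constructed sample of a genuine Gmail delivery: the connecting client is a
# Google host inside 64.233.160.0/19. Not a real message.
GENUINE_SAMPLE = """\
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.193])
    by mail.tunzo.com (Postfix) with ESMTP id 0123456789AB
    for <help@mydomain.com>; Mon, 6 Jun 2005 09:00:00 -0400 (EDT)
Received: by wproxy.gmail.com with SMTP id x1so123456wra
    for <help@mydomain.com>; Mon, 6 Jun 2005 06:00:00 -0700 (PDT)
From: <someone@gmail.com>
Subject: example

(body omitted)
"""


def received_chain(raw_message):
    """Received headers in order of appearance (most recent hop first), unfolded."""
    msg = message_from_string(raw_message)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def trusted_hops(chain):
    """Leading run of Received lines stamped by one of our own MTAs."""
    hops = []
    for line in chain:
        m = BY_HOST.search(line)
        if not m or m.group(1).lower() not in TRUSTED_MTAS:
            break  # first line we did not write: everything from here down is hearsay
        hops.append(line)
    return hops


def connecting_ip(chain):
    """Bracketed IP in the 'from' clause of the last trusted hop (the one facing the outside)."""
    hops = trusted_hops(chain)
    if not hops:
        return None
    from_part = re.split(r"\bby\b", hops[-1], maxsplit=1, flags=re.I)[0]
    m = BRACKET_IP.search(from_part)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_gmail_ip(ip):
    """True if the address falls in one of the Gmail ranges listed on the page."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GMAIL_RANGES)


def classify(raw_message):
    chain = received_chain(raw_message)
    ip = connecting_ip(chain)
    untrusted = chain[len(trusted_hops(chain)):]
    gmail_claims = [line for line in untrusted if GMAIL_CLAIM.search(line)]
    if ip is None:
        verdict = "unknown"  # no Received line we can vouch for
    elif is_gmail_ip(ip):
        verdict = "gmail"    # connecting client really is a Google host
        gmail_claims = []    # lower Gmail lines are then plausible, not forged
    else:
        verdict = "not-gmail"
    return {
        "verdict": verdict,
        "connecting_ip": str(ip) if ip else None,
        "forged_gmail_claims": gmail_claims,
    }


if __name__ == "__main__":
    for name, sample in (("posted sample", FORGED_SAMPLE), ("constructed sample", GENUINE_SAMPLE)):
        print(name, classify(sample))
```

The posted sample classifies as `not-gmail` with connecting IP 222.13.228.186 and one forged Gmail claim (the `alt1.gmail-smtp-in.l.google.com` line), which is exactly the reading given in the reply. In production, replace the hard-coded `GMAIL_RANGES` with the networks resolved from Google's published SPF records (`_spf.google.com` and its includes), since the two blocks named here are only what the author had whitelisted in 2006.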




3. RustedOut, 28/12/2006 01:47:04


NOPE. More than a zombie.
Dion.NE.JP is an enormous spammer.
Reports to them are ignored. Last checked dion.ne.jp was about #24 in the world.
Perhaps as ominous, their parent organization KDDI.COM is part investor in Japan CERT- so do not expect any help/response from info@jpcert.or.jp



