From: Mike Morris (mike@opennix.com)
Date: Thu Mar 20 2008 - 13:16:55 CDT
On 03/19/2008 09:09 AM, Mike Morris wrote:
> Hi Everyone,
>
> I realize this is off topic for this list, but I'm hoping someone has
> some insight into the issue we're seeing on our MX servers.
>
> Remote email servers matching the pattern
> [a-z]{2}-out-[0-9]{4}\.google\.com are attempting to deliver to a high
> number of non-existent email addresses in our system. More correctly,
> the percentage of attempted deliveries to non-existent email addresses
> is quite high. Roughly 75% of the email traffic from these Google.com
> servers consists of a null envelope sender address with a non-existent
> envelope recipient. In my experience this generally means backscatter
> or possibly SAV probes. Our MX servers properly reject messages to
> non-existent users, so that is not the problem. Still, the traffic is
> high enough to take notice.
>
> This appears to have begun in December of 2007. The amount of attempts
> to non-existent addresses and the number of source email servers
> increased significantly sometime in February, by a few orders of magnitude.
>
> Does anyone know what Google may be doing here? Could this have
> anything to do with Google's acquisition of Postini? We're still
> getting traffic from servers with the old Postini host names, like
> *.obsmtp.com, so it doesn't look like those services have been converted
> to use host names in the google.com domain. Attempts to contact Google
> have thus far gone unanswered. Any insight would be appreciated.
>
> Thanks,
>
> Mike
After being ignored by Google yet again, and only being sent the "Trust
us, we aren't doing anything wrong" auto response, I decided to see if I
could get my hands on some of the messages to non-existent users to see
what was going on.
I set up catchalls for some of the domains that were getting hit the
hardest and aliased them to an actual email address, and then waited for
the flood to pour in. Some of what I saw were normal DSNs that appeared
to be generated because people were forwarding their Google-hosted email
address(es) to some third-party servers which then rejected the
messages. Nothing too exciting. After leaving everything alone for a
while, a large number of emails came in at once from the Google servers.
This large group of messages contained what I believe to be the major
culprit. They were bounce messages being sent to spoofed email
addresses for domains we host because the spammer was sending emails to
random@googlegroups.com email addresses. The Google MX servers accept
email for any address in the googlegroups.com domain, whether it exists
or not. If that user/group does not exist then the Google servers send
a bounce message back to the spoofed sender. Anyone can try it; send an
email to a completely bogus address@googlegroups.com. You will get a
bounce back that looks like this:
Hello user@example.com,
We're writing to let you know that the group that you tried to
contact (7794........387274750277$slkdjflkasjdflahsdfas884--___)
doesn't exist. There are a few possible reasons why this
happened:
* You might have spelled or formatted the group name
incorrectly.
* The owner of the group removed this group, so there's nobody
there to contact.
If you have questions about this or any other group, please
visit the Google Groups Help Center at
http://groups.google.com/support.
Thanks, and we hope you'll continue to enjoy Google Groups.
The Google Groups Team
This is backscatter. Personally I consider this to be a big deal, and
it can be quite problematic. Emails to postmaster@google.com,
abuse@google.com, postmaster@gmail.com, and abuse@gmail.com go
unanswered, at least when sent by mere mortals such as myself. I'll
continue to try to contact them by other means as I find them.
Anyone have any ideas? Are my observations here flawed in some way,
such that I've drawn incorrect conclusions?
Thanks,
Mike
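Added example, not part of Mike's post and not anything Google runs: a small triage script for the signal he describes, the share of RCPT attempts from hosts matching [a-z]{2}-out-[0-9]{4}\.google\.com that carry a null envelope sender to a non-existent local user. It reads Postfix-style log lines: a recipient refused at RCPT TO is logged on one `NOQUEUE: reject:` line with both envelope addresses, while accepted mail is spread across `smtpd` (client), `qmgr` (sender) and `local`/`virtual` (delivered recipient) lines that have to be joined on the queue ID. The log lines, hostnames, queue IDs and addresses are constructed for the example; the IPs are from the RFC 5737 documentation ranges.

```python
"""Null-sender-to-unknown-user ratio per sending host, from Postfix logs.
Added example over constructed log lines; not code from the original post."""
import re
from collections import defaultdict

# Hostname pattern quoted in the post.
GOOGLE_OUT = re.compile(r"^[a-z]{2}-out-[0-9]{4}\.google\.com$")

# Postfix smtpd reject line: refused at RCPT TO, so envelope sender and
# recipient are both present on the same line.
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[[^\]]+\]: 5\d\d .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)
# Accepted mail: three lines joined on the queue ID.
CLIENT = re.compile(r"smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[")
SENDER = re.compile(r"qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
DELIVERED = re.compile(
    r"(?:local|virtual|pipe)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*status=sent"
)

# Constructed sample: 6 null-sender rejects from Google hosts, 1 accepted
# message and 1 non-null-sender reject from Google hosts, 1 reject from a
# non-Google host.
SAMPLE_LOG = """
Mar 20 13:01:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from wa-out-1162.google.com[192.0.2.10]: 550 5.1.1 <qzkt7@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<qzkt7@example.org> proto=ESMTP helo=<wa-out-1162.google.com>
Mar 20 13:02:10 mx1 postfix/smtpd[2102]: 4F3A1B2C9: client=py-out-1112.google.com[192.0.2.12]
Mar 20 13:02:10 mx1 postfix/qmgr[1900]: 4F3A1B2C9: from=<alice@gmail.com>, size=2048, nrcpt=1 (queue active)
Mar 20 13:02:11 mx1 postfix/local[2150]: 4F3A1B2C9: to=<bob@example.org>, relay=local, delay=0.5, delays=0.3/0.01/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 20 13:03:44 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from wa-out-1162.google.com[192.0.2.10]: 550 5.1.1 <m8sd2@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<m8sd2@example.org> proto=ESMTP helo=<wa-out-1162.google.com>
Mar 20 13:04:05 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from hu-out-0506.google.com[192.0.2.20]: 550 5.1.1 <jx91q@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<jx91q@example.org> proto=ESMTP helo=<hu-out-0506.google.com>
Mar 20 13:04:30 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl.example; from=<spam@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Mar 20 13:05:12 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from rv-out-0708.google.com[192.0.2.30]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown in local recipient table; from=<carol@gmail.com> to=<typo@example.org> proto=ESMTP helo=<rv-out-0708.google.com>
Mar 20 13:06:01 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from hu-out-0506.google.com[192.0.2.20]: 550 5.1.1 <x0p3l@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<x0p3l@example.org> proto=ESMTP helo=<hu-out-0506.google.com>
Mar 20 13:06:40 mx1 postfix/smtpd[2105]: NOQUEUE: reject: RCPT from py-out-1112.google.com[192.0.2.12]: 550 5.1.1 <ywq55@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<ywq55@example.org> proto=ESMTP helo=<py-out-1112.google.com>
Mar 20 13:07:15 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from rv-out-0708.google.com[192.0.2.30]: 550 5.1.1 <k2n7d@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<k2n7d@example.org> proto=ESMTP helo=<rv-out-0708.google.com>
""".strip().splitlines()


def parse_transactions(lines):
    """Return one (host, sender, rcpt, accepted) tuple per RCPT attempt."""
    client, sender, events = {}, {}, []
    for line in lines:
        if m := REJECT.search(line):
            events.append((m["host"], m["sender"], m["rcpt"], False))
        elif m := CLIENT.search(line):
            client[m["qid"]] = m["host"]
        elif m := SENDER.search(line):
            sender[m["qid"]] = m["sender"]
        elif (m := DELIVERED.search(line)) and m["qid"] in client and m["qid"] in sender:
            events.append((client[m["qid"]], sender[m["qid"]], m["rcpt"], True))
    return events


def backscatter_report(lines, host_pattern=GOOGLE_OUT):
    """Per matching host and overall: attempts, and how many were null-sender
    mail to an unknown local user (the backscatter / SAV-probe signature)."""
    per_host = defaultdict(lambda: {"attempts": 0, "null_to_unknown": 0})
    for host, sender, _rcpt, accepted in parse_transactions(lines):
        if not host_pattern.match(host):
            continue
        per_host[host]["attempts"] += 1
        if sender == "" and not accepted:
            per_host[host]["null_to_unknown"] += 1
    attempts = sum(h["attempts"] for h in per_host.values())
    bad = sum(h["null_to_unknown"] for h in per_host.values())
    return {
        "hosts": dict(per_host),
        "attempts": attempts,
        "null_to_unknown": bad,
        "ratio": bad / attempts if attempts else 0.0,
    }


if __name__ == "__main__":
    r = backscatter_report(SAMPLE_LOG)
    for host, h in sorted(r["hosts"].items()):
        print(f"{host:26} attempts={h['attempts']} null_to_unknown={h['null_to_unknown']}")
    print(f"total attempts={r['attempts']} null-sender to unknown users={r['null_to_unknown']} ({r['ratio']:.0%})")
```

On the constructed sample the Google hosts come out at 6 of 8 attempts, the 75% figure from the post. Two caveats a practitioner would keep in mind: the ratio is a signal, not proof, because legitimate DSNs for forwarded mail also arrive with a null sender and can land on addresses that no longer exist, so confirming the source still takes something like the catch-all Mike set up and a look at the bounce bodies; and the reason the MX is only a victim here rather than a second source of backscatter is exactly that it refuses unknown recipients at RCPT TO instead of accepting and bouncing later.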