OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [OT] Gmail Backscatter?

From: Jorey Bump (listjoreybump.com)
Date: Thu Mar 20 2008 - 13:44:10 CDT

Mike Morris wrote, at 03/20/2008 02:16 PM:

> I set up catchalls for some of the domains that were getting hit the
> hardest and aliased them to an actual email address, and then waited for
> the flood to pour in. Some of what I saw were normal DSNs that appeared
> to be generated because people were forwarding their Google-hosted email
> address(es) to some third-party servers which then rejected the
> messages. Nothing too exciting. After leaving everything alone for a
> while a large amount of emails came in at once from the Google servers.
>
> This large group of messages contained what I believe to be the major
> culprit. They were bounce messages being sent to spoofed email
> addresses for domains we host because the spammer was sending emails to
> random googlegroups.com email addresses. The Google MX servers accept
> email for any address in the googlegroups.com domain, whether it exists
> or not. If that user/group does not exist then the Google servers send
> a bounce message back to the spoofed sender. Anyone can try it; send an
> email to a completely bogus address googlegroups.com. You will get a
> bounce back that looks like this:
>
>
> Hello userexample.com,
>
> We're writing to let you know that the group that you tried to
> contact (7794........387274750277$slkdjflkasjdflahsdfas884--___)
> doesn't exist. There are a few possible reasons why this
> happened:
>
> * You might have spelled or formatted the group name
> incorrectly.
> * The owner of the group removed this group, so there's nobody
> there to contact.
>
> If you have questions about this or any other group, please
> visit the Google Groups Help Center at
> http://groups.google.com/support.
>
> Thanks, and we hope you'll continue to enjoy Google Groups.
>
> The Google Groups Team
>
>
> This is backscatter. Personally I consider this to be a big deal, and
> can be quite problematic. Emails to postmastergoogle.com,
> abusegoogle.com, postmastergmail.com, and abusegmail.com go
> unanswered, at least when sent by mere mortals such as myself. I'll
> continue to try to contact them by other means as I find them.
>
> Anyone have any ideas? Are my observations here flawed in some way,
> such that I've drawn incorrect conclusions?

Excellent sleuthing! This clears up a mystery I encountered when
developing Nolisting/Unlisting. I would see connections from these
servers sporadically, and couldn't correlate them to any of my test
messages. This suggests that this has been a potential problem for some
time. I think your approach and observations are sound. Hopefully,
Google will take notice and start performing recipient validation for
its groups. I'll try your test and contact them if I get a bounce.
Perhaps enough complaints will result in some action.