From: Wietse Venema (wietse@porcupine.org)
Date: Thu Mar 20 2008 - 13:48:52 CDT
Mike Morris:
> I set up catchalls for some of the domains that were getting hit the
> hardest and aliased them to an actual email address, and then waited for
> the flood to pour in. Some of what I saw were normal DSNs that appeared
> to be generated because people were forwarding their Google-hosted email
> address(es) to some third-party servers which then rejected the
> messages. Nothing too exciting. After leaving everything alone for a
> while a large amount of emails came in at once from the Google servers.
>
> This large group of messages contained what I believe to be the major
> culprit. They were bounce messages being sent to spoofed email
> addresses for domains we host because the spammer was sending emails to
> random@googlegroups.com email addresses. The Google MX servers accept
> email for any address in the googlegroups.com domain, whether it exists
> or not. If that user/group does not exist then the Google servers send
> a bounce message back to the spoofed sender. Anyone can try it; send an
> email to a completely bogus address@googlegroups.com. You will get a
> bounce back that looks like this:
>
> Hello user@example.com,
>
> We're writing to let you know that the group that you tried to
> contact (7794........387274750277$slkdjflkasjdflahsdfas884--___)
> doesn't exist. There are a few possible reasons why this
> happened:
Confirmed. Mail to nonexistent@googlegroups.com is received first
and bounced later.
I checked my logs, and Google is responsible for 2/3 of the burst
of backscatter mail that hit my server yesterday.
Wietse
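
Added example (not part of the original messages): one way to run the kind of log check described in the reply above. It assumes Postfix smtpd logs in which bounces addressed to nonexistent recipients are rejected at RCPT time and carry the null sender (from=<>). The log lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in Postfix smtpd reject format; all hosts/addresses are made up.
TEMPLATE = ("Mar 19 14:02:11 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            "{host}[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            "User unknown in virtual mailbox table; from=<{sender}> to=<{rcpt}> "
            "proto=ESMTP helo=<{host}>")

def line(host, ip, sender, rcpt):
    return TEMPLATE.format(host=host, ip=ip, sender=sender, rcpt=rcpt)

SAMPLE_LOG = "\n".join(
    [line(f"out-{i}.bigprovider.example", f"192.0.2.{i}", "", f"r{i}@hosted.example")
     for i in range(1, 5)]                      # four bounces from one provider
    + [line("mx.smallhost.example", "192.0.2.50", "", "zz9@hosted.example"),
       line("unknown", "192.0.2.77", "", "k3@hosted.example"),   # no reverse DNS
       # Ordinary spam with a non-null sender: rejected, but not backscatter.
       line("relay.junk.example", "192.0.2.90", "a@junk.example", "x@hosted.example"),
       "Mar 19 14:02:12 mx postfix/smtpd[2101]: connect from unknown[192.0.2.91]"]
)

REJECT = re.compile(r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
                    r"\d{3} .*?; from=<(?P<sender>[^>]*)> to=<[^>]*>")

def backscatter_by_source(log_text):
    """Count rejected null-sender (bounce) deliveries per sending source."""
    counts = Counter()
    for entry in log_text.splitlines():
        m = REJECT.search(entry)
        if not m or m["sender"] != "":
            continue  # bounces (DSNs) use the null envelope sender <>
        host = m["host"]
        # Group by the last two DNS labels (a simplification), or by IP
        # when Postfix could not resolve the client name.
        source = m["ip"] if host == "unknown" else ".".join(host.split(".")[-2:])
        counts[source] += 1
    return counts

def shares(counts):
    """Fraction of all counted bounces attributable to each source."""
    total = sum(counts.values())
    return {src: n / total for src, n in counts.most_common()} if total else {}

if __name__ == "__main__":
    for src, frac in shares(backscatter_by_source(SAMPLE_LOG)).items():
        print(f"{src:25s} {frac:.0%}")
```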