I got a human being at Google to look into my problem and take action after sending a police report to Google's legal department certified mail return receipt along with a letter describing how someone was impersonating me and my business using a Gmail address in an attempt to commit fraud.
Yes, it was a pain to take all of these steps and it probably took about 3 hours but it was absolutely necessary considering there was no avenue for me to shut down this person otherwise.
Wasn't expecting this comment to go far. This took place about a month ago. For those who are interested, here is the address I sent the police report and cover letter to:
Google LLC
Attn: Legal Department – Custodian of Records
1600 Amphitheatre Parkway
Mountain View, CA 94043
In the cover letter I outlined the problem and the desired remedy (shut down the gmail account and preserve IP and other information for law enforcement), and attached two other documents: an annotated printout of the email thread from a prospective victim of the scam (who sensed something was fishy and contacted me through my website) and the local police report I filed to document the attempted fraud in my name.
Someone at Google contacted me about a week later and confirmed that the account was shut down. I don't know if they did anything else regarding preserving data or shutting down any other Google services this person was using.
I also made a report to the FBI’s Internet Crime Complaint Center, although TBH it looks like a black hole that lets the feds say they are "doing something" for ordinary victims.
Having worked in compliance engineering I have also reported through the IC3 portal, and spoken with lawyers and analysts who register with FinCEN (which, to be clear, is maybe just a step beyond "My Uncle works at Nintendo...") and I have heard that those reports do get reviewed and often acted on, but yes, you will typically never hear back from them. (FinCEN has its own reporting structure, but we also submitted certain reports through the IC3 portal as well.)
Honestly, the "acted upon" part needs to be highlighted in tangible ways, otherwise people will be suspicious that nothing ever happens to our reports, leading to fewer reports being submitted.
During the IC3 reporting process I was asked to submit the name of people behind the scam, if known. I knew one of them because the scammer asked for a wire transfer to a named account at a bank in Oregon. Probably a mule.
Does anyone at the FBI or other agencies actually do anything with this information, such as contacting the bank in question or correlating it with other investigations? That's what I would expect if law enforcement were serious about enforcing the laws on the books. But there is no indication that anything happened, other than a confirmation number being spit out on a web page that my report had been received. That's why I made the "black hole" comment earlier.
If the IC3 portal highlighted specific cases or stats ("thanks to reports submitted to IC3, n investigations were initiated/suspects charged/convictions secured") that would really help convince ordinary victims that the government is taking tangible steps to fight this scourge of small-scale scams and frauds that affect millions of people every year.
There are strict rules about not talking about open investigations because of so-called "Tipping-off" rules. It can carry some pretty serious penalties - jail time, fines. I agree it would be nice if the FBI itself made some announcements about these sorts of things, and they might do that in aggregate, but if you're a bank or fintech employee and you're in communication with the FBI you absolutely cannot say anything about it. Even confirming that an investigation existed could be penalized.
> Even confirming that an investigation existed could be penalized.
I didn't know that. But that is another point that could be highlighted on the IC3 homepage or confirmation, along with aggregated data about enforcement actions resulting from submissions from ordinary victims.
My assumption is that they at least have an intern read them, but only act on reports likely to lead to major cases, for some value of "major" that includes cases where terrorism, large sums of money, or Important People are involved, or more generally cases that could lead to seriously good/bad PR if pursued/ignored.
De minimis non curat FBI.
They may also flag certain cases to be passed to other relevant authorities like FinCEN, the Secret Service, the Postal Inspection Service, various military investigative services, or even the intelligence community (assuming NSA doesn't already intercept the mailbox which would be a very reasonable thing to do).
"Acted upon" in these sorts of bulk data contexts typically means "charge them for an extra count when we pick them up for something else".
It's like the internet crimes version of putting the serial number of stolen property in a police report. They ain't looking for it, but they'll tack the charge when they inventory a crackhouse bust and that number pops up stolen.
They aren't dedicating serious resources to speculatively looking at the reports and trying to assess patterns like some TV cop looking at a series of dead hookers and saying "aha we have a serial killer on the loose".
Oh that's a good idea! I got locked out of my YouTube premium account and they kept charging me. Couldn't get in contact with anyone at YouTube because the YT premium support line is behind the YT login. So I had to change my credit card number. Somehow they still kept billing the card, so the credit card company said they'd have to close my account entirely to get Google to stop billing me for a service they wouldn't let me cancel.
That's a built-in thing; Visa, MasterCard, Amex all have updater services that ensure trusted merchants get the replacement card seamlessly. This leads to annoying edge cases like yours.
You have to realize that once Google flips the bit on you and they think you are trying to scam them (or others via them) you are absolutely dead to them. They don't want to hear from you ever again. You're banned to hell. The fact that a billing system didn't get switched off isn't so surprising; the internal architecture of their systems is so complicated that it would take multiple human lifetimes to explain how it all works.
I gave up on trying to report abuse to Google, Amazon or Microsoft. It seems reports simply get ignored and the big providers do nothing. I hope the FSF with its weight and media presence can finally do something.
Google, Microsoft, and Amazon are my major sources of spam. These days, this is where spam comes from.
At this point, they are also too big to block. We allowed this to happen, through neglect and laziness. Even in this discussion: how many people use Gmail as their primary email service?
Google suspend email accounts that get lots of spam reports. It happens a couple of times a year for salespeople in my company who use Gmass (a bulk email sending tool).
I mention it only as a useful data point, and in the absence of anyone else on the thread mentioning that Google have robust email abuse monitoring.
I have been observing this for the last 2-3 years (4 postfix servers sysadmin)
Gmail cannot be whitelisted anymore: spam, phishing,...
On the other hand, if your users redirect twitter or linkedin notifications from their domain to a gmail account, Google claims you are sending too fast and is suspicious (and throttles or blocks ip).
Somewhat related to spam coming from Google servers, maybe someone can shed some light on what could be the motivation behind this activity:
In recent months I'm seeing instances where random personal mail accounts on a server I run would receive a barrage of mail in a short amount of time.
Mail seems to be bounced via Google Groups - they are sent from Google's IPs and have headers like X-Google-Group-Id, List-*, etc. all pointing to Google Groups. The actual group ID changes after each individual instance of this. However when I actually check e.g. the List-Archive URL, the group appears to have already been deleted.
The content of mail looks like it originates from various (legit-looking) random public web services, support requests, issue trackers, web contact forms etc. For example, a common recurring one is Virginia Department of Motor Vehicles (as in something like "thank you for filing a document #123 with us").
No apparent phishing links, no attached malware, no short advertisements snuck into a text field etc. Just automated replies from "noreply@"-type addresses.
It does not seem to be the case of trying to hide another attack (as discussed here for example: https://news.ycombinator.com/item?id=47609882) - over many instances I've not seen any other malicious activity. And this mail is filtered out easily enough based on Google's headers.
It all looks like there is some bot that a) creates a Google group and subscribes (one or more) random email addresses to a Google group and then b) enters the group's mail address into a bunch of random web forms that then send their automated responses to the group.
What could be the motivation for this? After the fact it's filtered pretty easily based on headers. It's not nearly enough volume to DoS the server. But why would someone go through the trouble of setting this up?
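The comment above says this traffic is easy to filter on Google's own headers once you know the pattern. Here is an added example of that triage, written for this page and not taken from the thread: it assumes messages are available as RFC 5322 text, treats a message as a Google Groups relay when it carries an X-Google-Group-Id header plus List-* headers pointing at Google Groups, and flags a recipient who receives a barrage of such mail inside a short window. All sample messages, addresses and group ids below are constructed placeholders.

```python
"""Header-based triage for mail relayed through Google Groups.

Added example, not code from the thread. It assumes messages are available
as RFC 5322 text and that an unsolicited relay looks like the comment
describes: an X-Google-Group-Id header plus List-* headers pointing at
Google Groups. The sample messages, addresses and group ids are constructed.
"""
from datetime import timedelta
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime

GOOGLE_GROUPS_MARKERS = ("googlegroups.com", "groups.google.com")


def is_google_groups_relay(msg: Message) -> bool:
    """True when the message carries Google Groups relay headers."""
    if msg.get("X-Google-Group-Id") is None:
        return False
    list_headers = " ".join(
        value for name, value in msg.items() if name.lower().startswith("list-")
    ).lower()
    return any(marker in list_headers for marker in GOOGLE_GROUPS_MARKERS)


def is_relay_text(raw: str) -> bool:
    """Convenience wrapper taking the raw message text."""
    return is_google_groups_relay(message_from_string(raw))


def find_bursts(raw_messages, window=timedelta(minutes=10), min_messages=3):
    """Return {recipient: {"count": n, "groups": [...]}} for recipients that got
    at least `min_messages` relayed messages inside any `window`-long interval.
    One stray subscription does not trip this; a barrage does."""
    per_recipient = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not is_google_groups_relay(msg):
            continue
        rcpt = parseaddr(msg.get("To", ""))[1].lower()
        when = parsedate_to_datetime(msg["Date"])
        group_id = msg["X-Google-Group-Id"].strip()
        per_recipient.setdefault(rcpt, []).append((when, group_id))

    flagged = {}
    for rcpt, events in per_recipient.items():
        events.sort()  # chronological; a sliding window starts at each event
        for i, (start, _) in enumerate(events):
            hits = [gid for t, gid in events[i:] if t - start <= window]
            if len(hits) >= min_messages:
                flagged[rcpt] = {"count": len(hits), "groups": sorted(set(hits))}
                break
    return flagged


def _sample(date, to, group_id=None):
    """Build a constructed message; without group_id it is ordinary mail."""
    headers = [
        "Date: " + date,
        "From: noreply@forms.example.net",
        "To: " + to,
        "Subject: Thank you for filing document #123",
    ]
    if group_id:
        headers += [
            "X-Google-Group-Id: " + group_id,
            "List-Id: <" + group_id + ".googlegroups.com>",
            "List-Archive: <https://groups.google.com/group/" + group_id + ">",
        ]
    return "\r\n".join(headers) + "\r\n\r\nAutomated reply, do not respond.\r\n"


# Constructed samples: one recipient gets four relayed messages in four
# minutes from one freshly created group, another gets a single one.
SAMPLES = [
    _sample("Mon, 03 Nov 2025 10:00:00 +0000", "alice@example.org", "grp-aaa"),
    _sample("Mon, 03 Nov 2025 10:02:00 +0000", "alice@example.org", "grp-aaa"),
    _sample("Mon, 03 Nov 2025 10:03:30 +0000", "alice@example.org", "grp-aaa"),
    _sample("Mon, 03 Nov 2025 10:04:00 +0000", "alice@example.org", "grp-aaa"),
    _sample("Mon, 03 Nov 2025 10:05:00 +0000", "alice@example.org"),
    _sample("Mon, 03 Nov 2025 11:00:00 +0000", "bob@example.org", "grp-bbb"),
]

if __name__ == "__main__":
    print(find_bursts(SAMPLES))
```

The burst check matters because a single Google Groups message is normal for anyone who ever joined a group; it is the rate and the fact that the recipient never subscribed that distinguish the pattern described above, so a milter or post-delivery script would act on `find_bursts` rather than on the header match alone.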
Rhetorical question- but what is it going to take for the IT Community to start treating Gmail and the rest of the "too big to block" as adversarial entities and actually block them for their bad behavior. Pie in the sky I know.
I was getting spam called constantly every 5 minutes (blocked by Google call screening) and the attackers made an error in sending a message with their AWS bucket URL. I was able to submit an abuse report to Amazon and puff Amazon dismantled the entire spam group. No more spam since then.
Maybe try saying the spam has porn or inappropriate images?
gmail, outlook and salesforce create about 90% of the spam that gets through blacklists. Salesforce is simple to fix: I just block anything from salesforce from our network, as it just seems to be 100% used by spammers. Gmail and outlook are the major problem, as there is no way of addressing their spam issue.
I'm getting a lot, and I mean A LOT, of spam recently from various ".bc.googleusercontent.com" domains. Not sure what can be done about that. But the uptick is very noticeable.
It honestly is a bit disappointing that most of the internet's "infrastructure" is tied up in large corporations that just get money for free by being the only provider and face little to no backlash (because of their monopoly) when they neglect things like basic customer service.
Good luck. These big tech companies have no incentive to care about support or really anything that isn’t tied directly to making money. And unless you have a friend there, Google staff have no incentive either. Solving this won’t help with their promotions.
(I haven't run my own mail-server in a while. It's getting harder and harder.)
Are the real-time-blackhole lists still a thing?
If they're regularly allowing spam and not responding to reports in any sort of timely manner, possibly they should be reported to those.
Not going to work though, is it. Too big to fail shouldn't be a thing. It's not like you can't be flexible about it or give them some room to deal with it within corporate policy; but they do need to deal with it, right?
Realistically, I think some companies have outgrown the size where internet can still self-regulate them. You'd hurt yourself more than gmail.
This either needs laws or new game theory.
Or -you know- deprecate the current email system. I know that's a perennial proposal; but that's because every year it gets even more broken in even more interesting ways. It's patch-on-patch-on-patch at the moment. Just spinning up sendmail on a random box won't quite cut it anymore, if you want to participate.
Ah yes, the tried and true method of getting into contact with someone at google: sending a blast to social media for an actual human, because Google literally makes it impossible to talk to anyone at all. Worst customer support in all of tech.
I wonder if they do not take this kind of thing that seriously, so as to encourage the paid tier for storage. I am teetering nearer my end to the free, mostly from all the emails over the years.
Had Google trying to send me mails to non-existing mail-addresses over months. You would think their logs might catch something like that or they would react to my complaints ... they don't and they just don't care.
It sometimes stops for weeks, then it continues.
from my logs as an example:
Nov 13 22:10:51 bert postfix/smtpd[2693931]: NOQUEUE: reject: RCPT from mail-oi1-x248.google.com[2607:f8b0:4864:20::248]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Nov 13 22:12:07 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-ua1-x948.google.com[2607:f8b0:4864:20::948]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Nov 13 22:12:18 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x346.google.com[2a00:1450:4864:20::346]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Nov 13 22:12:37 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lf1-x146.google.com[2a00:1450:4864:20::146]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Nov 13 22:13:08 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-wm1-x345.google.com[2a00:1450:4864:20::345]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
Nov 13 22:14:03 bert postfix/smtpd[2696594]: NOQUEUE: reject: RCPT from mail-lj1-x248.google.com[2a00:1450:4864:20::248]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
As you can see, the to-address is generated and it's different hosts at Google trying to send mails.
Searching for zf.thesparklebar.com shows others having the same problem.
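The log excerpt above is the stock Postfix smtpd reject format, and the point the poster makes (one nonexistent sender domain being retried from many different outbound hosts at the same provider) is easier to see once the lines are parsed and aggregated. The following is an added example written for this page, not code from the thread: it parses NOQUEUE reject lines, summarises them by client host, reason and sender domain, and reports sender domains rejected with 4.1.8 from several distinct clients. The sample lines are constructed from the format above with a placeholder sender domain (`bounce.nonexistent-sender.invalid`) and recipient, since the original lines have those values stripped.

```python
"""Parse and summarise Postfix NOQUEUE reject lines.

Added example, not code from the thread. It assumes the stock Postfix
smtpd log format shown above; the sample lines below are constructed
(placeholder sender domain and recipient), not a real log.
"""
import re
from collections import Counter

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: "
    r"NOQUEUE: reject: RCPT from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<status>\d{3}) (?P<esc>\d\.\d\.\d) (?:<[^>]*>: )?(?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)


def parse_reject(line: str):
    """Return the named fields of a reject line, or None for any other line."""
    m = REJECT_RE.match(line)
    return m.groupdict() if m else None


def summarize_rejects(lines):
    """Count rejects by client host, by (status, enhanced code, reason) and by
    sender domain, so a sustained pattern stands out from one-off noise."""
    parsed = [p for p in map(parse_reject, lines) if p]
    return {
        "total": len(parsed),
        "by_client": Counter(p["client"] for p in parsed),
        "by_reason": Counter((p["status"], p["esc"], p["reason"]) for p in parsed),
        "by_sender_domain": Counter(p["sender"].rpartition("@")[2] for p in parsed),
    }


def unknown_domain_pattern(lines, min_clients=3):
    """Sender domains rejected with 4.1.8 (Domain not found) from at least
    `min_clients` distinct client hosts: the signature of one bad sender
    address being retried from a provider's whole outbound pool."""
    clients_by_domain = {}
    for p in filter(None, map(parse_reject, lines)):
        if p["esc"] == "4.1.8":
            domain = p["sender"].rpartition("@")[2]
            clients_by_domain.setdefault(domain, set()).add(p["client"])
    return {d: sorted(c) for d, c in clients_by_domain.items() if len(c) >= min_clients}


def _line(ts, pid, client, ip, status, esc, reason, sender, rcpt):
    """Assemble one constructed log line in the smtpd reject format."""
    return (f"{ts} bert postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from {client}[{ip}]: "
            f"{status} {esc} <{sender}>: {reason}; from=<{sender}> to=<{rcpt}> "
            f"proto=ESMTP helo=<{client}>")


BAD = "noreply@bounce.nonexistent-sender.invalid"  # constructed placeholder sender
RCPT = "someone@example.org"                        # constructed placeholder recipient
NOT_FOUND = "Sender address rejected: Domain not found"

# Constructed sample log: four 4.1.8 rejects for one sender domain from four
# different outbound hosts, one unrelated relay-denied reject, one non-reject line.
SAMPLE_LOG = [
    _line("Nov 13 22:10:51", 2693931, "mail-oi1-x248.google.com", "2607:f8b0:4864:20::248",
          450, "4.1.8", NOT_FOUND, BAD, RCPT),
    _line("Nov 13 22:12:07", 2696594, "mail-ua1-x948.google.com", "2607:f8b0:4864:20::948",
          450, "4.1.8", NOT_FOUND, BAD, RCPT),
    _line("Nov 13 22:12:18", 2696594, "mail-wm1-x346.google.com", "2a00:1450:4864:20::346",
          450, "4.1.8", NOT_FOUND, BAD, RCPT),
    _line("Nov 13 22:12:37", 2696594, "mail-lf1-x146.google.com", "2a00:1450:4864:20::146",
          450, "4.1.8", NOT_FOUND, BAD, RCPT),
    _line("Nov 13 22:14:03", 2696594, "unknown", "203.0.113.5",
          554, "5.7.1", "Relay access denied", "x@example.com", "y@example.net"),
    "Nov 13 22:15:00 bert postfix/smtpd[2696594]: connect from unknown[203.0.113.5]",
]

if __name__ == "__main__":
    print(summarize_rejects(SAMPLE_LOG))
    print(unknown_domain_pattern(SAMPLE_LOG))
```

Because 450 is a temporary rejection, the sending side keeps retrying, which is why the same sender domain shows up from host after host in the poster's log; aggregating by sender domain rather than by client IP is what makes that a single finding instead of a dozen unrelated ones.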
https://stripe.com/resources/more/what-is-a-card-account-upd...
You can sometimes ask your bank to issue a card and not ping the updater service, but tier one support tends… not to know about it at all.
Hilarious.
I've not been reporting them because I already know they aren't valid and I do not do Google's work for them.
Google Workspace email is very generous with the kind of outgoing email you can send via their SMTP servers.
It's not perfect though. For some reason, it doesn't find (or deliberately ignores) OVH hosts that are relaying spam.