Block Google Groups mailing list autoresponder spam with rspamd and Mailcow

For a few weeks now I have been getting a lot of spam mails that are autoresponders from different companies. All of them have the Google Groups mailing list headers in common:

List-ID: <some.example.com>
X-Spam-Checked-In-Group: sdsdsdsdsdsdsdsdsdsdsdsdsdsdsd@example.com
X-Google-Group-Id: 5432154321
List-Post: <https://groups.google.com/a/example.com/group/some/post>, <mailto:some@example.com>
List-Help: <https://support.google.com/a/example.com/bin/topic.py?topic=25838>,
    <mailto:bt+help@example.com>
List-Archive: <https://groups.google.com/a/example.com/group/some/>
List-Subscribe: <https://groups.google.com/a/example.com/group/some/subscribe>,
    <mailto:some+subscribe@example.com>
List-Unsubscribe: <mailto:googlegroups-manage+5432154321+unsubscribe@googlegroups.com>,
    <https://groups.google.com/a/example.com/group/some/subscribe>

It looks like some spammers add mail addresses to Google Groups mailing lists and then send spam mails around the world; the autoresponders answer these mails, the Google Groups mailing list catches the replies and spreads them to all members of the group. Time to stop this. I can't remember subscribing to any Google Groups mailing list in the last years, and if a subscription without my confirmation is possible, then this looks like a security issue on Google's side to me. But for now, I want to stop the spam mails.

I use Mailcow as mail server and rspamd as spam filter, so I created a new rule in rspamd to block all mails that have the X-Google-Group-Id header. It's still possible to add exceptions for some trusted mailing lists.

Blocking Google Groups with Multimap Whitelist

Add the following rules at the end of your mailcow/data/conf/rspamd/local.d/multimap.conf:

# Allow rule: matched first, accepts mails whose From header matches an entry in the allow map
ALLOW_GOOGLEGROUPS {
  type = "header";
  header = "From";
  # the map entries are regular expressions, not plain strings
  regexp = true;
  map = "${LOCAL_CONFDIR}/custom/googlegroups_allow.map";
  action = "accept";
}

# Block rule: rejects every remaining mail that carries an X-Google-Group-Id header
BLOCK_GOOGLEGROUPS {
  type = "header";
  header = "X-Google-Group-Id";
  regexp = true;
  action = "reject";
  map = "${LOCAL_CONFDIR}/custom/googlegroups_block.map";

  message = "Google Groups mailing lists are not permitted";
}

Then create the file mailcow/data/conf/rspamd/custom/googlegroups_allow.map and add the email addresses of the trusted mailing lists that you want to receive mails from. Each entry is a regular expression that is matched against the whole From header value; lines starting with # are comments, so the examples below are disabled until you uncomment them:

# Example group for internal alerts
# ^internal-alerts@googlegroups\.com$

# Example group for operations reports
# ^ops-reports@googlegroups\.com$

# Example group for neighbourhood parents
# ^neighbourhood-parents@googlegroups\.com$

Finally create the file mailcow/data/conf/rspamd/custom/googlegroups_block.map. It matches all other mails that have the X-Google-Group-Id header, whatever the ID is, and rejects them:

# Block any ID
^.*$

Test your configuration with docker compose exec rspamd-mailcow rspamadm configtest. You can test the rule against a saved message with docker compose exec -T rspamd-mailcow rspamc -i 1.2.3.4 < ../test.eml. Restart the rspamd container and enjoy your Google Groups mailing list spam free inbox.
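To check the map contents before deploying them, here is a small offline emulation of the two rules above. This is an added example and not part of the original post or of rspamd itself: it reads the same map file format (blank lines and # comments skipped, one regular expression per line), applies the allow patterns to the raw From header value exactly as a multimap rule of type "header" does, and only then applies the block patterns to X-Google-Group-Id. It assumes that the allow rule takes precedence over the block rule, which is what the configuration intends, and it does not emulate rspamd's own regexp flags (matching here is case-sensitive). The sample messages and map contents are constructed for the example; the third message shows the edge case where a display name in From keeps an anchored allow pattern from matching.

```python
"""Offline emulation of the ALLOW_GOOGLEGROUPS / BLOCK_GOOGLEGROUPS rule pair."""
import email
import re
from email import policy

# Constructed map contents, in the same format as the map files in the post
ALLOW_MAP_TEXT = r"""
# trusted group; the pattern is matched against the whole From header value
^internal-alerts@googlegroups\.com$
"""

BLOCK_MAP_TEXT = r"""
# Block any ID
^.*$
"""


def load_map(text):
    """Parse an rspamd-style regexp map: blank lines and '#' comments are skipped."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def classify(raw_message, allow_patterns, block_patterns):
    """Return the action the rule pair would take: 'accept', 'reject' or 'no action'.

    Assumption: ALLOW_GOOGLEGROUPS is evaluated first and wins. Patterns are
    searched in the raw header value, which is what a "header" multimap sees.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_value = str(msg.get("From", ""))
    group_id = msg.get("X-Google-Group-Id")

    if any(p.search(from_value) for p in allow_patterns):
        return "accept"
    if group_id is not None and any(p.search(str(group_id)) for p in block_patterns):
        return "reject"
    return "no action"


# Constructed test messages (addresses are placeholders)
GROUP_SPAM = b"""From: autoresponder@spammy.example
To: me@example.com
Subject: Out of office
X-Google-Group-Id: 5432154321
List-ID: <some.example.com>

I am currently out of the office.
"""

TRUSTED_GROUP = b"""From: internal-alerts@googlegroups.com
To: me@example.com
Subject: Disk alert
X-Google-Group-Id: 1111111111

Disk usage is at 90%.
"""

# Same trusted group, but From carries a display name: the anchored allow
# pattern no longer matches the whole header value, so the block rule fires
TRUSTED_GROUP_WITH_NAME = b"""From: "Internal Alerts" <internal-alerts@googlegroups.com>
To: me@example.com
Subject: Disk alert
X-Google-Group-Id: 1111111111

Disk usage is at 90%.
"""

PLAIN_MAIL = b"""From: friend@example.org
To: me@example.com
Subject: Hello

No group headers here.
"""


def run_checks():
    """Classify every sample message and return the actions by name."""
    allow = load_map(ALLOW_MAP_TEXT)
    block = load_map(BLOCK_MAP_TEXT)
    return {
        "group_spam": classify(GROUP_SPAM, allow, block),
        "trusted_group": classify(TRUSTED_GROUP, allow, block),
        "trusted_group_with_name": classify(TRUSTED_GROUP_WITH_NAME, allow, block),
        "plain_mail": classify(PLAIN_MAIL, allow, block),
    }


if __name__ == "__main__":
    for name, action in run_checks().items():
        print(f"{name}: {action}")
```

Running it prints reject for the autoresponder, accept for the bare trusted address, reject for the trusted address with a display name, and no action for the mail without group headers. The third result is the one to watch: if the groups you trust send with a display name in From, write the allow pattern so it matches the whole header value rather than only the bare address.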
