Google doesn't get SPF

Someone has decided to use my email address as a spam source. They have even used Google to relay it which, given Google's current policies, seems like a winning idea.

I keep getting emails from Google’s servers with header lines like this:

X-Original-Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of [email protected] does not designate 66.80.26.66 as permitted sender)

You don’t say? You mean even though my SPF records do not include some dodgy server in California, even though Google knows I don’t include this in my SPF records… well we will let the email go through anyhow.

SPF records declare where my email comes from. If the record ends with -all, as mine do, it means: don't accept mail for this domain from anywhere else. The hardfail means Google sees the -all and still does nothing about it.
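To make the -all point concrete, here is a small SPF evaluator added as an example (it is not code from this blog, and the record it checks is a constructed one; the author's real SPF record is not on the page). It handles only the ip4/ip6/all mechanisms, so it needs no DNS, and it maps the result to what a receiver that honours SPF would do: "fail" from -all is an explicit instruction to reject, while "softfail" from ~all is only advisory. The hypothetical `receiver_decision` policy is mine, not Google's.

```python
"""Minimal SPF evaluator for the ip4:, ip6: and all mechanisms.

Added example, not the blog's code.  The record below is constructed
(RFC 5737 / RFC 3849 documentation ranges); 66.80.26.66 is the address
quoted in the Google header above.
"""
import ipaddress

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record: two permitted ranges, then "deny everything else".
RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none for sender_ip against record.

    Mechanisms are evaluated left to right and the first match wins.
    include:, a:, mx: and exists: need DNS and are rejected here rather
    than silently ignored, so a record that uses them cannot be misjudged.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network (and vice versa).
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS; not supported here")
    return "neutral"  # ran off the end without matching any mechanism


def receiver_decision(result: str) -> str:
    """Hypothetical receiver policy: what an MTA that honours SPF does.

    'fail' (from -all) is the domain owner's instruction to refuse the
    message; 'softfail' (~all) is advisory and is normally only scored.
    """
    return {"fail": "reject", "softfail": "mark", "pass": "accept"}.get(result, "accept")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "2001:db8::1", "66.80.26.66"):
        result = evaluate_spf(RECORD, ip)
        print(f"{ip:>14} -> spf={result:<8} action={receiver_decision(result)}")
```

Swapping the record's `-all` for `~all` turns the 66.80.26.66 case into a softfail, which is the result most receivers merely score; the hardfail in the header above is the stronger signal, which is the whole point of the post.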


WordPress password bots

Browsing through my logs I noticed that one particular IP address was continuously trying to go to wp-login.php. After a few more greps, it seems he really likes this URL. So, Mr 37.115.188.210, congratulations for testing a few things and welcome to the blocklist.

I love fail2ban, but initially I didn't have it for the WordPress login. That needed to get fixed real quick, so a visit to the WordPress plugins site and we have WP fail2ban up and running.

And doesn’t it work well:

2013-11-21 22:54:47,742 fail2ban.actions: WARNING [wordpress] Ban 37.115.188.210
2013-11-21 22:58:29,037 fail2ban.actions: WARNING [wordpress] Unban 37.115.188.210
2013-11-21 22:58:39,450 fail2ban.actions: WARNING [wordpress] Ban 37.115.188.210
2013-11-21 23:08:40,164 fail2ban.actions: WARNING [wordpress] Unban 37.115.188.210
2013-11-21 23:09:27,241 fail2ban.actions: WARNING [wordpress] Ban 37.115.188.210
2013-11-21 23:19:27,919 fail2ban.actions: WARNING [wordpress] Unban 37.115.188.210
2013-11-21 23:20:09,991 fail2ban.actions: WARNING [wordpress] Ban 37.115.188.210
2013-11-21 23:30:10,689 fail2ban.actions: WARNING [wordpress] Unban 37.115.188.210

You get the idea! I’ve sent a message off to the responsible ISP, we’ll see how that goes.
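The ban/unban cycle above is fail2ban's maxretry-within-findtime rule in action. As an added example (not the blog's code, and not the WP fail2ban plugin, which reports through syslog rather than the web access log), here is that rule applied to constructed Apache access-log lines. The failure signal it keys on is a POST to wp-login.php answered with HTTP 200: WordPress re-renders the login form on a bad password, while a successful login redirects (302) to wp-admin. The thresholds are assumptions chosen to match the timings in the log above.

```python
"""Detect wp-login.php brute forcing the way fail2ban would.

Added example, not the blog's code.  The access-log lines are constructed;
only the first IP address is the one named in the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
37.115.188.210 - - [21/Nov/2013:22:54:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
37.115.188.210 - - [21/Nov/2013:22:54:35 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
37.115.188.210 - - [21/Nov/2013:22:54:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
37.115.188.210 - - [21/Nov/2013:22:54:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
37.115.188.210 - - [21/Nov/2013:22:54:47 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Nov/2013:22:55:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Nov/2013:22:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Nov/2013:22:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Nov/2013:23:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [timestamp], "request", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def failed_logins(log_text):
    """Yield (ip, timestamp) for every failed wp-login.php POST.

    A GET just fetches the form and a 302 on POST is a successful login,
    so neither counts; only POST + 200 (form re-rendered) is a failure.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        if m["status"] != "200":
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def ips_to_ban(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Apply fail2ban's rule: maxretry failures from one IP within findtime.

    Returns {ip: time the threshold was crossed}.  Events are processed in
    time order with a sliding window per IP, so two failures 50 minutes
    apart never add up to a ban.
    """
    window = defaultdict(list)
    banned = {}
    for ip, ts in sorted(failed_logins(log_text), key=lambda e: e[1]):
        if ip in banned:
            continue  # already banned; fail2ban would have dropped the packets
        window[ip] = [t for t in window[ip] if ts - t <= findtime] + [ts]
        if len(window[ip]) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG).items():
        print(f"Ban {ip} at {when:%Y-%m-%d %H:%M:%S}")
```

On the sample input only 37.115.188.210 crosses the threshold, at 22:54:47, the same second as the first "Ban" line in the fail2ban output above; 203.0.113.5 fails twice but far outside the window, and 198.51.100.9 logs in successfully.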

Goodbye mygbiz

Google seems to try to invent new and interesting ways for spammers to spam me (and many others).  I’ve still not worked out a good way to block “fake googlegroups” which follow this method:

  1. Make new fake gmail login
  2. Make new fake google group
  3. Add lots of people’s email addresses to the group
  4. Send lots of junk to these people
  5. Repeat when it gets closed down

I'm not sure why groups aren't opt-in. That is a rather simple and standard way to stop this exact problem.

Anyhow, the next new spammer enablement that the nice folks at Google have come up with is the mygbiz.com domain. These are temporary email addresses you can use when setting up Google Apps. The only thing I have ever seen from them is spam. So I thought I'd try to report some to Google. After looping around several help screens that were, despite their name, very unhelpful, I've come to the conclusion that Google isn't too serious about fixing this problem.

If you have postfix, the solution is very simple:

  1. vi /etc/postfix/access_sender
  2. Add a line like “mygbiz.com  REJECT”
  3. postmap /etc/postfix/access_sender
  4. postfix reload

I find the results of this method far superior to trying to get Google interested in being responsible for a domain they run. If you want to use Google Apps then spend the $50 and get a domain. Alternatively, don't use something that spammers abuse.

Does it work? You bet it does!

Sep 18 23:26:38 elmo postfix/smtpd[19013]: NOQUEUE: reject: RCPT from mail-ye0-f208.google.com[209.85.213.208]: 554 5.7.1 <[email protected]>: Sender address rejected: Do not send from mygbiz.com domains; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-ye0-f208.google.com>
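Two things the four steps above leave implicit: the map only takes effect once main.cf references it (`smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access_sender`), and the text after REJECT in the map is what shows up in the 554 reply and in the log line above. The following model of Postfix's access(5) lookup order is an added example, not the blog's or Postfix's code; the map contents are constructed around the domain named in the post, and the parent-domain behaviour assumes the default `parent_domain_matches_subdomains`, which lists `smtpd_access_maps` and so makes a bare `mygbiz.com` entry match its subdomains too.

```python
"""Model of how Postfix's check_sender_access consults an access(5) map.

Added example, not the blog's or Postfix's code.  The map text is
constructed; the lookup order (user@domain, then the domain and its
parent domains, then user@) follows access(5) for the default
parent_domain_matches_subdomains setting.
"""

# Constructed: what /etc/postfix/access_sender might hold.
ACCESS_SENDER = """\
# domain entry; the text after REJECT is returned in the SMTP reply
mygbiz.com             REJECT Do not send from mygbiz.com domains
spammer@example.net    REJECT
good@mygbiz.com        OK
"""


def parse_access_map(text):
    """Turn access(5)-style text into {key: action}.

    Keys are matched case-insensitively (lower-cased here); lines starting
    with '#' are comments and blank lines are skipped.  This is the
    in-memory equivalent of what `postmap` builds into the .db file.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access entry: {line!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_keys(sender, parent_domain_matches=True):
    """Keys in the order Postfix tries them for an email-address lookup.

    parent_domain_matches=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains (the default): 'mygbiz.com' matches
    'news.mygbiz.com'.  With False, subdomains match only '.mygbiz.com'.
    """
    sender = sender.lower()
    if "@" not in sender:
        return [sender]  # the null sender is handled elsewhere in Postfix
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender]
    if parent_domain_matches:
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    else:
        keys.append(domain)
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    return keys


def sender_action(sender, table, parent_domain_matches=True):
    """First matching action for sender, or None if the map is silent."""
    for key in lookup_keys(sender, parent_domain_matches):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    table = parse_access_map(ACCESS_SENDER)
    for addr in ("alice@mygbiz.com", "bob@news.mygbiz.com", "good@mygbiz.com", "carol@example.net"):
        print(f"{addr:<22} -> {sender_action(addr, table)}")
```

The `good@mygbiz.com OK` entry shows why the full-address lookup comes first: a specific exception wins over the domain-wide REJECT, which is the normal way to whitelist one correspondent from an otherwise blocked domain.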

More spam from nobistech.net

I get a lot of spam. Most of it, thankfully, is blocked by dspam, but occasionally I get some through the filter. One that particularly caught my eye was interesting not so much for what it was advertising (I don't read that part of the email) but for where it came from and goes to.

Normally there are two service providers involved in spam. The email comes from (or via) one and then the spamvertised website is on another. The interesting thing is that for this spam both of these were the same service provider. The email came from 174.34.168.85 and the spamvertised website was 70.32.40.194. Both of these addresses are owned by nobistech.net. I punted the email to spamcop and it said that they're not interested in spam reports.

A few Google queries show that these guys seem quite happy to have spam sources and destinations and have been doing it for years. They appear either as nobistech.net or Ubiquity Servers, but they are one and the same organisation, or at least related.

I won't bother to send anything to them; it seems this has been done many, many times by others with no results. Instead, some CIDR blocks will be put into my blacklist.
