Spam domains that plague my email
gist.github.com
Surprised to not see gmail.com in the list[1].
[1]: https://drewdevault.com/2021/02/25/Gmail-is-a-huge-source-of... , https://news.ycombinator.com/item?id=26265329
DARPA invented a communications network that could survive a nuclear war. Instead, everyone uses Gmail.
If any other source of spam was so resistant to receiving abuse reports, they would be blackholed by everyone.
Thanks, antitrust enforcement.
> DARPA invented a communications network that could survive a nuclear war. Instead, everyone uses Gmail.
So sad, but so true!
When I self-hosted email I used Spamhaus as a block list and SpamAssassin to filter the rest. Gmail users made up the biggest chunk of spam that got through but it was never from Google/Gmail domains, it was almost always from a Gmail user with a custom domain.
I've used Postgrey, for Postfix, and it's greatly reduced my spam. However, first emails from new folk are delayed a bit.
Grey listing seems to be the only reasonable way to keep the Email in the "free world" (namely where spammers are allowed to do their "thing").
But Gmail will do everything to take over the Email using the "spammers" as an excuse.
The current round is using DKIM verified messages from the gmail.com domain.
DKIM: 'PASS' with domain gmail.com
I wonder if SPF / DKIM / DMARC have improved this.
Google domains doesn't make it quite as easy as other hosting providers, and to be honest if they were super serious about email abuse they should encourage every domain to use it.
There is a marketing company that is constantly adding me to new spammy lists they are creating. They are using AWS SES / SendGrid / other reputable providers.
The emails all pass SPF/DKIM/DMARC and filing abuse reports seems to get me taken off the list I complained about but I quickly get added to a different one.
I am this close to auto-blocking anything from these large providers and switching to allow-listing the legitimate domains that can send me e-mail.
Unfortunately Google doesn't let you filter on arbitrary headers, otherwise at this point I'd delete everything with a List-Unsubscribe header.
Hmm, it looks like you can do this with Apple's Mail client.
really?
edited:
yeah, add two rules to macOS Mail app:
* delete From: “info@twitter.com” rule
* delete From: “twitter” rule
I feel this. Because of a Google Group I briefly followed, one of my email addresses got incorrectly associated with my Kickstarter account on some marketing list somewhere and gets added to so many "legitimate" marketing lists for fly-by-night Kickstarters. It's really frustrating and the accident of it being a "wrong" email at least makes it somewhat easier to manage (though I worry if I ignore that mailbox too much I may miss the rare once in a few years important email to it).
For a while MailChimp was the only one of the major/reputable providers I trusted the Unsubscribe button on because they had an "I did not sign up for this" button that supposedly dinged the mailing list owner's reputation with them, but more than that would supposedly make it a bit tougher for the next mailing list to just dump that email in without a verification step or a cool off period.
That button disappeared recently and I guess MailChimp no longer cares either. Shame.
> For a while MailChimp was the only one of the major/reputable providers I trusted the Unsubscribe button on
Mailchimp is up there with Marketo and Sendgrid for me. Getting unsubscribed from something I never opted into… well I still haven't figured out how to do that.
SPF does not protect you from a pwned SMTP server (neither do DKIM/DMARC); then SPF is "enough" for self-hosted SMTP servers, and does force you to use DNS (the SMTP protocol works without DNS).
Spammers use VPNs nowadays. This makes these Spamhaus-like services useless. They change IPs every week.
Most mail protection models against spam don't work.
I have an idea of a method that could help reduce spam and undesirable mails. It would be free for non-spammers and spammers would pay.
The problem is that I'm not sure if people would be ready to adopt it. There are also many different ways to execute, and I'm not sure which one to pick.
People don't set up email servers on VPN endpoints. That's not how email works.
You don't need a mail server to send mail. One can send mails through a VPN as client.
Then the spam is coming from the email servers which are used to relay that spam. Headers can be forged, so the source before the spam server can't be trusted as real.
Spamhaus is blocking self-hosted SMTP servers.
Have a look at grey listing.
With Sonic I have to use their servers for outbound stuff since they block outbound SMTP without a static IP (and they don't offer static IPs with fiber). It's a price I'm willing to pay since I typically don't see false positives (and yes, I check my logs periodically) with Spamhaus.
Unfortunately I've moved to Proton and the increase in spam is pretty damn frustrating.
Spamhaus is blocking by IP, which can be an SMTP server or a client. The SMTP protocol does not allow distinguishing a sending SMTP server from a client.
By using a VPN, you "randomize" the IP address and thus make Spamhaus and equivalent services useless. I created my own IP blacklist and tracked it.
The only method I found to filter my spammers is to reject mails from hosts without a name. This eliminated 80% of spam, but it won't last long.
The mail system is completely broken.
Use grey listing.
I have spammers retrying 20 times before giving up. This protection is well known and easily circumvented by spammers.
But it filters a lot already because many do retry 20 times in less than 20 minutes.
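The greylisting trade-off argued over in the comments above, as an added example that is not part of the thread: a minimal triplet greylist in Python, run against four retry patterns. The 300-second delay, the 35-day lifetime, the addresses and the IPs are assumed or constructed values.

```python
from dataclasses import dataclass, field

SENDER, RCPT = "bulk@sender.example", "me@recipient.example"  # constructed

@dataclass
class Greylist:
    min_delay: int = 300        # assumed: seconds a new triplet is deferred
    max_age: int = 35 * 86400   # assumed: how long a passed triplet stays known
    first_seen: dict = field(default_factory=dict)
    passed: dict = field(default_factory=dict)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """SMTP reply for one delivery attempt at time `now` (seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            if now - self.passed[key] <= self.max_age:
                self.passed[key] = now          # known triplet: no delay
                return "250 OK"
            del self.passed[key]                # expired: start over
            self.first_seen.pop(key, None)
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.min_delay:
            self.passed[key] = now
            return "250 OK"
        return "450 4.7.1 Greylisted, try again later"

def first_accept(attempts, **settings):
    """attempts: [(time, client_ip)]. 1-based index of the first accepted try, or None."""
    gl = Greylist(**settings)
    for n, (t, ip) in enumerate(attempts, 1):
        if gl.check(ip, SENDER, RCPT, t).startswith("250"):
            return n
    return None

# Constructed retry patterns, all for the same sender and recipient.
BURST = [(i, "192.0.2.10") for i in range(20)]                   # 20 tries in 20 s
QUEUE = [(0, "192.0.2.20"), (900, "192.0.2.20")]                 # ordinary MTA retry
PERSISTENT = [(i * 60, "192.0.2.30") for i in range(20)]         # 20 tries in 20 min
ROTATING = [(i * 60, f"198.51.100.{i + 1}") for i in range(20)]  # new IP each try

if __name__ == "__main__":
    for name in ("BURST", "QUEUE", "PERSISTENT", "ROTATING"):
        print(name, first_accept(globals()[name]))
    print("PERSISTENT, 30 min delay:", first_accept(PERSISTENT, min_delay=1800))
```

A sender that keeps retrying from one address gets through once the delay has elapsed, while one that changes IP on every attempt creates a new triplet each time and is deferred every time.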
Despite the title, the article you linked has nothing whatsoever to do with spam coming from Gmail.
I am seeing Google constantly fail to catch obvious spam emails. At this point I suspect there is some institutional error on their part, where bad actors inside the org are allowing certain domains to simply not be spam filtered.
I've done some experiments with Gmail/Outlook/other spam detection clients on different types of spam/phishing etc. There's always someone who claims simple naive bayes algo would do better than Google.
I'm not able to share the research data, but Gmail filter is a lot better than everything else you see on the market, especially when it's not a newsletter-like advertisement spam, but an actual phishing attack on Org.
Some people say Outlook has better filtering func, but usually tests are not representative and Outlook simply has stricter rule for unwarmed-ip. Which is not that great of a feature in real world scenario.
Anecdotally, I have to say I rarely have issues with FastMail's spam filtering, which uses SpamAssassin (not sure what their setup is exactly of course). I rarely get spam in my inbox (maybe an email or two a month), and it almost never marks things as false positives (last one was years ago).
SpamAssassin does OK only on a subset of spam emails. The problem is that underlying model is not capable to differentiate fake email from your boss (unless it's really simple) VS many other external emails you get.
I guess you would still want that 2nd level of protection for your ORG with sensitive data even if some "please buy X" - spam emails are still getting in.
Ofc Google is also not ideal :)
> The problem is that underlying model is not capable to differentiate fake email from your boss (unless it's really simple) VS many other external emails you get.
But that's not really "spam", right? That's targeted phishing, which is quite a different thing.
If "spam == mail that user did not expect/want to receive", then phishing emails are also unwanted :)
It's all up to definitions, but yeah the two categories are different in nature.
My experience mirrors yours. Fastmail’s filtering is at least as good as Google’s for my inboxes, but Google and the other big players don’t seem to have spam filtering better than Fastmail’s on balance. Casually controlling for things like inbox age, I still get a bit more spam in my Google inboxes than in my Fastmail inboxes.
Once you’ve warmed up/activated the personal mail filter in Fastmail, it seems to work better than anyone else’s.
How do mail delivery services work with this in protecting users from spam, because their aim is to reach the inbox for their customers, spammers included?
I've been seeing some cleverly encoded emails with multiple MIME parts that bypass the spam filter. Gmail decodes one representation but displays another. Luckily the content they show to the spam filter is mostly static so a regular filter can catch it.
I mark email from someone spam over and over, and it can still get past Gmail. It's infuriating.
Create a custom filter in Gmail to delete it; let it bypass the inbox and go straight to trash.
(There's a "Filter messages like these" option somewhere)
Your fix is essentially "roll your own spam filter"
What's the other fix? Complain on Hacker News?
Yes, if something is bothering you enough - fix it on your own.
No. I'm just saying if there's an address you simply don't want to read mails from (for any reason), there's a way (among many ways) to do that.
I'm aware, but I would've thought that marking something as spam would stop more almost-identical messages from the exact same email address. Having to create a custom filter for all the individual spammers that make it through is frustrating.
“Never attribute to malice that which is adequately explained by stupidity.”
Sorry, a "your account has been locked, please reset your password" email to an .edu address from a gmail.com address is 100% always fraudulent, a 5th grader could tell you that, yet Google lets it go through.
Could be a study to see how much response such an obviously fraudulent e-mail gets, sent from that same university conducting the study.
I admit that it's a fringe case, but it could be a thing.
Looks like a very personal list. I would not advise anyone using this as part of anything. Rohith[1] is in India and most of the spam domains (did a quick split) in the list are similar sounding names of a lot of Indian companies/Startups. Not that the companies do not spam (they do) but emails/domain registration has become so easy that there are tiny setups/operations in every nook and corner of the streets/chawls/shanties of India trying to spam people.
1. https://drive.google.com/file/d/1Z7bBo_rMQB0nJYUs8wl4pZeZVUv...
You appear to be trying to argue against something, but it reads as "this is a lot of Indian stuff, which is chock-full of spammers". Read like that, it seems like the list is a good one.
Ah! I'm sorry if it came out wrong. However, I was trying to make an observation when I saw the list. You want to start optimizing your spam-block list or something like that and realized you are not typically the target. You might end up looking and scouting to hit something that never came your way.
My email(s) on my own domains have been on the Internet for more than two decades and I'm always happy to look at ways to prevent spam on them.
In theory one can set any domain to "from" field, what about actual servers that sent the spam? How many of those spam emails have unsubscribe and/or complaint headers?
In theory the domain you set the "From:" field to will have DMARC, DKIM and SPF set up and in theory the recipient that implements those protocols will discard your mail as sent from an unauthorized server.
And if you don't have at least DKIM + SPF, then you will not even reach any public provider's inbox.
The spam emails pretty much ALL have unsubscribe headers now. I mean, they are all WORSE than useless since they are sending signal back to spammers, but Gmail is asking me to [Unsubscribe and Report Spam] anyway.
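The From-domain check discussed in the comments above, as an added example that is not part of the thread: a Python sketch that reads the Authentication-Results header written by the receiving server and tests whether a passing DKIM or SPF result is for the same domain as the From: header. It uses exact-match (strict) alignment only, since relaxed alignment needs the Public Suffix List; all hostnames, domains and messages are constructed, with webmail.example standing in for a large free mail provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def parse_authres(value):
    """One Authentication-Results value -> (authserv-id, {method: (result, props)})."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop parenthesised comments
    authserv, *clauses = [p.strip() for p in value.split(";")]
    results = {}
    for clause in clauses:
        pairs = re.findall(r"([\w.-]+)=(\S+)", clause)
        if pairs:                                    # first pair is method=result
            method, result = pairs[0]
            results[method.lower()] = (result.lower(), dict(pairs[1:]))
    return (authserv.split() or [""])[0].lower(), results

def from_alignment(raw, trusted_authserv):
    """Strict alignment of From: with DKIM d= / SPF MAIL FROM, per the trusted header only."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    for value in msg.get_all("Authentication-Results", []):
        authserv, res = parse_authres(value)
        if authserv != trusted_authserv:
            continue                                 # written by another host: ignore
        dkim_res, dkim = res.get("dkim", ("none", {}))
        spf_res, spf = res.get("spf", ("none", {}))
        mailfrom = spf.get("smtp.mailfrom", "").rpartition("@")[2].lower()
        dkim_ok = dkim_res == "pass" and dkim.get("header.d", "").lower() == from_domain
        spf_ok = spf_res == "pass" and mailfrom == from_domain
        return {"from": from_domain, "aligned": dkim_ok or spf_ok}
    return {"from": from_domain, "aligned": False}

# Constructed sample messages.
MX = "mx.recipient.example"
HDR = "Authentication-Results: " + MX + "; "
BULK = ("From: Shop <news@shop.example>\n" + HDR +
        "dkim=pass header.d=esp-bulk.example; "
        "spf=pass smtp.mailfrom=bounce@esp-bulk.example\n\nhi\n")
WEBMAIL = ("From: IT Support <reset.notice@webmail.example>\n" + HDR +
           "dkim=pass header.d=webmail.example; "
           "spf=pass smtp.mailfrom=reset.notice@webmail.example\n\nhi\n")
FORGED = ("From: Bank <alerts@bank.example>\n"
          "Authentication-Results: mx.other.example; dkim=pass header.d=bank.example\n\nhi\n")

if __name__ == "__main__":
    for name, raw in (("BULK", BULK), ("WEBMAIL", WEBMAIL), ("FORGED", FORGED)):
        print(name, from_alignment(raw, MX))
```

The WEBMAIL sample is fully aligned, which only shows that the provider really sent it; whether a password-reset notice from a free mail account is wanted is a separate, content-level decision.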
I have a similar list: https://gitlab.com/cmiksche/blacklists/-/blob/master/hosts
Did you think about adding your list to well known blocklists? You can add it to e.g. OISD
These are usually domains that belong to a disposable email service, be it public or private.
I maintain a 100% free API [1] to check if an email belongs to a disposable email service. We dogfood the same API endpoint to prevent users who abuse disposable emails to create fake accounts for free trial credits.
We use the domains found at https://www.stopforumspam.com/downloads amongst other sources of data. Works pretty well. We have close to eliminated fake account registration with the use of reCAPTCHA.
[1]: https://nubela.co/proxycurl/disposable-email-checker-api
> We dogfood the same API endpoint to prevent users who abuse disposable emails to create fake accounts for free trial credits.
I usually use disposable emails to test services but don't want to be spammed. Often, I later upgrade to a paid plan if I like the service. If they block disposable email addresses, I will not even try them at all.
Why does your API want the full email address? That becomes a privacy liability as surely the domain alone is enough.
Could be for aliases. foo+bar@gmail.com routes to foo@gmail.com, but you may prefer to only allow a single account for foo@.
Congratulations, you make the internet worse for actual humans and better for corporations. Making the world a net worse place, for everyone that matters.
I use a disposable email address because I don’t want the organization to have my email. Thank you for making that harder.
What exactly is "fake" about an account one creates with a disposable email address?
I suspect "fake" is the wrong word, maybe "very low reputation" is better. The parent post discusses avoiding giving unlimited free trials to people who just keep creating new accounts. You'll want to restrict that, especially if each trial costs a non-trivial amount of money. Efficiently detecting such abuse allows the company to offer generous free trials.
A side effect is that a small number of people who use disposable email addresses to manage the spam they receive will also be blocked (see other comments). A business looking at this issue may find it hard to prioritize, the group is small, and they can choose to use a non-disposable address if they want to continue.
The group of people that go through the hassle of signing up and setting up everything again to avoid paying is probably equally small. If the account setup is so frictionless that a lot of people do it again and again, you should work on adding benefits to loyal accounts instead of banning new users.
You can actually check how many users it impacts by watching how the bounce rate changes after a user with a disposable email address is told their address isn't accepted. Adjust course based on your metrics.
> We dogfood the same API endpoint to prevent users who abuse disposable emails to create fake accounts for free trial credits.
Some people just want to watch the world burn.
Curious about how you built this. Do you maintain an internal list of domains?
I am surprised to see Washington state university emails used for spam to that extent.
The Democratic Party and NGP VAN?