
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?

Wanting me to create a google account for the addresses that are receiving the abuse does not scale and as the reputation continues to get worse, I don't want to block all google services - but getting someone to work with on the issues would be appreciated.

X-Notifications: COURSE_INVITATION:792026619952-1755166651116
X-Google-Group-Id: 1087901814827
X-Google-Group-Id: 328755863
X-Google-Group-Id: 864553705765
X-Google-Group-Id: 295922276390
X-Google-Group-Id: 534760014314

Decade+ old mailman has the end-user accept invitations to lists, but google seems to not even use its own tools so isn't really meeting what would be a general standard.

I saw others complain about this as well, and i've had to configure various blocking of different google services which is a moving target of abuse.

It's fair to say that a human should be able to send e-mail to an owner alias for a mailing list, but not subscribe that to a group or classroom.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
It is a well-known issue of a company named Google that supports spammers. It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action. Google wants it that way.

--
kind regards
Marco

Send spam to abfall1755160902@stinkedores.dorfdsl.de

On Thu, Aug 14, 2025 at 11:16 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
(with the caveat that i don't know anything about classroom, or groups really, but had walked down this path with reader back-when) The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
It is a well-known issue of a company named Google that supports spammers.
It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I don't think this is accurate.

On Thu, 14 Aug 2025, Christopher Morrow via NANOG wrote:
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
I think part of what Jared is complaining about is something I've complained about for years.

For many years, spammers have abused Google groups. i.e. They're apparently able to create a group, import address lists to it, and then spam by emailing the group. Abuse complaints are ignored. I eventually set up a procmail rule to automatically turn messages from one such Google group into ARF formatted complaints to abuse@google.com rather than deliver them to me.

It sounds like you may have created additional vectors I'm not familiar with for spammers to abuse.

----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Blue Stream Fiber, Sr. Neteng | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
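
[Added example, not part of the original post and not the poster's procmail rule.] A sketch of the filter step described above: a message whose X-Google-Group-Id matches an already-reported group is wrapped in an RFC 5965 (ARF) report instead of being delivered. The sample message, the group id, the reporter address and the User-Agent string are constructed assumptions; the function returns the report and leaves sending it to the caller.

```python
from email import message_from_bytes
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate, parseaddr

# Constructed sample message; every address and the group id are made up.
SAMPLE = (
    b"Return-Path: <bounce@example.org>\r\n"
    b"From: Sender <sender@example.org>\r\n"
    b"To: victim@example.net\r\n"
    b"Subject: constructed sample\r\n"
    b"Date: Thu, 14 Aug 2025 10:00:00 +0000\r\n"
    b"Message-ID: <sample-1@example.org>\r\n"
    b"X-Google-Group-Id: 000000000001\r\n"
    b"\r\n"
    b"Body of the unwanted list message.\r\n"
)

# Constructed id standing in for a group the postmaster has judged abusive.
REPORTED_GROUPS = {"000000000001"}


def group_ids(msg):
    """Every X-Google-Group-Id value on the message (the header may repeat)."""
    return [v.strip() for v in msg.get_all("X-Google-Group-Id", [])]


def build_arf(raw, reporter, abuse_to, reported_groups):
    """Return an RFC 5965 report for `raw`, or None to deliver it normally."""
    original = message_from_bytes(raw)
    hits = [g for g in group_ids(original) if g in reported_groups]
    if not hits:
        return None

    # multipart/report; report-type=feedback-report, with exactly three parts.
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = abuse_to
    report["Date"] = formatdate()
    report["Subject"] = "Abuse report: " + original.get("Subject", "(no subject)")

    # Part 1: human-readable explanation for whoever reads the abuse queue.
    report.attach(MIMEText(
        "This is an abuse report for a message delivered through a group\n"
        "the recipient never joined. Group id(s): " + ", ".join(hits) + "\n",
        "plain", "us-ascii"))

    # Part 2: machine-readable fields. Feedback-Type, User-Agent and Version
    # are the required ones; Original-Mail-From is optional.
    fields = [("Feedback-Type", "abuse"),
              ("User-Agent", "example-arf-filter/0.1"),  # hypothetical name
              ("Version", "1")]
    mail_from = parseaddr(original.get("Return-Path", ""))[1]
    if mail_from:
        fields.append(("Original-Mail-From", "<" + mail_from + ">"))
    feedback = MIMEBase("message", "feedback-report")
    feedback.set_payload("".join(f"{k}: {v}\n" for k, v in fields))
    report.attach(feedback)

    # Part 3: the complete original message with its headers intact, so the
    # receiving abuse desk can identify the group and the sender.
    report.attach(MIMEMessage(original))
    return report


if __name__ == "__main__":
    rep = build_arf(SAMPLE, "postmaster@example.net", "abuse@google.com",
                    REPORTED_GROUPS)
    print(rep.as_string())
```

Messages from any other group return None and are delivered as usual, which matches the "one such Google group" scope of the rule described in the post.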

On 14.08.2025 12:23 Christopher Morrow <morrowc.lists@gmail.com> wrote:
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
It is broken by design - for years. Operating a public mailing list service that lets anybody create a list and subscribe bulks of addresses without confirmation is an invitation for spammers. Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers.

--
kind regards
Marco

Send spam to abfall1755167006@stinkedores.dorfdsl.de

On Aug 14, 2025, at 13:49, Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers.
Unfortunately no matter what Google does spammers will always be able to abuse Google Groups. Even if Google restricted free-tier Groups to 5 users you’d only be hurting legitimate users who don’t abuse it. Spammers will just pay Google to continue spamming thousands of people as a cost of doing business meanwhile Google will happily pocket the cash and suspend the offending account for abuse after the fact. That’s just good business.

On 14.08.2025 14:12 Francis Booth via NANOG <nanog@lists.nanog.org> wrote:
On Aug 14, 2025, at 13:49, Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers.
Unfortunately no matter what Google does spammers will always be able to abuse Google Groups. Even if Google restricted free-tier Groups to 5 users you’d only be hurting legitimate users who don’t abuse it. Spammers will just pay Google to continue spamming thousands of people as a cost of doing business meanwhile Google will happily pocket the cash and suspend the offending account for abuse after the fact. That’s just good business.
Requiring confirmation from subscribers massively reduces the usefulness of this service for spammers. Limiting the amount of addresses that can be subscribed for new users too. If they can't send it to thousands, the spammer's customers cannot reach the audience they want.

--
kind regards
Marco

Send spam to abfall1755173533@stinkedores.dorfdsl.de

You mean to tell me Google's AI can't tell... Nevermind I've used Gemini before

-----Original Message-----
From: Marco Moock via NANOG <nanog@lists.nanog.org>
Sent: Thursday, August 14, 2025 2:36 PM
To: nanog@lists.nanog.org
Cc: Marco Moock <mm@dorfdsl.de>
Subject: Re: Worsening google service reputation and abuse

On 8/14/25 11:35 AM, Marco Moock via NANOG wrote:
On 14.08.2025 14:12 Francis Booth via NANOG <nanog@lists.nanog.org> wrote:
On Aug 14, 2025, at 13:49, Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
Letting users post thousands of posts into a newsgroup in a small amount of time is also an invitation for spammers.
Unfortunately no matter what Google does spammers will always be able to abuse Google Groups. Even if Google restricted free-tier Groups to 5 users you’d only be hurting legitimate users who don’t abuse it. Spammers will just pay Google to continue spamming thousands of people as a cost of doing business meanwhile Google will happily pocket the cash and suspend the offending account for abuse after the fact. That’s just good business.
Requiring confirmation from subscribers massively reduces the usefulness of this service for spammers. Limiting the amount of addresses that can be subscribed for new users too.
If they can't send it to thousands, the spammer's customers cannot reach the audience they want.
Here's what I don't understand: Gmail's spam filtering from everything I can tell is really good. Is the implication that they don't run their spam filters on posts to Google Groups? Wouldn't that hurt Google Groups' reputation for other spam filters? It seems like such an easy problem for them to solve.

Mike

Michael Thomas <mike@mtcc.com> via NANOG <nanog@lists.nanog.org> wrote:
Here's what I don't understand: Gmail's spam filtering from everything I can tell is really good. Is the implication that they don't run their spam filters on posts to Google Groups? Wouldn't that hurt Google Groups' reputation for other spam filters? It seems like such an easy problem for them to solve.
Google bought Postini and from all accounts simply dismantled it (WHYYYYYYYYYYY) maybe apply some of the technologies you purchase to some of your other technologies? Just a suggestion.

Thanks,
-Drew

On Thu, Aug 14, 2025 at 11:54 AM Michael Thomas via NANOG <nanog@lists.nanog.org> wrote:
Here's what I don't understand: Gmail's spam filtering from everything I can tell is really good. Is the implication that they don't run their spam filters on posts to Google Groups? Wouldn't that hurt Google Groups' reputation for other spam filters? It seems like such an easy problem for them to solve.
I disagree. Gmail spam filtering has been pretty bad for me. A lot of mailing list traffic (various IETF lists and even NANOG) and responses from businesses that I communicate with end up in my spam folder. And a lot of real spam and phishing messages end up in my inbox. If I could, I would disable it and do my spam filtering manually. It would be less work than undoing the mess that the current filter creates.

I'm so confused about how/why this thread focuses specifically on Google Groups spams.

Some weeks ago, I calculated the percentage of spams vs legit-emails sent to my real-human-being users (a few thousand of them) for whom I host email (so, no spamtraps!), over a few-days period of time, and the amount of spam sent from Google servers was a full 1/3rd of everything sent to these users from Google servers. That's horrific. (this includes emails sent from both their gmail system and their google workspaces business email system)

Also, the following is anecdotal, but as I was auditing a random sampling of those Google-server-sent spams at that time, I don't recall seeing even a single Google Groups spam, so at the least, that was a low percentage of all such spams.

Rob McEwen, invaluement

Meanwhile, the tools Google has for you to manage your mail reputation with Google are dreadful.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Rob McEwen via NANOG" <nanog@lists.nanog.org>
To: nanog@lists.nanog.org
Cc: "Rob McEwen" <rob@invaluement.com>
Sent: Thursday, August 14, 2025 1:59:58 PM
Subject: Re: Worsening google service reputation and abuse

On Thu, Aug 14, 2025 at 12:23:26PM -0400, Christopher Morrow via NANOG wrote:
On Thu, Aug 14, 2025 at 11:16 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
(with the caveat that i don't know anything about classroom, or groups really, but had walked down this path with reader back-when)
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
yeah, i think there's a subtle thing here where the expectation is that someone will be willing to opt-in or add *all* the addresses that may end up in their mailbox, while i as postmaster need some way to say "hey these well-formatted list-like things maybe shouldn't be put on lists/groups/whatnot on your side"
It is a well-known issue of a company named Google that supports spammers.
It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I don't think this is accurate.
I agree, hence the note, but I think there's an element of this is a weird corner case that needs some [minor] attention to improve things.

I may one day need access to google classroom, but not in the role/nature that I'm getting the mails today, and I don't want to toss all of google to /dev/null.

This also isn't quite a google only problem, I see the same thing from outlook/o365/hotmail but to a lesser extent. YMMV.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

Yeah, it's a bit much to assert that G "wants" things this way. It's kind of a big FU to the people who do work on this stuff full time.

Heard the same thing about Y for years, how we 'support spammers', how we 'don't care', and 'never did anything'. All the while our anti-spam teams came up with absurdly genius ways to handle these problems that only people in that space ever knew about. The amount of shit spam that people don't see is many, many orders of magnitude more than what gets through.

Email spam has been a problem for more than 30 years at this point. The fact that a ton of really smart people have worked on this for that long, and it's still an issue, should be a huge indicator that it's a complex issue with no easy solutions.

Could Y have done many things better? Sure. Could Google be doing many things better? Sure. Nobody is perfect. Can we ask them to be better? Yes, we should.

But assertions that companies *WANT* these problems to exist is, honestly, pretty damn ignorant.

i suspect that, when a net service gets large and useful, we start to view it as authoritative and have expectations and demands of correctness and rigor that are very hard to achieve at scale.

and large organizations tend to fray at the edges. folk have less drive and motivation than they did when it was smaller.

centralization and late stage capitalism at work.

randy

On 14/08/2025 18:13, Marco Moock via NANOG wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
It is a well-known issue of a company named Google that supports spammers.
It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I tend to agree in regards to abuse and lack of caring from Google.

Since 2021 numerous street names have been changed in mass in my area and numerous towns nearby. I found this out when a delivery guy called me and said he couldn't find my street in Google maps. So I opened a ticket in Google Maps and had to supply proof of street name (pix of street signs showing the correct and valid street name). Took about 2 weeks and got my street name fixed, but dozens of streets around me still have invalid names. I do not have the time or patience to open a Google Maps ticket for each misnamed street name.

These numerous street name renames could only have been done by someone internal to Google. No amount of contacting people inside Google helped. I have since given up and realize that not all aspects of Google are secure.

Regards,
Hank

On Sat, Aug 16, 2025 at 6:16 PM Damian Menscher <damian@google.com> wrote:
On Sat, Aug 16, 2025 at 6:08 PM Matthew Petach via NANOG <nanog@lists.nanog.org> wrote:
On Sat, Aug 16, 2025 at 5:47 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
Dwork and Naor invented that in 1992. Clever idea, doesn't work in practice.
OK, I read the paper through, and they put considerably more thought into the calculation side; however, this paper explicitly calls for a centralized Pricing Authority, which is exactly what I'm advocating *against*.
And this would, in my opinion, be why it's a non-starter. You'll never get a system that requires everyone to adhere to dictates from a central authority.
Instead, I'm advocating for a decentralized, one-at-a-time type approach, where the penalty box is in the time domain, so it's easily implemented unilaterally by the receiving side. It's the very opposite of what the paper you're citing proposed.
Pretty sure what you're proposing is the equivalent of Hashcash? https://en.wikipedia.org/wiki/Hashcash
Ah, very cool! I wasn't aware of that, thank you for the pointer to it!

I'm not sure that needing to maintain a database of used hash values would scale very well, though, but I like that it made it into SpamAssassin for a while. The need to manually configure address resources/domain patterns in order for it to be enabled sounds like it may have limited the scope to which it got applied, but that sounds like it was very similar to what I was thinking.

Good to know smarter minds than mine already came up with it and tried it out. ^_^;

Thanks!

Matt
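
[Added example, not part of any post in this thread.] A receiver-side check of a version 1 Hashcash stamp (ver:bits:date:resource:ext:rand:counter, SHA-1 of the whole stamp must start with `bits` zero bits), including the spent-stamp table mentioned above. The table only has to remember a stamp until its date field expires. The addresses, the fixed clock, the 12-bit cost used to keep the demo fast, and the 28-day and 2-day windows are assumptions of this example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed clock so the example is reproducible.
NOW = datetime(2025, 8, 16, tzinfo=timezone.utc)
DAY = timedelta(days=1)


def leading_zero_bits(digest):
    """Number of zero bits at the front of a hash digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(resource, bits, now, rand="constructedrand"):
    """Sender side: try counters until the stamp hashes to `bits` zero bits."""
    date = now.strftime("%y%m%d")
    counter = 0
    while True:
        # Real minters use a random string and a base64 counter; hex digits
        # are a subset of that alphabet and the verifier never decodes them.
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


class StampVerifier:
    """Receiver side: one cheap hash per stamp plus a bounded replay table."""

    def __init__(self, my_addresses, min_bits=20, valid_days=28, skew_days=2):
        self.my_addresses = set(my_addresses)
        self.min_bits = min_bits
        self.valid = timedelta(days=valid_days)
        self.skew = timedelta(days=skew_days)
        self.seen = {}  # stamp -> time after which it can be forgotten

    def check(self, stamp, now):
        # Drop spent stamps that the date check below would reject anyway,
        # so the table never grows beyond one validity window of mail.
        self.seen = {s: t for s, t in self.seen.items() if t >= now}
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1":
            return "malformed"
        _, bits, date, resource, _ext, _rand, _counter = fields
        try:
            claimed = int(bits)
            minted = datetime.strptime(date[:6], "%y%m%d").replace(
                tzinfo=timezone.utc)
        except ValueError:
            return "malformed"
        # The stamp must be bound to one of our own recipient addresses.
        if resource not in self.my_addresses:
            return "wrong-resource"
        if minted > now + self.skew or minted + self.valid < now:
            return "expired"
        actual = leading_zero_bits(hashlib.sha1(stamp.encode()).digest())
        if claimed < self.min_bits or actual < claimed:
            return "insufficient-work"
        if stamp in self.seen:
            return "replayed"
        self.seen[stamp] = minted + self.valid
        return "ok"


if __name__ == "__main__":
    verifier = StampVerifier({"rcpt@example.net"}, min_bits=12)
    s = mint("rcpt@example.net", 12, NOW)
    print(s, verifier.check(s, NOW), verifier.check(s, NOW))
```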

It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
OK, I read the paper through, and they put considerably more thought into the calculation side; however, this paper explicitly calls for a centralized Pricing Authority, which is exactly what I'm advocating *against*.
There's been lots of other work like their Penny Black, and Hashcash, that let recipients decide how much work they want to see. Dwork worked for Microsoft and for a while MS tried a version of it in their mail systems.

They all failed for a variety of reasons, one of the most intractable being that criminals with botnets have a lot more CPU power available than legitimate senders. The usual botnet blacklist techniques don't work since the botted machines talk to the senders, not the recipients.

Wikipedia has a summary of these WKBIs: https://en.wikipedia.org/wiki/Cost-based_anti-spam_systems

R's,
John

On August 16, 2025 at 19:09 nanog@lists.nanog.org (John R. Levine via NANOG) wrote:
On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
I don't understand, I say "electronic postage stamps" are probably not the right approach tho whatever happens someone might call it that and you want to argue that...electronic postage stamps are probably not the right approach? I just said that.

All I've said thus far is that spammers' business models seem fragile and brittle and to rely on sending around a billion messages per day per each and perhaps it would be better to disrupt that business model than to engineer yet another filtering / validation technology.

I haven't proposed a specific solution even if you keep wanting to read that into my words. At this point all I'm proposing is a paradigm shift, that we need to think differently about the problem.
It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps.
My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity. I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas.
R's, John
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*

One of my staff once suggested we have a "Spam Appreciation Day", shut off all the filters for 24 hours to give customers an idea of what's really going on. Amusing, it had practical problems like no doubt many customers' mailboxes would just fall over dead (e.g., out of quota, become totally unmanageable by them.)

I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.

But as the old expression goes: When all you have is a hammer the whole world looks like a nail.

-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*

It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.
Most spam is already illegal. But it is hard to coordinate a response when the harm per individual spam is low and it's the cumulative effect that is a problem.

R's,
John

I think all of these big companies lack a meaningful feedback loop from reasonably vetted people, lending credibility to their feedback. Most of them don't provide the tools to diagnose, nor have the ability to receive support requests. Not just SPAM, but all kinds of sanitation type services. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "Tom Beecher via NANOG" <nanog@lists.nanog.org> To: "North American Network Operators Group" <nanog@lists.nanog.org> Cc: "Marco Moock" <mm@dorfdsl.de>, "Tom Beecher" <beecher@beecher.cc> Sent: Friday, August 15, 2025 9:54:26 AM Subject: Re: Worsening google service reputation and abuse Yeah, it's a bit much to assert that G "wants" things this way. It's kind of a big FU to the people who do work on this stuff full time. Heard the same thing about Y for years, how we 'support spammers' , how we 'don't care', and 'never did anything'. All the while our anti-spam teams came up with absurdly genius ways to handle these problems that only people in that space ever knew about. The amount of shit spam that people don't see is many, many orders of magnitude more than what gets through. Email spam has been a problem for more than 30 years at this point. The fact that a ton of really smart people have worked on this for that long, and it's still an issue, should be a huge indicator that it's a complex issue with no easy solutions. Could Y have done many things better? Sure. Could Google be doing many things better? Sure. Nobody is perfect. Can we ask them to be better? Yes, we should. But assertions that companies *WANT* these problems to exist is , honestly, pretty damn ignorant. On Fri, Aug 15, 2025 at 10:27 AM Jared Mauch via NANOG < nanog@lists.nanog.org> wrote:
On Thu, Aug 14, 2025 at 12:23:26PM -0400, Christopher Morrow via NANOG wrote:
On Thu, Aug 14, 2025 at 11:16 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On 14.08.2025 10:41 Jared Mauch via NANOG <nanog@lists.nanog.org>
wrote:
Is there anyone at Google that is able to address the ongoing abuse problems that are coming out of your services like classroom, groups and otherwise?
(with the caveat that i don't know anything about classroom, or groups really, but had walked down this path with reader back-when)
The problem(s) from jared's original mail SOUND like a broken thing in some services that PROBABLY tried to provide protections, those either missed the mark or work broken along some timeline... and maybe need some attention to fix/course-correct.
yeah, i think there's a subtle thing here where the expectation is that someone will be willing to opt-in or add *all* the addresses that may end up in their mailbox, while i as postmaster need some way to say "hey these well-formatted list-like things maybe shouldn't be put on lists/groups/whatnot on your side"
It is a well known issue of a company named Google that supports spammers.
It took months until they switched off Google Groups Newsgroups. It was being flooded with millions of spam posts and nobody took action.
Google wants it that way.
I don't think this is accurate.
I agree, hence the note, but I think there's an element of this is a weird corner case that needs some [minor] attention to improve things.
I may one day need access to google classroom, but not in the role/nature that I'm getting the mails today, and I don't want to toss all of google to /dev/null.
This also isn't quite a google only problem, I see the same thing from outlook/o365/hotmail but to a lesser extent. YMMV.
- Jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.

Most spam is already illegal. But it is hard to coordinate a response when the harm per individual spam is low and it's the cumulative effect that is a problem.
I assume Barry was thinking about the "electronic post stamp", not to send the lawyers ;-)
On 16 Aug 2025 13:56:54 -0400, John Levine via NANOG wrote:
It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.

On 14/08/25 20:52, Michael Thomas via NANOG wrote:
Here's what I don't understand: Gmail's spam filtering from everything I can tell is really good. Is the implication that they don't run their spam filters on posts to Google Groups? Wouldn't that hurt Google Groups' reputation for other spam filters? It seems like such an easy problem for them to solve.
They probably don't. Google has a pattern of teams building new products to get themselves promoted, and then abandoning them. Eventually when the abandoned product becomes too much of a liability, it's turned off. It's not surprising each product is a silo. Google services with ongoing maintenance are the minority.
Mike

John is going to pop up instantly whenever I, or perhaps others, I can only follow me, suggest that we need a fresh approach to spam and related. He has done this for literally 20+ years going back to the days of the IRTF/ASRG ca 2003.
The paper, or a similar paper, he flogs he also has offered as "mathematical proof" that bitcoin cannot possibly work 15 or so years ago. Perhaps we have different notions of "work".
But I want to ask: John: Do you have any conflict of interest which might motivate you to shoot down even the most generally worded proposal regarding spam et al as quickly as you can type?
At best my take is he wants to shut down any discussion, fast.
So maybe we need to hear from new or at least encouraging voices because the current technological approaches aren't working no matter how much we tweak them over and over as evidenced by even the past few days' commiseration right here on nanog.
In a sentence: Let's figure out how to put these spammers et al out of business.
I've watched them for nearly 30 years and believe their business model is fragile and brittle but isn't going to be subdued by layering on yet another blind, general-purpose, verification layer.
It's possible this might be a threat to some so-called "legitimate" bulk emailers who are currently getting an enormous free ride on the current architecture at the cost of end-users' attention time and those who have to provide the ever-growing infrastructure to carry their boondoggle*.
* By the old business rule: If it's not worth anything to you it's CERTAINLY not worth anything to me!
On August 16, 2025 at 13:56 nanog@lists.nanog.org (John Levine via NANOG) wrote:
It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.
Most spam is already illegal. But it is hard to coordinate a response when the harm per individual spam is low and it's the cumulative effect that is a problem.
R's, John
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*

On Sat, 16 Aug 2025, bzs@theworld.com wrote:
John is going to pop up instantly whenever I, or perhaps others, I can only follow me, suggest that we need a fresh approach to spam and related. He has done this for literally 20+ years going back to the days of the IRTF/ASRG ca 2003.
Well, sure, you keep saying the same things, I keep reminding people that they're known not to work.
The paper, or a similar paper, he flogs he also has offered as "mathematical proof" that bitcoin cannot possibly work 15 or so years ago.
Um, you have me confused with someone else. I'm the guy who blogged about buying coffee with bitcoin a decade ago. It was more hassle than it was worth, but it did work. At current BTC prices that coffee probably cost $50,000 (Canadian, I did it in Vancouver.)
R's, John
PS:
I've watched them for nearly 30 years and believe their business model is fragile and brittle but isn't going to be subdued by layering on yet another blind, general-purpose, verification layer.
Hey, we agree there. "Authenticate everyone" is one of those ideas that's well known not to work.

On August 16, 2025 at 21:32 nanog@lists.nanog.org (Marc Binderberger via NANOG) wrote:
Most spam is already illegal. But it is hard to coordinate a response when the harm per individual spam is low and it's the cumulative effect that is a problem.
I assume Barry was thinking about the "electronic post stamp", not to send the lawyers ;-)
Spammers' business models depend on sending O(1B) messages per day per each basically for free, or at a negligible cost. So anything which increases that cost or limits that behavior is likely to be a threat to their business model.
Not too many honest sources need to send O(1B) msgs/day, and fewer still need to do that for free, probably zero almost by definition. That is, if they need to send that amount for free their business model is of questionable honesty, so ipso facto.
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted. But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
On 16 Aug 2025 13:56:54 -0400, John Levine via NANOG wrote:
It appears that Barry Shein via NANOG <nanog@lists.nanog.org> said:
I still maintain a solution to most spam lies in the economic and business realm, not the technical realm of layering on yet another filter tho even an economic approach would require some sort of technical enforcement tho very different in nature.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*

On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps.
My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity.
I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas.
R's, John

On Sat, Aug 16, 2025 at 4:10 PM John R. Levine via NANOG <nanog@lists.nanog.org> wrote:
On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps.
My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity. I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas.
"Electronic Postage Stamps" conjures up visions of a centralized Post Office type entity that issues postage.
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
I avoid the term "proof of work", because I'd like it to be broader than simply "please jump through these mathematical calculations for me" -- imagine a combination of either proof you've accepted a certain number of email messages from me (a tit-for-tat type of proof of skin in the game, where the sender can pass along a cryptographic hash of message-IDs that it accepted for its users from the domain to which it is now trying to send a message), or a recaptcha type "do some work for the good of the internet first, and then I'll accept your message" computational challenge.
The idea would be to have a distributed challenge, one in which each connection between servers brings with it a "prove to me you bring value to the email ecosystem" from the receiver to the sender.
For "white hat" types of sites, it should be easy to show that they accept mail for their users from the domain to which they are now sending a message. For sites which have not yet received any mail, the challenge might be to classify the contents of three images sent back from the receiving server to the sender. Or even just hold the connection open for three minutes, and make the sender wait on the connection for three minutes before the message will be accepted.
Once a site has started to receive inbound mail, it can use the faster "here's a hash of message-IDs I've accepted from you in the past X time interval, please accept this new message from me", so the 3 minute cooldown would only be used for suspicious sites that haven't received email previously.
This is completely off-the-cuff, and clearly needs much smarter people than me to turn it into something more workable; but the idea is to have a distributed "proof of stake" model, where senders have either shown that they are also participants in the global back-and-forth flow of email messages, and have a reason to work towards the improvement of the overall system, or that they are willing to hold a connection open for a long period of time to get their message accepted, because it really is that meaningful for their user.
That way, the determination doesn't require any centralized "Post Office" type entity that everyone trusts, and it could be rolled out on an incremental basis. A receiving site can request proof-of-stake validation from the sender; if it has no idea what that is, the receiver can treat it as an unknown site, and put it in the three minute penalty box.
Senders would have an incentive then to update their software to be able to answer the request for proof-of-stake with a valid answer, to reduce the wait times on their outbound message queues.
For spammers, who don't accept mail, and have no good way to answer a proof-of-stake request, it puts a throttle on how many messages they can send out at a time, drastically reducing (but not eliminating) the spam volume they can send out.
In short; I think John's right, but I also don't think Barry's entirely wrong either. ^_^;
Thanks!
Matt
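A receiver-side sketch of the reciprocity check and time-domain penalty box proposed in the message above, added here as an example; it is not code from the post or from any mail server. The per-connection nonce, the `MIN_MATCHES` threshold, the 30-day window and every function name are assumptions made for illustration.

```python
import hashlib
import hmac

PENALTY_SECONDS = 180            # the "three minute" penalty box from the post
WINDOW_SECONDS = 30 * 24 * 3600  # assumed value for the post's "past X time interval"
MIN_MATCHES = 2                  # assumed: how many known Message-IDs a proof must cover


class OutboundLog:
    """Message-IDs this site delivered, grouped by the domain that accepted them."""

    def __init__(self):
        self._sent = {}  # domain -> {message_id: unix time of successful delivery}

    def record(self, domain, message_id, delivered_at):
        self._sent.setdefault(domain.lower(), {})[message_id] = delivered_at

    def recent(self, domain, now):
        sent = self._sent.get(domain.lower(), {})
        return [mid for mid, ts in sent.items() if 0 <= now - ts <= WINDOW_SECONDS]


def stake_token(message_id, nonce):
    """Keyed hash of one Message-ID. The receiver's per-connection nonce is the key,
    so a proof captured on one connection cannot be replayed on another."""
    return hmac.new(nonce, message_id.encode("utf-8"), hashlib.sha256).hexdigest()


def build_proof(accepted_message_ids, nonce):
    """Sender side: answer the challenge from Message-IDs it accepted from the receiver."""
    return [stake_token(mid, nonce) for mid in accepted_message_ids]


def required_delay(log, sender_domain, nonce, proof, now):
    """Receiver side: seconds to hold the connection before accepting the message."""
    if not proof:  # sender does not answer the challenge: treat as unknown site
        return PENALTY_SECONDS
    expected = {stake_token(mid, nonce) for mid in log.recent(sender_domain, now)}
    matches = len(expected.intersection(proof))  # duplicates in the proof count once
    return 0 if matches >= MIN_MATCHES else PENALTY_SECONDS


if __name__ == "__main__":
    now = 1_755_400_000  # constructed timestamp
    log = OutboundLog()
    # Constructed sample data: mail this site delivered to peer.example earlier.
    log.record("peer.example", "<a1@us.example>", now - 3600)
    log.record("peer.example", "<a2@us.example>", now - 7200)
    nonce = b"constructed-per-connection-nonce"
    good = build_proof(["<a1@us.example>", "<a2@us.example>"], nonce)
    print(required_delay(log, "peer.example", nonce, good, now))  # peer with history
    print(required_delay(log, "bulk.example", nonce, good, now))  # no mail ever sent there
    print(required_delay(log, "peer.example", nonce, [], now))    # no proof offered
```

Anyone who has received a message from the site knows its Message-ID, so the check shows only that the presenter saw that mail, not that it runs the domain's mail servers.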

On 8/16/25 4:42 PM, Matthew Petach via NANOG wrote:
On Sat, Aug 16, 2025 at 4:10 PM John R. Levine via NANOG <nanog@lists.nanog.org> wrote:
On Sat, 16 Aug 2025, bzs@theworld.com wrote:
"Electronic postage stamps" are one possible approach and might become the general term for whatever resource management is adopted.
But as a phrase it's too limiting and evokes certain counter-arguments as people stand up straw men and knock them down just based on those three words.
It's a great idea if you wave away all of the practical questions like who's going to issue the postage, who's going to collect it, who's going to pay for the infrastructure to do the checking, and who's going to settle the claims when a crook breaks into your ISP and sends $10,000 worth of spam using your stamps.
My preferred solution is a mandatory button in each e-mail message that administers a small electric shock to the sender. Each individual shock would be no big deal but when thousands of people hit the button the cumulative effect would be painful or for big time spammers, fatal. It's sort of like the old Bonded Sender idea but with electricity. I have no idea how to implement that either, but people who claim it can't work are just opposed to creative, innovative ideas.
"Electronic Postage Stamps" conjures up visions of a centralized Post Office type entity that issues postage.
Barry has been going on about this idea for decades, I think. It wouldn't work then, it won't work now. Nobody can put up a coherent argument for why the current cat and mouse situation isn't the acceptable balance, rather than some FUSSP that will never happen. Spam filtering is just a cost of business like electricity. You'd probably save more by addressing that with dilithium crystals, or something. Mike

It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
Dwork and Naor invented that in 1992. Clever idea, doesn't work in practice. https://www.wisdom.weizmann.ac.il/~naor/PAPERS/pvp.pdf R's, John

It appears that Mike Hammett via NANOG <nanog@lists.nanog.org> said:
I think all of these big companies lack a meaningful feedback loop from reasonably vetted people, lending credibility to their feedback. Most of them don't provide the tools to diagnose, nor have the ability to receive support requests. Not just SPAM, but all kinds of sanitation type services.
I know people at the large mail providers and I have to have some sympathy for them. They have mailers endlessly screaming at them, outraged that the Valuable Offers from their Treasured Marketing Partners go into the spam folder or worse, and they're sure that someone manually made that filtering decision and just has to flip a switch to fix it. Vetting trusted reporters just doesn't scale. To repeat a cliche, any group large enough to be interesting is going to include people who shouldn't be there. R's, John

On Sat, Aug 16, 2025 at 5:47 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
Dwork and Naor invented that in 1992. Clever idea, doesn't work in practice.
OK, I read the paper through, and they put considerably more thought into the calculation side; however, this paper explicitly calls for a centralized Pricing Authority, which is exactly what I'm advocating *against*.
In their words:
The system requires a single pricing function fs, with shortcut c, and a hash function h. The selection of the pricing function and the setting of usage fees are controlled by a pricing authority. All users agree to obey the authority. There can be any number of trusted agents that receive the shortcut information from the pricing authority. The functions h and fs are known to all users, but only the pricing authority and its trusted agents know c.
And this would, in my opinion, be why it's a non-starter. You'll never get a system that requires everyone to adhere to dictates from a central authority.
Instead, I'm advocating for a decentralized, one-at-a-time type approach, where the penalty box is in the time domain, so it's easily implemented unilaterally by the receiving side. It's the very opposite of what the paper you're citing proposed.
I mean, I know I'm a complete idiot, but at least shoot down my idea for its own flaws, don't shoot it down using a paper that contemplates the exact opposite scheme. ;P
Thanks! :)
Matt

On Sat, Aug 16, 2025 at 6:08 PM Matthew Petach via NANOG <nanog@lists.nanog.org> wrote:
On Sat, Aug 16, 2025 at 5:47 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Matthew Petach via NANOG <nanog@lists.nanog.org> said:
I think we should take a cue from cryptocurrencies, and have a "proof of stake" type of challenge for email messages sent out. The recipient machine doesn't accept a message until the sender has demonstrated they have put some skin in the game as well.
Dwork and Naor invented that in 1992. Clever idea, doesn't work in practice.
OK, I read the paper through, and they put considerably more thought into the calculation side; however, this paper explicitly calls for a centralized Pricing Authority, which is exactly what I'm advocating *against*.
And this would, in my opinion, be why it's a non-starter. You'll never get a system that requires everyone to adhere to dictates from a central authority.
Instead, I'm advocating for a decentralized, one-at-a-time type approach, where the penalty box is in the time domain, so it's easily implemented unilaterally by the receiving side. It's the very opposite of what the paper you're citing proposed.
Pretty sure what you're proposing is the equivalent of Hashcash? https://en.wikipedia.org/wiki/Hashcash Damian
participants (20)
- Anoop Ghanwani
- bzs@theworld.com
- Christopher Morrow
- Damian Menscher
- Drew Weaver
- Francis Booth
- Hank Nussbacher
- Jared Mauch
- John Levine
- John R. Levine
- Jon Lewis
- Marc Binderberger
- Marco Moock
- Matthew Petach
- Michael Thomas
- Mike Hammett
- nanog@immibis.com
- Randy Bush
- Rob McEwen
- Tom Beecher