Posted by u/hollowturtle 3 years ago
Ask HN: What's happening with Gmail spam filtering?
In the last 2 weeks my gmail inbox went from zero spam to at least 2/3 spam/phishing emails per day on the inbox. I'm marking them as spam but nonetheless it keeps happening. I'm wondering if because spam traffic increased and spammers found a new way to trick anti-spam or if gmail engineers changed something on their end. Is anyone experiencing the same?

Not a big deal as it's been almost a year I'm migrating off gmail and I'm keeping it only for a few things, but still annoying

SyneRyder · 3 years ago
The spam is quite likely coming via Google itself.

Google's mail servers have been compromised for several weeks now. It's commonly being used for infected crypto spam (all those "new traderbot" emails with the attached infected PDF, for example). I'm not yet sure if these are just compromised GMail accounts, or if the mail servers themselves have been compromised. There seem to be some reports on AbuseIPDB of intrusion attempts coming directly from Google's mail servers.

I've tried reporting it to Google (eg via SpamCop), and Google declines to receive reports. I have been reporting it through AbuseIPDB as well. Here is one Google mail server that has had over 300 abuse reports:

https://www.abuseipdb.com/check/209.85.167.48

There are many more, and I linked to a few more when I posted about it here on HN over a month ago:

https://news.ycombinator.com/item?id=32434810

nwellnhof · 3 years ago
Yes, I've noticed this crypto/traderbot spam campaign a few weeks ago, and it definitely comes from Gmail itself. It's nice to see that it also affects other Gmail users. Maybe Google will finally get their act together and stop all the Gmail spam. Right now, I get about 100 spam emails from Gmail each month, making it the biggest source of spam for me. If it wasn't that half of the world uses their services, I'd have blocked Google's mail servers a long time ago.
0___0 · 3 years ago
weeks? more like months. Yep, can't report them via SpamCop. I always report them via https://support.google.com/mail/contact/abuse?hl=en Not sure why they can't fix their crap.
SyneRyder · 3 years ago
Thank you! I somehow never came across that URL before. It's worth a try, though I'm not very optimistic it will help!

I'd genuinely be interested to know from someone working at Google why Google can't / won't solve this, even for the narrow clearly-defined cases I see.

tallanvor · 3 years ago
Unfortunately every major provider has this happen. Google and Microsoft especially since they have their productivity platforms that send mail through the same infrastructure as their free email services. They also have to deal with more problems through compromised education accounts - students aren't that great at protecting their school credentials, and some businesses aren't much better.
sodality2 · 3 years ago
I don't think that it's common for a Google mail server to be brute forcing SMTP logins for other servers, and also sending high amounts of spam. It looks like the server has been compromised, or else why would Google be making SMTP login requests?
jeffbee · 3 years ago
Those outbound VIPs aren’t attached to “a mail server”. If some outside party has gained the level of access you are suggesting, to just freely use these VIPs, then they have compromised the entire Google.
mc32 · 3 years ago
Whatever happened to the Postini acquisition, did they get diluted over the years?
chrisjc · 3 years ago
> compromised GMail accounts

If it is coming from compromised Gmail accounts, I wonder if these same accounts are also being used to post the handful of deep-fake Elon Musk crypto YouTube Shorts that inundate the Shorts feeds.

There's hundreds, maybe thousands of these videos being posted making Shorts practically unusable. And no amount of reporting or downvoting seems to affect their algorithm.

bluedino · 3 years ago
I get about 10 per day. They all seem to come from hacked O365/Gmail accounts. All 4 of my Gmail accounts are affected.

It's all the same crap that's obviously spam.

"Dear Friend, I hope this email finds you well. I need your assistance in a matter..."

"You've been chosen!"

"Home Depot/TruGreen/Dicks Sporting Goods/ADT-Security"

"Invoice enclosed"

"You've received a direct deposit..."

"Hot sex <insert emojis>"

I would guess that Gmail is simply a legacy/commodity function at Google, so they have spam handled by lower-end employees or even contractors.

tgraham · 3 years ago
The "Dicks Sporting Goods" email is insane - probably hourly at the moment, from what would appear obviously bogus email senders. What is the non-obvious answer as to why these get through?
lumost · 3 years ago
These are so absolutely ridiculous. The only (dumb) reason I can think of is that there is a large ML model which got used to seeing certain character sequences as not spam and spammers are starting to exploit it.

It's kinda shocking as Gmail spam filtering was virtually flawless for over a decade, and now it's falling apart.

bluedino · 3 years ago
I received 3 of these the other day. For those not aware, Dicks is the largest sporting goods store chain in the USA.

DICKS SPORTINGGOODS!! <wqrwrsss-@acohhovldzbqmulu.ml>

Subject: You've beean chosen! SPF: PASS with IP 40.107.117.103 Learn more DKIM: 'PASS' with domain acohhovldzbqmulu.ml

Dicks Sporting Goods Winner <eushfyuefdsf-@chistezlhekofu.ml>

Subject: -You've been chosen! SPF: PASS with IP 40.107.215.70 Learn more DKIM: 'PASS' with domain chistezlhekofu.ml Learn more

Google detects them all as Persian, and asks if I want to translate.

Also interesting:

Message ID <6324876e.050a0220.efb1a.fe7bSMTPIN_ADDED_BROKEN@mx.google.com>

The only text in the message:

Your Name Came Up For a YETI Hopper M//20 Cooler customer Gift

Ends up linking to here: https://templarswoards.com/39adf46955f3971c805bc32b65a2cb08

After filling out a 'survey' it asks for name, address, email, phone

https://www.simplediscountshop.com/staging/backpack/refresht...

It then asks for a credit card number to pay the $6.95 shipping

janef0421 · 3 years ago
I would guess that gmail is using some kind of sender address reputation system, and these hacked accounts have high reputation on account of being used for legitimate mail traffic for a significant amount of time.
davidbarker · 3 years ago
Yes! I'm getting around 10 Dick's Sporting Goods emails per day. It's a relief to know it's not just me.
SteveNuts · 3 years ago
I'm expecting my Yeti cooler any day now
dwighttk · 3 years ago
I got one Dicks sporting goods spam and it was almost convincing because I’m pretty sure I signed up for a raffle in store recently

Haven’t been seeing any more since that one though.

martinko · 3 years ago
Same here, started a few months ago.
civilized · 3 years ago
Weirdly awed and relieved to know that I'm just a small part of the Dick's Sporting Goods spam epidemic.
estebarb · 3 years ago
In my case it is a meeting invite: "Invitación: Great, you are now the winner of the mega prize! ⬅ Cada día de 18:00 a 19:00 (CST)" every day, although I marked it as phishing. I would have thought that at this point all prizes had been marked as spam.
lupire · 3 years ago
There are no humans "handling" spam. It's done by AI.
enlyth · 3 years ago
To offer a singular data point, contrary to other posters here, I am not seeing this at all, and I pretty actively use my two Gmail addresses which have been active since 2005. My spam inbox regularly gets correctly categorized spam, and important emails still correctly land in my inbox.
crazygringo · 3 years ago
Same here. I haven't had Gmail let a single spam email through in years.

To the contrary, I find myself going through my spam folder to mark as NOT spam things like monthly newsletters from arts organizations. There are a bunch of concerts and plays I've sadly missed because of this. (Which I can only assume comes from people abusing the mark-as-spam button instead of properly unsubscribing, which sucks because it leads to other people missing the legitimate emails.)

Also things like invoices from Apple purchases (e.g. a paid app or AppleCare) show up in spam. Which isn't a biggie, but it does seem bizarre that Gmail could ever get that wrong.

rconti · 3 years ago
It is incredibly strange to hear from you (and others in this thread) who don't have a spam problem with GMail. From everyone I've talked to, it seemed endemic. From my experiences with my own account (circa 2004), GMail has moved backwards in recent years. I'd say it became a serious problem a few years ago. Marking things as spam is useless because then you immediately start getting legitimate mail marked as spam. Marking those as not-spam just leads directly to getting more spam. It happens with a single click. It's a 2 position slider at this point.
twic · 3 years ago
Zero spam in my inbox, zero items in the spam folder (where they are deleted after 30 days).

GMail is not my primary email, though. I use it for Meetup.com, Slack, Steam, maybe one or two other things. A quick google search suggests that my email address does not appear on the internet. Maybe people not suffering from spam have similarly private addresses?

dwringer · 3 years ago
I get an unfiltered spam message in my inbox maybe once every month on average. I always assumed these are new campaigns with the newest "zero-day" exploits of the spam filter. Much more common is getting newsletters for which I have actually signed up, and marked as "Not Spam" in the past, delivered straight to my Spam folder.

The number of spam messages I get in general, judging from what shows up in the Spam folder, varies wildly from week to week. Sometimes I'll get five over a two-week period, and then get a week where I receive about 15 per day.

enlyth · 3 years ago
I agree it seems that there is a very polarized effect happening, according to the comments some people get constant spam in their inbox and some people have never gotten anything.

It would be interesting to know the cause. I have actually signed up to loads of dodgy websites over the years, my email has been "pwned" according to haveibeenpwned, etc. So there's nothing particular that I've been doing to shield myself from spam, but Google still catches it all perfectly.

But then again, I completely believe all the other people saying they _have_ had spam come through, so it remains a mystery as to why. Is it some specialized spam list of a certain group that know how to bypass the spam filter? Is it Google A/B testing their spam filter? Who knows.

nkozyra · 3 years ago
It comes periodically for me - I'll get 4-5 in a week and then months or a year will go by without one.

I have manually marked a large amount of prior emails as spam, not sure how personalized the filters are.

mFixman · 3 years ago
As a middle point between the main post and your comment, I have been getting 1 or 2 spam emails every week for the last couple of months.

Gmail's spam filtering was perfect before, so something is going on on my account (although not as dramatic as OP's).

1123581321 · 3 years ago
I could’ve written your post (except I would’ve said 2004 instead of 2005) until a few months ago. Since then, about 10-20 of these types of emails get through the spam filter daily. I’ve had some luck creating filters after they hit my inbox, but about half of them don’t have predictable elements.

So I do believe something has changed and I wish I was still in your situation.

jader201 · 3 years ago
+1. I have a ridiculous number of Gmail accounts (like 20+), and regularly monitor 5 of them, and none are seeing regular spam.

I will say I’ve gotten what I consider spam from Experian where they claim to be MSAs (mandatory service announcements) on my account, but they’re clearly marketing, and I’ve just set up a rule to delete those. Done.

I also have gotten on political lists where unsubscribing doesn’t seem effective, so set up another rule to block those. Done.

Other than these 2 edge cases (that don’t seem to be blatant spam, just dark patterns), my inboxes are clean of spam.

I also have family (wife and two older sons) on Gmail, and haven’t heard them complain about spam.

One potential hint though: all of my Gmail comes through personal domains. So maybe these spam attempts are targeting gmail.com domain? I do have a gmail.com email, though, that gets forwarded to my personal domain one, and I still haven’t noticed any spam, FWIW.

jeffbee · 3 years ago
Also just offering anecdata, the last 10 messages in my spam folder have these origins:

1) 3 "legitimate" spams, i.e. unsolicited messages that the senders believe they should have sent. 3 of these. 2 via Constant Contact and 1 via Salesforce.

2) 1 random porn spam, via random spammer domain with valid SPF and DKIM.

3) 2 phishing scams with the same body arriving from random commercial domains without DKIM. These are almost certainly spread via malware/viruses/worms.

4) 1 Google promotion originating from Google with valid DKIM, because I mark all these as spam.

5) 2 phishing messages, with the phishing warning, that originated from gmail itself via HTTP. These are pwned google accounts or google accounts logged in on machines with malware (effectively, same thing).

6) 1 idiot Republican politician, via Mailchimp.

fluoridation · 3 years ago
Same. I haven't gotten any spam in my inbox in years. The spammiest mails I get are mailing lists that some business subscribed me to.
noirbot · 3 years ago
I have the middle of this - I have a couple Gmail addresses/accounts. One of them is reliably getting spammed, often to the order of messages every hour some days, and has been for months. The others are all clean/getting their spam caught in the filter.
PascLeRasc · 3 years ago
Same thing here, I can't think of a single spam email I've received since before the pandemic.

As a side topic, I've heard a lot of people say that the Gmail UI has changed and that it's unusable now. This is what mine looks like and I really like it, is it not how everyone else's looks too? https://imgur.com/a/3ahD0Ta

dpkirchner · 3 years ago
Same -- I have three accounts on gmail that I check regularly and I haven't seen spam make it past the filters for months. One of the accounts uses an email address that is, I think, 20 years old and that I have used publicly throughout (and thus gets a fair amount of spam).
gambiting · 3 years ago
Same here - I've had 6 different gmail accounts for years and years, and the frequency with which spam gets through is maybe 1-2 emails a year, if even that.
HideousKojima · 3 years ago
I'm not getting as much as the OP, but I'm getting 1-3 obvious spam emails in my inbox a week, whereas it was once a month if ever before.
ChrisRR · 3 years ago
Same here. I've had one or two that slip through the cracks once every few months, but otherwise all spam gets sent to the spam box
mavhc · 3 years ago
99% fine here too
aceazzameen · 3 years ago
I'm having the opposite problem. I have a custom domain email address through a webhost, which gets forwarded to Gmail. I've been using Gmail as my client since day 1 (around whenever Gmail first came out). Some time in early summer I stopped getting emails from my wife, who uses a plain Gmail address. I was missing messages in threads if she was the sender. This has never happened before. So I checked the logs on the webhost, and it turns out Gmail was rejecting mail sent from her with an error that her address is spam. And I don't mean it went into the spam folder. It straight up rejected the messages and wouldn't go to the Gmail servers at all. I found this crazy, because it was rejecting a Gmail address that has been used for years. And in message threads that included others with Gmail addresses. And if she emailed me to my actual Gmail address, it was fine and not spam. But her address (and only hers) gets marked as spam if sent to my domain.

So my solution was to start using Thunderbird. Her messages were never being rejected by my domain and all the threads are there intact.

Edit: This was the SMTP error that Google was telling my domain: "Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked."

bashonly · 3 years ago
i used to have a custom domain email forwarded to gmail that would receive github notification emails and the same thing happened to me with those a couple months ago
pcorsaro · 3 years ago
For me, it just goes in cycles. For a couple of weeks, I'll get these spam emails from "Dick's Sporting Goods" telling me I won a chance at a Yeti cooler or something like that. These emails will make it through gmail's filter for a while, then they catch them, then they figure out how to get through again. That particular set of emails seems to be the only spam that ever makes it through the filter, but the cycle has been happening for quite a while now.
vidanay · 3 years ago
I'm currently in the "Dick's Sporting Goods" cycle....a few months ago I was in the "Norton Renewal" cycle. In between was 5-6 weeks of silence.
smt88 · 3 years ago
I also get the Dick's Sporting Goods emails and am baffled and amazed that such a stupid, obvious scam is beating the world's best spam filters that have billions of data points in their training set.
JoeOfTexas · 3 years ago
It's funny cause the from email is like: aklsdjflkasdjf@dkaljklsdjfls.com
lkrubner · 3 years ago
The opposite is also happening: I'm increasingly classified as a "promotion" when I write to my friends. I wrote to my close friend Natalie and I was like "Did you see my email?" and she said "No" and went to search for it, and eventually found it in promotions. I'm now treated as marketing or as spam, for some of my friends. This has been going on for some weeks now.
projectramo · 3 years ago
By any chance, were you informing Natalie about a discount at Dick's sporting goods?
HideousKojima · 3 years ago
I've had a few emails in the last year that were clearly shipping confirmations with tracking numbers etc. that got classified as promotions
cfeduke · 3 years ago
I started experiencing this myself a couple months ago, and of course searching for any sort of solution with modern search engines is a path to insanity.

Because almost all of the spam that is getting through - to me, at least - follows a very simple template - something that spam blockers should be incredibly good at handling - I was able to concoct a reasonable solution.

Google has this Apps Script thing* where you can deposit JavaScript and then schedule that JavaScript to run every minute. They expose a Gmail API and once you've given your script access to your Gmail inbox, you can process the unread messages and look for telltale signs of spam (for me, inspecting the subject for a regex match of `/confirmation#/i` has been adequate[0]) and finally move the message to spam. Since it runs every minute instead of on an event of new mail, new messages may appear unread for a short period of time.

* though there are options to deploy your project it is not necessary to do so in order to run the script on a schedule

0. https://gist.github.com/cfeduke/1dfb7f650b9abbfce549eddffc96...
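
The approach described in the comment above, written out as an added Apps Script example; it is not the code from the linked gist. Beyond the subject regex it also flags a brand name in the display name that does not match the sending domain, since SPF and DKIM passing (as in the headers quoted earlier in the thread) only authenticates the throwaway domain. The `BRANDS` table, its domains and all function names are assumptions.

```javascript
// Added example for Google Apps Script (V8 runtime); not the gist's code.
// BRANDS is a constructed table: normalized display-name keyword -> domains
// accepted for that brand. Verify them against mail you really receive.
const BRANDS = {
  dickssportinggoods: ['dickssportinggoods.com'],
  homedepot: ['homedepot.com'],
};
const SUBJECT_RE = /confirmation#/i; // subject pattern quoted in the comment

// Split 'Display Name <local@domain>' (or a bare address) into name and domain.
function parseFrom(header) {
  const m = /^\s*"?([^"<]*?)"?\s*<([^<>@\s]+)@([^<>\s]+)>\s*$/.exec(header);
  if (m) return { name: m[1].toLowerCase(), domain: m[3].toLowerCase() };
  const bare = /^\s*([^<>@\s]+)@([^<>\s]+)\s*$/.exec(header);
  return bare ? { name: '', domain: bare[2].toLowerCase() } : null;
}

// Return the brand named in the display name when the sending domain is not
// one of that brand's domains (or a subdomain of one); otherwise null.
function impersonatedBrand(fromHeader) {
  const from = parseFrom(fromHeader);
  if (!from) return null;
  // "DICKS SPORTINGGOODS!!" -> "dickssportinggoods"
  const name = from.name.replace(/[^a-z0-9]/g, '');
  for (const [brand, domains] of Object.entries(BRANDS)) {
    const aligned = domains.some(
      (d) => from.domain === d || from.domain.endsWith('.' + d));
    if (name.includes(brand) && !aligned) return brand;
  }
  return null;
}

// Pure scoring step: list every reason a message looks like template spam.
function spamReasons(subject, fromHeader) {
  const reasons = [];
  if (SUBJECT_RE.test(subject)) reasons.push('subject-pattern');
  const brand = impersonatedBrand(fromHeader);
  if (brand) reasons.push('brand-mismatch:' + brand);
  return reasons;
}

// Entry point: attach a time-driven trigger (e.g. every minute) to this.
// Only the first message of each unread inbox thread is inspected, and the
// whole thread is moved, so a long legitimate thread is never split.
function sweepInbox() {
  const threads = GmailApp.search('in:inbox is:unread', 0, 50);
  for (const thread of threads) {
    const msg = thread.getMessages()[0];
    const reasons = spamReasons(msg.getSubject(), msg.getFrom());
    if (reasons.length > 0) {
      console.log('to spam: ' + msg.getSubject() + ' [' + reasons.join(',') + ']');
      thread.moveToSpam();
    }
  }
}
```

Logging the reasons before moving a thread makes false positives easy to trace in the Apps Script execution log.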

elondaits · 3 years ago
The crazy thing is that in the last year I found emails from Google, and Apple, in the spam folder. Apple's were invoices... of which I get a couple a month (iTunes purchases, subscriptions). Google's I think were announcements for services, etc. tied to a Workspaces work account.

I can't think of any actions I did (in terms of identifying email as spam) that could suggest I might consider emails from Google or Apple, or any emails with that content, as spam. I mark things regularly, but almost always actual spam / phishing, or commercial mass emails from companies I have no relation with (banks, etc.)

tnolet · 3 years ago
Yep. Same on Outlook (née Hotmail). Announcements from Microsoft in spam.
ridgered4 · 3 years ago
> Google's I think were announcements for services, etc. tied to a Workspaces work account.

That kind of sounds like spam to me!