[avian]

Somewhat related to spam coming from Google servers, maybe someone can shed some light on what could be the motivation behind this activity:

In recent months I'm seeing instances where random personal mail accounts on a server I run would receive a barrage of mail in a short amount of time.

Mail seems to be bounced via Google Groups - they are sent from Google's IPs and have headers like X-Google-Group-Id, List-*, etc. all pointing to Google Groups. The actual group ID changes after each individual instance of this. However when I actually check e.g. the List-Archive URL, the group appears to be already been deleted.

The content of mail looks like it originates from various (legit-looking) random public web services, support requests, issue trackers, web contact forms etc. For example, a common reoccurring one is Virginia Department of Motor Vehicles (as in something like "thank you for filing a document #123 with us").

No apparent phishing links, no attached malware, no short advertisements snuck into a text field etc. Just automated replies from "noreply@"-type addresses.

It does not seem to be the case of trying to hide another attack (as discussed here for example: https://news.ycombinator.com/item?id=47609882) - over many instances I've not seen any other malicious activity. And this mail is filtered out easily enough based on Google's headers.

It all looks like there is some bot that a) creates a Google group and subscribes (one or more) random email addresses to a Google group and then b) enters the group's mail address into a bunch of random web forms that then send their automated responses to the group.

What could be the motivation for this? After the fact it's filtered pretty easily based on headers. It's not nearly enough volume to DoS the server. But why would someone go through the trouble of setting this up?

[ethan_smith]

This is almost certainly subscription bombing / email bombing. The goal is to flood someone's inbox with hundreds of legitimate-looking automated emails so they miss a real one - typically a password reset confirmation, a purchase receipt, or a "new device login" alert. The actual attack is happening on some other service where the victim has an account. The fact that you don't see it on your server doesn't mean much, the target is the victim's primary inbox elsewhere.

[avian]

Thanks. It might still turn out to be this.

My thinking so far against was 1) after a few months I'm pretty sure I would hear about the real attack 2) Repeating too frequently. People aren't getting hacked all the time (I hope).

But who knows? Now I'm thinking that maybe some other step in the attack is failing and maybe the attackers just trigger the email bomb part pre-emptively in case they actually succeed in resetting the password/purchasing/whatever.

[silvershell]

Yes. I got the same issue… and when someone replies, all users in the mailing list receive it… that’s why I would see a ton of replies saying please remove me from your mailing list. Very annoying. The only solution I found was to create an inbox rule to reject those, as I couldn’t unsubscribe

[vk6flab]

The headers actually contain an unsubscribe email address that actually works.

The format is something like googlegroups-manage+{groupName}+unsubscribe@googlegroups.com

Just send an email there and they stop coming (for that list).

Source: I was getting spam like this, a fellow victim did some tests and confirmed that it stopped the onslaught of messages.

[avian]

I just block the group address on the MTA, but it doesn't matter. In all instances so far when it came to my attention the group was already deleted. Next time they will use a different group and I don't want to blanket ban all Google Group mail for my users.

It's not even that much of a hassle. What worries me is that I don't understand why someone would go through the trouble of doing this for no apparent benefit. I hope I'm not somehow unknowingly enabling some sort of an attack on any of the entities sending these automated replies.