Operating System & Version
Centos7
cPanel & WHM Version
11.90.0.17

pcreadycl

cPanel Access Level
Root Administrator
cPanel WHM v90.0.17

Hello, I have been receiving spam from Google Forms for a week now and I have not been able to stop it. Since they are Google IPs, I cannot just block them.

I found this information on Google forums, but it didn't help me at all; Google support is very slow:

https://joshdance.medium.com/new-type-of-spam-google-form-spam-3871663a2b43
https://support.google.com/docs/thread/65992755?hl=en#

This is a sample of the spam (Header):
Code:
Received: from ***.***.**
    by ***.***.** with LMTP
    id VmW2BQUhvl+ZSwAAPXiKVA
    (envelope-from <[email protected]gle.com>)
    for <[email protected]***.**>; Wed, 25 Nov 2020 06:16:53 -0300
Received: from mail-qv1-f70.google.com ([209.85.219.70]:54443)
    by ***.***.** with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.93)
    (envelope-from <[email protected]gle.com>)
    id 1khqux-00051M-CQ
    for [email protected]***.**; Wed, 25 Nov 2020 06:16:52 -0300
Received: by mail-qv1-f70.google.com with SMTP id q6so1761679qvr.21
        for <[email protected]***.**>; Wed, 25 Nov 2020 01:16:29 -0800 (PST)
Reply-To: <[email protected]>
From: <[email protected]>
To: <[email protected]***.**>
Subject: [SPAM] YOUR COMPENSATIONAL SETTLEMENTS OF ESCROW ACCOUNTS US$6,000,000.00
Date: Wed, 25 Nov 2020 06:16:08 -0300
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_09F9_01D6C2F2.95A522B0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLUF7638SKsHLPesKGWapVUJ/S93Q==
X-EsetId: 37303A29BF7BF96A607D66
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:reply-to:message-id:date:subject
         :from:to;
        bh=dTLa+ePLsbe1vOhcTPOFZiLXlN+f/vD4riBkL3hX0LY=;
        b=hMO56763E3d+bfPGwKDq92ZsF/Zwr3DVYmh2bbYUYHst7/+hBVS0uso006dFJ+YW+W
         fcpn27IImusNuI3CmpaMCCHeZWku1s5dNDB3CHXFIDBrFyRh9cwRQSP7CdbMuJ8X95o5
         Cgq1e4fsh0edv7Tc0ltLDv/baZ2Wf9XahRUH7hMk7jLEUbEYBG8gnZnlvu4447eEaKFy
         v2mFOq+gE5flcdM2kvQ6suZiI7hM9RKm17T7oYK/gB+zGh2pW7a2aVIBjwg8aFw/URG0
         8KrMO/VoK+iXcFMmtwVd3zPqPOUnTKn/DSxqxnWm264Ow9J6NfsmQN/X156tA+jSxG1A
         O6JQ==
X-Gm-Message-State: AOAM530l5qH5yEmaxMVuMYbKE1sA+CrM7XjefMDjW1gsfCogDJwmBU3s
    1I+oH5JShk4LqcDwKV/+zgbr0p6ZTYQnfYV4ilE5
X-Received: by 2002:a25:df87:: with SMTP id w129mt2241104ybg.480.1606295767373;
        Wed, 25 Nov 2020 01:16:07 -0800 (PST)
X-No-Auto-Attachment: 1
This is the content of the message (Body):

HTML:
<html><body style="font-family: Roboto,Helvetica,Arial,sans-serif; margin: 0; padding: 0; height: 100%; width: 100%;"><table border="0" cellpadding="0" cellspacing="0" style="background-color:rgb(103,58,183);" width="100%" role="presentation"><tbody><tr height="64px"><td style="padding: 0 24px;"><img alt="Google Forms" height="26px" style="display: inline-block; margin: 0; vertical-align: middle;" width="143px" src="https://www.gstatic.com/docs/forms/google_forms_logo_lockup_white_2x.png"></td></tr></tbody></table><div style="padding: 24px; background-color:rgb(237,231,246)"><div align="center" style="background-color: #fff; border-bottom: 1px solid #e0e0e0;margin: 0 auto; max-width: 624px; min-width: 154px;padding: 0 24px;"><table align="center" cellpadding="0" cellspacing="0" style="background-color: #fff;" width="100%" role="presentation"><tbody><tr height="24px"><td></td></tr><tr><td><span style="display: table-cell; vertical-align: top; font-size: 13px; line-height: 18px; color: #424242;" dir="auto">INTERNATIONAL MONETARY FUND<br>HUMANITARIAN AFFAIRS DEPARTMENT<br>1900 PENNSYLVANIA AVE NW,<br>WASHINGTON,<br><br><br>COMPENSATIONAL SETTLEMENT OF ESCROW ACCOUNTS US$6,000,000.00 <br> <br>It is a pleasure to write you that we have reconciled with our logistic department on the reimbursement of some fund spent by you during the cause of your inadequate dealings with some imposters who claim to be staff in banks and other regional payment centers. <br> <br>Our reconciliation teams with the prospectus instrument of the United Nations after freezing suspected imposters account. This support was fully effective with the help of World Bank after a summit meeting in United States, on the financial analysis on financial stability issues fluctuating their economy with the international global standard. <br> <br>After gathering of this sum, our logistic department gave us a list of customers to be paid who fall victims to this imposters due to unawareness. 
And mode of payment was as well specified for proper conducts and financial regulations to kick against criminality during process of payment. <br> <br>We have arranged your payment through our Paying Bank, which is the latest instruction from International Monetary Fund Reconciliation Office.  You are hereby selected as an honor for this payment approval, which you are to acknowledge the receipt of this mail in returning the required below to the Logistic Department by email listed below for the  Bank to Bank Online Transfer to your Bank Account.<br> <br>Contact the Office of Reconciliation and Logistics Vaults, International Monetary Fund (IMF),for your fund release and payment.<br> <br>Contact Manager: Kristalina Georgieva <br>Email:                   [email protected]                <br> <br>1. Full Name:<br>2. Phone Number:<br>3. Your age and Current Occupation:<br>4. Home Address, <br>5. Bank Account where you want the fund to be credited. <br> <br>For your information, you have to stop any further communication with any other person (s) or office (s) to avoid any hitches in receiving your payment.<br> <br>Because of Impostors, we hereby issued you our code of conduct, which is (FUND-0147) so you have to indicate this code when contacting  the Office of Reconciliation and Logistics Vaults, International Monetary Fund (IMF), for your fund release and payment.<br> <br>Yours in Service,<br><br>Mr.Naoyuki Shinohara. 
<br>Deputy Managing Director, <br>International Monetary Fund, <br>Washington, DC 20431, USA.<br><br><br><br></span></td></tr><tr height="20px"><td></tr><tr style="font-size: 20px; line-height: 24px;"><td dir="auto"><a href="https://docs.google.com/forms/d/e/1FAIpQLSdjEzPr8HJ4tDb5gRH6ZIUmVHC6nXOR51uDv6lvXWstqKo1ow/viewform?vc=0&amp;c=0&amp;w=1&amp;flr=0&amp;usp=mail_form_link" style="color: rgb(103,58,183); text-decoration: none; vertical-align: middle; font-weight: 500">Untitled form</a><div itemprop="action" itemscope itemtype="http://schema.org/ViewAction"><meta itemprop="url" content="https://docs.google.com/forms/d/e/1FAIpQLSdjEzPr8HJ4tDb5gRH6ZIUmVHC6nXOR51uDv6lvXWstqKo1ow/viewform?vc=0&amp;c=0&amp;w=1&amp;flr=0&amp;usp=mail_goto_form"><meta itemprop="name" content="Fill out form"></div></td></tr><tr height="24px"></tr><tr><td><table border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><a href="https://docs.google.com/forms/d/e/1FAIpQLSdjEzPr8HJ4tDb5gRH6ZIUmVHC6nXOR51uDv6lvXWstqKo1ow/viewform?vc=0&amp;c=0&amp;w=1&amp;flr=0&amp;usp=mail_form_link" style="border-radius: 3px; box-sizing: border-box; display: inline-block; font-size: 13px; font-weight: 700; height: 40px; line-height: 40px; padding: 0 24px; text-align: center; text-decoration: none; text-transform: uppercase; vertical-align: middle; color: #fff; background-color: rgb(103,58,183);" target="_blank" rel="noopener">Fill out form</a></td></tr></tbody></table></td></tr><tr height="24px"></tr></tbody></table></div><table align="center" cellpadding="0" cellspacing="0" style="max-width: 672px; min-width: 154px;" width="100%" role="presentation"><tbody><tr height="24px"><td></td></tr><tr><td><a href="https://docs.google.com/forms?usp=mail_form_link" style="color: #424242; font-size: 13px;">Create your own Google Form</a></td></tr></tbody></table></div></body></html>
Is there any way to block the "(envelope-from)"? All the spam comes from:
Code:
... *@trix.bounces.google.com
But the "(From)" is different:
Code:
What can I do? Thank you.
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
Hey there! In cPanel >> Global Email Filters, could you use the option for "Any Header" and "Contains" to include the "trix.bounces.google.com" data? That seems like it would be the easiest solution. My only concern is that if you had a legitimate bounce from a Gmail address it may not get delivered.
 

pcreadycl

> Hey there! In cPanel >> Global Email Filters, could you use the option for "Any Header" and "Contains" to include the "trix.bounces.google.com" data? That seems like it would be the easiest solution. My only concern is that if you had a legitimate bounce from a Gmail address it may not get delivered.
Hello, I can't find the option you indicate in WHM.
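A way to try out the "Any Header" / "Contains" rule suggested above on saved messages before enabling it, next to a narrower check that reads only the `(envelope-from <...>)` clause Exim writes into the `Received:` header, as seen in the posted sample. This is an added example, not part of the original thread or of cPanel: the two messages are constructed, the function names are hypothetical, and "Any Header contains" is modeled here as a plain substring test over every header value.

```python
import email
import re

NEEDLE = "trix.bounces.google.com"

# Constructed sample: a form notification as the receiving Exim server records it.
FORM_SPAM = """\
Received: from mail-qv1-f70.google.com ([192.0.2.70])
    by mx.example.test with esmtps (Exim 4.93)
    (envelope-from <3abc@trix.bounces.google.com>)
    for user@example.test; Wed, 25 Nov 2020 06:16:52 -0300
From: <sender@example.org>
To: <user@example.test>
Subject: constructed sample

body
"""

# Constructed sample: a colleague forwarding a report that names the domain.
FORWARDED_REPORT = """\
Received: from mail.example.net ([192.0.2.10])
    by mx.example.test with esmtps (Exim 4.93)
    (envelope-from <colleague@example.net>)
    for user@example.test; Wed, 25 Nov 2020 09:00:00 -0300
From: <colleague@example.net>
To: <user@example.test>
Subject: Fwd: spam via trix.bounces.google.com

body
"""

ENVELOPE_RE = re.compile(r"\(envelope-from <([^>]*)>\)")

def any_header_contains(raw, needle=NEEDLE):
    """Assumed model of the broad rule: substring match in any header value."""
    msg = email.message_from_string(raw)
    return any(needle in value.lower() for _, value in msg.items())

def envelope_senders(raw):
    """Envelope senders recorded in Received headers, topmost (local) hop first."""
    msg = email.message_from_string(raw)
    return [m.group(1).lower()
            for header in msg.get_all("Received", [])
            for m in ENVELOPE_RE.finditer(header)]

def envelope_matches(raw, domain=NEEDLE):
    """Narrow rule: only the envelope sender logged by our own server counts."""
    senders = envelope_senders(raw)
    return bool(senders) and senders[0].endswith("@" + domain)
```

Running both checks over a folder of saved mail shows which messages the broad rule would catch that the envelope-only rule would let through.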