On 12/3/23 17:07, Wally J wrote:
> Hi Grant,
Hi Wally,
> Oh. DE-PEER! Duh. Sorry. I never heard the term before but I should have
> been able to figure it out on my own.
Apology returned to sender as unnecessary.
> Thanks for being nice about my faux
> pas. It was stupid of me to not realize that's what it had meant.
You're welcome.
I believe that people trying to engage in civil conversation deserve
civil responses.
I don't think stupid. If anything, unaware. But, you are now aware,
and therefore a little bit better off. :-)
> Especially since that was my whole point.
;-)
> How do you de-peer the spams (which I suspect are not coming from Google).
You don't de-peer individual messages. You de-peer ... peer news servers.
Few news servers directly peer with Google.
Most news servers peer with other news server(s) that eventually peer
with Google.
So the only way that most news server administrators have to de-peer
Google, in a manner of speaking, is to not allow messages from Google
into their news server.
Yep.
> I am almost 86 so I lived through the days when we'd complain to a host
> admin that someone spammed us once in a month or two, and then I lived
> through making my own procmail filters on SunOS, so I'm familiar with the
> fact that it's just plain stupid to filter out everything from Google.
I too make *EXTENSIVE* use of procmail for my email. Filtering Usenet
is a little bit different.
You may think it stupid that I have blocked all Google messages on my
server. But you are as free to have your opinion as I am to have mine. ;-)
The question is how much time is a news administrator willing to spend
combating spam before they block a site entirely?
Would you continue to accept messages from a small individual news
server if 1 in 1,000 were legitimate and the other 999 were blatant
spam? What if that was a university? What if it was google? What if
it was more like 1 in 10,000 / 100,000 / 1,000,000? Is there a point
when you would block an entire site because of the ratio of ham to spam?
Does the size of the site make any difference?
For me personally, I was spending an hour or more a day fighting Google
spam and only getting to enjoy participating in conversations like this
for about 15 minutes a day. After about two weeks of that, I decided to
try filtering Google for a few days to see what I thought of it. I've
got to say that I'm enjoying that 15 minutes on Usenet again and the
hour (plus) of time that I've gotten back every day.
Given that Usenet is flood full, all my peers that peer with someone
other than me can get their messages from Google another way.
I get to run my server the way that I want to. I choose to run my
server in a way that makes me happy, or at the very least doesn't
actively make me unhappy and want to shut it down.
> People do it all the time.
> But only stupid people do it.
I guess I'm a stupid person then.
> A smart admin would have a smarter filter than "everything".
> Worse....
I suspect you aren't intending to make a personal attack. But I'll ask
you politely to not insult people who make their own choice, even if you
don't agree with it.
> I suspect NONE of this spam is actually coming from Google anyway.
> (But I just saw below that you suspect they _are_ coming from Google.)
>
> For a filter, it's the same thing of course, but isn't it different to an
> nntp server who can tell where it's coming from better than I can tell?
NNTP servers have a modicum of trust in each other. As in only NNTP
peers are allowed to specify the Path header. Meaning that it's
considerably more difficult for a /client/ to provide a forged path.
All of the Google spam samples that I looked at had everything indicate
that it was from Google; Path, Message-ID, From, etc. -- I no longer
have any articles that originated from Google on my server as I had my
server search through nearly 28 million messages to remove any messages
from Google. -- That's how strongly I believe the spam originates from
Google.
Just about everybody else I've talked to believes the messages originate
from Google.
I can't recall anyone actually saying that the messages originate elsewhere.
There are those that keep an open mind and allow for the possibility
that they originate elsewhere.
Google is notoriously non-responsive for dealing with problems
originating from them into many ecosystems, Usenet is just the one being
discussed here.
As a former Google employee, I know how the people who supposedly are
responsible for -- what I call -- the Google Groups Usenet gateway treat
it at best as an also ran service.
Google has a quite bad reputation as being a source of spam in the email
community. All you need to do is look at the mailop / NANOG / Spammers
Don't Like Us / SpamAssassin / ClamAV mailing lists and you will find
hundreds of people talking about Google being the source of spam email
and Usenet articles.
There is exceedingly little doubt that Google is a source of massive
amounts of spam.
I have not seen any evidence that supports that someone is trying to
frame Google by pretending to be them. -- I'd be quite curious to see
any such statements.
Google has responded to previous complaints about a few groups by making
them read-only. At which point the spammers shift to different
newsgroups. But this game of whack-a-mole is untenable and extremely slow.
While at Google I witnessed them take 18 months to halfheartedly and
ineffectively slow down, but not actually stop, spam originating from
calendar invites.
I experienced Google refusing to allow creation of new newsgroups for
something that had a long history and pattern of newsgroups. I was
ready to submit a change for the Windows 10 newsgroup to be created but
was told that my change would be rejected and to not bother. I asked
about the Firefox and Thunderbird newsgroups when Mozilla announced
discontinuation of their (outsourced) news servers and was told to not
even bother.
I wholeheartedly believe that Google /is/ the source of the spam that
appears to be from them and that they are not the victim of an attack.
> I'm sure that's why they seem to be changing up the subject, headers, from,
> injection information, etc. in those headers.
I think one of the reasons that there are so many different clusters of
similarities is because there are so many spammers each sending their
own type of spam.
A quote from a well known science fiction movie comes to mind, "You will
never find a more wretched hive of scum and villainy." Mos Eisley^W^W
Google.
> I'm almost certain (based on the modus operandi) that NONE of them are
> actually coming from Google servers but I saw below that you're sure they
> are, so I'd just ask how you know since almost everything in the header can
> be forged (as far as I know) except for the final path in the header.
I'd be very interested in how / why you are as certain that the messages
aren't originating from Google as I am that they are.
Please elaborate with a rebuttal to my comments above.
> Oh. Really? I didn't see this until now. I was pretty sure none was coming
> from Google simply because they'd put a stop to abuse pretty quickly you'd
> think. And this is clearly abuse.
Google wants you to think that they put a stop to spam quickly. But in
effect, they don't. (See above about well respected places to see
complaints.)
> Is there a way (that works) to _complain_ to Google about it?
> Maybe they care?
I'm not aware of anything that works.
> I understand belatedly that you believe that - but how can you tell?
> I can't tell.
Deduction / accumulation of many observations / experience working with
the beast that is Google.
> Sure the message-ID is an indication.
> And the newsreader. But that can be forged.
The Path: header is quite a bit more difficult to forge without being a
news peer.
I'm not aware of any (reputable) news server daemon / configuration that
allows someone to spoof the Path: header.
Sure, news servers can feed peers spoofed Path: headers. But it's quite
difficult to do the original spoof without a corroborating news server.
I strongly suspect that if there was a corroborating news server /
administrator that was the source of the articles, the multiple people
spending hours a day fighting this blight would have identified it and
de-peered them without filtering Google.
The vast majority of people want to not filter Google. The sad reality
is that just about everybody has some point that filtering Google seems
reasonable to them. It's simply a question of what that point is. --
There's a crude joke that finishes with "we've already established that,
now we're just negotiating price".
> About the only thing that can't be forged are sections of the path.
Exactly.
> But they can 'inject' stuff into the path that is meaningless.
As I indicated above, injecting something into the Path can only be done
by /news/ /servers/. It's not something that properly configured news
servers allow clients to do.
As such, the injection is not something that end users can do.
> So how do you know that it's really coming from Google servers?
> (I strongly suspect it is not for the reasons I already stated.)
Deja vu. ;-)
> We have to confirm if it's coming from Google because the solution then is
> at Google whereas if they're just spoofing Google, the solution is
> elsewhere.
I hope that I've elaborated why I'm convinced that the spam is
originating at Google.
But I think it's worse than just needing to talk to Google.
At this point I believe that Google is actually complicit in their
negligence to do anything about it.
N.B. I don't consider making specific groups read-only in a game of
whack-a-mole to be sufficient.
N.B. I consider that Google's action of making some groups read-only to
be tantamount to admission that said group was a source of spam.
> By now I see that you feel strongly it's coming from Google.
> But how do you know?
Deja vu.
> And more importantly, how does "de-peering" happen so that it stops?
There is actual de-peering wherein the news servers that are actually /
directly peered with Google turn off the connection with Google.
Then there is filtering like what some of us have done wherein we make
our down-stream servers simply refuse to accept any articles that come
from Google.
There are multiple ways to detect if an article comes from Google. The
best is to look for postnews.google.com and / or
google-groups.googlegroups.com in the Path. Some choose to filter based
on part of the Message-ID: header. Still others choose to filter based
on the From: email address.
I have configured cleanfeed on my news server to reject messages from
postnews.google.com and google-groups.googlegroups.com. As such, my
server is happy to have articles from @gmail.com email addresses. -- I
doubt that anyone will bother spoofing a Message-ID:. But I'm happy to
have @gmail.com users send email through non-Google news servers.
> I lived through DejaNews so I'm aware of what you say, and I certainly know
> a google search on the real google.com is different in functionality than a
> search on http://groups.google.com/g/<put.name.of.usenet.group.here> but at
> least DejaGoogle exists.
As time passes, more and more of the access to Usenet articles through
Google Groups is taken away.
I wanted to see if I could see the Path: for spam in Google Groups as it
would be remarkably short if the spam existed in Google Groups and was
originating in Google Groups. But, sadly, "Show original message" is
greyed out.
> I use it only for a lookup/search/reference engine, which it's very good at
> but I wouldn't even think of posting using Google Groups for all the
> reasons that nobody would be caught dead using AOL in the olden days.
In my not so humble opinion, AOL at its worst still has a better
reputation than Google currently does amongst news and email administrators.
If Google wasn't as big as they are, more admins would have blocked them
already.
It is only Google's size that causes admins to hesitate.
> OK. So you think it's coming from Google. And that means Google either
> doesn't know about it - or - Google isn't doing anything about it.
I very strongly believe that it's the latter; Google isn't doing
anything (effective) about it.
> Is there any way to "complain" to Google to figure out which it is?
I wasn't able to find anything effective while I was on the inside. In
fact, I was given -- let's go with -- the cold shoulder brush off and
actively discouraged to try to make things better.
> The PATH (read right to left of course) isn't meaningful when anyone clever
> can inject components into it.
But my understanding and working premise is that /not/ /just/ /anyone/
can spoof the Path: header.
> I don't know what portion of the path is inviolable though.
> Do you?
Both all of it for the average user and none of it for a news administrator.
My working understanding / premise is that news servers do not accept a
Path: header from end users. News servers only accept Path: headers
from other news servers. The news server appends its name / path to
the left side of the Path: header contents.
As such, the only way to get postnews.google.com and / or
google-groups.googlegroups.com into the path without actually passing
through it is for a news server, or someone with news peer level access.
As you can probably see from a number of newsgroups, the text-only news
server community is relatively small and cooperative as well as being
well motivated to stop the spam.
I remain convinced that if there was someone pretending to be Google
originating this spam, that the community would have an idea and would
be working to depeer them.
> Assuming they're injecting into the path, what part of the path in the
> previously listed spams do you think are actually real?
I have not seen any reason to doubt the Path: because of the special
nature of the Path: header.
Maybe I'm wrong. If I am, please correct / enlighten me. I'd like to
learn more.
But everything that I've experienced thus far either directly indicates
or supports that the spam is originating from Google Groups.
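
Added example, not part of the original post and not cleanfeed configuration: a Python sketch of the Path-based check described above, matching the two Google path identities named in the post as whole Path entries, so that a From: address at gmail.com posted through another server is still accepted. The sample headers, the example.* hosts and the choice to reject an article with no Path are assumptions made for illustration.

```python
import re
from email.parser import HeaderParser

# Path identities the post names as marking articles that passed through Google Groups.
BLOCKED = {"postnews.google.com", "google-groups.googlegroups.com"}

def path_identities(path_value):
    """Split a Path: body on '!' into lower-cased server identities.

    Empty entries (from the '!!' marker) and diagnostics that start with
    '.' (for example '.POSTED') are not server names and are dropped.
    """
    unfolded = re.sub(r"\s+", "", path_value)  # a long Path may be folded
    return [e.lower() for e in unfolded.split("!") if e and not e.startswith(".")]

def should_reject(raw_headers):
    """Return (reject, reason) for one article's header text."""
    path = HeaderParser().parsestr(raw_headers, headersonly=True).get("Path")
    if path is None:
        # Assumption of this example: an article without a Path is malformed.
        return True, "no Path header"
    hits = [i for i in path_identities(path) if i in BLOCKED]
    return (True, "Path contains " + hits[0]) if hits else (False, "accepted")

# Constructed sample headers (example.* hosts and addresses are made up).
SAMPLES = {
    "via-google": "Path: news.example.net!peer.example.org!postnews.google.com"
                  "!google-groups.googlegroups.com!not-for-mail\n"
                  "From: someone@gmail.com\n",
    "gmail-user-other-server": "Path: news.example.net!.POSTED.192.0.2.10!not-for-mail\n"
                               "From: someone@gmail.com\n",
    "lookalike-host": "Path: news.example.net!postnews.google.com.example.org!not-for-mail\n"
                      "From: user@example.org\n",
    "folded-mixed-case": "Path: news.example.net!peer.example.org!\n"
                         " PostNews.Google.COM!not-for-mail\n"
                         "From: user@example.org\n",
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, should_reject(headers))
```

Matching whole entries rather than substrings keeps a host such as postnews.google.com.example.org from being treated as Google, and unfolding plus lower-casing keeps a wrapped or mixed-case Path from slipping past the check.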