Hacker News

Having worked in compliance engineering I have also reported through the IC3 portal, and spoken with lawyers and analysts who register with FinCEN (which, to be clear, is maybe just a step beyond "My Uncle works at Nintendo...") and I have heard that those reports do get reviewed and often acted on, but yes, you will typically never hear back from them. (FinCEN has its own reporting structure, but we also submitted certain reports through the IC3 portal as well.)

No, I did not identify myself as a lawyer. I just wrote the letter as a victim of a scammer using Google services to impersonate me.

But I was careful to use certified mail return receipt as google’s legal office knows that this can be used for documentation and proof if the case ever goes further.

In other words, having a paper trail is more likely to get acted upon.

That's a built-in thing; Visa, MasterCard, Amex all have updater services that ensure trusted merchants get the replacement card seamlessly. This leads to annoying edge cases like yours.

https://stripe.com/resources/more/what-is-a-card-account-upd...

You can sometimes ask your bank to issue a card and not ping the updater service, but tier one support tends… not to know about it at all.

You have to realize that once Google flips the bit on you and they think you are trying to scam them (or others via them) you are absolutely dead to them. They don't want to hear from you ever again. You're banned to hell. The fact that a billing system didn't get switched off isn't so surprising; the internal architecture of their systems is so complicated that it would take multiple human lifetimes to explain how it all works.

Switch to Mercury banking. https://mercury.com/

You can create as many virtual cards as you want. And surprisingly, I've rarely encountered a vendor that rejects them. I set one up for pretty much every recurring service charge, just because it's so easy to do.

It costs a few hundred a year for personal banking, but if you register an LLC (which in MO costs ~$10) you can use your EIN to get a business account. Did it a couple times, once for my non-profit and once for my consulting LLC.

Did you try to demand a charge-back every time?

Yes, they could easily spin up another gmail address.

The other part of the scam involved sending money to a bank account in Oregon with someone else's name attached to it. I notified the bank in a similar manner and hope they shut it down (not confirmed; my next step is to notify the Oregon banking regulator about the incident).

The hope is that once the bank account and gmail account are shut down the scammer will stop or move on. But I am concerned this could be a whack-a-mole problem that doesn't go away.

Motivation I guess

You can't send high volume through new accounts. Usually when a gmail account is being used for real spamming, it's an established one that's been taken over and the spammers are just discharging the accumulated reputation of the account.

They're not trying. I've seen an advertiser remain active for months with literally tens of thousands of ads where clicking them directly downloads a malicious exe file that most antivirus scanners flag.

Google makes loads of money through scam ads and fake/AI slop videos. Anyone trying to get in the way of that is putting Google's profits at risk, hence why they shut down legitimate accounts but scammers just run free.

Bot comments and uploads count in KPIs. Blocking/Removing bots = KPIs look worse.

DMARC isn't really that big of an issue to wrestle with, and I don't see how it gives anybody influence or power.

Most of the salespeople in any company are spammers.

Was going to say there’s a good reason lots of people use services like mailchimp now. You’re not sensibly managing it yourself with the current (very sensible) regulations in the US / EU, nor do you want to be sending from your own domain en masse.

I did some tiny digging because I remembered that there is a way to report individual messages in a structured machine readable way to abuse@ for these things --- i suspect that this is technically supported by gmail (if not given a lot of signal weight)

https://en.wikipedia.org/wiki/Abuse_Reporting_Format

How to bulk do this is interesting too. https://en.wikipedia.org/wiki/Feedback_loop_(email) says that gmail has a bulk format and that sendgrid is seeing some success.

Not defending just trying to see what a technical solution looks like

https://support.google.com/mail/contact/abuse

You can use this form

>They should at least be good citizen on the sending side, which it seems they're not. They are killing email.

Eh? They do tons in anti-bot detection. But the value in exploiting and using Google's service is extremely high so bot authors are increasingly getting creative. Google stops running Gmail and simply another service becomes a high value target.

At least Microsoft fixed their Azure abuse after 10 years of not giving a fuck. It used to be stupid fucking easy to setup a trial O365 tenant and spam the fucking internet through "onmicrosoft.com" domains. And they let that go for 10 years.

Spam reporting is pretty standardized? If your email client doesn't support it that's not Google's fault.

edit: I might be incorrect on this and was thinking about how unsubscribing is standardized instead.

How would it even be possible to name a service "Google helpdesk - password reset" or something like that, without being insta banned? Obvious fraud in the making, not getting recognized?

Thanks. It might still turn out to be this.

My thinking so far against was 1) after a few months I'm pretty sure I would hear about the real attack 2) Repeating too frequently. People aren't getting hacked all the time (I hope).

But who knows? Now I'm thinking that maybe some other step in the attack is failing and maybe the attackers just trigger the email bomb part pre-emptively in case they actually succeed in resetting the password/purchasing/whatever.

The headers actually contain an unsubscribe email address that actually works.

The format is something like googlegroups-manage+{groupName}[email protected]

Just send an email there and they stop coming (for that list).

Source: I was getting spam like this, a fellow victim did some tests and confirmed that it stopped the onslaught of messages.

There was a time before Google when various mailing lists of grumpy sysadmins in key institutions could decide the fate of a new mail sender, internet-wide. But yes that "internet community" is small fry now, and can only cut off their own noses if they don't like Google's mail policies.

Before Google, AOL were the previous big-beast mail host, and they did provide some tools to help diagnose why you couldn't get through to their users. It still felt like there was more of a balance of power towards the grumpy sysadmins.

You mean you receive unsigned email from a VPS in Google Cloud?

> In my experience, everyone got their act together except Google.

I remember a bunch of spam and fishing emails from weird Outlook addresses. Don't remember any from Google.

Why do you interpret that as everyone except Google getting their act together?

The obvious (and correct) explanation is deliverability. Spammers send from Google services because they can inbox, they don’t send from other services because those services will not inbox successfully.

Although they does have proper abuse policies and do take action against spammers. I don't get any spam from them (except perhaps the very occasional one), and I know businesses that use mailchimp and similar services for valid marketing (to previous customers). Just looking through my received mailbox, I see many legitimate emails from mailchimp.

I'm not denying that they are sometimes used by spammers, but they are definitely a legitimate operation that takes action against spammers if you report them.

ye olde corporate reply to all bomb .. no more emails this week everyone, we have used up our quota

Those would be internal so I'm not sure they'd even count against your quota.

Yeah, you are using the wrong tool if you send your newsletter from a gmail account at that scale. You can get away with a few tens of people, perhaps a few hundreds.

Above that threshold you should use tools like moosend, benchmarkemail, or similar. And they ask a pretty penny when you reach that scale.

You can’t send bulk newsletters from gmail/outlook.

I haven't seen that ooe lately. I currently get lots of Nortoon Lifelock invoices with hundreds of addresses in the to field.

I always report them with suggestions they teach their AI that invoices sent to large number of addresses are phishing.

we received several this week, so apparently not

Increasingly of the opinion that "free service with no support that's structurally essential for an economy" is some kind of trap. Possibly just the most comfortable kind of trap, a local optimum from which it's difficult to escape.

This is starting to become important as countries (very unwisely!) start tying things like national ID and banking to smartphones.

I don't know if it's that simple. As a litmus test, try to set up your own mail server. See how many milliseconds it takes for it to be blacklisted by gmail. And then observe the response time for their support, when you try to clear up the confusion that google has about your intentions.

It’s free, but it’s not like they’re running Gmail as a charity, either. It has revenue and contributes to their other businesses.

Google’s support for paying customers isn’t much better unless you’re spending well into the millions per year.

AWS, on the other hand has proven willing to move mountains for me as a $15/mo customer.

If it didn't provide value it wouldn't exist.

Maybe it's only legacy, but gmail brings customers to Google and their related services. Escalation then brings them on as paying Customers. As loss leader may make a loss if looked at in a bubble, but if looked at as part of the "Customer Lifecycle" then other areas of profit would likely be much smaller without the free gateway.

It takes me active resistance to avoid Google's paid services, and I'm staunchly independent in relatively rare air. The minor capitulation required to turn into a paying Customer would capture a good percentage of their erstwhile-free gmail users (I would think. Yes, conjecture, interested in explanations of alternative theories).

We might not be paying money, but we don't know what happens to our private data. Maybe it's not used at all, maybe used just internally, maybe could be even sold. Data of millions of users is very very valuable, even just thinking about how much targeted adverts could be placed with it.

> How much customer support resources should someone reasonably expect

Zero. OTOH, since I'm sure they are training on emails and archiving/profiling everything forever even if we delete messages.. those constant threats to become a paying customer before hitting some arbitrary small quota are still villainous

Enough that they're not facilitating abuse.

Gmail shows ads to make money so it is not loss making. Google Workspace charges money per user (and still offers abysmal support).

Gmail is profitable. How much harm should profitable services be allowed to perpetuate in the world to enable their profit?

A monopoly. It's hard for "everyone else" to develop a monopoly today, to suggest otherwise is a ridiculous assertion.

>How do they get money for free?

market power

>What is stopping everyone else from doing the same?

see above

Advertising and eyeballs, I'd assume

It would help if they provided literally any way for a squeaky wheel to squeak at them aside from squeaking at the employees with a modicum of dignity (if they still exist)

Based on how much zendesk spam there is i doubt it.

It most certainly does in the UK.