Cloudtastrophe

Screenshot of erroneous error message

A VIRUS spoofing my return email address has apparently been emailing many people. I know this because some of these viral email messages bounce back to my Gmail account as undeliverable. Mistaking these reports for actual messages sent by me, Gmail has decided I’m too active a user, and forbidden me to send any more mail today.

I’m a Google Apps user with a multi-gigabyte Gmail account and I’ve sent less than a dozen actual messages today because I am home sick with a cold. But Gmail doesn’t know that. And Gmail doesn’t care. Because Gmail isn’t real, not even in the David Sleight sense. It’s a set of equations programmed by fallible human beings, and it controls my life and yours.

There is no one to talk to at Google about my service problem because there is no there there. The services I pay for are delivered by robot magic in the cloud. When something goes wrong, it just goes wrong. There’s nobody to track down the virus’s origin and make it stop. There’s nobody to say, “This user hasn’t actually sent these messages.” (I keep marking the returned mails as “spam,” but Google hasn’t caught on, probably because customer service problems aren’t supposed to be reported by inference.)

My friend wears a shirt that says “The Cloud Is A Lie,” but that isn’t quite the truth. More like, the cloud is a customer service problem. One I just found myself on the wrong end of.

Google to customer: Go fuck yourself. In the cloud.

21 thoughts on “Cloudtastrophe”

  1. Hi,

    I would rather guess that either your PC or your password got hacked. AFAIK Google doesn’t count replies. So they really saw “you” sending too many. If you are paying for your apps account, there is a 7*24 hotline where you can call real people.

    Yours, Martin

  2. Gmail certainly doesn’t control my (email) life. For a reason, as you just found out the hard way. I am sorry for you.
    But if I recall correctly, you even run a hosting company, so use that to gain back control.

  3. The only customer service I’ve experienced from Google was that provided to “apps for business” clients. The sales number is 866-954-1565. I wonder if they can get you to a real person?
    (I’d love to hear of a satisfactory resolution to this soon, but kind of doubt it.)

  4. Do you have a SPF entry for your domain? This entry will make evident for all other e-mail servers that only Google Apps is responsible to handle the e-mails for your domain, making evident the flood of e-mails are bogus messages.

  5. You are not Google’s customer, you’re their product! The customers are the ad agencies.

  6. I had something similar happen to me. The culprit was something I thought was smart but it had unintended consequences.

    I added a catch-all email address under my Google Apps account as: *@example.com

    As far as I could work out, this was subverting the SPF protection for Google Apps. People could use any prefix/user for the domain as long as it wasn’t for an existing user.

    Since I removed it I have had no sign of spoofing from my domain.

    Also, just checked your domain and you might want to add a SPF record (to your DNS) for Google Apps as follows: “v=spf1 include:_spf.google.com ~all”

  7. Just a nerdy addendum to Alex’s SPF comment above. Your current TXT record for zeldman.com is:
    “v=spf1 ip4:216.243.171.0/24 mx ptr ?all”

    Which is entirely neutral due to the ‘?all’, so anyone can currently ‘Joe job’ you and your domain’s SPF record won’t actively refute it:
    http://en.wikipedia.org/wiki/Joe_job

    This might be why Google’s decided to penalise you, cold comfort as that is. Running email servers is a harsh, mean game, as I’m sure you know.

    It may be worth investigating and changing your SPF record to something like the following:
    “v=spf1 ip4:216.243.171.0/24 mx include:_spf.google.com ptr ~all”

    Or possibly just:
    “v=spf1 a mx include:_spf.google.com ~all”

    Adding the A record will mean that any mail sent from the corresponding A record in your DNS (e.g. if doing a ‘dig zeldman.com A’ matches the sending IP) will pass. As the ‘a’ option should cover the usual “PHP/other web app on your webserver sending mail” scenario, does the Happy Cog IP range need to be there? It shouldn’t hurt to leave the range in unless one of the other HC-hosted sites is compromised and the hacker decides to impersonate you, which is rather unlikely, but removing the remote possibility may be prudent if you’re paranoid. Or change it to ‘a/24’ to provide similar functionality.

    Removing the PTR might be a good idea as it’s to be avoided in SPF if possible, due to the large amount of expensive DNS queries it produces, and also because this site doesn’t currently have its own PTR ‘reverse DNS’ record (it resolves to private-075.happycoghosting.com. rather than http://www.zeldman.com.) so if your WordPress install sends email using PHP directly from your server it won’t pass the ‘ptr’ SPF option. I’d define things explicitly in the rules to the left and leave it out, anyway.

    Regardless of the above choices, the important thing to change is the ‘all’ part. I’d go with ‘~all’ which is a SoftFail. This means that anything that doesn’t pass your tests – is it in Happy Cog’s IP netblock? Is it an A record? Is it an MX record? Is it a Google mailserver? – it will cause a SoftFail result and get penalised in transit (usually it incurs a heavy negative spamassassin score, for instance). So anyone Joe jobbing you would get caught out here, rather than just being classed as neutral as they are currently. This is softer than a ‘-all’ hard Fail, which will cause any mailserver to reject it outright, so it won’t even arrive in the recipient’s spam folder.

    Anyway, if that’s not bored you to tears, there’s more on all the SPF details here:
    http://www.openspf.org/SPF_Record_Syntax#all

    (I haven’t done SPF in a while and it’s late, so apologies if there are any mistakes above.)
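The effect of the `all` qualifier described in the comment above, as an added example that is not part of the original comments: a small offline evaluator run over the two SPF records quoted on this page. The sender address 203.0.113.25 is a constructed documentation-range IP, and the DNS-based mechanisms (`a`, `mx`, `ptr`, `include`) are assumed not to match the spoofing host, so only `ip4`/`ip6` and `all` are evaluated.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
PAGE_CURRENT = "v=spf1 ip4:216.243.171.0/24 mx ptr ?all"     # quoted on the page
PAGE_PROPOSED = "v=spf1 a mx include:_spf.google.com ~all"   # quoted on the page
SPOOFER = "203.0.113.25"  # constructed: documentation range, not a real sender


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    tokens = record.strip().strip('"“”').split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok:
            continue  # modifiers (redirect=, exp=) are outside this sketch
        qual, body = (tok[0], tok[1:]) if tok[0] in QUALIFIERS else ("+", tok)
        name, _, arg = body.partition(":")
        terms.append((qual, name.partition("/")[0].lower(), arg))
    return terms


def check_sender(record, sender_ip):
    """Evaluate ip4/ip6/all only; DNS-based mechanisms are assumed not to match."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record has no "all" term


def lint(record):
    """Flag the two weaknesses the comment points out: ptr and a lax default."""
    terms, findings = parse_spf(record), []
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("ptr mechanism: costly DNS lookups, best avoided")
    default = [qual for qual, name, _ in terms if name == "all"]
    if not default or default[0] in ("?", "+"):
        findings.append("unlisted senders are not penalised")
    return findings


if __name__ == "__main__":
    for rec in (PAGE_CURRENT, PAGE_PROPOSED):
        print(rec, "->", check_sender(rec, SPOOFER), lint(rec))
```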

  8. Google screws people over all of the time. Someone stole my identity and profile picture and is spamming Google Groups with untrue information about me. I reported it to Google as the group owner lost control of his admin account because he didn’t renew his domain name in time and his email was tied to that and he lost his password and couldn’t reset it. I gave Google proof of who I was, driver’s license, birth certificate, etc. but they did nothing to stop the user or remove his posts. So he still spams Google Groups as me, and I get blamed for it.

    Do no evil? It is just marketing BS.

  9. First thing I would do is check your account activity for any suspicious use. I would really be surprised if Google was fooled by spoofed email addresses. My money’s on something actually using your account.

    If you don’t see any suspicious logins, I would start disconnecting legitimate devices (phone, laptop, etc) and see if the problem goes away.

  10. You’re an idiot. First you let your account get compromised and now you state lies that you have nobody to contact within Google. Idiots shouldn’t be allowed on the internet.

  11. You can actually get support through Google Apps as mentioned above. It’s quite amazing, I talked to them once, and then they said I would have to pay $5/month, per email, to talk to them more. Haven’t talked to them since haha

  12. You are not alone. I’m seeing a lot of the same bounce messages coming to my wife’s account.

    To all the people saying, “you got hacked”: What part of “…spoofing my return email…” do you not understand? This is not the same as the “send a poison link to every contact in the address book” hack.

    The bigger point is that the email system is hopelessly broken, and this is a textbook illustration of how/why it’s broken. There is no security for content, and there is no way to verify a return address as valid. These are only two examples of the brokenness.

    What is needed is a new protocol that mimics and improves on the Post Office: something that secures mail content end-to-end, something where a recipient knows FOR SURE who/what sent a message, and that discourages spam (perhaps thru a minimal postage fee… something that won’t affect casual day-to-day email users, but will make blasters think twice before they blast).

    Such a protocol may be best administered by a quasi-government agency, and I know one such agency that’s been hurt by the rise of email, but is fundamental in our communication infrastructure: The US Postal Service.

    An idea that’s been stewing in my head for a while, thanks for the venue to spew it out.

  13. We don’t need more government, thank you. The USPS needs to go away, FedEx and UPS can and do a better job at it. As for secure messages use a key, encrypted emails. If the key matches it came from you, if not no one will ever read it.
    On the side there are plenty of digits to reach Google at, call and ask for a transfer.

  14. I’m sorry that Google cannot keep retards from downloading viruses or using `mywifesname` as their password. No matter how good Chrome gets at pointing out a site is unsafe some idiot like you will still go to fakebook.com and enter their credentials. On top of that they’ll use that same email and password everywhere else on the web. Then after things go wrong they’ll get on their stupid blog and post about how Gmail “isn’t real” and keep saying shit about “the cloud” even though they have no idea how any of these things actually work.

Comments are closed.