Google Mail Servers Enable Backscatter Spam

Mike Morris writes "Google email servers are responsible for a large volume of backscatter spam. No recipient validation is being performed for the domains googlegroups.com and blogger.com — possibly for other Google domains as well, but these two have been confirmed. (You can test this by sending an email to a bogus address in either of the domains; you'll quickly get a Google-generated bounce message.) Consequently spammers are able to launch dictionary attacks against these domains using forged envelope sender addresses. The owners of these forged addresses are then inundated with the bounce messages generated by the Google mail servers. The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction. Attempts at contacting them via abuse@google.com and postmaster@google.com have gone unanswered for quite some time. Only automated responses are received which say Google isn't doing anything wrong."

Translation

[conner_bw (120497)]

My mom's was getting a ton of spam and she kept calling me day and night, saying her computer was broken. I tried to resolve the problem by contacting Google but they ignored me. The only option left was to badmouth them on the front page of Slashdot so the bad PR would force them to fix her problem. MOM, YOU CAN STOP CALLING ME NOW OK!!!

Re:Translation

[by Anonymous Coward]

Don't worry. GoogleBackscatter is currently in Beta. When it goes into production backscatter will be even better!

*goes change his gmail password*

[aleph42 (1082389)]

*goes change his gmail password*

Seriously though, there's something else that bothers me about gmail (not the only one to do it): that apparently anyone can get your contact list if they have your address.

Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magicaly appeared on their page. Even if it is apparently a common practice, I find it very disturbing.

Re:*goes change his gmail password*

[by Anonymous Coward]

Did you have an active session with gmail going at the time? As in, you didn't click "log out"?

Mod Parent Up

[by Anonymous Coward]

This is *exactly* why I do my email separate from all other browsing. It's not even unique to Google, they're just the biggest target.

If you want to use email securely:
* Use 'clear private data' to wipe everything out.
* Visit your webmail site (copy any links you want to visit to a text file for later).
* Read/send email.
* Log out.
* Use 'clear private data' again.

Anything less risks having information stolen.

Re:Mod Parent Up

[techno-vampire (666512)]

If you want to use email securely:

Use POP3 for all your email. That way no website can ever get access to your contacts or personal data.

Re:Mod Parent Up

[netcrusher88 (743318)]

Warning: offtopic

IMAP and MAPI are two separate protocols. IMAP is a standard protocol used for semi-connected work on folders actually hosted on a server (it can work disconnected and sync up later), whereas MAPI is a Microsoft proprietary protocol that accomplishes approximately the same thing.

I tend to think that the name MAPI is a typical Microsoft attempt to get people to confuse (it worked, didn't it?) open, widely used standards and Microsoft proprietary crap. See also OOXML vs ODF (formerly OOXML, before Microsoft even dreamed of that acronym...)

MAPI != anti-IMAP

[stereoroid (234317)]

Actually, MAPI (Mail API) is the old Microsoft standard for mail-related communication between Windows applications. I remember using it in Windows 3, long before IMAP was widely adopted. It was later extended to MAPI/RPC for communication with Exchange servers. This is one case where anti-Microsoft paranoia isn't justified...

Re:*goes change his gmail password*

[conner_bw (120497)]

No, this has never happened to me.

Ever.

What kind of "music" site were you on?

The "russian" kind?

Re:*goes change his gmail password*

[aleph42 (1082389)]

What kind of "music" site were you on?
The "russian" kind?

No. I think it was on http://imeem.com/ [imeem.com] , or one of those webiste with mp3s of indy bands (amiestreet ?).

And I'm absolutely positive I didn't give them my gmail password.

Re:

[DarkAxi0m (928088)]

Facebook can do it too. As can several other social networking sites. Typically, you have to give permission to access your contacts.

I think you have to give them you gmail password, or hotmail or whatever as well as permission

Re:*goes change his gmail password*

[i.of.the.storm (907783)]

Yeah, Facebook actually asks for your gmail password, so do other sites. A bit shady, but I trust those sites not to store it because there'd be hell to pay if anyone found out otherwise.

Re:*goes change his gmail password*

[Inoshiro (71693)]

You are the most trusting person here, then. Already Google admitted to being in cahoots with the NSA/FBI/CIA (etc) in providing them with data on their Google web app usage. Facebook is just as bad with their beacon source, etc.

Seriously, I barely trust myself with my personal info -- why trust a complete stranger (or set of strangers) that are based out of a country where the gov't can just lean on a company to get private data?

The staff at Facebook don't give two shits about privacy, otherwise all those stupid "apps" which you add to your profile wouldn't be able to spider your friends or send them stupid form letters to encourage them to allow/add them (furthering the data-mining by the app writer). Try turning the privacy settings up by disabling everything when adding an app. It won't let you, because then the app "wouldn't work" correctly.

Re:*goes change his gmail password*

[jlarocco (851450)]

What? Some site asked for your email password, and you gave it to them? Shouldn't people reading Slashdot know better than this?

Re:*goes change his gmail password*

[dfay (75405)]

I had the same thing happen.

LinkedIn asks me if I want to "connect" to certain people that I know for sure my only contact with them has been through mail on my gmail account. LinkedIn *can* mine your gmail account for you if you provide your account info to them, but I certainly never used that feature, so it was a bit alarming to see all of my gmail contacts showing up.

Personally, I don't care if they are not the only ones to do it. They shouldn't be giving out our personal info. I did expect them to use my info to provide context-sensitive ads, but I did not expect them to share my info with other companies without my explicit permission.

Not to mention, if you and I both saw it on sites that ostensibly have no relationship with google, it's possible that anyone that can hook to their Soap API can get your contact list.

Re:*goes change his gmail password*

[by Anonymous Coward]

Strange things happen in the internet, The other day I was navigating in the internet and my wife was watching the screen, and when I was typing a url, a nasty porn site appeared as autocompleted, I swear I never visited the site. I'll show this google account problem to my wife, she might believe me now.

Re:*goes change his gmail password*

[stephanruby (542433)]

Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magicaly appeared on their page. Even if it is apparently a common practice, I find it very disturbing.

It may have appeared on their page, but it wasn't coming from their site -- it was coming from google. Both the list of your contacts, and the request for permission to send, was coming from google. It does NOT [google.com] mean the actual music site knew the email addresses of your contacts.

Here is an actual example of what I'm talking about. Log into http://www.google.com/calendar [google.com], stick this iframe in your web site, replace the left and right parenthesis with the right symbols, and see what happens.

(iframe src="http://www.google.com/calendar/embed?title=Slashdot%20Calendar&height=250&wkst=2&bgcolor=%23FFFFFF&ctz=America%2FLos_Angeles" style=" border:solid 1px #777 " width="300" height="250" frameborder="0" scrolling="no")(/iframe)

Assuming your calendar is marked private, having the private data from your calendar appearing within the iframe of your browser doesn't mean it's accessible by the web site hosting the iframe (nor does it mean it's accessible by the javascript outside that iframe either).

And google wonders why ...

[micheas (231635)]

They are getting tagged with the moniker "the new evil".

I wonder how much of this has to do with the Microsoft to Google employee migration bringing the corporate culture with the people?

Re:And google wonders why ...

[conner_bw (120497)]

Won't somebody please think of the driveways!

Re:

[Slotty (562298)]

Google lost the right to title of being the good guys when they went public. Their only loyalty is now owed to that of the shareholders. They seek out an improved shareprice as the primary goal. Anything less betrays the investors. Blaming the "evil" on migrating employees fails to take into account of the simple fact that the culture once linked with google can not exist as it once was because the wonderful $ has once again swooped in.

Re:And google wonders why ...

[dnoyeb (547705)]

Scapegoating the shareholders as an excuse for executive abuse is getting old.

Re:And google wonders why ...

[synx (29979)]

not to mention the class A/B shares - the company isn't actually answerable to shareholders!

Besides which, google had basically no choice but to go public - the SEC rule would have require them to file financial papers as if they were public - so why not get the benefit as well?

Re:And google wonders why ...

[gumbi west (610122)]

So let me get this straight, the share holders want google to allow backscatter spam?

1. allow backscatter spam
2. ???
3. profit!

Re:And google wonders why ...

[mingot (665080)]

Wow, only on slashdot does microsoft get the blame for google being evil.

just point it out to them more clearally.

[by Anonymous Coward]

forged from: abuse@[domain]
to: bogus@[domain]
You have issues.

If they have back scatter, they get it. If they don't have back scatter, they don't.

Re:just point it out to them more clearally.

[c6gunner (950153)]

forged from: abuse@[domain] to: bogus@[domain] You have issues. If they have back scatter, they get it. If they don't have back scatter, they don't.

Hah.

abuse@gmail.com has an auto-response. bogus@gmail.com has an auto-response.

I'm sending the e-mail right now. I wish I could see the "abuse" account's inbox in a few hours....

Proper?

[EdIII (1114411)]

The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction.

Ummm, how about the only behavior .

It never ceases to amaze me how some mail server administrators setup policies on their networks. If you are running a mail server you are THE POSTMASTER. If you don't know where it should go, or who it is supposed to be going to, how can you accept it?

Refusing email and stopping the transaction when you do not control the domain, service the domain, or even know the mailbox user is about as obvious a policy as not relaying for domains outside of your control.

If it is an honest mistake on the part of the sending server, acting as an agent for the user, then a simple message informing the sender that the account does not exist is a trivial matter.

To do anything else just amazes me.

Re:

[by Anonymous Coward]

Maybe they're concerned about bots using those responses as a means to harvest valid email addresses. If you send it for invalid ones, then I can assume that when you don't send it, it's a legit account.

Re:Proper?

[schon (31600)]

If you send it for invalid ones, then I can assume that when you don't send it, it's a legit account.

That's absurd logic.

got a tip for you:

spammers don't care if the addresses are valid or not

What you describe is called a 'rumplestiltskin' attack - it's well known, and nobody has ever suggested that the best way to counter it is to start spamming people with backscatter.

Re:Proper?

[nametaken (610866)]

Actually both are crap.

Unfortunately there are no good ways to handle it, that I know of. They all allow for harvesting or backscatter. The only way to avoid both would be to accept everything and never respond. But then every blackholed email is potentially a genuine error for which there is no indication.

Re:Proper?

[EdIII (1114411)]

Actually that's how they're doing it.

I am not sure what "it" refers to. We are talking about two different things here, which is what occurs inside a SMTP transaction and what occurs outside of it.

Inside these SMTP transactions nothing is occurring that is facilitating the delivery of SPAM directly. Just the harvesting of good addresses for those domains. Afterwards, they can use the good addresses to send SPAM directly to those mail boxes.

What is stupid here, and I use that word deliberately, is Google's apparent policies. Regardless of any other considerations, you should not be sending bounce messages to FROM headers. Any action taken should occur within the SMTP transaction with 5xx or 2xx codes. Doing so is, for lack of a better word, just plain STUPID. When those FROM headers contain users within your own domains makes it just that much more retarded. Why would you be sending a bounce message to your own user from activity that did not originate within your own systems? Last time I checked you would not be doing so.

Any messages that came from your own users would be through authenticated SMTP transactions and any recipient errors would have bounce messages routed locally back to the sender. You don't even need the FROM header if it is in an authenticated session from your own user. You already knew which user it was from the authentication process. If you have SMTP transactions, that are not authenticated in most cases, coming from systems outside of your direct control, then it can't be from your users and therefore you should not be sending messages to them.

As for the SMTP transactions themselves being used for harvesting there are other methods to deal with that. You don't need to bug the crap out of your own users doing it either.

If I have a SMTP transaction attempt delivery to an unknown address outside of my domains (relaying), I explicitly add them to the block lists for 60 minutes. Sending mail servers should be using the domain in the TO header to obtain MX records of my mail server. For my mail server to get a message for domains that I don't control is a huge red flag. If it is to an unknown address within my domains I block them for 20 minutes, but only after 3 such transactions within 10 minutes. That will allow any honest typos from stopping service from valid mail servers.

When you get a ton of these SMTP transactions in a row maybe, just maybe now, you should be adding that IP address to a dynamic suppression system for longer periods of time, like say weeks. Here is the kicker too, if these SMTP transactions came from a Zombie machine then you are not even interfering with that person's ability to send mail since they will be doing through a web based email system such as Google or an email client that will send their email (through an authenticated session) to a real mail server that will then send it out.

There is a LOT more to this, but I can tell you that Google is doing it in about the stupidest way possible right now. That's just my opinion, but I do operate several mail servers right now and I can't see anything smart about these policies.

In beta

[SkullOne (150150)]

Didn't anyone notice that Gmail is still in beta?

FWIW, I use Google Apps to host my e-mail, and I have found Google to have horrible support.
Instead of fixing the problem, they'll just point you to a loosely moderated Google Groups newsgroup for Google apps, and you'll rarely receive a response, let alone a workable fix for an issue.

Do no evil? Or do nothing at all?

Not Gmail.

[SanityInAnarchy (655584)]

I tested this on Google Apps for my (company's) domain.

Turns out that yes, they will drop it on the floor if you give them an invalid address. It's probably not gmail.com, and definitely not yourdomain.com -- but rather, blogger.com and googlegroups.com -- which seem to be accepting mail and bouncing, rather than rejecting via SMTP.

A quick demonstration:

david@biostar:~$ host -t MX scribestorm.com
scribestorm.com mail is handled by 0 ASPMX.L.GOOGLE.com.
david@biostar:~$ nc -vv aspmx.l.google.com 25
DNS fwd/rev mismatch: aspmx.l.google.com != qb-in-f27.google.com
aspmx.l.google.com [72.14.205.27] 25 (smtp) open
220 mx.google.com ESMTP z21si10855881qbc.21
helo slashdot.org
250 mx.google.com at your service
mail from: anonymous_coward@slashdot.org
555 5.5.2 Syntax error. z21si10855881qbc.21
mail from: <anonymous_coward@slashdot.org>
250 2.1.0 OK
rcpt to: <bogus@scribestorm.com>
550-5.1.1 This Gmail user does not exist. Please try double-checking
550-5.1.1 the recipient's email address for typos or unnecessary spaces.
550-5.1.1 Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 z21si10855881qbc.21
rcpt to: <david.masover@scribestorm.com>
250 2.1.5 OK
quit
221 2.0.0 mx.google.com closing connection z21si10855881qbc.21
sent 181, rcvd 518
david@biostar:~$

As you can see, it not only dropped my message on the floor, it also demanded brackets around the address -- something Postfix and Exim do for me, and I think even Qmail tolerated addresses without brackets.

I imagine it works pretty much the same way for gmail.com, so if you're going to take advantage of the bouncing to have Google DoS Google, keep that in mind. Send mail from bogus_01234@blogger.com to alsobogus_56789@googlegroups.com. (I think adding a GUID to it would be a nice touch, thus guaranteeing that it will never match an actual address.)

Inaccurate title/summary

[Schraegstrichpunkt (931443)]

Sending to example12345@googlegroups.com, I get this (my email address replaced with name@example.com):

Hello name@example.com,

We're writing to let you know that the group that you tried to contact (example12345) doesn't exist. There are a few possible reasons why this happened:

* You might have spelled or formatted the group name incorrectly.
* The owner of the group removed this group, so there's nobody there to contact.

If you have questions about this or any other group, please visit the Google Groups Help Center at http://groups.google.com/support [google.com].

Thanks, and we hope you'll continue to enjoy Google Groups.

The Google Groups Team

In other words, while this causes backscatter, this is not an avenue for "backscatter spam", since Google isn't delivering the contents of arbitrary messages to arbitrary users.

It sounds like the submitter wants to blow this out of proportion by equating general backscatter (which nearly all mailing list managers on the Internet generate with their "confirmation" messages) with backscatter spam.

Re:Inaccurate title/summary

[ceejayoz (567949)]

*checks*

Hey, look. It's a kdawson article!

Re:Inaccurate title/summary

[ikkonoishi (674762)]

Just because some spam is advertising does not mean that all spam is advertising. The point here would be to fill someone's inbox with bogus messages.

Re:Inaccurate title/summary

[NMerriam (15122)]

You're being either overly literal, or trying to create a distinction where there isn't much of one.

No, the responses don't contain an original message, nor are they commercial or anything like that, but the spammy thing about this form of backscatter is about the VOLUME and indiscriminate nature of the mail, not the content.

This isn't being blown out of proportion at all. It's nothing like a mailing list sending a confirmation. No spammer is going to send a million messages with different forged addresses to a single email address (the subscribe address) -- that defeats the whole purpose of spamming, which is to contact DIFFERENT addresses!

What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google. THAT is backscatter spam -- thousands of useless messages sent to forged addresses on your domain, regardless of content. And no mail server in 2008, much less one run by a major tech company, should make that possible.

MOD PARENT UP

[martin-boundary (547041)]

The google fanboys are wrong on this one.

Re:

[FliesLikeABrick (943848)]

There are a few important differences

1) mailing list confirmations can't be used by spammers to identify existing or non-existing e-mail addresses
2) spammers, unlike your test, will use spoofed From: headers, making the mail you got be bounced back to someone who wasn't involved in the first place
3) yes, right now (1) isn't true for Google either, since they accept all mail, but that is indeed the problem right now, and there are stupid spammers out there who will blast thousands upon thousands of e-mails o

A suggestion for Gmail spam-fighting

[shanen (462549)]

Basically Gmail is losing value for all of us as it becomes spam
soaked. Even their filtering is having troubles with false positives
and false negatives--and the spam is just increasing. Therefore I
think Google should act more aggressively to drive the spammers away
from Gmail.

My latest anti-spam idea is a SuperReport option. (Kind of like
SpamCop, but not so lazy.) If you click on the SuperReport option,
Gmail would explode the spam and try to analyze it for you to help go
after the spammers more aggressively. Here is one approach to
implementing it:

The first pass analysis would be a low-cost quickie that would also
act like a kind of CAPTCHA. This would just be an automated pass
looking for obvious patterns like email addresses and URLs. The email
would then be exploded and shown to the person making the report (=
the targeted recipient of the spam AKA victim). The thoughtful
responses for the second pass would guide the system in going after
the spammers--making Gmail a *VERY* hostile environment for spammers
to the point that they would stop spamming Gmail.

For example, if the first pass analysis finds an email address in the
header, the exploded options might be "Obvious fake, ignore",
"Plausible fake used to improve delivery", "Apparently valid drop
address for replies", "Possible Joe job", and "Other". (Of course
there should be pop-up explanations for help, which would be easy if
it's done as a radio button. Also, Google always needs to allow for
"Other" because the spammers are so damn innovative. In the "Other"
case, the second pass should call for an explanation of why it is
"Other".)

If the first pass analysis finds a URL, the exploded options should be
things like "Drugs", "Stock scam", "Software piracy", "Loan scam",
"419 scam", "Prostitution", "Fake merchandise", "Reputation theft",
"Possible Joe job", and "Other". I think URLs should include a second
radio button for "Registered Domain" (default), "Redirection",
"Possible redirection", "Dynamic DNS routing", and "Other". (Or
perhaps that would be another second-pass option?)

If the first pass finds an email address in the body, the exploded
options should include things like "Fake opt-out for address
harvester", "419 reply path", "Joe job", and "Other".

At the bottom of the expanded first pass analysis there should be some
general options about the kind of spam and suggested countermeasures,
and the submit SuperReport button. This would trigger the heavier
second pass where Gmail's system would take these detailed results of
the human analysis of the spam and use them to really go after the
spammers in a more serious way. Some of the second pass stuff should
come back to the person who received the spam for confirmation of the
suggested countermeasures.

Going beyond that? I think Gmail should also rate the spam reporters
on their spam-fighting skills, and figure out how smart they are when
they are analyzing the spam. I want to earn a "Spam Fighter First
Class" merit badge!

If you agree with these ideas--or have better ones, I suggest you try
to call them to Google's attention. Google still seems to be an
innovative and responsive company--and they claim they want to fight
evil, too. More so if many people write to them? (I even think they
recently implemented one of my suggestions to improve the Groups...
However, it doesn't matter who gets credit--what matters is destroying
the spammers.)

Re:

[danpat (119101)]

Ever seen this list?

http://craphound.com/spamsolutions.txt [craphound.com]

Please tick the appropriate boxes....

Re:

[shanen (462549)]

Quite familiar with it, and it doesn't really apply to this suggestion, though I could shoehorn it into several categories. The form is broad enough that it will absorb anything, including your lunch. If you think it does apply without the big shoehorn, then please say why.

That form was a funny joke the first few times it was used. Since thing it has simply become a generic excuse for "No, we cannot."

Actually, I don't think there is any way to truly address the spam problem without dealing with the TANSTAAF

Re:

[calebt3 (1098475)]

Your post advocates a

( ) technical ( ) legislative ( ) market-based (*) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the mone

Re:

[shanen (462549)]

I guess that's the thing that most amazes me about the spam problem... Many of the big-time spammers are clearly large-scale criminals advertising their criminal wares, and apparently we are unable to do anything about it?

Just this week they apparently discovered a botnet larger than Storm. (http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/) The report says that the botnet was spewing out vast quantities of spam for the usual quasi-legal scams. So how the heck could they miss it? Possible answer

250 Accepted

[by Anonymous Coward]

Yes, mail to an unknown recipient should be rejected with a 550 code during the initial SMTP dialogue. But not only that - lots of people believe that *any* message you don't intend to deliver should be rejected during the SMTP dialogue. The current fashion is to say "250 OK" and then silently delete the message later, which is wrong.

I hate to toot my own horn here, but I wrote tarmail [ablative.org] with this express purpose in mind (among others). GPLed and everything. Messages that you won't accept get rejected during the SMTP dialogue.

If you don't like my MTA, then please feel free to mod this down so that others won't be needlessly bothered. But I really to believe that Tarmail is the right answer to this specific problem. Thank you for your time.

Re:

[flyingfsck (986395)]

Neat. It is a pity I wasn't aware of your project earlier. It seems that it will make a straight and simple mail filter to place in front of an existing crappy insecure mail system like Exchange.

Re:250 Accepted

[prockcore (543967)]

The current fashion is to say "250 OK" and then silently delete the message later, which is wrong.

Since SMTP is defective by design, this is an acceptable response. Doing anything else allows spammers to confirm valid accounts using dictionary attacks.

Re:250 Accepted

[fortunato (106228)]

Yes actually I have. Postfix is extremely easy to set up with SpamAssassin. It requires cutting and pasting two configuration lines if you can't understand the manual and can do a google search. I suppose you could make the pedantic argument that it's twice as hard as tarmail since tarmail requires one line.

In fact setting up ClamAV and SpamAssassin alone is orders of magnitude more complex.

I might argue that if you have a hard time understanding the postfix manual you have no business running a mail server.

In any case, I wasn't trying to compare, just trying to understand why it was worth the effort of yet another SMTP server.

Google Groups must DIE

[Greg_D (138979)]

Google is one of the biggest culprits in the utter destruction of the highest traffic Usenet discussion newsgroups. The volume of spam that comes from those servers is ridiculous, not to mention all the former AOL idiots that were the scourge of the groups.

It is not that easy....

[gweihir (88907)]

There are three possibilities for email to non-existent addresses: Silent drop, initial bounce and delayed notification. All have problems.

If the sender address is legitimate, but a relay is in the transmission chain, you have only bad choices: Silent drop may cause problems for legitimate emails. Initial bounce causes the observed problem, once removed and with real-time characteristics. The observed delayed notification behavior at least has the advantage that you can control the rate these messages are outgoing. A good strategy would be to intitially send one of these and then accumulate these per sender messages over, say 24h and send only one further notification per day. Incidentially, this strategy is something known to most people that ever implemented automatic notification emails on system failures...

I think there is just no good way to deal with this issuse, as long as open, badly configures relays are around. It is also quite possible that the gmail designers never anticipated this and not are not readily able to respont in an adequate fashion (see the 24h accumulation, e.g.). That would possibly indicate a lack of competent security people involved in the design process. As these people are scarce everywhere, Google will also likely not have enough of them.

On my own mailservers (small), I use silend drop for relay requests (which is definitely a good idea) and "drop into spambox" for unknown destinations. I look over these occasionally, and I have found legitimate email in there.

I do agree that initial bounce sounds like the right strategy, but unfortunately it does have serious problems.