Understanding the Google Groups Spam Problem

Over the past year, I’ve noticed a significant increase in spam messages originating from Google Groups. The issue stems from the way Google Groups is designed: it gives spammers an easy way to distribute large volumes of unwanted mail through Google’s own, well-reputed mail servers, so IP- and sender-reputation-based filtering is of little help and the mail has to be caught on other signals.

Why it Happens

There are a few fundamental problems with how Google Groups works that make it particularly attractive to spammers:

  • No opt-in required: Spammers can freely add any email address to a Google Group without the recipient’s consent.

  • Unsubscribing is often impossible: Many spam groups are set to private, meaning that victims cannot even access the group page to unsubscribe.

  • Amplified spam through auto-responders: Some of these groups include automated mail systems (ticketing systems or vacation responders, for example). When such a system replies to the initial spam message, the reply is redistributed to all group members, multiplying the volume of unwanted mail.

The Challenge and Approach

While analyzing these messages, I discovered that several legitimate organizations also use Google Groups to distribute newsletters or announcements. That means simply blocking all mail coming from Google Groups would cause false positives and disrupt valid communication.

To handle this more effectively, I developed a solution that integrates directly with Rspamd, our spam filtering system:

  • Custom Lua plugin: Detects messages originating from Google Groups and assigns a custom symbol.

  • Composite rules: Use this symbol, combined with other spam indicators, to decide whether a message should be classified as spam.

This approach allows us to target the abusive patterns specifically, without penalizing legitimate use of Google Groups.

Technical Configuration

To tackle the Google Groups spam issue, I built a small custom Lua plugin for Rspamd that detects messages originating from Google Groups and assigns a custom symbol to them. Once tagged, we can use composite rules to decide whether a message should be treated as spam based on additional indicators.

Step 1: Create the Custom Lua Plugin

Start by creating a new file at /etc/rspamd/plugins.d/kits_header_google_group.lua (the directory Rspamd scans for user-supplied Lua plugins):

rspamd_config:register_symbol{
    name = "KITS_HEADER_GOOGLE_GROUP",
    score = 0.1,
    group = "headers",
    description = "Message contains X-Google-Group-Id header or List-Unsubscribe header with googlegroups",
    callback = function(task)
      -- Messages delivered through Google Groups carry X-Google-Group-Id;
      -- its mere presence is enough to tag the message.
      if task:get_header('X-Google-Group-Id') then
        return true
      end

      -- Fallback: a List-Unsubscribe header pointing at googlegroups.
      -- The value is lower-cased for a case-insensitive match and searched
      -- as a plain string (4th argument true) so no Lua pattern magic applies.
      local list_unsubscribe = task:get_header('List-Unsubscribe')
      if list_unsubscribe and string.find(list_unsubscribe:lower(), 'googlegroups', 1, true) then
        return true
      end

      -- Returning true inserts the symbol; false leaves the message untagged.
      return false
    end
}

This plugin checks for either of the following headers:

  • X-Google-Group-Id
  • List-Unsubscribe containing the string googlegroups

If either is present, the message is tagged with the symbol KITS_HEADER_GOOGLE_GROUP.

Step 2: Enable the Plugin

Next, register a module with the same name by creating an empty configuration file at /etc/rspamd/modules.d/kits_header_google_group.conf. Rspamd treats a Lua plugin that has no configuration section as “not configured” and skips it, so this empty section, whose name must match the plugin file’s basename, is what actually enables the plugin:

# Empty config to enable lua plugin
kits_header_google_group { }

At this point, every email that originates from a Google Group will be tagged with the symbol KITS_HEADER_GOOGLE_GROUP and given a score of 0.1. The score is deliberately tiny: the symbol on its own should never tip a verdict, it only serves as an input to the composite rules below.

Step 3: Create Composite Rules

The next step is to define composite rules that evaluate whether a tagged message is likely to be spam. Composites are configured by the composites module, so create the following entries in /etc/rspamd/override.d/composites.conf:

# Google Group origin with bulk or freemail origin
KITS_GOOGLE_GROUP_BAD {
  expression = "KITS_HEADER_GOOGLE_GROUP and (DCC_REJECT | FUZZY_BULK | FREEMAIL_FROM)";
  score = 8.0;
}

# Google Group origin with bulk and freemail origin
KITS_GOOGLE_GROUP_WORST {
  expression = "KITS_HEADER_GOOGLE_GROUP and DCC_REJECT and FUZZY_BULK and FREEMAIL_FROM";
  score = 20.0;
}

These rules assign a high score to messages that originate from a Google Group and also match established spam indicators: DCC_REJECT (DCC bulk detection), FUZZY_BULK (fuzzy-hash match against known bulk mail) and FREEMAIL_FROM (sender address at a freemail provider). A legitimate newsletter sent through Google Groups matches none of these and keeps its 0.1.

Two points are worth knowing before copying this. First, by default a matching composite removes the symbols referenced in its expression, together with their scores, from the result, so the composite score replaces those scores rather than adding to them (the composite policy option changes this behaviour). Second, every message that satisfies KITS_GOOGLE_GROUP_WORST also satisfies KITS_GOOGLE_GROUP_BAD, so such a message collects both scores.

The naming scheme, scores, and logic here are tailored to my environment. Always adjust the scoring and expressions to fit your setup, check the configuration with rspamadm configtest, and run a few saved messages (a legitimate group newsletter and a known spam sample) through rspamc symbols to confirm which symbols and composites fire before relying on the new scores.
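To see how the header check and the composites interact on real-looking input, here is an added Python model of the rule chain. It is example code written for this walkthrough, not part of the original post and not Rspamd code. It re-implements the header test from the Lua plugin and the two composites and runs them over constructed sample messages. DCC_REJECT, FUZZY_BULK and FREEMAIL_FROM are produced by other Rspamd modules in production, so here they are passed in as already-known symbols with assumed scores, and Rspamd's default behaviour of dropping the symbols a matching composite references is modelled.

```python
"""Offline model of the Google Groups rule chain: the header check from the
Lua plugin plus the two composites, run over constructed sample messages.
Added example, not Rspamd code."""
from email import message_from_string
from email.message import Message

# Base scores for the model. KITS_HEADER_GOOGLE_GROUP matches the plugin;
# the other three are assumed values chosen for this example only.
BASE_SCORES = {
    "KITS_HEADER_GOOGLE_GROUP": 0.1,
    "DCC_REJECT": 2.0,
    "FUZZY_BULK": 2.0,
    "FREEMAIL_FROM": 0.5,
}

SPAM_INDICATORS = {"DCC_REJECT", "FUZZY_BULK", "FREEMAIL_FROM"}
GROUP_AND_INDICATORS = {"KITS_HEADER_GOOGLE_GROUP"} | SPAM_INDICATORS

# Composites as (name, score, symbols referenced in the expression, condition).
# When a composite matches, the referenced symbols and their scores are dropped
# from the result (Rspamd's default policy), which score_message reproduces.
COMPOSITES = [
    ("KITS_GOOGLE_GROUP_BAD", 8.0, GROUP_AND_INDICATORS,
     lambda s: "KITS_HEADER_GOOGLE_GROUP" in s and bool(s & SPAM_INDICATORS)),
    ("KITS_GOOGLE_GROUP_WORST", 20.0, GROUP_AND_INDICATORS,
     lambda s: GROUP_AND_INDICATORS <= s),
]


def is_google_group(msg: Message) -> bool:
    """Same test as the Lua plugin: X-Google-Group-Id present, or any
    List-Unsubscribe header whose value contains 'googlegroups' (any case)."""
    if msg.get("X-Google-Group-Id") is not None:
        return True
    # get_all() also covers messages carrying several List-Unsubscribe headers.
    for value in msg.get_all("List-Unsubscribe", []):
        if "googlegroups" in str(value).lower():
            return True
    return False


def score_message(raw: str, external_symbols: set[str]) -> tuple[set[str], float]:
    """Return (symbols left in the final result, total score) for one message."""
    msg = message_from_string(raw)
    symbols = set(external_symbols)
    if is_google_group(msg):
        symbols.add("KITS_HEADER_GOOGLE_GROUP")

    matched, consumed = {}, set()
    for name, weight, members, condition in COMPOSITES:
        if condition(symbols):
            matched[name] = weight
            consumed |= members

    total = sum(BASE_SCORES[s] for s in symbols - consumed) + sum(matched.values())
    return (symbols - consumed) | set(matched), round(total, 2)


# Constructed sample messages (headers only; all values are made up).
LEGIT_ANNOUNCEMENT = """\
From: announce@example.org
To: me@example.net
X-Google-Group-Id: 000000000001
List-Unsubscribe: <mailto:announce+unsubscribe@example.org>
Subject: Monthly release notes

Hello,
"""

SPAM_VIA_GROUP = """\
From: winner2024@example-freemail.com
To: me@example.net
List-Unsubscribe: <mailto:bestdeals-42+unsubscribe@GoogleGroups.com>
Subject: You have been selected

Click here
"""

NOT_A_GROUP = """\
From: promo@example.com
To: me@example.net
List-Unsubscribe: <https://example.com/unsubscribe>
Subject: Sale

Sale
"""


def demo() -> dict[str, float]:
    """Score the samples under different sets of external indicators."""
    cases = {
        "legit group newsletter, no indicators": (LEGIT_ANNOUNCEMENT, set()),
        "group spam, bulk + freemail": (SPAM_VIA_GROUP, {"FUZZY_BULK", "FREEMAIL_FROM"}),
        "group spam, all three indicators": (SPAM_VIA_GROUP, SPAM_INDICATORS),
        "non-group mail with DCC_REJECT": (NOT_A_GROUP, {"DCC_REJECT"}),
    }
    results = {}
    for label, (raw, external) in cases.items():
        symbols, total = score_message(raw, external)
        results[label] = total
        print(f"{total:5.1f}  {label}: {sorted(symbols)}")
    return results


if __name__ == "__main__":
    demo()
```

The legitimate announcement ends at 0.1, the group spam with two indicators is replaced by KITS_GOOGLE_GROUP_BAD at 8.0, and the sample with all three indicators triggers both composites for 28.0, which is the additive effect noted above. The non-group message is untouched by the new rules and keeps only the DCC score. Note that the case-insensitive List-Unsubscribe match catches the mixed-case GoogleGroups.com address.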

Conclusion

After deploying this configuration, the amount of spam originating from Google Groups dropped noticeably. Legitimate messages from companies still passed through correctly, while unwanted group spam was effectively flagged or quarantined by Rspamd.

If you’re running a mail server, fighting spam is one of the more tedious and ongoing challenges. Thankfully, with Rspamd, we have some of the best and most flexible spam-fighting tools available.

Battling spam will always be a cat-and-mouse game, and I’m sure spammers will find new and clever ways to distribute unwanted mail sooner rather than later, but Rspamd will be here to help. I hope to share more useful posts in the future about keeping our mail systems clean with Rspamd.