-1

I keep getting e-mails to my Gmail account from made-up domains such as:

@mtixusu9shbyusyr6.org.uk
@mpqyriexqpvramtkn.org.uk

And so on... (Yes, I checked some of them and they are not actually registered.)

Please note that I already know the messy story behind e-mail and how it used to be possible to send e-mail which appears to come from anyone, but for the last "many years", I've had to jump through insane numbers of hoops and triple-verify both my registered, "aged" domain and myself in order to be allowed to send a single e-mail with any kind of service such as Mailgun.

Sending e-mails directly from my own server has not worked for eons; they just get "eaten" by some entity along the way and never reach the recipients (no, not even in the "spam folder").

Yes, there are countless very sketchy companies in India and Russia and China and whatnot, but no matter how shady they are, and no matter who they do business with, they still face the same problem as me: at the end of the day, they have to communicate with Google and the few other gigantic "western" mega corporations with extremely strict rules for receiving e-mails.

Yet, somehow, I keep getting these extremely spammy e-mails slipping through every single day. How is this possible?

They are horribly badly written, they are full of "emojis" in the subject line, they use completely faked "from" addresses, they do everything as horribly wrong as one can possibly imagine, and their "spam score" should be a trillion points or something... yet, somehow, Gmail's "AI" slips them through.

I'm baffled. I truly don't understand it.

Why are a bunch of stupid spammers able to send obvious garbage e-mails to me freely, but I have to sign my life away to send a single damn e-mail (and have it actually reach the recipient)? How is that possible? Why do they not even have to validate their domain? Why would such an e-mail ever enter any "folder" or mailbox in my Gmail account, rather than getting rejected at the very latest at Google's "e-mail mainframe" as "obviously broken trash"?

Are Mailgun and the whole industry lying to me? Is the jumping through burning hoops for verification and all this setting up just pointless busywork? Do e-mails just go through no matter what?

If these spammers are some sort of geniuses who can somehow bypass fundamental established technical rules, why are they sending such low-intelligence messages?

None of this makes any sense to me. Even if we assume that the vast majority (99% or more) of completely faked/broken spam messages do get stopped, how can some of them evidently slip through?

It seems like certain people are truly not playing by the same rules as me, and I don't mean just in terms of ruthlessness/evilness -- I mean they are literally, technically not required to adhere to the same rules as I.

I would love to hear a satisfying explanation for this, and not just "e-mail is broken, you can send e-mail from anyone by faking the from header, etc.", which has clearly not been true for many years, at least not for "most of us".

  • Maybe include some examples (headers likely of particular interest)? That said, I doubt they have a reliable system for sending these emails, I rather suspect they are just throwing all sorts of crap at the wall to see what sticks (or rather what happens to not yet trigger the right signals to be thrown away). Unlike a serious operator, they don't need reliable delivery, it just has to occasionally work for it to be worthwhile as it doesn't necessarily matter who gets the spam and there is negligible cost associated with their operation. – Håkan Lindqvist Oct 31 '20 at 01:54
  • (I.e., I feel like "doesn't work reliably and is therefore unusable for serious business" and "doesn't work at all" are probably being somewhat conflated in the question) – Håkan Lindqvist Oct 31 '20 at 01:59
  • Put in other words, I suspect they are more or less just [fuzzing](https://en.wikipedia.org/wiki/Fuzzing) the spam filters at this point. – Håkan Lindqvist Oct 31 '20 at 02:16

1 Answer

0

Unfortunately, there is no single solution to the e-mail SPAM problem. The fake accounts you mentioned use an IP address when sending an e-mail, and since no action has been taken by the company announcing this IP address, SPAM shipments continue over that IP address for a certain period of time. There are a lot of SPAM intelligence reports to IP service providers, but due to the economic dimension, the service providers cannot completely block the IP that does SPAM, because they sell each IP and service over IP. With the widespread use of cloud computing and fast purchase / creation options, someone from any country can create a virtual machine in a different country in minutes and spam. The vulnerabilities left by users who do not have information about the system also cause this situation. Many reasons like this still cause us to receive SPAM emails.

Email service providers like Mailgun want to verify you, because they do not want to endanger their own IP health and want to take measures in case of a possible constitutional violation. In this regard, Mailgun, SendGrid and MandrillApp request DKIM, DMARC, SPF and many more configuration settings.

The rules defined in mail gateways used by Gmail and other e-mail service providers are important. As I mentioned above, strict rule definition on IP does not block it first as it will affect the accessibility of the respective IP. Of course, I cannot say they do not prevent them all; as in the example you have encountered, there may be cases where they cannot. The healthiest e-mail sending / receiving operation takes place when you have an MTA configured on a dedicated server and an e-mail gateway that protects this system. Considering that billions of SPAM messages are sent daily to Gmail and counterpart mail providers and there are clean IPs, you may unfortunately come across such content.

As I mentioned, SPAM mails can still be sent, as there is no one-sided solution to the issue.

The following question can be asked. "Why don't they look at SPF records?"

SPF records are not yet used for all users. Many emails of real users will fall into SPAM when SPF records are required to be checked. I think e-mail users must be informed here and service providers must pay a penalty for every SPAM e-mail they issue. However, it can be prevented in this way, otherwise it takes a long time or no measures are taken, unfortunately, since there are no sanctions.

menderes
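Added example, not part of the answer above or of any provider's code: a small Python parser for the `Authentication-Results` header (RFC 8601) that a receiver stamps on a delivered message, which is where the headers asked for in the comments show what actually passed. It illustrates that SPF and DKIM can pass for the sending infrastructure's own domain while the visible From domain stays unauthenticated; the sample message, `bulk-sender.example`, the IP and the simplified alignment rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real capture. The From domain is one of the made-up
# domains quoted in the question; bulk-sender.example and the IP are placeholders.
SAMPLE = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@bulk-sender.example header.s=s1;
 spf=pass (domain of bounce@bulk-sender.example designates 203.0.113.7
 as permitted sender) smtp.mailfrom=bounce@bulk-sender.example;
 dmarc=none header.from=mtixusu9shbyusyr6.org.uk
From: "Prize Team" <win@mtixusu9shbyusyr6.org.uk>
Subject: You have won

Hello
"""

def parse_auth_results(value):
    """Parse an RFC 8601 header into {method: {"result": ..., prop: value}}."""
    value = re.sub(r"\([^()]*\)", " ", value)      # drop (comments)
    results = {}
    for part in value.split(";")[1:]:               # element 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results

def domain_of(identity):
    return identity.rpartition("@")[2].lower()

def aligned(auth_domain, from_domain):
    # Assumption: simplified relaxed alignment (same domain or a subdomain of it).
    return bool(auth_domain) and (auth_domain == from_domain
                                  or auth_domain.endswith("." + from_domain))

def explain(raw):
    msg = message_from_string(raw)
    ar = parse_auth_results(msg["Authentication-Results"])
    from_domain = domain_of(parseaddr(msg["From"])[1])
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_dom = domain_of(spf.get("smtp.mailfrom", ""))   # envelope sender, not From
    dkim_dom = domain_of(dkim.get("header.i", ""))
    ok = ((spf.get("result") == "pass" and aligned(spf_dom, from_domain)) or
          (dkim.get("result") == "pass" and aligned(dkim_dom, from_domain)))
    return {"from_domain": from_domain, "spf": spf.get("result"), "spf_domain": spf_dom,
            "dkim": dkim.get("result"), "dkim_domain": dkim_dom,
            "dmarc": ar.get("dmarc", {}).get("result"), "from_authenticated": ok}
```

Running `explain()` on the raw source of a received message ("Show original" in Gmail) shows which domain each check actually vouched for.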