Spammers are using Google Forms to send their messages and Google hasn’t addressed the problem despite many discussions about it.
If you are using Rspamd, Regex multimaps can help tackle the issue:
First add a new rule for blacklisting based on content:
# local.d/multimap.conf
CONTENT_BLACKLISTED {
type = "content";
filter = "oneline"; # can be headers, full, oneline, text, rawtext
map = "${LOCAL_CONFDIR}/custom/bad_content.map";
symbols = ["IS_GOOGLE_FORM"];
regexp = true;
}
Then add some regex rules. You could add new rules here in the future. Note that I’m using oneline as filter target, which pre-filters the text and contains “decoded and stripped text content (without HTML tags and newlines)”.
# custom/bad_content.map
/.*Create your own Google Form.*/ IS_GOOGLE_FORM
Last, let’s use this new IS_GOOGLE_FORM feature to assign a score
# local.d/composites.conf
GOOGLE_FORMS_SPAM {
expression = "FREEMAIL_FROM & IS_GOOGLE_FORM";
description = "Google Form sent via Gmail";
score = 6.0;
policy = "leave";
}
This would assign a score of 6 to emails containing the Google Forms footer and being sent from Gmail.
If you have legitiamte Google Forms users, you may want to further customize the last rule to avoid false positives.