前两天给 Chromium 交了一个简单的补丁，因为他们系统的限制，不得不用了一次 Gmail，然后没两天我的 Gmail 也中招了，被人用带点 . 和加号 + 的邮件地址订阅了大量新闻稿。

Gmail 官方的态度是不处理任何此类滥用行为，非常不粘锅，那只能自己来投诉了。

看了一下，目前为止收到的所有新闻稿都来自于 Salesforce.com (SFDC)，先给他们发一封邮件看看态度吧，顺便抄送了他们这个客户所使用域名的注册商。邮件原文下附，移除了提供给各相关方参考的邮件头。

Hi,

I never subscribe to any newsletter from Deadline (or any of its affinities, like Variety and Billboard), but suddenly they send hundreds of emails to me, utilizing dotted versions and plus addressing versions of my email address. Furthermore, many of my friends reported the same situation as me.

I think this is a malicious action, a DDoS-like attack, targeting Gmail.com users.

Per Anti-Spam Policy of SFDC:

> You should only receive commercial emails and text messages sent through the services that you have agreed to receive from SFDC Customers. SFDC Customers certify that all email addresses and phone numbers used in the services for Messages are opt-in contacts for people who have given permission to SFDC Customers to send them emails and/or text messages. As indicated above, SFDC does not allow any SFDC Customer to use the services to send unwanted text messages or commercial emails. If you do not recognize who sent you a message, you can report it to SFDC as spam by sending it (or, in the case of a non-email message, by sending an explanation) to abuse@salesforce.com. SFDC receives, investigates, catalogs, and takes appropriate action based on complaints SFDC receives.

However, it's unrealistic for me to unsubscribe from all these newsletters via the unsubscribe option appended, for the following reasons:

- I didn't agreed to receive any of these newsletters, it's unfair for me having to manually unsubscribe from them.
- The attacker utilizes dotted versions and plus addressing versions of my email address, meaning there're unlimited subscriptions waiting for me to unsubscribe, which is technically impossible.

So I'm emailing for the following appeals:

- Unsubscribe me, kexybiscuit@gmail.com, and any dotted versions and plus addressing versions of this email address, from all customers of SFDC.
- Provide an automated way to unsubscribe any dotted versions and plus addressing versions of one's email address from receiving future emails from any particular customer on SFDC.

Note that most part of this email, except my personal information, will be made public.

The header of the first email a customer of SFDC sent me is attached below for reference.

[REDACTED]

Best Regards,
Kexy Biscuit

From: Salesforce MC/PD Privacy & Abuse Management <abuse@abuse.salesforce.com>

Hello,

Thank you for your report.

We are investigating this sender, and will take the necessary actions to resolve this issue. Please note that due to privacy concerns, we cannot disclose details of the investigation or provide direct ongoing updates.

Again, thank you. Reports like yours help our team in our anti-abuse and anti-spam efforts.

Kind regards,

Salesforce Marketing Cloud Abuse & Compliance

来自于 SFMC 客户的新闻稿于北京时间 13 日早六时左右戛然而止，随后晚间七点至十一点收到了两封来自于 SFMC Abuse 的回信，目前未发现进一步的恶意行为，尚不确定是哪一方采取了行动，总之可能暂时没事了。

From: Salesforce Security <security@salesforce.com>

Hello,

Thank you for contacting the Salesforce Security team.

We have reviewed the information in the header and found that the email was sent by one of our customers.

We have strongly advised the customer to remove the reporter's email address from their subscriber list. In addition, we reminded them to include an Unsubscribe button in all emails going forward.

Regards,

Salesforce Security Team
security@salesforce.com