I'm hoping someone in here knows someone at Google ;) I just received spam on an email address that does NOT have an associated Google account, relayed through mail-qk1-f197.google.com (209.85.222.197).

The email was sent through a Google Group and contains header "X-Google-Group-Id: 266929046196" and an unsubscribe link "https://groups.google.com/a/cat.streamingscommunity.beer/group/cxe/subscribe". However, that unsubscribe link is not accessible, even though the spam-spewing group still exists and is forwarding messages. Sending an email to "googlegroups-manage+266929046196+unsubscribe@googlegroups.com", I get an auto-reply from Google, thereby confirming my assessment that this is a valid Google Group.

The abuse link "https://groups.google.com/a/cat.streamingscommunity.beer/forum/#!forum/cxe/abuse" again doesn't work, because I don't have access to cat.streamingscommunity.beer because the recipient email does not have an associated Google account. But replying to the auto-reply got me an official confirmation from Google that I have been unsubscribed.

In short:
1. Spammer creates a private Google Group.
2. Spammer subscribes victims into that Google Group, and sadly Google allows that without any opt-in.
3. Spammer sends spam into Google Group.
4. Google will dutifully forward the spam to all victims through the official Google mail infrastructure and with valid SPF and DMARC, thereby all but assuring that the victims will, indeed, receive the spam messages into their INBOX.
5. Google prevents victims from unsubscribing through the website because the Group is private.
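
A mailbox-side triage check for the pattern in the steps above, added here as an example and not part of the original post: it flags mail carrying `X-Google-Group-Id`, records the Google relay and the SPF/DMARC verdict, and builds the e-mail unsubscribe address. The function name `triage`, the constructed sample message, and reusing the post's single unsubscribe address as a template for other group IDs are assumptions.

```python
import re
from email import message_from_string

# Constructed sample; the group id, relay host and IP are the ones quoted in
# the post, every other value (receiver, date, addresses) is made up.
SAMPLE = """\
Received: from mail-qk1-f197.google.com (mail-qk1-f197.google.com [209.85.222.197])
\tby mx.example.net with ESMTPS; Mon, 01 Jan 2024 00:00:00 +0000
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
X-Google-Group-Id: 266929046196
From: sender@example.org
To: victim@example.net
Subject: constructed sample

body
"""

GROUP_ID_RE = re.compile(r"^\d+$")
# Host token must end in .google.com; only Received lines stamped by your own
# MTA are trustworthy, anything below them is sender-supplied.
RELAY_RE = re.compile(r"from\s+(\S+\.google\.com)\s", re.I)


def triage(raw):
    """Return triage facts for a Google Groups relayed message, else None."""
    msg = message_from_string(raw)
    gid = (msg.get("X-Google-Group-Id") or "").strip()
    if not GROUP_ID_RE.match(gid):
        return None
    relays = [m.group(1).lower()
              for h in msg.get_all("Received", [])
              if (m := RELAY_RE.search(h))]
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return {
        "group_id": gid,
        "google_relays": relays,
        # A pass here authenticates Google's relay, not the recipient's consent.
        "auth_pass": all(f"{k}=pass" in auth for k in ("spf", "dmarc")),
        # Assumed template, taken from the one address shown in the post.
        "unsubscribe_to":
            f"googlegroups-manage+{gid}+unsubscribe@googlegroups.com",
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because SPF and DMARC pass for such mail, the group id header is the more useful field to filter or report on.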