If you use the SMTP relay service to send email through Google servers, you might get an email alert if we detect large amounts of spam coming from any of your registered G Suite user accounts, non-registered user accounts, or both. Non-registered user accounts either belong to your domain, or your domain name was presented in the HELO argument during SMTP relay.
After 24 hours, if a registered G Suite user account is still sending spam, the account is suspended. You'll receive a second alert letting you know about the suspension. You can restore an account after the issue is resolved.
You’ll also receive a second alert if any non-registered G-Suite user accounts are still sending spam after 24 hours. We recommend that you suspend these accounts until you determine the source of the spam and resolve the issue.
Why are my accounts sending relay spam?
Sometimes, user devices get infected with malware and send large amounts of spam. Devices configured as open relays can also be the cause of high spam volume. Find out more by investigating the source of the spam.
How can relay spam harm your legitimate mail?
Large amounts of spam can can damage the reputation of your domain, causing legitimate emails to get sent to the spam folder of the recipient or rejected. It can also cause you to hit your relay rate limits, resulting in delayed or failed mail delivery.
Why does Google suspend user accounts?
To help protect your domain reputation and keep your mail flow healthy, Google suspends accounts that continue to send large volumes of relay spam. Messages are still delivered to suspended accounts, but the user can’t sign in or send messages.
How do I identify and fix spam problems?
Review the sending patterns of the accounts listed in the alert email.
Understand user sending patterns
Use Email Log Search to see the quantity and types of messages relayed by the user. Put the relay IP in the Sender IP search field to search by the combination of sender and relay IP.
If you use Gmail for bulk sending, review the sending guidelines.
Investigate user devices
Investigate user devices based on the IPs listed in the Originating Device IP column.
The notification lists up to 10 of the IPs most recently used by the sender. If multiple IPs are listed, check device logs to determine which may be responsible for the high volume of spam, and scan it for potential viruses.
If the Originating IP is a private IP address, it's likely the internal address for a device on your network.