Hi Stefano, Replies inline.
On Wed, 2017-06-14 at 19:24 +0200, Stefano Bagnara wrote:

> I have a good understanding about what is spoofing and what is DMARC
> alignment (I also developed Java implementations of SPF and DKIM and an
> SMTP server, just to let you know I know the whys and whats of spoofing).

While you are entitled to have a personal definition of spoofing, mailbox providers and filter appliance vendors in general consider senders who make the From address the same as the To address to be engaged in spoofing. The From address not being an accurate representation of the sender is good enough for most.

> My question is WHY Gmail alerts me when From and To are equal and
> received from an external server but at the same time doesn't care to
> alert me if the From is another Gmail address or if the To doesn't
> contain my address (because I was in CCN). Spoof emails usually try to
> make you believe the sender is a friend/customer/coworker/supplier, not
> yourself: that's why this message surprised me (Google preferred to deal
> with a minor use case before the bigger use case).

As Laura already pointed out - this is a common spammer tactic. Some of it relates to how threaded messages (conversations in Gmail's parlance) are displayed but trust me, it's not a fringe use case to alert a user to this. Platforms other than just Gmail identify and filter this condition also.

[..snip...]

> You know, there are a lot of WRONG/BAD/LEGACY "web forms" that will send
> you a notification using your email in From and To: this is of course
> wrong and it won't work when the domain is protected through DMARC, but
> in this case gmail.com is not protected by DMARC and if it was a DMARC
> evaluation it should trigger also for different Gmail senders; instead
> they decided to trigger only this specific case.

The owners of those legacy forms that spoof the From address have deliverability problems even with domains that don't have DMARC. It's not an acceptable practice any more and most providers / vendors filter accordingly.

[...snip...]

> PS: maybe this list is used to "complaints" and "how to get a contact at
> a given provider", so I don't know if this generic discussion about
> Google's approach to user spam/spoofing warnings is an
> interesting/appropriate topic.

It's a very easy-going list with lots of knowledgeable people. If you ask a specific question here, you'll probably get a very qualified answer.

Ken.

-- 
Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w: www.wemonitoremail.com

Need to understand deliverability? Now there's a book: www.wemonitoremail.com/book

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
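The condition the thread is arguing about (From address equal to a visible recipient, message arriving from outside the provider's own mail system) is easy to express as a receive-side check. The following is an added illustration written for this page, not Gmail's logic and not code from anyone on the list. It approximates "received from an external server" as "no SPF or DKIM pass aligned with the From domain" in the receiver's own `Authentication-Results` header (RFC 8601 syntax); the domain `example.com`, the `mx.example.com` authserv-id and all three messages are constructed sample data. A message that is self-addressed but carries aligned authentication is left alone, which is the legitimate "note to self" case, while a message whose From is another address at the same provider is not flagged by this rule at all, matching the behaviour Stefano describes.

```python
"""Self-addressed-external-mail heuristic (illustrative, constructed data)."""
import re
from email import message_from_string
from email.utils import getaddresses

# Clauses such as "dkim=pass header.d=example.com" or "spf=pass smtp.mailfrom=example.com".
_PASS_RE = re.compile(r"\b(dkim|spf)=pass\b([^;]*)", re.IGNORECASE)
_DOMAIN_RE = re.compile(r"(?:header\.d|smtp\.mailfrom)=([^\s;]+)", re.IGNORECASE)


def addresses(msg, header):
    """Lower-cased addresses from every instance of a header (From, To, Cc)."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def aligned_pass(msg, from_domain):
    """True if any Authentication-Results clause reports dkim=pass or spf=pass
    for a domain identical to the From domain (strict DMARC-style alignment)."""
    for ar in msg.get_all("Authentication-Results", []):
        for clause in _PASS_RE.finditer(ar):
            for ident in _DOMAIN_RE.findall(clause.group(2)):
                # smtp.mailfrom may carry a full address; keep only the domain part.
                if ident.split("@")[-1].lower() == from_domain:
                    return True
    return False


def assess(raw):
    """Return {'flag': bool, 'reason': str} for one RFC 5322 message."""
    msg = message_from_string(raw)
    froms = addresses(msg, "From")
    if len(froms) != 1:
        return {"flag": True, "reason": "From header must carry exactly one address"}
    sender = next(iter(froms))
    from_domain = sender.rsplit("@", 1)[-1]
    # Bcc is never visible to the receiver, so only From-in-To/Cc counts as self-addressed.
    if sender not in addresses(msg, "To") | addresses(msg, "Cc"):
        return {"flag": False, "reason": "From address is not among visible recipients"}
    if aligned_pass(msg, from_domain):
        return {"flag": False, "reason": "self-addressed but authenticated for the From domain"}
    return {"flag": True, "reason": "self-addressed without aligned SPF/DKIM pass (external origin)"}


# Constructed samples: a legacy web form injecting the user's own address, a
# genuine note-to-self sent through the provider, and a different local sender.
SAMPLE_EXTERNAL = """\
From: alice@example.com
To: alice@example.com
Subject: Your form submission
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=forms.example.net; dkim=none

(constructed body)
"""

SAMPLE_AUTHENTICATED = """\
From: alice@example.com
To: alice@example.com
Subject: Note to self
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com

(constructed body)
"""

SAMPLE_OTHER_SENDER = """\
From: bob@example.com
To: alice@example.com
Subject: Hi
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net

(constructed body)
"""

if __name__ == "__main__":
    for name, raw in [("external", SAMPLE_EXTERNAL),
                      ("authenticated", SAMPLE_AUTHENTICATED),
                      ("other sender", SAMPLE_OTHER_SENDER)]:
        print(f"{name:14s} -> {assess(raw)}")
```

The alignment check deliberately uses strict (exact-domain) matching; a receiver applying relaxed alignment would also accept an organisational-domain match, which is a policy choice rather than part of the heuristic itself.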