> On Jun 14, 2017, at 1:55 PM, Stefano Bagnara <mai...@bago.org> wrote:
> 
> On 14 June 2017 at 22:28, Laura Atkins <la...@wordtothewise.com> wrote:
>> On Jun 14, 2017, at 12:52 PM, Stefano Bagnara <mai...@bago.org> wrote:
>> 
>> BTW please note that the message is "sent from your account." not "by <email 
>> address>", so a very specific case.
> 
> Interesting. When I did it (to myself, from myself from this SMTP server) the 
> message was exactly what I copied and pasted above.
> 
> Very interesting! Did you test a gmail.com address or a GSuite address?
> What is your SPF DKIM result for that message?

SPF softfail. It went to/from the gmail.com address I use 
for a small number of things, including ad hoc testing for some clients. But 
because it went out of my mail client, it used the 5322.From as the 5321.From. 
It also wasn’t DKIM signed because it wasn’t a domain we have set up to sign. 

> I found "my" version of the message in at least 5 gmail inboxes I've tested 
> and I've never seen the message you say.

I think that’s a clear indicator that these messages are attempting to convey 
different information. 

> Maybe they are still in the middle of deploying updates (I'll retest 
> tomorrow!).

No. Your test and my test were different. So they were handled differently. 

>> I would have been less surprised if they showed this message for EVERY dmarc 
>> failing message (not for that specific use case).
> 
> It’s not a DMARC failure, though. It has nothing to do with DMARC. They just 
> recorded the DMARC failure in the headers because they record DMARC status of 
> EVERY message going into Gmail. 
> 
> Are you sure? If I'm not wrong, technically DMARC failed for that message. It 
> is just that the gmail.com DMARC record exposes a p=none, so the gmail domain 
> doesn't ask to reject or quarantine the message when DMARC fails. If it was 
> p=reject the message would have been rejected.

What I’m saying is: the message isn’t getting that label because DMARC failed. 
The message is getting that label because the 5322.From and the To: address are 
identical @gmail.com addresses and the message was not sent through the gmail 
MTA. 

> DMARC fails because SPF and DKIM pass but none of them align to the From 
> "gmail.com" domain (at least in my test case).

Yes. But that’s not what’s causing the warning you’re seeing. 

> It’s not. Nothing to do with authentication. Nothing to do with SPF, DKIM, 
> DMARC or ARC. It’s all about the 5322.from and the To: address being identical. 
> 
> Not what I saw here: if I send a message with the same rfc5322.from/to 
> (ema...@gmail.com) to ema...@gmail.com I don't see warnings.

I think this is where you’re misunderstanding me. Those are not the same email 
address, therefore, you do not get the warning. ema...@gmail.com and 
ema...@gmail.com are not the same address. So they’re not triggering the 
warning message. 

>> Just to be sure I'm not being misunderstood I'm not saying this from=to 
>> doesn't have correlation with phishing. It simply feels to me a very shy 
>> target in 2017 where SPF/DKIM/DMARC are available (unless I'm missing a big 
>> thing, and I've opened this discussion because I never exclude it).
> 
> 
> I’m not sure why you think it has something to do with authentication. I 
> don’t believe it does. It’s solely about the To: and From: being the same and 
> the message coming from a non Google source. 
> 
> The only public webpage indexed by google and discussing that message has an 
> answer saying it is about SPF/DKIM: I don't believe it is something about 
> SPF/DKIM. BUT maybe it is related to DMARC.

I found the link you’re talking about - 
https://productforums.google.com/forum/#!topic/gmail/Lp9wlAKcFAU. Best I can 
tell, that’s not an official answer or anything, just a person who is trying to 
help. 

Let me ask you this, does the warning box have a “learn more” button on it? 
What happens when you click that? Does it take you to a page like: 
https://support.google.com/mail/answer/185812?visit_id=1-636330759213411049-1547491413&p=sent_warning&hl=en&rd=2
(that’s the page I get from “not sent from your account”)

Note, that support.google.com link provides instructions on how to remove the 
warning.

> How does gmail detect the message may not have been sent by my account?

Because it has no record of the outgoing mail. There isn’t an outgoing message 
in your sent mail folder. It KNOWS that gmail didn’t send the message through 
your gmail account.  

> An easy way to detect this is that DMARC fails. Otherwise they have to add 
> some "senderid like" best-guess (I refer to the way the senderid protocol 
> abuses SPF records and the "best-guess" applied by some receivers for SPF 
> checking domains not publishing SPF records). Otherwise it could be a 
> hardcoded check.

You’re not getting the message because DMARC fails. Honest. You’re getting the 
message because your 5322.from and the To: address are identical and the 
message did not go through gmail’s servers. 

>> This doesn't harm me, I trust google and I try to understand what's behind 
>> their moves because I think there's always something to learn from others :-)
> 
> Far be it from me to make up motives, but I think this is simply low hanging 
> fruit with a low chance of screwing up mail. They have the data to implement 
> it - so … why not?
> 
> In my sample there are more false positives than spam emails matching the 
> criteria. But I admit I have a very limited sample. So I trust you when you 
> say it is a very common spam technique. Maybe I already filter that spam at 
> SMTP level using spamhaus, or I'm just "lucky" ;-)

It’s not a false positive! It’s an accurate statement: this message sent to 
you, from you was not sent through gmail’s servers. It’s simply a descriptive 
message. It’s making sure you notice something about this message. Yes, DMARC 
is showing failed, but DMARC fails when you send from addre...@gmail.com 
to addre...@gmail.com. 
Those messages don’t get the warning. Therefore: the warning is not about a 
DMARC failure. 

Particularly in the case of Google, not everything they do is about spam. 
Sometimes they’re just telling subscribers more about the mail. A prime example 
of this - like the TLS indicators. TLS has zero to do with spam. Yet, they show 
the TLS status of every message coming into google. It’s a security piece. 
This, too. 

laura  

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741          

Email Delivery Blog: http://wordtothewise.com/blog      
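The two checks this reply keeps apart, as an added example (not code from any participant in this thread; the relay domain and addresses are constructed): DMARC alignment with a p= policy, and the separate "same From and To, not sent through the provider's MTA" condition.

```python
# Added example, not code from anyone in this thread. Constructed inputs.
# 1) DMARC: SPF or DKIM may "pass", but DMARC fails unless the passing
#    identifier aligns with the RFC5322.From domain; p=none applies no disposition.
# 2) The separate warning condition described in the reply: 5322.From equals a
#    To: recipient and the message did not originate from the provider's own MTA.

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (a real
    implementation would consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs equality."""
    if not auth_domain:
        return False
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   policy="none", aspf_strict=False, adkim_strict=False):
    """Return (dmarc_result, disposition). The From domain's p= tag is applied
    only when DMARC fails; p=none never rejects or quarantines."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf_strict)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim_strict)
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    disposition = "none" if result == "pass" else policy
    return result, disposition

def self_addressed_off_platform(from_addr, to_addrs, via_provider_mta):
    """True when 5322.From equals a To: recipient and the provider's MTA did not
    send the message: the condition the reply ties the warning to, independent
    of the DMARC result."""
    recipients = {a.strip().lower() for a in to_addrs}
    return (not via_provider_mta) and from_addr.strip().lower() in recipients

if __name__ == "__main__":
    # Constructed case like the quoted test: SPF and DKIM pass for the relay's
    # domain (relay.example, a placeholder), neither aligns with gmail.com.
    print(dmarc_evaluate("gmail.com", "pass", "relay.example",
                         "pass", "relay.example", "none"))  # -> ('fail', 'none')
    print(self_addressed_off_platform("user@gmail.com", ["user@gmail.com"],
                                      via_provider_mta=False))  # -> True
```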