zip up the log before you send it. -Joe -- Joe Hamelin, W7COM, Tulalip, WA, +1 (360) 474-7474
On Wed, Oct 23, 2019 at 5:20 PM Constantine A. Murenin <muren...@gmail.com> wrote: > Dear NANOG@, > > I'm not sure where else to post this, and this is not really new, either, > but I think I have a new take here. > > I use my own personal domain name for various UNIX stuff, including > sending log-related things to myself out of cron, which end up in my own > Gmail.com account, either directly, or through forwarding (w/o SRS). (I do > not use G Suite for my own domain name, for obvious reasons; just the > consumer-based gmail.com email address from the old times of > invitation-based registrations.) > > Over the years, I sometimes had certain messages rejected by Gmail, but it > was a very low rate of rejection (less than 5% for any mail I cared about), > and wasn't a major problem (usually only some automated messages would be > rejected). > > A couple of months ago, I setup some new scripts that would send me new > nightly emails. It's all plain text, but had a few dozen of domain names > present (it's logs). Absolutely no links, just plenty of domains which I > don't control. So, Gmail has been presenting most of these messages with > their red warning label that the email contains malicious links, even > though all of these emails contained zero links, zero URLs to any of these > unknown domain names, zero URL schemes, zero "http://";, zero "https://"; > etc. You get the idea. > > Since about a few weeks ago, I am now seeing at least a 95% rejection rate > for my domain name, for ALL email, including the forwards. Including > emails which I send to myself from within Google, and which get forwarded > back to Gmail by my UNIX machine (which is not known to break Gmail's DKIM, > either, although it's also difficult to test, because when it does get > through, it's automatically marked as a duplicate by Gmail, so, you don't > get DKIM status from Gmail by looking at the headers, since you only get to > examine the original copy that was sent, not the forwarded duplicate that > was subsequently accepted). I.e., emails with a passing DMARC still get > rejected. > > The funny thing is, Google doesn't actually blacklist my primary IPv6 > address in my own /48 from which all of my messages originate; even though > the rDNS resolves to a subdomain on the very same domain name which they've > blacklisted "due to the very low reputation". They've blacklisted just the > main domain name that I use for my own non-Gmail-hosted mail. Sending the > same messages into my Gmail.com from a different domain name in MAIL FROM, > which is served from the same zone file DNS-wise (e.g., an SPF pass), > through sendmail's `-f` option, or with Mutt, makes the messages go through > (even with rDNS being "low reputation"); sending it from my primary domain > name in MAIL FROM results in the following: > > >>> DATA > <<< 550-5.7.1 [2001:470:xxxx:: 19] Our system has detected that this > message is > <<< 550-5.7.1 likely suspicious due to the very low reputation of the > sending > <<< 550-5.7.1 domain. To best protect our users from spam, the message has > been > <<< 550-5.7.1 blocked. Please visit > <<< 550 5.7.1 https://support.google.com/mail/answer/188131 for more > information. 135si403977wma.43 - gsmtp > 554 5.0.0 Service unavailable > > The support article suggests using Postmaster Tools; great, never heard of > it, sounds cool; let's verify our domain, and try it out, hopefully, > there's a solution right there. > > However, after verifying my domain name through DNS for Postmaster Tools, > it is revealed that Postmaster Tools cannot tell me anything at all, with > all tabs and screens being 100% blank, allegedly because I'm not actually a > mass email sender (I don't send hundreds of emails a day or whatnot), and > they're too afraid that I'll figure out why my mail doesn't actually go > through, instead of signing up for G Suite. > > Right now, I've had a business need to reply to a work-related email from > some other business. > > This is what I got after sending my reply from my primary domain name > through mutt — a nice double rejection by both the G Suite and Gmail in a > single bounce generated by my server: > > > ----- Transcript of session follows ----- > ... while talking to aspmx.l.google.com.: > >>> DATA > <<< 550-5.7.1 [2001:470:xxxx:: 19] Our system has detected that this > message is > <<< 550-5.7.1 likely suspicious due to the very low reputation of the > sending > <<< 550-5.7.1 domain. To best protect our users from spam, the message has > been > <<< 550-5.7.1 blocked. Please visit > <<< 550 5.7.1 https://support.google.com/mail/answer/188131 for more > information. z11si12494671wrw.137 - gsmtp > 554 5.0.0 Service unavailable > ... while talking to gmail-smtp-in.l.google.com.: > >>> DATA > <<< 550-5.7.1 [2001:470:xxxx:: 19] Our system has detected that this > message is > <<< 550-5.7.1 likely suspicious due to the very low reputation of the > sending > <<< 550-5.7.1 domain. To best protect our users from spam, the message has > been > <<< 550-5.7.1 blocked. Please visit > <<< 550 5.7.1 https://support.google.com/mail/answer/188131 for more > information. 135si403977wma.43 - gsmtp > 554 5.0.0 Service unavailable > > > Changing MAIL FROM into a non-primary domain name (served out of an > identical zone file, basically) gets the message accepted, without DKIM, > without the 4-minute delay that many "suspicious" messages have had for > months now, from the very same IPv6 address with the rDNS pointing to the > domain name with "the very low reputation", and it shows up in both my own > Gmail as well as, presumably, in the G Suite account of the business > partner I was replying to. (Note that this trick where the rDNS domain > gets ignored works only for new emails with a passing SPF; I presume the > rDNS still prevails in bringing the "low reputation of the sending domain" > for forwards, as they don't seem to succeed any longer now.) > > > There are a number of possible tl;dr: takeaways here: > > * don't spread the monoculture — don't use G Suite for your organisation; > > * don't send crontab output to your Gmail from your primary domain name; > > * don't use Gmail. > > > What is my own takeaway here? > > * Without being an anti-Google zealot, from a purely practical > perspective, since my Gmail account no longer contains the mail I care most > about, as it gets rejected on the SMTP layer, I'll have fewer reasons to > use it. > > * I'll now have no other choice but to modify my setup to stop forwarding > to Gmail, because my business contacts don't need to see all these bounces > that are now taking place. > > * Since so many businesses are G Suite useds, I'm still looking for a > solution to get rid of the "the very low reputation of the sending domain" > from a domain name I've been using since 2007, and which I'm 100% convinced > was blacklisted by Google entirely for me sending crontab with system logs > (zero HTML, zero URLs) to my own Gmail. I have SPF and DMARC all setup and > passing since years ago, which doesn't stop this issue from occurring. > Merely switching the name of the domain in From and MAIL FROM to any other > domain I own (which points to the very same MX) appears to be my workaround > for now. > > > Some possible suggestions for Google, if I may: > > * Maybe don't convert schemeless domain names which are non-URLs into > "malicious" URLs? (They already do seem to block them from being presented > as links in the UI in such an instance, but there's little reason for > trying to convert these domain names into links in the first place.) > > * Maybe don't consider harmless plain text emails with a bunch of domain > names to contain malicious links when they don't? > > * Maybe don't assume everyone with a domain name runs a G Suite? (Their > whole troubleshooting guide is built around it.) > > * Maybe don't assume everyone with a domain name sends hundreds of emails > from their domain name per day? (They seem to limit Postmaster Tools based > on such a criterion.) > > * Maybe don't blacklist a domain name for sending harmless logs to a Gmail > account that lists said domain name as an alternative From address? > > > Cheers, > Constantine. >
