On 14 June 2017 at 22:28, Laura Atkins <la...@wordtothewise.com> wrote:
>
> On Jun 14, 2017, at 12:52 PM, Stefano Bagnara <mai...@bago.org> wrote:
>
>> BTW please note that the message is "sent from your account." not "by
>> <email address>", so a very specific case.
>
> Interesting. When I did it (to myself, from myself from this SMTP server)
> the message was exactly what I copied and pasted above.

Very interesting! Did you test a gmail.com address or a GSuite address? What is your SPF/DKIM result for that message? I found "my" version of the message in at least 5 gmail inboxes I've tested and I've never seen the message you describe. Maybe they are still in the middle of deploying updates (I'll retest tomorrow!).

>> I would have been less surprised if they showed this message for EVERY
>> dmarc failing message (not for that specific use case).
>
> It’s not a DMARC failure, though. It has nothing to do with DMARC. They
> just recorded the DMARC failure in the headers because they record DMARC
> status of EVERY message going into Gmail.

Are you sure? If I'm not wrong, technically DMARC failed for that message. It is just that the gmail.com DMARC record exposes a p=none, so the gmail domain doesn't ask to reject or quarantine the message when DMARC fails. If it was p=reject the message would have been rejected. DMARC fails because SPF and DKIM pass but none of them align to the From "gmail.com" domain (at least in my test case).

> It’s not. Nothing to do with authentication. Nothing to do with SPF, DKIM,
> DMARC or ARC. It’s all about the 5322.from and the To: address being
> identical.

Not what I saw here: if I send a message with the same rfc5322.from/to (ema...@gmail.com) to ema...@gmail.com I don't see warnings.

>> Just to be sure I'm not being misunderstood: I'm not saying this from=to
>> doesn't have correlation with phishing. It simply feels to me a very shy
>> target in 2017 where SPF/DKIM/DMARC are available (unless I'm missing a big
>> thing, and I've opened this discussion because I never exclude it).
>
> I’m not sure why you think it has something to do with authentication. I
> don’t believe it does. It’s solely about the To: and From: being the same
> and the message coming from a non Google source.

The only public webpage indexed by google and discussing that message has an answer saying it is about SPF/DKIM: I don't believe it is something about SPF/DKIM.

BUT maybe it is related to DMARC. How does gmail detect the message may not have been sent by my account? An easy way to detect this is that DMARC fails. Otherwise they have to add some "senderid like" best-guess (I refer to the way the senderid protocol abuses SPF records and the "best-guess" applied by some receivers for SPF checking domains not publishing SPF records). Otherwise it could be a hardcoded check.

>> This doesn't harm me, I trust google and I try to understand what's behind
>> their moves because I think there's always something to learn from others
>> :-)
>
> Far be it from me to make up motives, but I think this is simply low
> hanging fruit with a low chance of screwing up mail. They have the data to
> implement it - so … why not?

In my sample there are more false positives than spam email matching the criteria. But I admit I have a very limited sample. So I trust you when you say it is a very common spam technique. Maybe I already filter those spam at SMTP level using spamhaus, or I'm just "lucky" ;-)

Stefano
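The DMARC alignment point argued in the message above, as an added worked example that is not part of the thread: a toy evaluator that models a message with an @gmail.com From, relayed through a third-party server whose own SPF and DKIM pass for a different domain (example.org stands in for that relay; the gmail.com record is a constructed sample with p=none as the thread states; organizational domains are approximated without the Public Suffix List).

```python
# Added example (not from the mailop thread): a toy DMARC evaluator.
# Assumptions: example.org is the relay's domain, the gmail.com record
# is a constructed sample, and org_domain() skips the Public Suffix List.
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=none; adkim=r' into a tag dict (defaults applied)."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    # Simplification of RFC 7489 section 3.2: last two labels only.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf: str          # "pass" / "fail" / "none"
    spf_domain: str   # RFC5321.MailFrom domain that SPF was checked against
    dkim: str
    dkim_domain: str  # d= of the validated DKIM signature


def dmarc_evaluate(from_domain: str, auth: AuthResults, record: str):
    """Return (dmarc_result, requested_disposition) for one message."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]  # p=none: failure is recorded, no action requested


# Constructed sample: From @gmail.com, relayed by a server whose SPF and DKIM
# both pass for example.org, so neither identifier aligns with gmail.com.
GMAIL_DMARC = "v=DMARC1; p=none"
RELAYED = AuthResults("pass", "example.org", "pass", "example.org")
```

With the sample record the result is ("fail", "none"): DMARC fails exactly as the message says, and only the policy tag decides whether that failure turns into a rejection.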
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop