Hmm, the obvious choice would be an unsub link in the message, but that
would break DKIM.  I guess one could add it as a header, but that will
seriously limit who would see it.

Probably the best would be a periodic reminder of the forward with the undo
link similar to what happens in the initial verification message.

Also, it's not a heavy abuse vector since the receiver has to opt-in to
enabling the forward... I think that wasn't true very early on in Gmail,
but has been true for well over a decade at this point.

The ultimate recourse is the same as any other unwanted mail, to block it.
With Gmail, you can set up filters to auto-delete the forwarded messages.
It's not satisfying, and an abuser will just move on to some other route,
of course.  The open nature of email makes fighting this level of high
touch low volume abuse extremely challenging.

A long time ago, we considered adding a "contact only" email option for
folks getting a lot of unwanted messages, and I know hey.com went really
deep into that as well.  There were a lot of concerns with unintended
consequences and being worried if the ecosystem would perceive this as a
step towards Gmail closing the open nature of email.  Ie, we know that one
reason that abusers will mailbomb an address is to make it more likely the
recipient misses some other email notifications about account changes and
such, so having folks switch to contact only would make that easier for the
scammer.... and then we start getting into trying to be magic about what
gets in and what doesn't, which folks will totally love.

Anyways, as I said, I'm sure there's improvements that could be made, but
priorities are what they are.

Brandon

On Mon, Oct 24, 2022 at 12:06 PM Tara Natanson <tara+mai...@natanson.net>
wrote:

> Brandon,
>
> Yes, I could set up a rule at our edge servers to trash the mail or bounce
> it.  I was just wondering if there's some other way to break a Google
> forward that I wasn't aware of.  It is being used in an abusive way, the
> stuff we receive via that forward seems deliberate.  I was hoping there was
> some way I could report that and make it stop, or some mechanism I had
> missed.   I have access to the folks that can set up those mail rules.  But
> it occurred to me that not every user does and what would the average end
> user do in this situation?
>
> This came to mind after a recent session at M3AAWG about the victims of
> cyber abuse and harassment.   Let's say I allowed mail to forward to me,
> with my permission and then at some future point, that forwarded mail was
> being used to harass and abuse me.  There's no unsub, no way to stop
> getting the mail if I don't control the original mailbox it's being sent
> to.  The end user has no recourse.  I do, because I work closely with our
> mail admins on a daily basis but that is likely not the case with most
> users.
>
> Cheers!
>
> Tara Natanson
>
>
> On Mon, Oct 24, 2022 at 2:17 PM Brandon Long <bl...@google.com> wrote:
>
>> I'm confused, I thought you were saying that a gmail account was
>> autoforwarding mail to your postmaster@ address (ie, with +caf_ in
>> envelope sender).
>>
>> In which case, you can set up a specific block for mail from that caf
>> address to your postmaster address.
>>
>> With Google Workspace, you can use a content match
>> https://support.google.com/a/answer/1346934
>>
>> Inbound Messages
>> Advanced content match, Location Envelope sender, and then the email
>> address with the +caf in it, and Equals or contains match type
>> Reject Message
>>
>> Brandon
>>
>>
>>
>> On Mon, Oct 24, 2022 at 11:01 AM Tara Natanson <tara+mai...@natanson.net>
>> wrote:
>>
>>> Brandon,
>>>
>>> The forward is set up to send out our postmaster@ address, so I can't
>>> let it bounce. :(
>>>
>>> Tara
>>>
>>>
>>> On Mon, Oct 24, 2022 at 1:49 PM Brandon Long via mailop <
>>> mailop@mailop.org> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Oct 24, 2022 at 9:09 AM Bill Cole via mailop <mailop@mailop.org>
>>>> wrote:
>>>>
>>>>> On 2022-10-24 at 09:30:29 UTC-0400 (Mon, 24 Oct 2022 09:30:29 -0400)
>>>>> Tara Natanson via mailop <tara+mai...@natanson.net>
>>>>> is rumored to have said:
>>>>>
>>>>> > Yes I know the address  @gmail the messages are being sent to.  I do
>>>>> > not control that gmail inbox though.
>>>>>
>>>>> Well, you surely understand that to be a (correct ethical) choice,
>>>>> right? You do control an inbox which GMail believes is confirmed as that
>>>>> GMail user, yes?
>>>>> <evil grin>
>>>>>
>>>>> But seriously, just give it a '550 5.7.1' reply at RCPT if possible,
>>>>> or '554 5.7.1' after DATA. Make Google figure it out.
>>>>>
>>>>
>>>> autoforwards should be automatically disabled if they bounce, though
>>>> like with all such things there are heuristics involved (a certain number
>>>> of bounces in a given time).
>>>> I'm sure there are a bunch of ways it could be improved, I think it
>>>> disables it without warning the user, which isn't great (especially if you
>>>> only read mail that's being forwarded),
>>>> but it can probably be re-enabled without re-verifying the address as
>>>> well, which isn't great for this case either.
>>>>
>>>> Brandon
>>>> _______________________________________________
>>>> mailop mailing list
>>>> mailop@mailop.org
>>>> https://list.mailop.org/listinfo/mailop
>>>>
>>>
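
Added example, not part of the thread: the scoped block described in the messages above (refuse the one `+caf_` envelope sender at RCPT with `550 5.7.1` while postmaster@ keeps accepting everything else), written as a Python decision function. The addresses, the block list and the function names are constructed assumptions; only the `+caf_` marker and the reply code come from the thread.

```python
# Added example: RCPT-stage decision for one abusive Gmail auto-forward.
# All addresses below are constructed placeholders, not values from the thread.

POSTMASTER = "postmaster@example.org"              # assumed local address
# Accounts whose auto-forward should be refused (assumed, operator-maintained)
BLOCKED_FORWARDERS = {"abuser.example@gmail.com"}

ACCEPT = "250 2.1.5 Ok"
REJECT = "550 5.7.1 Forwarded mail from this account is refused"


def _strip(path):
    """Remove the angle brackets of an SMTP path and surrounding spaces."""
    return path.strip().lstrip("<").rstrip(">").strip()


def forwarding_account(mail_from):
    """Return the account behind a '+caf_' envelope sender, else None."""
    addr = _strip(mail_from)
    if "@" not in addr:                  # null sender <> or malformed path
        return None
    local, _, domain = addr.rpartition("@")
    base, marker, _ = local.partition("+caf_")
    if not marker or not base:           # not an auto-forward envelope
        return None
    return f"{base}@{domain}".lower()


def rcpt_decision(mail_from, rcpt_to):
    """SMTP reply to give at RCPT TO for this envelope."""
    if _strip(rcpt_to).lower() != POSTMASTER:
        return ACCEPT                    # rule is scoped to postmaster@ only
    if forwarding_account(mail_from) in BLOCKED_FORWARDERS:
        return REJECT                    # only the one abusive forward
    return ACCEPT                        # bounces and other senders still arrive


if __name__ == "__main__":
    # Constructed envelopes: (MAIL FROM, RCPT TO)
    samples = [
        ("<abuser.example+caf_=postmaster=example.org@gmail.com>", "<postmaster@example.org>"),
        ("<someone.else+caf_=postmaster=example.org@gmail.com>", "<postmaster@example.org>"),
        ("<>", "<postmaster@example.org>"),
    ]
    for mail_from, rcpt_to in samples:
        print(mail_from, "->", rcpt_decision(mail_from, rcpt_to))
```

The null sender and every other envelope sender are still accepted, so postmaster@ stays reachable while the single forward collects the bounces that the forwarding service counts.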