Brandon,

Thank you for the well balanced response. That makes perfect sense.

"I'm sure there's improvements that could be made, but priorities are what they are." <----I live this daily
I had hoped there was some secret incantation I wasn't aware of. I'll just keep filtering it.

Cheers,
Tara

On Mon, Oct 24, 2022 at 3:34 PM Brandon Long <bl...@google.com> wrote:

> Hmm, the obvious choice would be an unsub link in the message, but that would break DKIM. I guess one could add it as a header, but that will seriously limit who would see it
>
> Probably the best would be a periodic reminder of the forward with the undo link similar to what happens in the initial verification message.
>
> Also, it's not a heavy abuse vector since the receiver has to opt-in to enabling the forward... I think that wasn't true very early on in Gmail, but has been true for well over a decade at this point.
>
> The ultimate recourse is the same as any other unwanted mail, to block it. With Gmail, you can set up filters to auto-delete the forwarded messages. It's not satisfying, and an abuser will just move on to some other route, of course. The open nature of email makes fighting this level of high touch low volume abuse extremely challenging.
>
> A long time ago, we considered adding a "contact only" email option for folks getting a lot of unwanted messages, and I know hey.com went really deep into that as well. There were a lot of concerns with unintended consequences and being worried if the ecosystem would perceive this as a step towards Gmail closing the open nature of email. Ie, we know that one reason that abusers will mailbomb an address is to make it more likely the recipient misses some other email notifications about account changes and such, so having folks switch to contact only would make that easier for the scammer.... and then we start getting into trying to be magic about what gets in and what doesn't, which folks will totally love.
>
> Anyways, as I said, I'm sure there's improvements that could be made, but priorities are what they are.
>
> Brandon
>
> On Mon, Oct 24, 2022 at 12:06 PM Tara Natanson <tara+mai...@natanson.net> wrote:
>
>> Brandon,
>>
>> Yes, I could set up a rule at our edge servers to trash the mail or bounce it. I was just wondering if there's some other way to break a google forward that I wasn't aware of. It is being used in an abusive way, the stuff we receive via that forward seems deliberate. I was hoping there was some way I could report that and make it stop, or some mechanism I had missed. I have access to the folks that can set up those mail rules. But it occurred to me that not every user does and what would the average end user do in this situation?
>>
>> This came to mind after a recent session at M3AAWG about the victims of cyber abuse and harassment. Let's say I allowed mail to forward to me, with my permission and then at some future point, that forwarded mail was being used to harass and abuse me. There's no unsub, no way to stop getting the mail if I don't control the original mailbox it's being sent to. The end user has no recourse. I do, because I work closely with our mail admins on a daily basis but that is likely not the case with most users.
>>
>> Cheers!
>>
>> Tara Natanson
>>
>> On Mon, Oct 24, 2022 at 2:17 PM Brandon Long <bl...@google.com> wrote:
>>
>>> I'm confused, I thought you were saying that a gmail account was autoforwarding mail to your postmaster@ address (ie, with +caf_ in envelope sender).
>>>
>>> In which case, you can set up a specific block for mail from that caf address to your postmaster address.
>>>
>>> With Google Workspace, you can use a content match
>>> https://support.google.com/a/answer/1346934
>>>
>>> Inbound Messages
>>> Advanced content match, Location Envelope sender, and then the email address with the +caf in it, and Equals or contains match type
>>> Reject Message
>>>
>>> Brandon
>>>
>>> On Mon, Oct 24, 2022 at 11:01 AM Tara Natanson <tara+mai...@natanson.net> wrote:
>>>
>>>> Brandon,
>>>>
>>>> The forward is set up to send out our postmaster@ address, so I can't let it bounce. :(
>>>>
>>>> Tara
>>>>
>>>> On Mon, Oct 24, 2022 at 1:49 PM Brandon Long via mailop <mailop@mailop.org> wrote:
>>>>
>>>>> On Mon, Oct 24, 2022 at 9:09 AM Bill Cole via mailop <mailop@mailop.org> wrote:
>>>>>
>>>>>> On 2022-10-24 at 09:30:29 UTC-0400 (Mon, 24 Oct 2022 09:30:29 -0400)
>>>>>> Tara Natanson via mailop <tara+mai...@natanson.net>
>>>>>> is rumored to have said:
>>>>>>
>>>>>> > Yes I know the address @gmail the messages are being sent to. I do not control that gmail inbox though.
>>>>>>
>>>>>> Well, you surely understand that to be a (correct ethical) choice, right? You do control an inbox which GMail believes is confirmed as that GMail user, yes?
>>>>>> <evil grin>
>>>>>>
>>>>>> But seriously, just give it a '550 5.7.1' reply at RCPT if possible, or '554 5.7.1' after DATA. Make Google figure it out.
>>>>>
>>>>> autoforwards should be automatically disabled if they bounce, though like with all such things there are heuristics involved (a certain number of bounces in a given time).
>>>>> I'm sure there are a bunch of ways it could be improved, I think it disables it without warning the user, which isn't great (especially if you only read mail that's being forwarded), but it can probably be re-enabled without re-verifying the address as well, which isn't great for this case either.
>>>>>
>>>>> Brandon
>>>>> _______________________________________________
>>>>> mailop mailing list
>>>>> mailop@mailop.org
>>>>> https://list.mailop.org/listinfo/mailop
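The narrow block discussed in the quoted thread (reject only the `+caf_` envelope sender for the one recipient, with the '550 5.7.1' reply at RCPT), sketched as an added example that is not part of the original messages. It assumes the auto-forward envelope sender has the shape `account+caf_=rcptlocal=rcptdomain@gmail.com` (the thread only says "+caf_ in envelope sender"); all addresses and the reply text after the status code are constructed.

```python
import re

# Assumed shape of an auto-forward envelope sender (not spelled out in the thread):
#   account+caf_=<rcpt local part>=<rcpt domain>@<forwarding domain>
CAF_RE = re.compile(
    r"^(?P<account>[^+@]+)\+caf_=(?P<rlocal>[^=@]+)=(?P<rdomain>[^=@]+)"
    r"@(?P<fdomain>[^@]+)$",
    re.IGNORECASE,
)


def parse_caf(mail_from):
    """Return (forwarding_account, encoded_recipient), or None if not a forward."""
    m = CAF_RE.match(mail_from.strip().strip("<>"))
    if not m:
        return None
    account = f"{m['account']}@{m['fdomain']}".lower()
    recipient = f"{m['rlocal']}@{m['rdomain']}".lower()
    return account, recipient


def rcpt_policy(mail_from, rcpt_to, blocked):
    """Decide the reply to RCPT TO. `blocked` holds (account, recipient) pairs."""
    rcpt = rcpt_to.strip().strip("<>").lower()
    parsed = parse_caf(mail_from)
    if parsed is None:
        return "250 2.1.5 OK"  # ordinary mail to postmaster@ is never touched
    account, encoded_rcpt = parsed
    # Reject only when the forwarding account is listed for this recipient and
    # the recipient encoded in the sender matches the real RCPT TO.
    if (account, rcpt) in blocked and encoded_rcpt == rcpt:
        return "550 5.7.1 Forwarded mail from this account is not accepted"
    return "250 2.1.5 OK"


# Constructed sample data: one unwanted forward aimed at postmaster@.
BLOCKED = {("unwanted.forwarder@gmail.com", "postmaster@example.org")}

if __name__ == "__main__":
    for sender in ("<unwanted.forwarder+caf_=postmaster=example.org@gmail.com>",
                   "<someone@example.net>"):
        print(sender, "->", rcpt_policy(sender, "<postmaster@example.org>", BLOCKED))
```
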