Hi, FWIW we're indeed seeing a large influx of fake intuit emails on our corporate mail. IMHO A company like intuit should go full DMARC reject, not just the bare minimum of SPF and DKIM cross the board. their SPF is invalid due to many excessive lookups (26 at time of writing). If anybody has contacts there or at least access to some inmails, they'd be doing everyone a big favour.
Regards, Gil Bahat, DevOps/Postmaster, Magisto Ltd. On Tue, Nov 3, 2015 at 7:59 PM, Brandon Long <bl...@google.com> wrote: > It goes to spam because we think it's phishy. It sometimes doesn't go to > spam if there are enough whitelisting signals in the user's account. > Apparently we're seeing a high volume of intuit.com/mint.com phishing > messages. > > I agree with the recommendation to add an intuit.com DKIM key. > > If you aren't with Intuit or Salesforce, the best you can do is add a > "never flag as spam" filter. > > Brandon > > On Tue, Nov 3, 2015 at 9:32 AM, Franck Martin <fmar...@linkedin.com> > wrote: > >> I would suggest to add a DKIM d=intuit.com to the email... It is now >> possible with Salesforce. >> >> On Tue, Nov 3, 2015 at 8:11 AM, Steve Atkins <st...@blighty.com> wrote: >> >>> >>> > On Nov 2, 2015, at 10:59 PM, Yang Yu <yang.yu.l...@gmail.com> wrote: >>> > >>> > Lately I see a lot of emails from >>> > mintcustomersupport-no-re...@intuit.com (sent from salesforce) are in >>> > gmail spam folder with message "Our systems couldn't verify that this >>> > message was really sent by intuit.com". However not all emails go into >>> > spam (a few slipped through, I just can't tell the difference from the >>> > headers). The emails are legitimate support tickets. >>> >>> Intuit are publishing invalid SPF records, so if Google is checking >>> whether this mail is plausibly from intuit.com based on a combination >>> of the 822.From >>> and the peer IP (a check that wouldn't be recorded in the Received-SPF >>> field) that >>> won't be working the way that Intuit might like it to - and would likely >>> lead to the >>> "couldn't verify that this message was really sent by intuit.com" and >>> to treating the >>> mail with some suspicion. >>> >>> Cheers, >>> Steve >>> >>> >>> > >>> >>>> >>> > >>> > Header from email that went into spam >>> > >>> > Delivered-To: mygm...@gmail.com >>> > Received: by 10.28.113.210 with SMTP id d79csp2061485wmi; >>> > Mon, 2 Nov 2015 22:09:55 -0800 (PST) >>> > X-Received: by 10.13.237.4 with SMTP id >>> w4mr18970504ywe.110.1446530995490; >>> > Mon, 02 Nov 2015 22:09:55 -0800 (PST) >>> > Return-Path: <mintcustomersupport-no-reply= >>> intuit.com__1swqj00nzvzul...@ky00ew61ipso.e-a8tlmay.na14.bnc.salesforce.com >>> > >>> > Received: from smtp14-sjl.mta.salesforce.com >>> > (smtp14-sjl.mta.salesforce.com. [204.14.234.77]) >>> > by mx.google.com with ESMTPS id >>> 14si11140665ywe.241.2015.11.02.22.09.55 >>> > for <mygm...@gmail.com> >>> > (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 >>> bits=128/128); >>> > Mon, 02 Nov 2015 22:09:55 -0800 (PST) >>> > Received-SPF: pass (google.com: domain of >>> > mintcustomersupport-no-reply= >>> intuit.com__1swqj00nzvzul...@ky00ew61ipso.e-a8tlmay.na14.bnc.salesforce.com >>> > designates 204.14.234.77 as permitted sender) client-ip=204.14.234.77; >>> > Authentication-Results: mx.google.com; >>> > spf=pass (google.com: domain of >>> > mintcustomersupport-no-reply= >>> intuit.com__1swqj00nzvzul...@ky00ew61ipso.e-a8tlmay.na14.bnc.salesforce.com >>> > designates 204.14.234.77 as permitted sender) >>> > smtp.mailfrom=mintcustomersupport-no-reply= >>> intuit.com__1swqj00nzvzul...@ky00ew61ipso.e-a8tlmay.na14.bnc.salesforce.com >>> > Return-Path: <mintcustomersupport-no-reply= >>> intuit.com__1swqj00nzvzul...@ky00ew61ipso.e-a8tlmay.na14.bnc.salesforce.com >>> > >>> > Received: from [10.236.9.132] ([10.236.9.132:58425] >>> helo=ops-mta1-3-was) >>> > by mx2-sjl.mta.salesforce.com (envelope-from >>> > <mintcustomersupport-no-reply= >>> intuit.com__1swqj00nzvzul...@ky00ew61ipso.e-a8tlmay.na14.bnc.salesforce.com >>> >) >>> > (ecelerity 3.6.8.47404 r(Core:3.6.8.0)) with ESMTPS >>> (cipher=DES-CBC3-SHA) >>> > id 52/43-37971-2BF48365; Tue, 03 Nov 2015 06:09:54 +0000 >>> > Received: from [10.236.71.19] ([10.236.71.19:56145] >>> > helo=na14-app1-6-was.ops.sfdc.net) >>> > by mx1-was.mta.salesforce.com (envelope-from >>> > <mintcustomersupport-no-reply= >>> intuit.com__1swqj00nzvzul...@ky00ew61ipso.e-a8tlmay.na14.bnc.salesforce.com >>> >) >>> > (ecelerity 3.6.8.47404 r(Core:3.6.8.0)) with ESMTPS >>> (cipher=DES-CBC3-SHA) >>> > id 09/75-31440-2BF48365; Tue, 03 Nov 2015 06:09:54 +0000 >>> > Date: Tue, 3 Nov 2015 06:09:54 +0000 (GMT) >>> > From: "mintcustomersupport-no-re...@intuit.com" >>> > <mintcustomersupport-no-re...@intuit.com> >>> > Sender: nore...@salesforce.com >>> > To: "mygm...@gmail.com" <mygm...@gmail.com> >>> > Message-ID: < >>> 7n1op000000000000000000000000000000000000000000000nx86gh00i5hchvc7snmhepgoq2q...@sfdc.net >>> > >>> > Subject: Mint.com Support has received your email Mint-General >>> > MIME-Version: 1.0 >>> > Content-Type: text/plain; charset=ISO-8859-1 >>> > Content-Transfer-Encoding: 7bit >>> > X-SFDC-LK: 00DE0000000a8TL >>> > X-SFDC-User: 005d0000001mv0t >>> > X-Sender: postmas...@salesforce.com >>> > X-mail_abuse_inquiries: http://www.salesforce.com/company/abuse.jsp >>> > X-SFDC-TLS-NoRelay: 1 >>> > X-SFDC-EmailCategory: workflowActionAlert >>> > X-SFDC-EntityId: 01Wd00000000fLR >>> > X-SFDC-Binding: 1WrIRBV94myi25uB >>> > X-SFDC-Interface: internal >>> > >>> > >>> >>>> >>> > Header from email that did not go into spam >>> > >>> > Delivered-To: mygm...@gmail.com >>> > Received: by 10.28.113.210 with SMTP id d79csp2000823wmi; >>> > Mon, 2 Nov 2015 18:27:11 -0800 (PST) >>> > X-Received: by 10.55.71.146 with SMTP id >>> u140mr33117598qka.17.1446517631172; >>> > Mon, 02 Nov 2015 18:27:11 -0800 (PST) >>> > Return-Path: <mintcustomersupport= >>> intuit.com__0-8zwx1w6zmvd...@3k2i3a0a5qw8r5.e-a8tlmay.na14.bnc.salesforce.com >>> > >>> > Received: from smtp06-asg.mta.salesforce.com >>> > (smtp06-asg.mta.salesforce.com. [204.14.232.69]) >>> > by mx.google.com with ESMTPS id >>> p65si20897248qge.50.2015.11.02.18.27.10 >>> > for <mygm...@gmail.com> >>> > (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 >>> bits=128/128); >>> > Mon, 02 Nov 2015 18:27:11 -0800 (PST) >>> > Received-SPF: pass (google.com: domain of >>> > mintcustomersupport= >>> intuit.com__0-8zwx1w6zmvd...@3k2i3a0a5qw8r5.e-a8tlmay.na14.bnc.salesforce.com >>> > designates 204.14.232.69 as permitted sender) client-ip=204.14.232.69; >>> > Authentication-Results: mx.google.com; >>> > spf=pass (google.com: domain of >>> > mintcustomersupport= >>> intuit.com__0-8zwx1w6zmvd...@3k2i3a0a5qw8r5.e-a8tlmay.na14.bnc.salesforce.com >>> > designates 204.14.232.69 as permitted sender) >>> > smtp.mailfrom=mintcustomersupport= >>> intuit.com__0-8zwx1w6zmvd...@3k2i3a0a5qw8r5.e-a8tlmay.na14.bnc.salesforce.com >>> > Return-Path: <mintcustomersupport= >>> intuit.com__0-8zwx1w6zmvd...@3k2i3a0a5qw8r5.e-a8tlmay.na14.bnc.salesforce.com >>> > >>> > Received: from [10.236.9.132] ([10.236.9.132:25760] >>> helo=ops-mta1-3-was) >>> > by mx4-asg.mta.salesforce.com (envelope-from >>> > <mintcustomersupport= >>> intuit.com__0-8zwx1w6zmvd...@3k2i3a0a5qw8r5.e-a8tlmay.na14.bnc.salesforce.com >>> >) >>> > (ecelerity 3.6.8.47404 r(Core:3.6.8.0)) with ESMTPS >>> (cipher=DES-CBC3-SHA) >>> > id 50/DF-04894-E7B18365; Tue, 03 Nov 2015 02:27:10 +0000 >>> > Received: from [10.236.71.58] ([10.236.71.58:47660] >>> > helo=na14-app2-13-was.ops.sfdc.net) >>> > by mx1-was.mta.salesforce.com (envelope-from >>> > <mintcustomersupport= >>> intuit.com__0-8zwx1w6zmvd...@3k2i3a0a5qw8r5.e-a8tlmay.na14.bnc.salesforce.com >>> >) >>> > (ecelerity 3.6.8.47404 r(Core:3.6.8.0)) with ESMTPS >>> (cipher=DES-CBC3-SHA) >>> > id E2/3C-31440-E7B18365; Tue, 03 Nov 2015 02:27:10 +0000 >>> > Received: from [199.16.139.35] by intuit.my.salesforce.com via HTTP; >>> > Mon, 02 Nov 2015 18:27:10 -0800 >>> > Date: Tue, 3 Nov 2015 02:27:10 +0000 (GMT) >>> > From: "mintcustomersupp...@intuit.com" <mintcustomersupp...@intuit.com >>> > >>> > Sender: nore...@salesforce.com >>> > To: "mygm...@gmail.com" <mygm...@gmail.com> >>> > Message-ID: < >>> 7n1op000000000000000000000000000000000000000000000nx7w5a00k2683_utqdmp92zuj66...@sfdc.net >>> > >>> > Subject: Re: Support Topic [ ref:_%%ticket_number%%:ref ] >>> > MIME-Version: 1.0 >>> > Content-Type: multipart/alternative; >>> > boundary="----=_Part_9590_1264306672.1446517630971" >>> > X-SFDC-LK: 00DE0000000a8TL >>> > X-SFDC-User: 005d0000004Ca35 >>> > X-Sender: postmas...@salesforce.com >>> > X-mail_abuse_inquiries: http://www.salesforce.com/company/abuse.jsp >>> > X-SFDC-TLS-NoRelay: 1 >>> > X-SFDC-EmailCategory: emailPublisherEmail >>> > X-SFDC-EntityId: 500d000000cHSWx >>> > X-SFDC-Binding: 1WrIRBV94myi25uB >>> > X-SFDC-Interface: internal >>> > >>> > ------=_Part_9590_1264306672.1446517630971 >>> > Content-Type: text/plain; charset=ISO-8859-1 >>> > Content-Transfer-Encoding: quoted-printable >>> > >>> >>>> >>> > The only reason I can think of is missing DKIM leading to a higher >>> > spam score. Are there recent changes at Gmail that could have caused >>> > this ? No luck through normal support channel at mint.com. >>> > >>> > Thanks. >>> > >>> > _______________________________________________ >>> > mailop mailing list >>> > mailop@mailop.org >>> > http://chilli.nosignal.org/mailman/listinfo/mailop >>> >>> >>> _______________________________________________ >>> mailop mailing list >>> mailop@mailop.org >>> http://chilli.nosignal.org/mailman/listinfo/mailop >>> >> >> >> _______________________________________________ >> mailop mailing list >> mailop@mailop.org >> http://chilli.nosignal.org/mailman/listinfo/mailop >> >> > > _______________________________________________ > mailop mailing list > mailop@mailop.org > http://chilli.nosignal.org/mailman/listinfo/mailop > >
_______________________________________________ mailop mailing list mailop@mailop.org http://chilli.nosignal.org/mailman/listinfo/mailop
