Re: [mailop] Google: Increase in false positives?

2016-09-03 Thread Renaud Allard via mailop



On 02/09/16 18:35, Aaron C. de Bruyn wrote:

> On Fri, Sep 2, 2016 at 1:39 AM, Renaud Allard via mailop
> <mailop@mailop.org> wrote:
>
> > On 09/02/2016 10:28 AM, Brandon Long via mailop wrote:
> > > The spam team would love to send all unauthed mail to the spam label or
> > > even reject it (they call it no auth no entry).
> >
> > IMHO, that would be a good idea. If one big player does it, no-one can
> > ignore it, so this enables the others to do it.
>
> On that note, wouldn't that just 'move the problem'?  If we waved our
> magic wands and made all e-mail require SPF, DKIM, and DMARC or it goes
> to junk, a mail server compromise would lead to a bunch of spam that was
> SPF-allowed, DKIM-signed, and DMARC-policy-acceptable.  And we'd still
> have spam in our inbox.  ;)

Yes, but that limits the problem as the compromised server is easier to
detect and block.




___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Jim Popovitch
On Fri, Sep 2, 2016 at 11:12 PM, John Levine  wrote:
>>But I'm not sure what native would look like.  After Lavabit, would the
>>type of folks who use pgp actually trust our implementation if they
>>couldn't see it and verify it?
>
> In my experience there are two kinds of PGP users.  One is the hard
> core who go to key signing parties with their passports in their
> pockets. The other is the casual ones who get keys from keyservers
> when they send moderately touchy stuff.
>
> The latter group would probably be OK with your implementation.  The
> others would not, so they'd have to use POP/IMAP/SUBMIT and do the
> crypto at home.
>
>>Also, the spam problem becomes challenging in that environment...
>
> For the latter group, you can ask them if it's OK to use their keys
> for spam filtering and they'll probably say it is.  For the former
> group, it's a problem.  Of course, they're only likely to exchange
> encrypted mail with a tiny set of friends, so perhaps you could say
> that the sender's key isn't in someone's address book, rate limit it
> down to one or two messages per day.  That gives an opportunity for
> initial contact, at least until the spammers figure out that their
> botnets have plenty of CPU to invent a new identity and a new key for
> every spam.

In addition to what John said, I think a very useful first step
component would be for Google (Microsoft too!) to run an internal PGP
keyserver (if you don't already have one) and then use it to reject
signed msgs that fail a basic sig test.  You don't need anyone's
private key, and you could sync your keyserver the same way all the
other keyservers do.   This would go a long way towards true message
integrity.

-Jim P.



Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread John Levine
>But I'm not sure what native would look like.  After Lavabit, would the
>type of folks who use pgp actually trust our implementation if they
>couldn't see it and verify it?

In my experience there are two kinds of PGP users.  One is the hard
core who go to key signing parties with their passports in their
pockets. The other is the casual ones who get keys from keyservers
when they send moderately touchy stuff.

The latter group would probably be OK with your implementation.  The
others would not, so they'd have to use POP/IMAP/SUBMIT and do the
crypto at home.

>Also, the spam problem becomes challenging in that environment...

For the latter group, you can ask them if it's OK to use their keys
for spam filtering and they'll probably say it is.  For the former
group, it's a problem.  Of course, they're only likely to exchange
encrypted mail with a tiny set of friends, so perhaps you could say
that the sender's key isn't in someone's address book, rate limit it
down to one or two messages per day.  That gives an opportunity for
initial contact, at least until the spammers figure out that their
botnets have plenty of CPU to invent a new identity and a new key for
every spam.

R's,
John



Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Brandon Long via mailop
We obviously have the web extension, though I haven't seen any updates
there recently either.

But I'm not sure what native would look like.  After Lavabit, would the
type of folks who use pgp actually trust our implementation if they
couldn't see it and verify it?

Also, the spam problem becomes challenging in that environment...

On Sep 2, 2016 5:15 PM,  wrote:

> On Fri, 02 Sep 2016 14:27:39 -0400, Jim Popovitch said:
> > On Fri, Sep 2, 2016 at 4:28 AM, Brandon Long via mailop
> >  wrote:
> > > The spam team would love to send all unauthed mail to the spam label or even
> > > reject it (they call it no auth no entry).
>
> > I'd love to see "no auth no entry", but I'd prefer to see native PGP.  ;-)
>
> Only if you agree to handle all the support calls regarding web-of-trust. :)
>
> (This is a major problem for deploying e-mail crypto at scale -
> http://pgp.cs.uu.nl/plot/ says the strongly connected set in the web-of-trust
> is right around 60,000 keys - which amounts to about 0.001% of the world
> population. You want PGP to take off, you need to find a sane way for the
> *other* 99.999% of the population to do keys correctly)


Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Valdis . Kletnieks
On Fri, 02 Sep 2016 14:27:39 -0400, Jim Popovitch said:
> On Fri, Sep 2, 2016 at 4:28 AM, Brandon Long via mailop
>  wrote:
> > The spam team would love to send all unauthed mail to the spam label or even
> > reject it (they call it no auth no entry).

> I'd love to see "no auth no entry", but I'd prefer to see native PGP.   ;-)

Only if you agree to handle all the support calls regarding web-of-trust. :)

(This is a major problem for deploying e-mail crypto at scale -
http://pgp.cs.uu.nl/plot/ says the strongly connected set in the web-of-trust
is right around 60,000 keys - which amounts to about 0.001% of the world
population. You want PGP to take off, you need to find a sane way for the
*other* 99.999% of the population to do keys correctly)





Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Jim Popovitch
On Fri, Sep 2, 2016 at 4:28 AM, Brandon Long via mailop
 wrote:
> The spam team would love to send all unauthed mail to the spam label or even
> reject it (they call it no auth no entry).


I'd love to see "no auth no entry", but I'd prefer to see native PGP.   ;-)

-Jim P.



Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Michael Peddemors

On 16-09-02 09:35 AM, Aaron C. de Bruyn wrote:

> On that note, wouldn't that just 'move the problem'?  If we waved our
> magic wands and made all e-mail require SPF, DKIM, and DMARC or it goes
> to junk, a mail server compromise would lead to a bunch of spam that was
> SPF-allowed, DKIM-signed, and DMARC-policy-acceptable.  And we'd still
> have spam in our inbox.  ;)



Spammers were often the first ones using those :)

As a matter of fact, there are some spammer specific filtering rules 
that use that as an identifier already :)


All it really does is stop accepting legitimate email that has been 
forwarded on to destination (SPF fail).. but again, remote forwarding 
should go the way of the dodo..


And remember, SPF/DKIM/DMARC are NOT used for spam identification, they are 
used for a very different purpose. (Verifying/Confirming Source)


The fact that forgeries are often spam is simply a by-product..


--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and 
intended solely for the use of the individual or entity to which they 
are addressed. Please note that any views or opinions presented in this 
email are solely  those of the author and are not intended to represent 
those of the company.




Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Wosotowsky, Adam

That is correct.  With IPv6 coming into implementation this moves the problem 
from the intractable problem of identifying infected IP addresses, to the 
tractable problem of identifying good and bad domains and detecting deviation 
from the norm.  It allows you to trash spam that fails basic checking and 
reduce your primary problem to domain reputation and dealing with compromised 
accounts on trusted domains.  It has never been claimed that it was a silver 
bullet to rid the world of spam (many snowshoe spammers already pass spf and 
dkim checks), but it does keep the combat arena out of the swamp.

--adam



From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Aaron C. de Bruyn
Sent: Friday, September 2, 2016 12:36 PM
To: Renaud Allard 
Cc: mailop@mailop.org
Subject: Re: [mailop] Google: Increase in false positives?

On Fri, Sep 2, 2016 at 1:39 AM, Renaud Allard via mailop
<mailop@mailop.org> wrote:

> On 09/02/2016 10:28 AM, Brandon Long via mailop wrote:
> > The spam team would love to send all unauthed mail to the spam label or
> > even reject it (they call it no auth no entry).
>
> IMHO, that would be a good idea. If one big player does it, no-one can
> ignore it, so this enables the others to do it.

On that note, wouldn't that just 'move the problem'?  If we waved our magic 
wands and made all e-mail require SPF, DKIM, and DMARC or it goes to junk, a 
mail server compromise would lead to a bunch of spam that was SPF-allowed, 
DKIM-signed, and DMARC-policy-acceptable.  And we'd still have spam in our 
inbox.  ;)

-A


Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Aaron C. de Bruyn
On Fri, Sep 2, 2016 at 9:22 AM, Laura Atkins 
wrote:

> Gmail is pretty smart, they do a “best guess” SPF where if the sending IP
> is the same as your MX then it’s considered authed even if it’s not
> explicitly set. That covers a lot of small servers that aren’t
> professionally maintained.
>

Yeah, but I'm seeing a lot of stuff from their own Google Groups going to
spam.  And the messages don't appear to be spammy in any way.  (i.e.
django-dev, proxmox-dev, samba-dev stuff).  Clicking 'Not Spam' for the
last few days doesn't appear to have affected it.

I've even had one from my squeaky-clean SPF-enabled, DKIM-signed,
DMARC-policy'd work domain go to spam.

-A


Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Aaron C. de Bruyn
On Fri, Sep 2, 2016 at 1:39 AM, Renaud Allard via mailop 
wrote:

> On 09/02/2016 10:28 AM, Brandon Long via mailop wrote:
> > The spam team would love to send all unauthed mail to the spam label or
> > even reject it (they call it no auth no entry).
> >
>
> IMHO, that would be a good idea. If one big player does it, no-one can
> ignore it, so this enables the others to do it.
>

On that note, wouldn't that just 'move the problem'?  If we waved our magic
wands and made all e-mail require SPF, DKIM, and DMARC or it goes to junk,
a mail server compromise would lead to a bunch of spam that was
SPF-allowed, DKIM-signed, and DMARC-policy-acceptable.  And we'd still have
spam in our inbox.  ;)

-A


Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Laura Atkins

> On Sep 2, 2016, at 2:02 AM, Louis Crossing wrote:
>
> On Fri, Sep 2, 2016 at 4:28 PM, Brandon Long wrote:
> > or even reject it (they call it no auth no entry)
>
> I would think that's a step too far lol. Far too many people don't have SPF
> or DKIM.
> Going to spam doesn't seem too unreasonable though.

Gmail is pretty smart, they do a “best guess” SPF where if the sending IP is 
the same as your MX then it’s considered authed even if it’s not explicitly 
set. That covers a lot of small servers that aren’t professionally maintained. 

laura 

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  
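
The "best guess" fallback described in the message above, combined with the "no auth no entry" disposition it responds to, as an added example that is not part of the original thread and not Gmail's implementation. The zone data, domain names and function names are constructed, and the SPF evaluator handles only `ip4:`/`ip6:` and `all`.

```python
import ipaddress

# Constructed DNS data using documentation address ranges (not real records).
ZONE = {
    "bigsender.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"],
                          "MX": ["mx.bigsender.example"]},
    "smallshop.example": {"MX": ["mail.smallshop.example"]},  # no SPF record
    "mx.bigsender.example": {"A": ["198.51.100.80"]},
    "mail.smallshop.example": {"A": ["198.51.100.25"], "AAAA": ["2001:db8::25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])

def published_spf(ip, record):
    """Minimal evaluator: only ip4:/ip6: mechanisms and 'all' are handled."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")) and \
                addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def mx_addresses(domain):
    """Every A/AAAA address behind the domain's MX hosts."""
    return {ipaddress.ip_address(a)
            for host in lookup(domain, "MX")
            for rtype in ("A", "AAAA")
            for a in lookup(host, rtype)}

def spf_with_best_guess(ip, domain):
    """Return (result, source); the MX fallback applies only without a record."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if records:
        return published_spf(ip, records[0]), "published"
    if ipaddress.ip_address(ip) in mx_addresses(domain):
        return "pass", "best-guess"
    return "none", "best-guess"

def disposition(ip, domain, dkim_pass=False, unauthed="spam"):
    """'No auth no entry': unauthenticated mail is spam-foldered or rejected."""
    result, _ = spf_with_best_guess(ip, domain)
    if result == "pass" or dkim_pass:
        return "continue-filtering"   # authenticated; normal spam checks still run
    return unauthed                   # "spam" or "reject"

if __name__ == "__main__":
    for ip, dom in [("198.51.100.25", "smallshop.example"),
                    ("203.0.113.7", "smallshop.example"),
                    ("198.51.100.80", "bigsender.example")]:
        print(ip, dom, spf_with_best_guess(ip, dom), disposition(ip, dom))
```

The third case shows the limit of the fallback: a domain that publishes a record excluding its own MX gets the published result, not the guess.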







Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Louis Crossing
On Fri, Sep 2, 2016 at 4:28 PM, Brandon Long  wrote:

> or even reject it (they call it no auth no entry)


I would think that's a step too far lol. Far too many people don't have SPF
or DKIM.
Going to spam doesn't seem too unreasonable though.

Cheers,

Louis Crossing | VentraIP Australia
*Lead Technical Administrator*

-- 
*The contents of this email are strictly private and confidential unless 
otherwise noted and is intended for the marked recipients only. If you are 
not a marked recipient please disregard and delete this email.*


Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Renaud Allard via mailop


On 09/02/2016 10:28 AM, Brandon Long via mailop wrote:
> The spam team would love to send all unauthed mail to the spam label or
> even reject it (they call it no auth no entry).
> 

IMHO, that would be a good idea. If one big player does it, no-one can
ignore it, so this enables the others to do it.





Re: [mailop] Google: Increase in false positives?

2016-09-02 Thread Brandon Long via mailop
The spam team would love to send all unauthed mail to the spam label or
even reject it (they call it no auth no entry).

We're not there yet, though.  Though, we mostly do that for ipv6 at this
point, and we're cranking on all of the big pieces that are remaining.

But that's probably not the cause of the false positives at this point.

Brandon

On Thu, Sep 1, 2016 at 11:05 PM, Louis Crossing <
lcross...@staff.ventraip.com> wrote:

> Google announced some changes with regards to warnings a few weeks ago:
> http://googleappsupdates.blogspot.com.au/2016/08/making-email-safer-with-new-security-warnings-in-gmail.html
>
> I haven't seen a big increase in stuff going to my spam folder but I have
> seen a big increase in emails flagged with the question mark (even your
> email because mailop mailing list relays it and therefore breaks the
> validation).
>
> Maybe it's related?
> Particularly if a domain has SPF or DKIM and it fails that validation. I
> can't imagine Google would send emails to spam simply because there's no
> SPF or DKIM though.
>
> Cheers,
>
> Louis Crossing | VentraIP Australia
> *Lead Technical Administrator*
>
> On Fri, Sep 2, 2016 at 12:47 PM, Aaron C. de Bruyn 
> wrote:
>
>> Just wondering if anyone else has noticed a *huge* uptick in false
>> positives with GMail or Google Apps?
>>
>> Before this week, I'd get one legit message in spam folder every month
>> or two.
>>
>> This week, lots of stuff from mailing lists (several on Google Groups) is
>> going to spam as well as a few messages from friends and family using major
>> providers like Yahoo and Hotmail.
>>
>> Is anyone else seeing this, or did my kids sneak in while I was at work
>> and hammer the 'Spam' button?
>>
>> -A
>
> *The contents of this email are strictly private and confidential unless
> otherwise noted and is intended for the marked recipients only. If you are
> not a marked recipient please disregard and delete this email.*


Re: [mailop] Google: Increase in false positives?

2016-09-01 Thread Louis Crossing
Google announced some changes with regards to warnings a few weeks ago:
http://googleappsupdates.blogspot.com.au/2016/08/making-email-safer-with-new-security-warnings-in-gmail.html

I haven't seen a big increase in stuff going to my spam folder but I have
seen a big increase in emails flagged with the question mark (even your
email because mailop mailing list relays it and therefore breaks the
validation).

Maybe it's related?
Particularly if a domain has SPF or DKIM and it fails that validation. I
can't imagine Google would send emails to spam simply because there's no
SPF or DKIM though.

Cheers,

Louis Crossing | VentraIP Australia
*Lead Technical Administrator*

On Fri, Sep 2, 2016 at 12:47 PM, Aaron C. de Bruyn 
wrote:

> Just wondering if anyone else has noticed a *huge* uptick in false
> positives with GMail or Google Apps?
>
> Before this week, I'd get one legit message in spam folder every month or
> two.
>
> This week, lots of stuff from mailing lists (several on Google Groups) is
> going to spam as well as a few messages from friends and family using major
> providers like Yahoo and Hotmail.
>
> Is anyone else seeing this, or did my kids sneak in while I was at work
> and hammer the 'Spam' button?
>
> -A

-- 
*The contents of this email are strictly private and confidential unless 
otherwise noted and is intended for the marked recipients only. If you are 
not a marked recipient please disregard and delete this email.*
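
One way a list relay breaks validation, as an added example that is not part of the original message: the DKIM body hash (`bh=`, RFC 6376) stops matching once the list appends its footer. It assumes the sender DKIM-signs with SHA-256 and that the footer is the modification, which the thread does not state; the message body is constructed.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple': ignore trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed': also collapse whitespace runs and trim line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon) -> str:
    """Value a signer places in bh= and a verifier recomputes on receipt."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def bh_matches(signed_body: bytes, received_body: bytes, canon) -> bool:
    return body_hash(signed_body, canon) == body_hash(received_body, canon)

# Constructed message body as the author's server signed it
# (note the trailing spaces on the first line).
ORIGINAL = (b"Has anyone else noticed an uptick  \r\n"
            b"in false positives?\r\n\r\n-A\r\n")

# Footer text as it appears in this archive.
LIST_FOOTER = (b"___\r\nmailop mailing list\r\nmailop@mailop.org\r\n"
               b"https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop\r\n")

def relay_via_list(body: bytes) -> bytes:
    """The list forwards the body with its footer appended."""
    return body + LIST_FOOTER

# A relay that only trims line-end spaces and adds blank lines at the end.
WHITESPACE_ONLY = (b"Has anyone else noticed an uptick\r\n"
                   b"in false positives?\r\n\r\n-A\r\n\r\n\r\n")

if __name__ == "__main__":
    for name, canon in (("simple", canon_simple), ("relaxed", canon_relaxed)):
        print(name,
              "footer:", bh_matches(ORIGINAL, relay_via_list(ORIGINAL), canon),
              "whitespace:", bh_matches(ORIGINAL, WHITESPACE_ONLY, canon))
```

Relaxed canonicalization tolerates the whitespace-only relay but not the footer, so the signature fails at the receiver under either setting.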


[mailop] Google: Increase in false positives?

2016-09-01 Thread Aaron C. de Bruyn
Just wondering if anyone else has noticed a *huge* uptick in false
positives with GMail or Google Apps?

Before this week, I'd get one legit message in spam folder every month or
two.

This week, lots of stuff from mailing lists (several on Google Groups) is
going to spam as well as a few messages from friends and family using major
providers like Yahoo and Hotmail.

Is anyone else seeing this, or did my kids sneak in while I was at work and
hammer the 'Spam' button?

-A