Gmail Spam Attack on June 30th

Did you receive more spam than usual in your Gmail account at the end of June? Or did you receive more spam IN YOUR INBOX than usual? It might have been due to this. Google just released a root cause analysis of an issue from June 30th, where "Google's email delivery service was targeted in what we believe was an attempt to bypass spam classification." Sounds like the issue resulted in email delivery delays and some messages not getting spam filtered properly. Find more details here.

I *think* this is the same issue that Ben Schoon from 9to5Google is reporting on here.

Hey good senders, this is just another reminder that sometimes ISPs/webmail providers have bigger things to attend to, beyond whatever our problems are. It's good to remember that we may not be the only problem on a provider's plate. And let's not forget that there are lots of bad guys out there trying to send BILLIONS of spam messages every day. You'd never believe the amount of spam a large webmail provider like Gmail or Yahoo Mail (Verizon) or Microsoft OLC (Hotmail) are forced to process or reject every day. The unwanted junky stuff made up around 45% of internet email traffic as of March.

Re-visiting mail forwarding in a DMARC world

Forwarding email messages automatically can be tricky, as evidenced by recent conversation on the Mailop list. Email forwarding always breaks SPF authentication, and can easily break DKIM authentication if you modify any of the headers (and knowing which headers to stay away from can take a bit of work). But it's still doable if you take some care.

For me, this was a solved problem way back in 2015. In a nutshell, I have a script that will just grab the mail, rewrite the headers, send it on with my domain and IP as the sender (properly authenticated with DKIM and SPF). (Funny how I thought ARC would eventually help with email forwarding, but its use case seems perhaps only suited to the biggest providers.)

Last night, I updated my email forwarding script slightly and here's where you'll find the new version. It's still potentially pretty fragile in that it makes a lot of assumptions about the case sensitivity of headers, but in my (admittedly limited) use case, I actually haven't had any trouble with this in years. If you capture mail on a Linux server running postfix/Maildir set up, you could easily modify this script to edit the username, sender address, and recipient address, and drop it into your server to be called by cron periodically and it'll happily pick up mail, rewrite the headers to prevent DMARC-related forwarding issues, and then email it onward it on as directed.

Here's my top five best practices for email forwarding, if you want to do as I do:
  1. Don't forward spam. Have a spam filter in front of this. Otherwise you'll damage your own IP/domain reputation. (Perhaps even have a separate sending IP address or at lease a separate DKIM domain for forwarding, if you're really worried about this.)
  2. Send as you, not as them. The forwarded mail should have your from domain and you should sign the forwarded mail with your DKIM signature. I strip away the old signature (change the header name to X-DKIM-Signature) to fully remove it from the equation.
  3. Make sure that the mail is fully authenticated. DKIM as noted above, sending IP address is in the SPF record of the return-path domain, domain has a DMARC record. All help with deliverability, directly or indirectly.
  4. Rewrite the return-path address. Why? If you don't, you'll potentially run afoul of DMARC policy due to SPF authentication failure, and some of the forwarded mail will be rejected. (I don't recommend bothering that you configure it to play nice with Sender Rewriting Scheme as SRS is not widely implemented.)
  5. Preserve the original from address in the reply-to field, if at all possible. That way users can still respond to the original sender, in spite of the DMARC-necessary header rewriting. This doesn't always work perfectly, as Gmail has some safeguards to prevent what they think may be funny business in from/reply-to combinations. But it generally works. (And Gmail's limitations aren't set in stone.)
And finally, keep in mind that email forwarding can be complex and imperfect. The biggest providers do it, but I think some of their success with it is due to bending email authentication checks and/or whitelisting forwarding IP addresses, which are options not always available to the hobbyist or smaller enterprise. That doesn't mean you can't or shouldn't do it, but like with so many things deliverability-related, it's important to "keep your nose clean" and do whatever you can to ensure that your IP address and domain are only sending (or in this case forwarding) wanted mail.

(And don't complain to me about how this "breaks email" -- no, email has changed, email has evolved, and the old ".forward" method of email forwarding hasn't been very compatible with most large mailbox providers for years. I strongly feel that you have to adapt and evolve if you want continued success.)

BYE: My first impressions

If you recall my recent review of the new HEY email service, you'll remember that I wasn't convinced that it was the right email tool for me. Maybe you felt the same way? Maybe not. But if you didn't feel like HEY was the next big thing, BYE might just be the right email service for you! Clearly inspired by HEY, BYE promises to be "the first email service to automatically respond with an insult, and then delete every email sent to you." I think I'm in love. Read all about it here

Joking aside -- I am struck by another comparison with HEY. That still, this is stuff you can just as easily do with Gmail. How do I know? A couple of years ago, my wife published a particular op-ed in the Washington Post and this is exactly what we ended up having to do just afterward. We configured a Gmail account to auto-reply with a "go away" message and delete everything. We had to. Stop and think about what kind of angry emails you might get in response to political speech. And then double the abuse to account for how jerks treat women online. That mailbox was wholly radioactive -- we could feel the heat all the way from the next room, even with the laptop closed.

Huh, you know, the more I think about it, maybe we do need an email service like BYE.

Quick List: ESP Abuse/Spam Contact List

There are useful tools out there that can help you figure out where to send a spam report to. I use the ARIN Regional Internet Registry and abuse.net nearly every day to look up spam reporting (abuse) contacts for IP addresses and domains. Some folks use SpamCop (which historically does not play nice with ESPs, so it's not as valuable to me). I don't necessarily have the time or skills to build something as technically complex or useful as these tools, but I did want to try to make it easier for people to find spam/abuse contact information for various sending email platforms (ESPs, email service providers). To that end, I've reached out to various providers and asked them to share contact info so that I can share it with you here.

HEY: My first impressions

HEY is a new email service with webmail and a mobile client, recently launched by the folks behind Basecamp, a web-based project management tool. HEY users receive email at the domain hey.com.

They're selling email service for $99/year (or more). If you're really just interested in a taste of deliverability and rendering testing, you can get a free trial account that lasts for two weeks (and HEY gets to pick your username). You can initiate that free trial from inside the mobile app or on the web. (I tested the iOS app; YMMV on Android.)

Reporting Spam to Apple from your iCloud Mail account

Apple's iCloud Mail doesn't have an ISP Feedback Loop (the mechanism that sends spam reports back to the sender or sending email platform), but even so, I think it is good to tell them when you believe a particular email message to be spam.

Full headers: What are they and how to access them

Internet email messages have hidden headers (that email technology people commonly call "full headers") that can help you trace the source of a message and these can come in very handy for troubleshooting email delivery issues or reporting spam.

Reporting spam with Outlook on iOS

Good news! The latest version of the Outlook email client for iPhone (version 4.42.0) now supports user submission of spam and phishing reports. TL; DR? When viewing a message in Outlook on your iPhone, open the "more" (three dots) menu and select "report junk" to tell Microsoft that you think a particular email message is spam.

You WANT spam folder delivery?

You don't want your mail to go to the inbox? What? Why would you want that?

But OK, if you truly want to send an email message and ensure that it goes to the spam folder, The Next Web reports on a tool called Straight2Spam, for those times when you want to email somebody but want them to possibly miss the email by having it delivered to the spam folder. It sounds like a fine opportunity to engage in passive aggressive behavior, if you ask me.

You might be wondering, how well does it work? I have no idea. I've got a full time job and no spare cycles to test this kind of nonsense myself. You should try it out and let me know if it gets the job done.