Peter N. M. Hansteen asks the question, "Does Your Email Provider Know What A "Joejob" Is?" in his blog and provides some data and discussion. He provides anecdotal evidence which seems to indicate that Google and possibly other mail service providers are either quite ignorant of history when it comes to email and spam, or are applying unsavory tactics to capture market dominance.
[Ed Note: I had to look up "joe job" to find out what it is. According to wikipedia:
A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them (see also e-mail spoofing), but they are now typically used by commercial spammers to conceal the true origin of their messages.
]
(Score: 5, Informative) by Anonymous Coward on Monday April 25 2016, @12:04AM
It is kind of a PITA to get all 3 set up and working. Their separate but connected status reflects the piecemeal/evolution of email authentication over the years.
SPF [wikipedia.org]
DKIM [wikipedia.org]
DMARC [wikipedia.org]
Also I've noticed that google "remembers" SMTP relays associated with senders. I switched my outbound SMTP server and email from one of my addresses to one specific gmail address started bouncing - those two addresses talked to each other a lot. Switched back to the original relay and the bounces stopped. No problems with other low volume correspondance to other gmail accounts.
(Score: 4, Interesting) by Whoever on Monday April 25 2016, @12:38AM
I believe that you are correct. The problem is that Google allows this historic data to override SPF. When I changed my outgoing mail server, my emails sent to gmail started going into spam folders, despite having valid SPF.
I think that many large email providers just make sure that they accept emails from other large providers and they don't care beyond that. The end goal for Google is to make it impossible to run your own mail server and hence increase the number of domains hosted at Google.
I have set up SPF, DKIM and DMARC records. I think that they make very little difference. For support of this proposition, look at the scores for DKIM in SpamAssassin.
(Score: 3, Interesting) by TheRaven on Monday April 25 2016, @08:37AM
I have set up SPF, DKIM and DMARC records. I think that they make very little difference. For support of this proposition, look at the scores for DKIM in SpamAssassin.
I'm not sure about the more recent things, but someone did a study a few years after SPF was introduced and found that over 90% of domains with valid SPF records were owned by spammers. It's easy to register a new domain and add SPF records.
That's fine, because SPF was never intended to say 'this mail is not spam', it was intended to say 'all emails that come from the wrong server are spam and if messages from this domain are spam then it's safe to bounce them back to this server'. In spite of that, the last time I was on the receiving end of a Joe Job it was from a domain that had SPF records set up correctly and the server responsible for bouncing all of the spam at me as GMail.
sudo mod me up
(Score: 0) by Anonymous Coward on Monday April 25 2016, @11:59AM
> 'this mail is not spam', it was intended to say 'all emails that come from the wrong server are spam and if messages from this domain are spam then it's safe to bounce them back to this server'.
No that is not what SPF is intended to do. For one thing, who bounces spam? That goes into spam folders or is null routed. All SPF is intended to do is say whether or not the sending host is authorized to deliver the message or not. Its up to the receiving host to decide what to do with that information.
> In spite of that, the last time I was on the receiving end of a Joe Job it was from a domain that had SPF records set up correctly and the server responsible for bouncing all of the spam at me as GMail.
It doesn't matter if the spammer's domain had an SPF record, what matters is if your domain had a restrictive SPF record.
Even then it is possible to set up SPF in such a way as to permit anyone to impersonate your domain. I've seen lots of SPF guides that recommend ~all or even +all at the end of the SPF record.
(Score: 0) by Anonymous Coward on Monday April 25 2016, @10:53AM
Yep, they don't care. My employer runs their own email server, and we have constant headaches with emailed reports we send out being sent to the spam folder or sometimes just disappeared entirely.
My standard response has been to forward the copy of the email (report engine saves this) and just say something to the effect of let your IT department or consultant know. If they want an escalation, the server admin will forward info from the mailserver log showing that we did our part and delivered it "to the next relay."
Of course, nobody ever does anything about it to resolve the problem. I suspect there's a lot of apathy out there among small businesses that use gmail in particular. Everybody knows that if Google doesn't want to do something, Google doesn't want to do something, and they'll tell you "fuck you" for trying to contact them about a problem.
I forget if we've got DMARC set up, but SPF and DKIM are there. Doesn't make a damn difference.
(Score: 0) by Anonymous Coward on Monday April 25 2016, @04:17PM
> For support of this proposition, look at the scores for DKIM in SpamAssassin.
So I took you up on that and did go looking.
The rule that would be most useful is still just a test-mode rule - T_DKIM_INVALID - the message fails DKIM validation.
Apparently the reason they have not promoted that to a full-blown rule is that too many domains have screwed up their DKIM implementation and it would give too many false positives if they made it an official rule.
That's not really an indictment against DKIM being effective, but rather a problem of too many sloppy sysadmins.
(Score: 0) by Anonymous Coward on Monday April 25 2016, @01:34AM
You know GPG is effective because nobody looks at the signature just like you know SPF and DKIM and DMARC are totally effective because nobody gives a shit and everyone just sees your name as the sender and fucking shitcans you forever.
Hint: none of your eggheadery technical "solutions" do jack-shit on the receiving end.
(Score: 1, Insightful) by Anonymous Coward on Monday April 25 2016, @01:50AM
(Score: -1, Troll) by Anonymous Coward on Monday April 25 2016, @02:06AM
If your recipients actually use an email client that understands GPG,
... and you fail.
If you can expect your recipients to use special tools to read your email, then you can negotiate to use something other than email instead. Email is the absolute worst form of communication and you should not be using it for anything ever unless you literally have no other option.
Stop trying to fix email, you moron. Email is broken. Stop using email.
(Score: 1, Informative) by Anonymous Coward on Monday April 25 2016, @02:13AM
Except that every client on the planet, short of webmail, does S/MIME, which is GPG for grownups (the DOD uses it). Your smartphone can do S/MIME. kMail and Thunderbird did S/MIME since forever. Outlook, Apple Mail, hell even Alpine and Mutt do S/MIME. Nothing special about it, nothing needed beyond what you have, unless you're reading your mail on a webmail client, in which case your privacy was fucked from the start. Except for webmail, i.e. the power of Google's Gmail, there's absolutely no excuse for all mail not already being end-to-end clientside encrypted: the tech is already in place. Google is what's standing in the way.
(Score: 3, Interesting) by TheRaven on Monday April 25 2016, @08:35AM
The problem with S/MIME is similar to that of GPG. If you're using it for signing, it's trivial to strip the signature and then modify the message. How many users will notice that the signature is not there? Most mail clients have a UI that prominently displays when a signature is present (though I notice Apple Mail has made that less visible in recent versions), but when it's not present they display nothing. Unless you train users to actively look for the signature, it doesn't help. Ideally, mail clients should recognise senders and warn when you get messages from someone who normally signs mail but hasn't this time.
If you're using it for encryption, then you are back to the key distribution problem. You need to get the recipient's public key to be able to encrypt the message and that then ensures that no one other than the recipient can read it (so no mailing lists, for example - though it would be nice if the list software could have its own key pair for the list, decrypt and then encrypt with each list member's public key).
sudo mod me up
(Score: 0) by Anonymous Coward on Monday April 25 2016, @06:41PM
S/MIME already works with mailing lists. See https://www.sympa.org/manual/x509 [sympa.org].
(Score: 1, Insightful) by Anonymous Coward on Monday April 25 2016, @02:32AM
Email is the absolute worst form of communication and you should not be using it for anything ever unless you literally have no other option.
Indeed. Just wanted to second this. Just like HTML / CSS / JS, it all needs to be refactored. Everycoder knows refactoring is a necessity to stave off codebase entropy after a while, and yet many morons throw their arms up in hopeless stupor and proclaim it's impossible to do with email, or other web technologies. Yes, yes, "migration resistant", blah blah blah. Telegraphs were migration resistant too...
(Score: 2) by butthurt on Monday April 25 2016, @02:12AM
A joe-jobber is free to send messages to anyone, not only the highly computer-literate correspondents you've cultivated.
(Score: -1, Troll) by Anonymous Coward on Monday April 25 2016, @02:22AM
Elitist fools still think they can fix email. Everyone else uses Facebook instead.
(Score: 0) by Anonymous Coward on Monday April 25 2016, @03:55AM
(Score: 0) by Anonymous Coward on Monday April 25 2016, @04:00AM
(Score: 0) by Anonymous Coward on Monday April 25 2016, @02:54AM
Wow.
I never expected to hear hotmail [office.com], gmail, [threatpost.com] yahoo mail [yahoo.com] and aol [aol.com] users referred to as "highly computer-literate," least of all here on soylent.
This place is really slipping. Eternal september!
(Score: 2) by butthurt on Monday April 25 2016, @04:13AM
While I'm certain that some users of all those services are also users of PGP/GPG, I'm not aware of anything those services do to facilitate or encourage the use of PGP or GPG. None of the pages you've linked contain the terms "PGP" nor "GPG." I don't think I'm mistaken in assuming that the users of that software are, globally, a small minority of the people who use e-mail.
The grandparent post asserted:
I thought it obvious that my response alluded to that bit. Sorry for the misunderstanding.
(Score: 0) by Anonymous Coward on Monday April 25 2016, @05:25AM
Even if you were not being disingenuous about PGP, the fact remains that a joe-jobber is NOT free to send messages to any of those email services because his messages will be tagged as spam or even routed straight to /dev/null before any PGP signatures are even parsed.
(Score: 2) by butthurt on Monday April 25 2016, @08:02AM
LOL, in what way might I be "disingenuous about PGP," pray tell?
"Attempt to send," then, if you prefer. A spammer can attempt to send messages to any e-mail address in the world, as well as nonexistent ones. Spammers exchange lists comprising millions of addresses. There are plenty of mail servers in the world that, when they identify a message as spam or malware, or as having an invalid recipient, will send a DSN (often including the original message) to the address on its "To:" line. Get joe-jobbed, and your mailbox will be deluged with crap. You got all your correspondents to use Google Mail, Yahoo Mail, Hotmail and AOL? Great, and do those services keep you from seeing DSNs from other e-mail providers?
(Score: 0) by Anonymous Coward on Monday April 25 2016, @11:45AM
> LOL, in what way might I be "disingenuous about PGP," pray tell?
>
> "Attempt to send," then, if you prefer. A spammer can attempt to send messages to any e-mail address in the world,
Same way you are being disingenuous now. What an utterly meaningless, goal-post moving restatement.
But whatever it takes to make you feel like you weren't just being a snarky idiot, right?
Did you know how apropos your username was when you picked it?
(Score: 2) by butthurt on Monday April 25 2016, @03:43PM
Not at all. I was simply offering a clarification. You prefer to misunderstand, fine.
(Score: -1, Redundant) by Anonymous Coward on Monday April 25 2016, @03:58AM
(Score: 0) by Anonymous Coward on Monday April 25 2016, @01:57AM
Hey jack-off!
All the major email services now verify spf/dkim/dmarc. They don't necessarily process that information identically, but they all use it as part of their anti-spam process. So climb under whatever rock you live under and keep your trap shut in front of your betters.
(Score: 0) by Anonymous Coward on Monday April 25 2016, @02:18AM
You must love spam since you feel the need to process the hell out of your messages to keep that Spam Message Transport Protocol alive.
(Score: 2) by maxwell demon on Monday April 25 2016, @10:13AM
So what do you propose a replacement should look like?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by zocalo on Monday April 25 2016, @06:36AM
UNIX? They're not even circumcised! Savages!