[openssl-users] Fwd: CONGRATULATION____REF#87670

Jakob Bohm jb-openssl at wisemo.com
Mon Apr 4 16:03:11 UTC 2016

Key Fact: Not all e-mail is sent by or through 800 pound
gorilla providers such as Google.

Many organizations and businesses (including the OpenSSL
project) run their own e-mail servers and simply don't
have the manpower to track and implement every new
"anti-spam flagging" fad that comes along.

For example SMTP2SMTP encryption (aka SMTP with STARTTLS
and various configuration option choices) is default in
some MTA implementations, yet nearly impossible to add
in others.

Therefore setting up rules banning any domains not
implementing the latest "standard" anti-spam measures
would be extremely stifling and would force many more
people to send through surveillance-happy organizations
such as Google.

And anyway, this seems to be a case where the genuine
operator of an e-mail domain is failing to correctly
authenticate submissions by their own users, which no
amount of 3rd party automation (other than blacklisting
the failing provider, in this case gmail) could stop.

On 03/04/2016 00:30, Ben Humpert wrote:
> Fun Fact: (For me) Gmail often marks completely legit emails from
> mailing lists as spam and you manually have to mark them as "no spam".
> The fun comes in when you notice that actual spam is not marked as
> such at all.
> Looks like strong encryption is much easier to develop than a decent
> spam filter.
> The main problem I guess is that neither Google nor any other major
> email provider actually block other email providers who do not offer
> SPF, SMTP2SMTP encryption or whatever else. If they would do so, we
> would have solved most major (email) problems within a week or at
> least a month. Either by forcing those to offer these security
> features or by "killing" these providers indirectly.
> 2016-04-02 17:41 GMT+02:00 Jeffrey Walton <noloader at gmail.com>:
>> On Sat, Apr 2, 2016 at 11:24 AM, Salz, Rich <rsalz at akamai.com> wrote:
>>>> why is junk like this not being caught?
>>> Almost all of it is.  Nothing is perfect.  Thanks for your understanding and patience.
>> I was looking at some of it landing in my Inbox. Its all from Gmail
>> users. The headers are Gmail headers submitted via the web. The DKIM
>> signatures are OK. There are no headers to indicate its been
>> forwarded. The {from|return|reply to} address does not appear to
>> forged. Here's an example header from another Gmail user who contacted
>> me: http://pastebin.com/hRAtRt7S.
>> I've also had a couple of people contact me asking me to stop spamming
>> them. I looked at two of those headers, and it clearly appears to be
>> coming from me though I did not send it (and no evidence in my
>> Outbox).
>> I'm thinking there's a vulnerability in the Gmail or Google servers we
>> have not heard about.
>> Jeff
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10 
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list