<div dir="ltr"><div>You're assuming that IPv6 is at fault, but as I've already mentioned, if I change the From and MAIL FROM to one of the other domains with a DNS zone similar to the primary one with crontab-acquired "very low reputation", without changing anything else, then the identical messages do get through at the SMTP stage — and show up directly in Inbox — i.e., don't even end up in the Spam folder, either.</div><div><br></div><div>So, sorry, but I'm not going to go around blocking my IPv6 for no reason.<br></div><div><br></div><div>C. <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 24 Oct 2019 at 07:41, Alain Hebert <<a href="mailto:ahebert@pubnix.net">ahebert@pubnix.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
"Trust Andrew(tm) when I say this."<br>
<br>
Disable your IPv6 access to their mail server.<br>
<br>
At Google, something hasn't worked, well since the beginning of
time, when it come to propagating your domain reputation to
<something> handling incoming emails using IPv6.<br>
<br>
I just had the case last week when a customer account go abused
and dropped their domain reputation to 0 for GMail/GSuite. Nothing
worked until I made outgoing emails connection "icmp unreachable"
thru IPv6.<br>
<br>
Example with ipfw.<br>
<br>
ipfw add [rule number] reject ip6 from me6 to any 25<br>
ipfw add [rule number] reject ip6 from me6 to any 587<br>
<br>
Good luck.<br>
<pre cols="72">-----
Alain Hebert <a href="mailto:ahebert@pubnix.net" target="_blank">ahebert@pubnix.net</a>
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 <a href="http://www.pubnix.net" target="_blank">http://www.pubnix.net</a> Fax: 514-990-9443
</pre>
<div>On 2019-10-23 20:18, Constantine A.
Murenin wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Dear NANOG@,<br>
<br>
I'm not sure where else to post this, and this is not really
new, either, but I think I have a new take here.<br>
<br>
I use my own personal domain name for various UNIX stuff,
including sending log-related things to myself out of cron,
which end up in my own Gmail.com account, either directly,
or through forwarding (w/o SRS). (I do not use G Suite for
my own domain name, for obvious reasons; just the
consumer-based <a href="http://gmail.com" target="_blank">gmail.com</a> email address from
the old times of invitation-based registrations.)<br>
<br>
Over the years, I sometimes had certain messages rejected by
Gmail, but it was a very low rate of rejection (less than 5%
for any mail I cared about), and wasn't a major problem
(usually only some automated messages would be rejected).<br>
<br>
A couple of months ago, I setup some new scripts that would
send me new nightly emails. It's all plain text, but had a
few dozen of domain names present (it's logs). Absolutely
no links, just plenty of domains which I don't control. So,
Gmail has been presenting most of these messages with their
red warning label that the email contains malicious links,
even though all of these emails contained zero links, zero
URLs to any of these unknown domain names, zero URL schemes,
zero "http://", zero "https://" etc. You get the idea.<br>
<br>
Since about a few weeks ago, I am now seeing at least a 95%
rejection rate for my domain name, for ALL email, including
the forwards. Including emails which I send to myself from
within Google, and which get forwarded back to Gmail by my
UNIX machine (which is not known to break Gmail's DKIM,
either, although it's also difficult to test, because when
it does get through, it's automatically marked as a
duplicate by Gmail, so, you don't get DKIM status from Gmail
by looking at the headers, since you only get to examine the
original copy that was sent, not the forwarded duplicate
that was subsequently accepted). I.e., emails with a
passing DMARC still get rejected.<br>
<br>
The funny thing is, Google doesn't actually blacklist my
primary IPv6 address in my own /48 from which all of my
messages originate; even though the rDNS resolves to a
subdomain on the very same domain name which they've
blacklisted "due to the very low reputation". They've
blacklisted just the main domain name that I use for my own
non-Gmail-hosted mail. Sending the same messages into my
Gmail.com from a different domain name in MAIL FROM, which
is served from the same zone file DNS-wise (e.g., an SPF
pass), through sendmail's `-f` option, or with Mutt, makes
the messages go through (even with rDNS being "low
reputation"); sending it from my primary domain name in MAIL
FROM results in the following:<br>
<br>
>>> DATA<br>
<<< 550-5.7.1 [2001:470:xxxx:: 19] Our system
has detected that this message is<br>
<<< 550-5.7.1 likely suspicious due to the very low
reputation of the sending<br>
<<< 550-5.7.1 domain. To best protect our users
from spam, the message has been<br>
<<< 550-5.7.1 blocked. Please visit<br>
<<< 550 5.7.1 <a href="https://support.google.com/mail/answer/188131" target="_blank">https://support.google.com/mail/answer/188131</a>
for more information. 135si403977wma.43 - gsmtp<br>
554 5.0.0 Service unavailable<br>
<br>
The support article suggests using Postmaster Tools; great,
never heard of it, sounds cool; let's verify our domain, and
try it out, hopefully, there's a solution right there.<br>
<br>
However, after verifying my domain name through DNS for
Postmaster Tools, it is revealed that Postmaster Tools
cannot tell me anything at all, with all tabs and screens
being 100% blank, allegedly because I'm not actually a mass
email sender (I don't send hundreds of emails a day or
whatnot), and they're too afraid that I'll figure out why my
mail doesn't actually go through, instead of signing up for
G Suite.<br>
<br>
Right now, I've had a business need to reply to a
work-related email from some other business.<br>
<br>
This is what I got after sending my reply from my primary
domain name through mutt — a nice double rejection by both
the G Suite and Gmail in a single bounce generated by my
server:<br>
</div>
<div><br>
</div>
<div><br>
----- Transcript of session follows -----<br>
... while talking to <a href="http://aspmx.l.google.com" target="_blank">aspmx.l.google.com</a>.:<br>
>>> DATA<br>
<<< 550-5.7.1 [2001:470:xxxx:: 19] Our system
has detected that this message is<br>
<<< 550-5.7.1 likely suspicious due to the very low
reputation of the sending<br>
<<< 550-5.7.1 domain. To best protect our users
from spam, the message has been<br>
<<< 550-5.7.1 blocked. Please visit<br>
<<< 550 5.7.1 <a href="https://support.google.com/mail/answer/188131" target="_blank">https://support.google.com/mail/answer/188131</a>
for more information. z11si12494671wrw.137 - gsmtp<br>
554 5.0.0 Service unavailable<br>
... while talking to <a href="http://gmail-smtp-in.l.google.com" target="_blank">gmail-smtp-in.l.google.com</a>.:<br>
>>> DATA<br>
<<< 550-5.7.1 [2001:470:xxxx:: 19] Our system
has detected that this message is<br>
<<< 550-5.7.1 likely suspicious due to the very low
reputation of the sending<br>
<<< 550-5.7.1 domain. To best protect our users
from spam, the message has been<br>
<<< 550-5.7.1 blocked. Please visit<br>
<<< 550 5.7.1 <a href="https://support.google.com/mail/answer/188131" target="_blank">https://support.google.com/mail/answer/188131</a>
for more information. 135si403977wma.43 - gsmtp<br>
554 5.0.0 Service unavailable<br>
<br>
<br>
Changing MAIL FROM into a non-primary domain name (served
out of an identical zone file, basically) gets the message
accepted, without DKIM, without the 4-minute delay that many
"suspicious" messages have had for months now, from the very
same IPv6 address with the rDNS pointing to the domain name
with "the very low reputation", and it shows up in both my
own Gmail as well as, presumably, in the G Suite account of
the business partner I was replying to. (Note that this
trick where the rDNS domain gets ignored works only for new
emails with a passing SPF; I presume the rDNS still prevails
in bringing the "low reputation of the sending domain" for
forwards, as they don't seem to succeed any longer now.)<br>
<br>
<br>
There are a number of possible tl;dr: takeaways here:<br>
<br>
* don't spread the monoculture — don't use G Suite for your
organisation;<br>
<br>
* don't send crontab output to your Gmail from your primary
domain name;<br>
<br>
* don't use Gmail.<br>
<br>
<br>
</div>
What is my own takeaway here?</div>
<div><br>
</div>
<div>* Without being an anti-Google zealot, from a purely
practical perspective, since my Gmail account no longer
contains the mail I care most about, as it gets rejected on
the SMTP layer, I'll have fewer reasons to use it.<br>
</div>
<div><br>
</div>
<div>* I'll now have no other choice but to modify my setup to
stop forwarding to Gmail, because my business contacts don't
need to see all these bounces that are now taking place.<br>
</div>
<div><br>
</div>
<div>* Since so many businesses are G Suite useds, I'm still
looking for a solution to get rid of the "the very low
reputation of the sending domain" from a domain name I've been
using since 2007, and which I'm 100% convinced was blacklisted
by Google entirely for me sending crontab with system logs
(zero HTML, zero URLs) to my own Gmail. I have SPF and DMARC
all setup and passing since years ago, which doesn't stop this
issue from occurring. Merely switching the name of the domain
in From and MAIL FROM to any other domain I own (which points
to the very same MX) appears to be my workaround for now.<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Some possible suggestions for Google, if I may:</div>
<div><br>
</div>
<div>* Maybe don't convert schemeless domain names which are
non-URLs into "malicious" URLs? (They already do seem to
block them from being presented as links in the UI in such an
instance, but there's little reason for trying to convert
these domain names into links in the first place.)<br>
</div>
<div><br>
</div>
<div>* Maybe don't consider harmless plain text emails with a
bunch of domain names to contain malicious links when they
don't?</div>
<div><br>
</div>
<div>* Maybe don't assume everyone with a domain name runs a G
Suite? (Their whole troubleshooting guide is built around
it.)<br>
</div>
<div><br>
</div>
<div>* Maybe don't assume everyone with a domain name sends
hundreds of emails from their domain name per day? (They seem
to limit Postmaster Tools based on such a criterion.)</div>
<div><br>
</div>
<div>* Maybe don't blacklist a domain name for sending harmless
logs to a Gmail account that lists said domain name as an
alternative From address?<br>
</div>
<div>
<div><br>
</div>
<div><br>
Cheers,</div>
<div>Constantine.</div>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote></div><br></div>