<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
This is not an assumption, it is my experience.<br>
<br>
Sorry it didn't fit your case.<br>
<pre class="moz-signature" cols="72">-----
Alain Hebert <a class="moz-txt-link-abbreviated" href="mailto:ahebert@pubnix.net">ahebert@pubnix.net</a>
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 <a class="moz-txt-link-freetext" href="http://www.pubnix.net">http://www.pubnix.net</a> Fax: 514-990-9443
</pre>
<div class="moz-cite-prefix">On 2019-10-24 17:10, Constantine A.
Murenin wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPKkNb7q07kZBHPN4eUB+RFUgVaVU8v2Q5Hi29ou4kKZUF2Ofw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>You're assuming that IPv6 is at fault, but as I've already
mentioned, if I change the From and MAIL FROM to one of the
other domains with a DNS zone similar to the primary one with
crontab-acquired "very low reputation", without changing
anything else, then the identical messages do get through at
the SMTP stage — and show up directly in Inbox — i.e., don't
even end up in the Spam folder, either.</div>
<div><br>
</div>
<div>So, sorry, but I'm not going to go around blocking my IPv6
for no reason.<br>
</div>
<div><br>
</div>
<div>C. <br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 24 Oct 2019 at
07:41, Alain Hebert <<a href="mailto:ahebert@pubnix.net"
moz-do-not-send="true">ahebert@pubnix.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> "Trust Andrew(tm) when I say
this."<br>
<br>
Disable your IPv6 access to their mail server.<br>
<br>
At Google, something hasn't worked, well since the
beginning of time, when it come to propagating your domain
reputation to <something> handling incoming emails
using IPv6.<br>
<br>
I just had the case last week when a customer account
go abused and dropped their domain reputation to 0 for
GMail/GSuite. Nothing worked until I made outgoing emails
connection "icmp unreachable" thru IPv6.<br>
<br>
Example with ipfw.<br>
<br>
ipfw add [rule number] reject ip6 from me6 to any 25<br>
ipfw add [rule number] reject ip6 from me6 to any 587<br>
<br>
Good luck.<br>
<pre cols="72">-----
Alain Hebert <a href="mailto:ahebert@pubnix.net" target="_blank" moz-do-not-send="true">ahebert@pubnix.net</a>
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 <a href="http://www.pubnix.net" target="_blank" moz-do-not-send="true">http://www.pubnix.net</a> Fax: 514-990-9443
</pre>
<div>On 2019-10-23 20:18, Constantine A. Murenin wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Dear NANOG@,<br>
<br>
I'm not sure where else to post this, and this is
not really new, either, but I think I have a new
take here.<br>
<br>
I use my own personal domain name for various UNIX
stuff, including sending log-related things to
myself out of cron, which end up in my own
Gmail.com account, either directly, or through
forwarding (w/o SRS). (I do not use G Suite for
my own domain name, for obvious reasons; just the
consumer-based <a href="http://gmail.com"
target="_blank" moz-do-not-send="true">gmail.com</a>
email address from the old times of
invitation-based registrations.)<br>
<br>
Over the years, I sometimes had certain messages
rejected by Gmail, but it was a very low rate of
rejection (less than 5% for any mail I cared
about), and wasn't a major problem (usually only
some automated messages would be rejected).<br>
<br>
A couple of months ago, I setup some new scripts
that would send me new nightly emails. It's all
plain text, but had a few dozen of domain names
present (it's logs). Absolutely no links, just
plenty of domains which I don't control. So,
Gmail has been presenting most of these messages
with their red warning label that the email
contains malicious links, even though all of these
emails contained zero links, zero URLs to any of
these unknown domain names, zero URL schemes, zero
"http://", zero "https://" etc. You get the idea.<br>
<br>
Since about a few weeks ago, I am now seeing at
least a 95% rejection rate for my domain name, for
ALL email, including the forwards. Including
emails which I send to myself from within Google,
and which get forwarded back to Gmail by my UNIX
machine (which is not known to break Gmail's DKIM,
either, although it's also difficult to test,
because when it does get through, it's
automatically marked as a duplicate by Gmail, so,
you don't get DKIM status from Gmail by looking at
the headers, since you only get to examine the
original copy that was sent, not the forwarded
duplicate that was subsequently accepted). I.e.,
emails with a passing DMARC still get rejected.<br>
<br>
The funny thing is, Google doesn't actually
blacklist my primary IPv6 address in my own /48
from which all of my messages originate; even
though the rDNS resolves to a subdomain on the
very same domain name which they've blacklisted
"due to the very low reputation". They've
blacklisted just the main domain name that I use
for my own non-Gmail-hosted mail. Sending the
same messages into my Gmail.com from a different
domain name in MAIL FROM, which is served from the
same zone file DNS-wise (e.g., an SPF pass),
through sendmail's `-f` option, or with Mutt,
makes the messages go through (even with rDNS
being "low reputation"); sending it from my
primary domain name in MAIL FROM results in the
following:<br>
<br>
>>> DATA<br>
<<< 550-5.7.1 [2001:470:xxxx:: 19]
Our system has detected that this message is<br>
<<< 550-5.7.1 likely suspicious due to
the very low reputation of the sending<br>
<<< 550-5.7.1 domain. To best protect our
users from spam, the message has been<br>
<<< 550-5.7.1 blocked. Please visit<br>
<<< 550 5.7.1 <a
href="https://support.google.com/mail/answer/188131"
target="_blank" moz-do-not-send="true">https://support.google.com/mail/answer/188131</a>
for more information. 135si403977wma.43 - gsmtp<br>
554 5.0.0 Service unavailable<br>
<br>
The support article suggests using Postmaster
Tools; great, never heard of it, sounds cool;
let's verify our domain, and try it out,
hopefully, there's a solution right there.<br>
<br>
However, after verifying my domain name through
DNS for Postmaster Tools, it is revealed that
Postmaster Tools cannot tell me anything at all,
with all tabs and screens being 100% blank,
allegedly because I'm not actually a mass email
sender (I don't send hundreds of emails a day or
whatnot), and they're too afraid that I'll figure
out why my mail doesn't actually go through,
instead of signing up for G Suite.<br>
<br>
Right now, I've had a business need to reply to a
work-related email from some other business.<br>
<br>
This is what I got after sending my reply from my
primary domain name through mutt — a nice double
rejection by both the G Suite and Gmail in a
single bounce generated by my server:<br>
</div>
<div><br>
</div>
<div><br>
----- Transcript of session follows -----<br>
... while talking to <a
href="http://aspmx.l.google.com" target="_blank"
moz-do-not-send="true">aspmx.l.google.com</a>.:<br>
>>> DATA<br>
<<< 550-5.7.1 [2001:470:xxxx:: 19]
Our system has detected that this message is<br>
<<< 550-5.7.1 likely suspicious due to
the very low reputation of the sending<br>
<<< 550-5.7.1 domain. To best protect our
users from spam, the message has been<br>
<<< 550-5.7.1 blocked. Please visit<br>
<<< 550 5.7.1 <a
href="https://support.google.com/mail/answer/188131"
target="_blank" moz-do-not-send="true">https://support.google.com/mail/answer/188131</a>
for more information. z11si12494671wrw.137 - gsmtp<br>
554 5.0.0 Service unavailable<br>
... while talking to <a
href="http://gmail-smtp-in.l.google.com"
target="_blank" moz-do-not-send="true">gmail-smtp-in.l.google.com</a>.:<br>
>>> DATA<br>
<<< 550-5.7.1 [2001:470:xxxx:: 19]
Our system has detected that this message is<br>
<<< 550-5.7.1 likely suspicious due to
the very low reputation of the sending<br>
<<< 550-5.7.1 domain. To best protect our
users from spam, the message has been<br>
<<< 550-5.7.1 blocked. Please visit<br>
<<< 550 5.7.1 <a
href="https://support.google.com/mail/answer/188131"
target="_blank" moz-do-not-send="true">https://support.google.com/mail/answer/188131</a>
for more information. 135si403977wma.43 - gsmtp<br>
554 5.0.0 Service unavailable<br>
<br>
<br>
Changing MAIL FROM into a non-primary domain name
(served out of an identical zone file, basically)
gets the message accepted, without DKIM, without
the 4-minute delay that many "suspicious" messages
have had for months now, from the very same IPv6
address with the rDNS pointing to the domain name
with "the very low reputation", and it shows up in
both my own Gmail as well as, presumably, in the G
Suite account of the business partner I was
replying to. (Note that this trick where the rDNS
domain gets ignored works only for new emails with
a passing SPF; I presume the rDNS still prevails
in bringing the "low reputation of the sending
domain" for forwards, as they don't seem to
succeed any longer now.)<br>
<br>
<br>
There are a number of possible tl;dr: takeaways
here:<br>
<br>
* don't spread the monoculture — don't use G Suite
for your organisation;<br>
<br>
* don't send crontab output to your Gmail from
your primary domain name;<br>
<br>
* don't use Gmail.<br>
<br>
<br>
</div>
What is my own takeaway here?</div>
<div><br>
</div>
<div>* Without being an anti-Google zealot, from a
purely practical perspective, since my Gmail account
no longer contains the mail I care most about, as it
gets rejected on the SMTP layer, I'll have fewer
reasons to use it.<br>
</div>
<div><br>
</div>
<div>* I'll now have no other choice but to modify my
setup to stop forwarding to Gmail, because my
business contacts don't need to see all these
bounces that are now taking place.<br>
</div>
<div><br>
</div>
<div>* Since so many businesses are G Suite useds, I'm
still looking for a solution to get rid of the "the
very low reputation of the sending domain" from a
domain name I've been using since 2007, and which
I'm 100% convinced was blacklisted by Google
entirely for me sending crontab with system logs
(zero HTML, zero URLs) to my own Gmail. I have SPF
and DMARC all setup and passing since years ago,
which doesn't stop this issue from occurring.
Merely switching the name of the domain in From and
MAIL FROM to any other domain I own (which points to
the very same MX) appears to be my workaround for
now.<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Some possible suggestions for Google, if I may:</div>
<div><br>
</div>
<div>* Maybe don't convert schemeless domain names
which are non-URLs into "malicious" URLs? (They
already do seem to block them from being presented
as links in the UI in such an instance, but there's
little reason for trying to convert these domain
names into links in the first place.)<br>
</div>
<div><br>
</div>
<div>* Maybe don't consider harmless plain text emails
with a bunch of domain names to contain malicious
links when they don't?</div>
<div><br>
</div>
<div>* Maybe don't assume everyone with a domain name
runs a G Suite? (Their whole troubleshooting guide
is built around it.)<br>
</div>
<div><br>
</div>
<div>* Maybe don't assume everyone with a domain name
sends hundreds of emails from their domain name per
day? (They seem to limit Postmaster Tools based on
such a criterion.)</div>
<div><br>
</div>
<div>* Maybe don't blacklist a domain name for sending
harmless logs to a Gmail account that lists said
domain name as an alternative From address?<br>
</div>
<div>
<div><br>
</div>
<div><br>
Cheers,</div>
<div>Constantine.</div>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>