this post was submitted on 02 Apr 2024
171 points (95.7% liked)

Technology

56097 readers
3673 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Google has started automatically blocking emails sent by bulk senders who don't meet stricter spam thresholds and authenticate their messages as required by new guidelines to strengthen defenses against spam and phishing attacks.

As announced in October, the company now requires those who want to dispatch over 5,000 messages daily to Gmail accounts to set up SPF/DKIM and DMARC email authentication for their domains.
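What the requirement boils down to in DNS terms is three TXT records and one alignment rule, and the following script is an added illustration of that (it is not code from the article, from Google, or from anyone in this thread). It checks a sending domain against the minimum a bulk sender must publish (one SPF record that does not end in `+all`, a DKIM key at the selector used for signing, and a DMARC record with at least `p=none`), and it applies the DMARC alignment test that ties the authenticated SPF or DKIM domain back to the visible From: domain. Every DNS record in it is constructed sample data kept in a dictionary instead of being resolved on the network; the organizational-domain helper is a simplification that assumes no Public Suffix List handling, and the DKIM public key is a truncated placeholder.

```python
"""Offline check of the DNS records a bulk sender needs (SPF, DKIM, DMARC)
plus the DMARC alignment test that ties them to the visible From: domain.
All DNS data below is constructed for the example; nothing is resolved."""
import re

# Constructed TXT records keyed by name (stand-in for a DNS resolver).
SAMPLE_DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com"],
    # Truncated placeholder key, not a real RSA public key.
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}

def lookup_txt(dns, name):
    """Return the TXT strings for a name from the constructed table."""
    return dns.get(name.lower().rstrip("."), [])

def parse_tags(record):
    """'v=DMARC1; p=quarantine' -> {'v': 'DMARC1', 'p': 'quarantine'}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption: no Public Suffix List, so e.g. example.co.uk is handled wrong."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(dns, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Apply the From: domain's DMARC record to the identifiers that actually
    authenticated (the SPF MAIL FROM domain and the DKIM d= domain).
    The message passes DMARC if either identifier is aligned."""
    records = [r for r in lookup_txt(dns, "_dmarc." + from_domain)
               if r.lower().startswith("v=dmarc1")]
    if not records:
        return {"policy": None, "pass": False, "reason": "no DMARC record"}
    tags = parse_tags(records[0])
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r").lower())
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r").lower())
    return {"policy": tags.get("p", "none").lower(), "pass": spf_ok or dkim_ok,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}

def bulk_sender_issues(dns, domain, dkim_selector):
    """List what a bulk sender would still have to fix: exactly one SPF record
    that does not authorise the whole internet, a DKIM key at the selector it
    signs with, and a DMARC record (p=none is the minimum)."""
    issues = []
    spf = [r for r in lookup_txt(dns, domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        issues.append(f"expected exactly one SPF record, found {len(spf)}")
    elif re.search(r"\s\+?all(\s|$)", spf[0].lower()):
        issues.append("SPF ends in +all, which authorises any sender")
    dkim = lookup_txt(dns, f"{dkim_selector}._domainkey.{domain}")
    if not any(r.lower().startswith("v=dkim1") for r in dkim):
        issues.append(f"no DKIM key published at selector {dkim_selector!r}")
    if dmarc_evaluate(dns, domain)["policy"] is None:
        issues.append("no DMARC record at _dmarc." + domain)
    return issues

if __name__ == "__main__":
    print("example.com:", bulk_sender_issues(SAMPLE_DNS, "example.com", "s1") or "ok")
    print("weak.example:", bulk_sender_issues(SAMPLE_DNS, "weak.example", "s1"))
    # A forged From: example.com sent from attacker infrastructure that only
    # passes SPF for its own domain does not align, so DMARC fails.
    print(dmarc_evaluate(SAMPLE_DNS, "example.com", spf_pass_domain="attacker.example"))
```

The alignment check is the part that matters for spoofing: passing SPF or DKIM for some domain is easy, passing it for a domain that aligns with the From: header is what DMARC actually demands, and `p=none` only asks receivers to report rather than quarantine or reject.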

[–] 0x0@programming.dev 21 points 3 months ago* (last edited 3 months ago) (6 children)

I.e. it's now even harder to run your own mail server. If it was crypto-related the argument would be Think of the children™, since it's email the excuse is spam.

[–] shininghero@kbin.social 22 points 3 months ago

Having managed an Exchange instance for my old job, I can safely say that DKIM and DMARC are just some extra DNS entries for out-of-band verification. They can be boiled down to a pair of checkboxes on a compliance sheet.
I can also say that most of the companies we got emails from didn't have DKIM, and even fewer had DMARC. Or worse, they had DMARC set to p=ignore. Which is honestly even more infuriating.

[–] EncryptKeeper@lemmy.world 18 points 3 months ago* (last edited 3 months ago)

Is it though? Is your self hosted mail server sending 5,000+ emails to various Gmail inboxes daily? If not, this doesn’t seem like it would affect you. And even if it did, all they appear to be asking is that you enable DKIM and DMARC for your mail server, which is something both trivial to do and you should be doing anyway.

I’m not going to claim that a company like Google wouldn’t love to make life harder for the consumer, but I don’t see how anything related to this change would do that.

[–] thomasdouwes@sopuli.xyz 16 points 3 months ago* (last edited 3 months ago)

I know there are a lot of issues with self-hosting email, but I just don't think this is one of them. First, it probably won't affect a self-hosted server anyway unless you send a lot of emails; this requirement is only for servers sending 5,000 messages daily to Gmail. And even if you are, the requirements are not that harsh, it's a couple of DNS records and a DKIM signing daemon, and if you are using a pre-built email package like mailcow it's probably already doing it.

[–] cooopsspace@infosec.pub 8 points 3 months ago (1 children)

If you can't set DKIM and DMARC records you shouldn't be hosting email.

[–] AnUnusualRelic@lemmy.world 0 points 3 months ago (1 children)

You can't anyway because your whole address block is blackholed in every spam filtering list in existence for "reasons".

[–] cooopsspace@infosec.pub 2 points 3 months ago

Mine works fine

[–] BrianTheeBiscuiteer@lemmy.world 6 points 3 months ago (1 children)

I'm sure they won't do this because it's too community friendly but they should just require all emails be digitally signed. If you don't sign it goes to spam and if you do sign, and abuse the system, it'll be much easier to find out who you are.

[–] Opisek@lemmy.world 0 points 3 months ago (1 children)

TLS has become too easy to acquire for it to have any effect, I'm afraid. Didn't Chromium remove the padlock signifying an HTTPS connection due to just that? That it doesn't really mean anything anymore in terms of illegitimate websites (still obviously crucial against MitM)?

[–] BrianTheeBiscuiteer@lemmy.world 1 points 3 months ago (1 children)

Easy to acquire, yes, but not anonymously. The cert has to tie back to a domain or subdomain and there's a process to prove a domain belongs to whomever requested the cert. Long story short, if you wanted to sue or file complaint against a spammer that signs their emails then it's not really a challenge to trace back to the person or company doing the spamming.

This still relies on domain name registrars, hosts (e.g. Gmail), and certificate authorities keeping proper records.

[–] Opisek@lemmy.world 1 points 3 months ago

Not sure about that. Phishing scams make sure to hide their identity really well and while something like .com might require your personal information, I can imagine .ru allowing anonymous registration. Once you've got a domain, getting a certificate for it with Let's Encrypt happens in seconds with no personal information iirc. Even if you'd need to disclose something, you could just lie. Let's Encrypt is highly automated and I doubt anyone would check the information for some random domain. Yeah, that cert/domain will be taken down quickly, but they're incredibly cheap and easy to create.

[–] deafboy@lemmy.world 5 points 3 months ago

Without SPF and DKIM, I could send messages pretending to be from you to anybody. The average user has no way to know that the "From:" field does not really mean what it says.