[exim] The Google Lie

Pàgina inicial
Delete this message
Reply to this message
Autor: Christian Balzer
Data:  
A: exim-users@exim.org
Assumpte: [exim] The Google Lie

Hello,

we've been seeing these (and customer reports/complaints) increasingly in
the last weeks:
---
    host gmail-smtp-in.l.google.com [64.233.189.26]
    SMTP error from remote mail server after end of data:
    550-5.7.1 This message does not have authentication information or fails to pass
    550-5.7.1 authentication checks. To best protect our users from spam, the
    550-5.7.1 message has been blocked. Please visit
    550-5.7.1  https://support.google.com/mail/answer/81126#authentication for more
    550 5.7.1 information. q2si10845639pgv.124 - gsmtp
---


And come to name it here as "The Google Lie".

On the face of it this looks like another attempt to ram the
unpalatable SPF/DKIM/DMARC cocktail down everybody's throat because of
course Google knows best and is also a cute 800kg gorilla that won't do
evil (honest guv!).

However as it turns out this is one really bright spark over there going
off the deep end.

These errors don't show up during tests to my gmail address, in fact
Google correctly guesses our mail network and inserts a self-generated SPF
pass (no SPF/DKIM on that domain) for it even. All roses and sunshine:
---
Received-SPF: pass (google.com: best guess record for domain of chibi@??? designates 203.216.5.73 as permitted sender) client-ip=203.216.5.73;
---

So why do we see those failures then?

As it turns out, Google uses Spamhaus (they're a customer, but won't admit
to using their RBLs in public) and in particular checks mails for their
origin IP against XBL (CBL).
All the rejects come from otherwise squeaky clean mails that originated
from XBL'ed IPs, which is when using hot spots or cable networks with few
outside IPs of course a high probability.

So Google:
a) lies, the error is based on the origin-IP.
b) implies that it would ignore the bad origin if it were DKIM signed or
from a SPF'ed domain.
Which is either bullshit (remember the self-generated SPF pass above) or a
total fallacy, because that mail didn't get one iota less bad because of
such "authentication".

Just a heads up for others who might be seeing this and scratching their
heads.

Regards,

Christian
-- 
Christian Balzer        Network/Systems Engineer                
chibi@???       Rakuten Communications