
Gmail spam-filters PayPal security messages - nh2
https://github.com/nh2/gmail-spamfilters-paypal-security-messages#if-paypal-cant-get-past-gmails-spam-filter-then-who-can
======
abraham
> 'service@paypal.co.uk' via redacted <redacted>

It looks to me that Paypal is not sending the emails in a secure and
verifiable method. Emails that are sent from a domain that's different than
the from address are legitimately suspicious, especially when they contain
financial keywords.

[https://support.google.com/mail/answer/1311182?hl=en](https://support.google.com/mail/answer/1311182?hl=en)

~~~
cm2187
I recently received an email claiming to be from paypal (the SPF+DKIM passed)
but inviting me to click on links in "epl.paypal-communication.com". How do I
know this is not phishing? It certainly looks like phishing, and I certainly
wouldn't click on those. But if it is not, how stupid must these guys be to
use "paypal-communication.com"?

~~~
bduerst
Whois says it's owned by Paypal on MarkMonitor, but that can be faked, right?
Or does MarkMonitor require email address validation? (hostmaster@paypal.com
in this case)

~~~
cm2187
Correct. But even if the whois wasn't fakeable, do I really need to run a
whois before I click on a link in an email?

~~~
bduerst
Almost like we need an ssl-like authority for email now. Ugh.

------
ben509
I use a redirection service and use a unique address for paypal. And I have to
change that periodically because it leaks on to spam lists. In $current_year
there's absolutely no reason for them to be sending your actual email address
to anyone outside their company.

Now, that shouldn't be something Google takes into account, but given that
Paypal is inexcusably lax in how they manage customer privacy, my inclination
is they're not sticking to best practices as a mass sender and are running
afoul of Google's spam filters as a result.

BTW, if you use a redirection service and thus have unique emails for all
companies you correspond with, you know those emails are private and won't get
spam. (Or you turn them off.) It works well enough that I have a gmail rule
that blanket prevents them from being filtered.

~~~
gleb
What redirection service do you use for this?

------
gnicholas
Gmail also inappropriately spam-filters Stripe emails. I have received
thousands of these messages and have a rule set up to file them away (skip
inbox, apply a label). I don't want them in my inbox, but I like to know how
many are coming in each day because it gives me a sense of payment flow for
our most popular product.

You would think that gmail would be smart enough to realize that if I've
received thousands of emails from an address and NEVER marked as spam/deleted,
it probably isn't spam. Also, if I have a rule set up to file these messages
(and keep unread), that should also throw a flag that it's not spam. But I've
had to go in and create another special rule to never have this mail marked as
spam.

I then had to broaden that rule because the Stripe customer service emails
started getting marked as spam...

~~~
zackbleach
I'm sorry to hear that your Stripe emails are being spam-filtered. I work for
Stripe as part of their engineering team responsible for email deliverability
and would love to see some examples of email that has been incorrectly
classified so we can try to prevent this from happening in the future. Would
you be able to forward a few examples with full headers[0] to zack [at] stripe
[dot] com?

[0]
[https://support.google.com/mail/answer/29436?hl=en](https://support.google.com/mail/answer/29436?hl=en)

~~~
haroldp
What would you do to prevent it from happening in the future? Don't you find
that Google is pretty opaque about why it classifies something as spam?

~~~
zackbleach
Spam classification by email service providers is generally quite opaque but
we can at least check that we're doing everything in our power to prove that
the email is legitimate. Like ensuring it passes SPF, DKIM and DMARC, and that
it is being sent from an IP that is only used for transactional emails. Beyond
that we would need to try to work with individual providers.

------
futureastronaut
It's probably due to Gmail users reporting PayPal's ToS/Privacy Policy notices
as spam. I swear they send one out every week.

------
thedrake
It is because of the DMARC setup that Paypal has put in place which is doing
exactly what they want it to do which is put any non verified and in alignment
(not coming from the paypal.com domain) - this is why you see the via in the
from. The current DMARC policy for Paypal.com is dmarc=pass (p=REJECT
sp=REJECT dis=NONE) header.from=paypal.com

~~~
nh2
This doesn't sound perfectly accurate for my case (since the DMARC policy
seems to be for paypal.co.uk, not .com), but quite related / perhaps the other
way around?

I see in the headers:

    ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paypal.co.uk header.s=pp-dkim1 header.b=UsIpWUs9;
       spf=pass (google.com: domain of service@paypal.co.uk designates 173.0.84.226 as permitted sender) smtp.mailfrom=service@paypal.co.uk;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.co.uk
    Received: from mx0.slc.paypal.com (mx1.slc.paypal.com. [173.0.84.226])
            by mx.google.com with ESMTPS id q195si2496022ita.120.2019.02.05.13.10.37

> this is why you see the via in the from

I am not sure, it may also appear due to what I said in
[https://news.ycombinator.com/item?id=19100315](https://news.ycombinator.com/item?id=19100315)

------
nh2
I got a response from Google, see:

[https://github.com/nh2/gmail-spamfilters-paypal-security-messages#update-googles-response](https://github.com/nh2/gmail-spamfilters-paypal-security-messages#update-googles-response)

------
type0
> If Paypal's security team can't reliably send email to Gmail users, then who
> can?

Other Gmail users!

~~~
hsk0823
You'd think so, but no, even internal G Suite emails that never leave the
domain are still subject to Gmail's generic all-users spam filters. And even as a
paying user, you can't get out of them.

------
hsk0823
It'd be really great if they allowed G Suite admins to have fine grained control
over what is and isn't SPAM in their own domain. Alas even that's subject to
consumer Gmail spam filters.

~~~
VRay
Sounds like G Suite really just isn't suitable for a larger enterprise.. I'm
enjoying it, but my company is just myself and 3 others

~~~
hsk0823
There are orgs with thousands of corporate G Suite accounts. I mean if you are
in the 10k or larger size, running your services internally might make sense
but for the rest of us, G Suite should work well enough for corporate email.

------
orbitingpluto
All email from Microsoft ends up in my spam folders, regardless of
whitelisting. I assume it is bad faith on Google's part.

------
jedberg
The gmail filters have been wonky for the last week or so. I keep getting
messages marked as "potentially unsafe". Messages I've been getting daily for
years and have marked as high priority.

So either they introduced a bug or flipped a switch to make it a lot more
restrictive.

~~~
hsk0823
They introduced more stringent controls around what constitutes spam.

~~~
blennon
Any idea what they are? We've seen an uptick in users reporting transactional
emails going to spam.

~~~
jjeaff
We've seen an uptick in the messages not getting through at all. Like not even
showing up in the spam folder.

------
trm42
This happens even in the best families. Yesterday Outlook365 informed me that
there's a suspicious and blocked message coming from Github. And yep, that was
the email confirmation I should've received from the real Github. I would
assume that whitelisting bought services could be a thing within Microsoft...

------
mikelward
If you didn't have the filter, it would say why the message was classified as
spam.

That would be very useful information.

------
dzhiurgis
Lots of email security specialists in this thread. May I ask (hijack) what
allows xtra.co.nz users to receive emails from self?

They seem to have SPF and DKIM setup, but a friend keeps receiving extortion
emails (with his old passwords from probably old password leaks).

~~~
haroldp
SPF and DKIM test the "Envelope-From" address that is part of the SMTP
conversation, and separate from the "From" that is typically displayed in the
message. If you examine the full "Return-Path:" header you will see that it
was not sent from your friend's address after all.

Everyone is receiving those (bogus) phishing emails.
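
An added example, not part of any comment in this thread: it parses the Authentication-Results value nh2 quoted earlier and a constructed "mail from yourself" case like the one asked about above, then compares the domains SPF and DKIM authenticated with the visible From domain, which is the alignment test DMARC applies. The function names, the example.org/example.net sample and the simplified subdomain alignment rule are assumptions of this example.

```python
import re

# Authentication-Results values. PAYPAL is the header quoted in the thread;
# SELF_SPOOF is constructed here (reserved example domains and IP).
PAYPAL = (
    "i=1; mx.google.com; "
    "dkim=pass header.i=@paypal.co.uk header.s=pp-dkim1 header.b=UsIpWUs9; "
    "spf=pass (google.com: domain of service@paypal.co.uk designates "
    "173.0.84.226 as permitted sender) smtp.mailfrom=service@paypal.co.uk; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.co.uk"
)
SELF_SPOOF = (
    "mx.example.org; "
    "spf=pass (example.org: domain of bounce@bulk.example.net designates "
    "192.0.2.10 as permitted sender) smtp.mailfrom=bounce@bulk.example.net; "
    "dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.org"
)

def parse_auth_results(value):
    """Return {method: {"result": ..., property: value}} for dkim/spf/dmarc."""
    results = {}
    for clause in re.sub(r"\([^()]*\)", " ", value).split(";"):  # drop comments
        m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)(.*)", clause, re.S)
        if m:  # skips the authserv-id and the ARC instance tag "i=1"
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            results[m.group(1)] = {"result": m.group(2), **props}
    return results

def domain_of(value):
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(a, b):
    """Simplified relaxed alignment: equal, or one a subdomain of the other.
    Real DMARC compares organizational domains via the Public Suffix List."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def dmarc_view(value):
    """Compare what SPF and DKIM authenticated with the visible From domain."""
    r = parse_auth_results(value)
    spf, dkim, dmarc = r.get("spf", {}), r.get("dkim", {}), r.get("dmarc", {})
    from_dom = domain_of(dmarc.get("header.from", ""))
    spf_dom = domain_of(spf.get("smtp.mailfrom", ""))
    dkim_dom = domain_of(dkim.get("header.d") or dkim.get("header.i", ""))
    spf_ok = spf.get("result") == "pass" and aligned(spf_dom, from_dom)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim_dom, from_dom)
    return {"from": from_dom, "envelope": spf_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "reported": dmarc.get("result"),
            "expected": "pass" if spf_ok or dkim_ok else "fail"}
print(dmarc_view(PAYPAL), dmarc_view(SELF_SPOOF), sep="\n")
```

In the constructed case SPF passes, but only for the envelope domain, so the result is unaligned with the From domain and DMARC fails.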

------
shereadsthenews
It is crowdsourced; the best thing you can do is mark it as not spam. The most
likely explanation for what happened here is PayPal are a bunch of filthy
spammers, lots of users marked their mail as spam, and they use the same IPs
or envelope senders to send service messages. Always use gold-plated IPs and
return addresses for critical service messages.

~~~
frankydp
While the tone of this post was a little tongue in cheek, it is certainly the
most likely answer. PayPal does send marketing/sales traffic on the same pipe
as their transactional traffic, which as expected ends up with lots of spam
flags. i.e. I didn't ask for a line of credit.

Side note: There are only 3 major webmail/freemail services left, so running
afoul can be a very serious issue. Speaking about the postmaster level.

GMail, Verizon, Microsoft

Verizon might be bigger than Gmail at this point with acquisitions.

------
hprotagonist
Poe's Law: the phishing edition?

(Are phishing attempts so similar to real things now that the ROC shifts?)

------
xianb
Houzz and Nest security emails also got filtered

