Tell HN: Gmail flagged my Firefox account MFA email as “dangerous”
I recently attempted to log into a new Firefox instance with my Firefox account. As expected, I received an email with a verification code from accounts@firefox.com to my gmail account as part of the login flow.
This email was flagged by gmail. Above the body of the message, gmail inserted a scary looking red banner with the following text:
This message seems dangerous Similar messages were used to steal people's personal information. Avoid clicking links, downloading attachments, or replying with personal information.
A link with the text "Looks safe" was presented (which I did click).
I made sure to check all the headers in the original message, and everything looked correct.
58 comments
[ 2.8 ms ] story [ 37.8 ms ] threadSomewhat related but I finally relented this week and now route my self-hosted email through SMTP2Go thanks to a tip from another commenter here. Over the past few months I've noticed an acceleration of my email going to Gmail user's spam folders and just couldn't deal with it anymore.
Perhaps given how big Firefox is they actually prune this one.
I'd change to "Not enough Gmail users are leaving over (just) this yet".
Yes Gmail is big enough and popular enough that any one change that pisses off a small chunk of their users won't kill the juggernaut, plus any any one thing like this is so small it won't change someone from a lover to a hater overnight, but gradually users do either find they dislike a product enough to move to one of the many much better paid but cheap options, or to one of the differently-flawed but perhaps now preferable rival free options, and gradually the users who make business decisions of whether or not their company uses Google's business suite also may find that the next time they need to make a decision, little annoyances in Gmail are the thing that tips them into considering putting a business on something like 365 instead.
Personally I'd like to see more and more smaller companies that really specialise and excel in their one area without either bloating into trying to do too many weird things (cough Mozilla) or being acquired by Google/Microsoft etc. but I've not always been good at voting with my wallet due to the convenience of for example having a single Microsoft license to cover everything from the Word license somebody wants to their custom domain email hosting.
If you can't get off of gmail maybe you just like gmail.
What is the problem?
One latte per month? Go away kid, you bother me.
And, I run my own mail servers for other reasons, but Fastmail is really great, especially for small groups or small companies.
I use the $1/month DMARC monitoring from uriports and it’s a little scary how many emails only pass due to DKIM.
Would be nice to have an page detailing how the spam algorithm of google is a blackbox and might put legit email to the spam folder... This page could be added to email signatures to reverse the trend... Why am I in spam? ask google/your email provider.
The best part is that on one mail server I used to run this got bad enough that SpamAssassin started weighting down gmail.com in terms of domain reputation, which generated enough user complaints that we had to add a manual bump back up. Then that generated user complaints that our spam filtering wasn't working...
Do they really come from gmail servers or it's just fake "from" header?
I had an issue last year with it not detecting or learning a particular Russian spammer but as of ~4 months ago they all now correctly go to spam. Otherwise it's been very good.
I don't understand how this happens.
I think you're referring to this: https://news.ycombinator.com/item?id=31180604
> I host my own email server with Vultr on an OpenBSD VM using OpenSMTPD and Dovecot, relaying all outbound mail through SMTP2Go (their free tier more than meets my needs). I have all of the necessary DNS entries set to mark my mail as legit, and I sign all outgoing mail using strong 2048-bit RSA keys. Thus far, I'm able to send mail and not have it marked as spam (at least to everyone that I've corresponded with thus far). It was a lot of work to get to that point, but not terrible.
Been interested in doing the same since reading it and meant to bookmark for later!
I mean, if everyone uses a service like this aggregating user data from many brokers could become significantly harder. And this in turn may make online advertisement less profitable in the future.
So I think this could be a tactic to delay widespread adoption of such services.
I'm aware this sounds like thin foil hat paranoia and I'm not trying to imply this is whats happening, but I wouldn't be surprised if there is something like this going on.
Headers are a bad heuristic for discerning sketchy emails I've found, since they're a garbled mess & hard to make sense of without some specialized tool, and clearly Gmail doesn't understand the headers either and had a false positive.
I imagine because the from address being `accounts@firefox.com` probably raised some flags since there's obviously some ongoing phishing campaign to takeover Firefox accounts, that you're unaware of, until now.
This is where I derive the level of respect I hold for Google engineers.
A customer recently filed a PP dispute that she never got the software she ordered. She didn't get my emails as all support and welcome emails were going to spam.
There has got to be better way to communicate without so many closed-source gatekeepers deciding your fate. It's been decades since the internet was invented yet we still use such a fragile non-deterministic approach for handing basic communication.
Unfortunately most of those "better ways" are not federated.
Many people who are capable of doing things on their own are now running into systematic issues because they can’t correctly follow the Byzantine two-factor rules that are continually being added.
It’s bad enough at work where people can reach out for assistance. Who knows how many people are now blocked from communications because they couldn’t figure out the two factor dance?
The solution is probably one that modern tech companies absolutely loathe: A modern equivalent to Extended Validation certificates, where trusted activities can be extremely clearly defined to be happening on sites and emails run by plain language companies that have some significant amount of vetting.
I've had Microsoft flag their own legitimate notices and announcements go to junk.
I can't be the only one. I didn't set a rule for this.
They flag Steam Guard codes as well.