Tell HN: Gmail flagged my Firefox account MFA email as “dangerous”

117 points by JeremyNT ↗ HN
I recently attempted to log into a new Firefox instance with my Firefox account. As expected, I received an email with a verification code from accounts@firefox.com to my gmail account as part of the login flow.

This email was flagged by gmail. Above the body of the message, gmail inserted a scary looking red banner with the following text:

This message seems dangerous Similar messages were used to steal people's personal information. Avoid clicking links, downloading attachments, or replying with personal information.

A link with the text "Looks safe" was presented (which I did click).

I made sure to check all the headers in the original message, and everything looked correct.

58 comments

[ 2.8 ms ] story [ 37.8 ms ] thread
Their AI or whatever algorithm they've built for spam (or in this case, phishing) is getting worse and they have no incentive to care. Gmail users aren't leaving Gmail over this and their market size means everyone must cater to Gmail.

Somewhat related but I finally relented this week and now route my self-hosted email through SMTP2Go thanks to a tip from another commenter here. Over the past few months I've noticed an acceleration of my email going to Gmail user's spam folders and just couldn't deal with it anymore.

Perhaps given how big Firefox is they actually prune this one.

> Gmail users aren't leaving Gmail over this

I'd change to "Not enough Gmail users are leaving over (just) this yet".

Yes Gmail is big enough and popular enough that any one change that pisses off a small chunk of their users won't kill the juggernaut, plus any any one thing like this is so small it won't change someone from a lover to a hater overnight, but gradually users do either find they dislike a product enough to move to one of the many much better paid but cheap options, or to one of the differently-flawed but perhaps now preferable rival free options, and gradually the users who make business decisions of whether or not their company uses Google's business suite also may find that the next time they need to make a decision, little annoyances in Gmail are the thing that tips them into considering putting a business on something like 365 instead.

Personally I'd like to see more and more smaller companies that really specialise and excel in their one area without either bloating into trying to do too many weird things (cough Mozilla) or being acquired by Google/Microsoft etc. but I've not always been good at voting with my wallet due to the convenience of for example having a single Microsoft license to cover everything from the Word license somebody wants to their custom domain email hosting.

And where exactly are you going to move to from gmail? The alternatives either cost money, suck more, or both
Free Email providers? There are alternatives some popular and niche. Some cost and others don't. Some offer different features gmail doesn't.

If you can't get off of gmail maybe you just like gmail.

A good paid email account is like $50 a year.

What is the problem?

$5 vs free is hard sell - let alone $50.
10% of an Internet bill?

One latte per month? Go away kid, you bother me.

Yes, the masses of the internet who've grown accustomed to free e-mail while being locked to an gmail domain are definitely going to shill out $50/y for...better spam flagging?
Well, they should try Fastmail. It's amazingly good.

And, I run my own mail servers for other reasons, but Fastmail is really great, especially for small groups or small companies.

purelymail is probably about $10/year (actual billing specifics more complicated) and that's not billed per seat, they bill on actual usage.
I have been sending through Ionos (was 1&1) for a decade, with only occasional problems (shared IPs getting on a blacklist). I have SPF working, and in the last few months I am getting routed into Spam 100% of the time. Even when I reply to email from my own family. It does not seem to matter if the recipients move the message out of Spam, you'd think a false negative on a legitimate message would be a wakeup call, ten false negatives should be an alarm. But there's no way to even help this. Google's online support has you set up tools that don't even measure the single-digit volumes I'm sending from my 20-year-old custom domain. I did confirm with DKIM that no one else is sending messages spoofing it, either. The Google monopoly is a real problem.
Last time I checked, IONOS doesn’t implement DKIM, so if that’s still true I’m not surprised. Especially since, due to the inability to create true aliases, so many GMail users use forwarding that breaks SPF.

I use the $1/month DMARC monitoring from uriports and it’s a little scary how many emails only pass due to DKIM.

Correct, I misspoke. I am only getting the DMARC reports from the domains to which I send email. Ionos doesn't support it and seems to have no plans to.
> and their market size means everyone must cater to Gmail.

Would be nice to have an page detailing how the spam algorithm of google is a blackbox and might put legit email to the spam folder... This page could be added to email signatures to reverse the trend... Why am I in spam? ask google/your email provider.

Gmail's AI spam detection is a joke. Most of the spam I receive on my fastmail is from @gmail.com accounts. Most are a naked list of links offering "cheap guest post services", and it's been going for a year. The dumbest Bayesian filter would catch that.
Overall email spam was 1000x worse 12 years ago.. Google has had the fastest and most thorough filters for a decade+.. many capable people and companies have failed badly in public trying to do similar things. Complaining in exaggerated terms does nothing for either side of this.
You're arguing that Google had great spam detection and I agree. My point is that it's gone noticeably downhill since then.
I have Fastmail and Google email addresses which have been active for over ten years each. The Google account sees several emails bypassing the spam filter every day and, worse, several ham mail being flagged as spam each month. Fastmail, despite that address being more exposed (it's my own domain name which I have used for over twenty years) and having higher overall traffic, sees maybe one or two spam a day hitting my mailbox and only one or maybe two ham to spam a month. I don't get where Google reputation for good spam filtering comes from. It's barely passable when it comes to detecting spam AND ham mail.
It is. We provide consulting on email deliverability so I see many different emails coming from many different backgrounds. They go to Gmail Spam randomly, even follow-up emails. In fact, Gmail works with two Spam folders: SpamSpam and SpamSocial, and with latest it is a joke too.
Gmail seems to have a remarkably serious issue with outbound abuse. I've been dealing on and off with spam originating from gmail for years. In one case I submitted nearly daily abuse reports about a sender pasting around 600 addresses into the To: and Cc:, but Google took no action for at least four months. I had to edit the headers to even submit the abuse complaint because the number of recipient addresses made the headers so long the abuse complaint form rejected them... with the incorrect error message "headers are required." This was around 2013 and the issue seems to remain basically the same today. Every time I end up on someone's list that they're just pasting into gmail it persists for months, but I no longer bother with abuse reports.

The best part is that on one mail server I used to run this got bad enough that SpamAssassin started weighting down gmail.com in terms of domain reputation, which generated enough user complaints that we had to add a manual bump back up. Then that generated user complaints that our spam filtering wasn't working...

I've seen an increase in phishing/scam sites hosted on google's services too. The automated system shuts them down fast enough once the URLs are reported, but Googles not so good at preventing new (even identical) sites/forms from being created or at locating other copies already on their platform.
Are email headers still easy to forge? I'd like to think there have been significant improvements in 15 years, but I know it used to be common for some email to to have falsified return paths (among other things).
I would check the actual IP address that was sending the spam and sure enough it was genuine Google IP addresses. I once tried black listing them only to stop receiving mail from friends so it was definitely the same IPs being used for both spam and actual ham mail. At the time I ran my own mail server it was not unusual for north of 50 per cent of spam to be originating from Google.
Valid DKIM signature is the best confidence marker that these are actually originating with Gmail. I have always seen the DKIM signature check out to a Gmail public key.
> Most of the spam I receive on my fastmail is from @gmail.com accounts.

Do they really come from gmail servers or it's just fake "from" header?

What are you doing for spam filtering?
Just spamassassin and postgrey that ship with mail-in-a-box (https://github.com/mail-in-a-box/mailinabox).

I had an issue last year with it not detecting or learning a particular Russian spammer but as of ~4 months ago they all now correctly go to spam. Otherwise it's been very good.

Yes, this month emails in my organization have been marked as spam. Those are emails from an @nyu.edu account to another @nyu.edu account, sent from the Gmail webmail, and nyu.edu is a (big) Google Apps domain.

I don't understand how this happens.

That happened for us (basically the same situation) many times over the whole time we used Google Apps, and I've seen other reports of the same over the last five years. It probably happened more than we noticed, because we only noticed when people happened to follow it up via some other mechanism. It also happens to non-commercial users - emails sent as a reply from gmail webmail to gmail in an existing conversation sometimes get spam-binned without obvious reason.
>now route my self-hosted email through SMTP2Go thanks to a tip from another commenter here

I think you're referring to this: https://news.ycombinator.com/item?id=31180604

> I host my own email server with Vultr on an OpenBSD VM using OpenSMTPD and Dovecot, relaying all outbound mail through SMTP2Go (their free tier more than meets my needs). I have all of the necessary DNS entries set to mark my mail as legit, and I sign all outgoing mail using strong 2048-bit RSA keys. Thus far, I'm able to send mail and not have it marked as spam (at least to everyone that I've corresponded with thus far). It was a lot of work to get to that point, but not terrible.

Been interested in doing the same since reading it and meant to bookmark for later!

This has happened to me just today.
This could be some sort of feature or I'm just too paranoid ?

I mean, if everyone uses a service like this aggregating user data from many brokers could become significantly harder. And this in turn may make online advertisement less profitable in the future.

So I think this could be a tactic to delay widespread adoption of such services.

I'm aware this sounds like thin foil hat paranoia and I'm not trying to imply this is whats happening, but I wouldn't be surprised if there is something like this going on.

Gmail has been letting through absolutely blatant spam and blocking many legitimate emails these days, it seems as though it is in complete maintenance mode.
> I made sure to check all the headers in the original message, and everything looked correct

Headers are a bad heuristic for discerning sketchy emails I've found, since they're a garbled mess & hard to make sense of without some specialized tool, and clearly Gmail doesn't understand the headers either and had a false positive.

I imagine because the from address being `accounts@firefox.com` probably raised some flags since there's obviously some ongoing phishing campaign to takeover Firefox accounts, that you're unaware of, until now.

I keep hearing about how bad Gmail is at spam filtering and yet I haven't seen a single spam message get through in ages and only a handful legitimate messages seem to have been blocked in the many years I've used the service.
I have seen several spam messages get through lately - has been a noticeable decline in quality.
For me it's mostly been good. The exception is scams about renewing my Norton subscription. It's odd that with 20+ signals of this exact type of message being spam / phishing they keep getting through.
Seems pretty accurate to classify Norton as spam these days.
The Democratic Party spams like crazy NGP VAN or something. It's wild - nothing can stop it.
Maybe it's better because I'm European and have no connections to any American institutions.
I've seen some slip through, but it looks like I get around 25 spam emails daily. One slipping through every now and then isn't too bad. I can't remember the last time it trapped a legit email.
Gmail flags Google’s own email, originated and sent by Google, as dangerous. Regularly.

This is where I derive the level of respect I hold for Google engineers.

And then they let scammers send email with Gmail, getting past their filters fairly often.
Gmail has become very aggressive with spam filtering and it's understandable with the amount of emails being sent. But this whole thing about spam filtering, dkim, spf, feel like band-aids over band-aids all the way down.

A customer recently filed a PP dispute that she never got the software she ordered. She didn't get my emails as all support and welcome emails were going to spam.

There has got to be better way to communicate without so many closed-source gatekeepers deciding your fate. It's been decades since the internet was invented yet we still use such a fragile non-deterministic approach for handing basic communication.

> There has got to be better way to communicate

Unfortunately most of those "better ways" are not federated.

Two factor is getting out of control in general.

Many people who are capable of doing things on their own are now running into systematic issues because they can’t correctly follow the Byzantine two-factor rules that are continually being added.

It’s bad enough at work where people can reach out for assistance. Who knows how many people are now blocked from communications because they couldn’t figure out the two factor dance?

The problem is two factor isn't actually solving most people's problems: That they can't identify a trusted site or message. Everything hence is a gameable activity of duping the employee in increasingly more complicated phishing flows.

The solution is probably one that modern tech companies absolutely loathe: A modern equivalent to Extended Validation certificates, where trusted activities can be extremely clearly defined to be happening on sites and emails run by plain language companies that have some significant amount of vetting.

I see this as Google ratfucking Firefox. It doesn’t matter if this is really a deliberate attack or merely poor filtering. These companies need to be held to account for automated actions taken by their algorithms just as surely as if the CEO himself had given the direction to do this.
This also happened with the password reset email from BR Live. You couldn't even mark it as safe from the Gmail app (at least I couldn't figure out how), had to open it with the browser.
I got this alert on an Amazon auth-confirm email.
I'm not sure this is Gmail specific.

I've had Microsoft flag their own legitimate notices and announcements go to junk.

I can't be the only one. I didn't set a rule for this.

They flag Steam Guard codes as well.

This has happened to me every single time I've logged into a new device on my Firefox account over the last 3+ years. Probably over 25 times. I have to ask it to re-send, and often I had to quickly memories the code as it would close the email (move it to spam) while I had it open.
I use Google Suite for my small company; out of the last 12 monthly invoices by Google, 3 were marked as spam by Google itself.
This happens all the time on a lot of platforms. Even Protonmail would sometimes flag my work MFA emails as spam.