
Some emails coming from Gerrit are being tagged as suspicious by Gmail
Open, Needs Triage · Public

Description

Some emails I receive from Gerrit are being tagged as suspicious by Gmail. Looking at the message headers, it looks like those softfail SPF checks and fail on DMARC.

The messages that arrive with no warning do softfail on SPF checks but PASS on DKIM and DMARC.

Please let me know if you wish me to provide further information/data.

Email example with full headers:
{P8688}

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jun 29 2019, 11:13 AM
MarcoAurelio renamed this task from Some emails comming from Gerrit tagged as suspicious by Gmail to Some emails comming from Gerrit are being tagged as suspicious by Gmail. · Jun 29 2019, 11:13 AM
herron added a subscriber: herron. · Jul 1 2019, 1:05 PM

Could you please include the headers from an affected message? Thanks in advance!

@herron Certainly. You can find at P8688 the headers from a random affected message. Regards.

Aklapper renamed this task from Some emails comming from Gerrit are being tagged as suspicious by Gmail to Some emails coming from Gerrit are being tagged as suspicious by Gmail. · Jul 1 2019, 1:30 PM

Thanks, based on these headers it looks like an @tools.wmflabs.org alias which points to an @gmail.com address is being used as the email in Gerrit.

The problem appears to be happening because from Google's perspective tools.wmflabs.org is attempting to relay a message on behalf of wikimedia.org, which indeed is not permitted by SPF policy.

Specifically:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning gerrit@wikimedia.org does not designate 185.15.56.63 as permitted sender) smtp.mailfrom=gerrit@wikimedia.org;

$ host 185.15.56.63
63.56.15.185.in-addr.arpa domain name pointer instance-tools-mail-02.tools.wmflabs.org.
63.56.15.185.in-addr.arpa domain name pointer mailsender.tools.wmflabs.org.
63.56.15.185.in-addr.arpa domain name pointer mail.tools.wmflabs.org.

Can the desired gmail address be used directly in Gerrit, instead of the @tools.wmflabs.org alias?

MarcoAurelio added a comment. · Edited · Jul 1 2019, 2:20 PM

@herron I've been using the tools.wmflabs address on gerrit for quite some time already without any issues. This started to happen recently. The vast majority of emails I get from Gerrit ain't tagged. I wonder why it fails selectively. If it were the tools.wmflabs address, wouldn't all emails be tagged as suspicious? See P8690 for another email which isn't tagged.

DMARC pass
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@wikimedia.org header.s=wikimedia header.b=fYYTSIZ3;
       spf=softfail (google.com: domain of transitioning gerrit@wikimedia.org does not designate 185.15.56.63 as permitted sender) smtp.mailfrom=gerrit@wikimedia.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wikimedia.org

Compare with the previous paste:

DMARC fail
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning gerrit@wikimedia.org does not designate 185.15.56.63 as permitted sender) smtp.mailfrom=gerrit@wikimedia.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=wikimedia.org

It's DMARC that seems to be failing randomly.

Apparently this happens on initial emails sent to me by Reviewer bot for patches submitted against some repositories I watch. I'll check later in depth, but IIRC this is where most of the reported issue happens.

hashar updated the task description. · Jul 1 2019, 3:56 PM
bd808 added a subscriber: bd808. · Jul 1 2019, 8:06 PM

Is this a case where we need SRS on the mail.tools.wmflabs.org exim setup?

I do not understand the mixed dmarc={pass,fail} results at all.

In general I will say that the email forwarding that <user>@tools.wmflabs.org does to the email address associated with the backing LDAP record is a pain on the server side and of dubious value on the user side. The "hidden" user email address is trivially available to anyone with a Cloud VPS account and should be considered public. If anyone is using this as an identity hiding mechanism in git history or otherwise I would advise them to consider finding another means.
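
Added example, not part of the task discussion or of Wikimedia's tooling: a small Python parser that recomputes the DMARC verdict from the two ARC-Authentication-Results excerpts quoted above, using the DMARC rule that a message passes when SPF or DKIM passes for a domain aligned with header.from. On these excerpts it shows that the dmarc=pass message carries an aligned dkim=pass, while the dmarc=fail message has no dkim result at all. The function names and the simplified alignment check are assumptions made for illustration.

```python
import re

# Header excerpts copied from the two pastes quoted in the thread above.
DMARC_PASS = """ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@wikimedia.org header.s=wikimedia header.b=fYYTSIZ3;
       spf=softfail (google.com: domain of transitioning gerrit@wikimedia.org does not designate 185.15.56.63 as permitted sender) smtp.mailfrom=gerrit@wikimedia.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wikimedia.org"""
DMARC_FAIL = """ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning gerrit@wikimedia.org does not designate 185.15.56.63 as permitted sender) smtp.mailfrom=gerrit@wikimedia.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=wikimedia.org"""

METHODS = ("spf", "dkim", "dmarc")

def parse_results(header):
    """Map method -> (result, properties). Assumes one result per method."""
    body = re.sub(r"\([^()]*\)", " ", header.split(":", 1)[1])  # strip comments
    parsed = {}
    for clause in body.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m and m.group(1) in METHODS:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            parsed[m.group(1)] = (m.group(2), props)
    return parsed

def domain_of(value):
    """Domain part of an address or bare domain, lower-cased."""
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(domain, from_domain):
    # Simplified relaxed alignment: equal, or one is a subdomain of the other.
    # Real DMARC compares organizational domains (needs the Public Suffix List).
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))

def explain_dmarc(header):
    """Recompute DMARC: pass if SPF or DKIM passes with an aligned domain."""
    res = parse_results(header)
    from_domain = domain_of(res["dmarc"][1]["header.from"])
    passed_via = []
    for method, keys in (("spf", ("smtp.mailfrom",)), ("dkim", ("header.d", "header.i"))):
        result, props = res.get(method, ("none", {}))
        domains = [domain_of(props[k]) for k in keys if k in props]
        if result == "pass" and any(aligned(d, from_domain) for d in domains):
            passed_via.append(method)
    return {"reported": res["dmarc"][0],
            "computed": "pass" if passed_via else "fail",
            "passed_via": passed_via,
            "no_result_for": [m for m in ("spf", "dkim") if m not in res]}

if __name__ == "__main__":
    for name, hdr in (("DMARC pass", DMARC_PASS), ("DMARC fail", DMARC_FAIL)):
        print(name, explain_dmarc(hdr))
```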