Anti-phishing Notification Feature - Please make opt-in only

[mwmason]

Recently, I received a forwarded email via one my SL aliases that had been altered to be prefixed by a red text banner that read: "This email failed anti-phishing checks when it’s received by SimpleLogin, be careful with its content."

Honestly, it was a little disconcerting because I didn't know for sure that it had be altered by SimpleLogin. I contacted customer support and was told that this is indeed a new feature.

While this may be of use and interest to some, I believe this is just stepping too far in terms of the intent of the forwarding service.

Please make this an opt-in feature rather than the default behavior.

[thibaultmol]

I like the feature, but was also surprised by it.
I think from a security standpoint it makes sense to have this enabled by default.
But it would need more context as to WHY the mail was marked as phising.
Also would have been best if they atleast had communicated before hand "Hey, we'll be enabling a new feature starting next month where we'll say if an email might be suspect of phising and this is how you'll see that in action"

[nguyenkims]

Due to a security audit we've gone through recently, the phishing risk is quite important and we want to make sure this is handled properly before this info becomes public. That's why we decided to roll out this feature as soon as possible. In the next iteration, we'll make sure to make it optional (maybe on the alias level?) so you can turn it off.

[mwmason]

Were the recommendations of the audit that you should modify email content? Is there no other header info where risk of phishing info could be flagged? I think my reaction to this is based on the fact that there was no announcement, if feels intrusive, the email that was modified was actually a false positive - everything seems rushed. I wasn't sure it even came from SL - not something I would think you'd want with your service.

What mechanism is being used to determine if it's a phishing attempt?

I would like to opt out altogether - I can't see any benefit at the alias level.

[nguyenkims]

The detection isn’t based on the email content at all, it’s based on the IP address and the domain the email comes from so at no moment in the process, SimpleLogin analyses the email content.

We'll make sure to create a way to opt out of this feature in our next version.

[thibaultmol]

From what I understand from support. It's probably purely dmarc based. The anti phishing system is triggered when the dmarc records aren't correct (basically a way to verify that an email is indeed coming from a correct source. Using dns records https://youtu.be/qP9ODdimHvM

…

On Fri, Apr 8, 2022, 18:44 mwmason ***@***.***> wrote: Were the recommendations of the audit that you should modify email content? Is there no other header info where risk of phishing info could be flagged? I think my reaction to this is based on the fact that there was no announcement, if feels intrusive, the email that was modified was actually a false positive - everything seems rushed. I wasn't sure it even came from SL - not something I would think you'd want with your service. What mechanism is being used to determine if it's a phishing attempt? I would like to opt out altogether - I can't see any benefit at the alias level. — Reply to this email directly, view it on GitHub <#877 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAHWUMVYHHEMMPIMR3MZAS3VEBO6HANCNFSM5S2MEMMQ> . You are receiving this because you commented.Message ID: ***@***.***>

[thibaultmol]

I think this is very useful as a safety feature and personally would like to keep it enabled. It's just best if we got more transparency as to WHY something got flagged, so that it gives us, the user, info on what we should check to verify if the email is indeed legit PS, congrats on the Proton(mail) acquisition. I actually messaged proton last year saying that it's a shame they don't have an alias system as advanced and well done as SL. Well that's fixed now I guess XD Cheers, Thibault

…

On Fri, 8 Apr 2022 at 20:33, Son Nguyen Kim ***@***.***> wrote: The detection isn’t based on the email content at all, it’s based on the IP address and the domain the email comes from so at no moment in the process, SimpleLogin analyses the email content. We'll make sure to create a way to opt out of this feature in our next version. — Reply to this email directly, view it on GitHub <#877 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAHWUMRELRKBVEMUL3DJEBTVEB3XNANCNFSM5S2MEMMQ> . You are receiving this because you commented.Message ID: ***@***.***>

[nguyenkims]

Yes we'll make sure to add more info about this feature. Currently it's quite simple and based on dmarc check.

[marvin8]

As others have said... this is a good feature in principle and I'll likely continue using it when / if it becomes optional.

However I feel the introduction of the anti-phishing checks was rushed and not well or at all communicated. The lack of communication before introduction of such a new and what feels invasive feature feels weird for an organization that claims to follow a 'user first' philosophy.

Anyway, congratulations on implementing something for phishing protection.

My wish list in regards to anti-phishing:

• Provide some kind of explanation why a particular email has failed the implemented anti-phishing checks.
• Make adding of the message in actual content of the email optional.
• Maybe include a specific email header instead / as well... maybe something like X-SimpleLogin-Anti-Phishing: Failed
• In the future, please communicate changes to your users before or at least at the time of activating major new features.

[nguyenkims]

Thanks for the idea! We'll implement the suggestions in the next version. And we'll make sure to inform users before rolling out the next important feature :).

[rowatt]

I'd like to echo the comments re. making this feature optional and communicating better before launching significant user impacting features. I'd also like to echo the congratulations for the Protonmail acquisition - that sounds like a really positive step!

To add to the discussion, I can say that the feature is completely useless for me. I am getting the message on a number of emails, most of which I have been receiving mails from for years. So much so, that if the message were genuinely flagging a phishing attempt I am likely to ignore it unless something else in the mail gives me cause to be suspicious. For me, it would not work as a warning with a well crafted phishing email.

I've also had a significant increase in mails getting blocked altogether - again mails which I have been happily receiving from for a long time.

So net, net - for me - the new security features are net negative. All false positives so far, intrusive and inconvenient - and therefore much less likely to have the intended impact when there is a bad email.

I am not against security related features, just make them opt in, or if not opt in, make sure they are very well tested and work in practice before rolling out for everyone.

@nguyenkims Is there any way behind the scenes you can turn this off on my account, or could you give a timeframe for when this can be a settings based opt-in or opt-out?

[thibaultmol]

While I understand your points @rowatt I think this is a good opportunity to see what email senders actually have badly configured email servers/accounts.
The couple emails that have been either blocked or had the suffix message added at the top ,I have contacted and informed them about their DMARC settings not being correct. They're happy with the feedback, as other email systems also look at dmarc to verify if an email is real or potentially spam (not immediately block it, but def use it as one of many metrics to judge an email on spam or not)

[rowatt]

I agree that helping senders understand that their systems are misconfigured is a good thing. However, I don't think it's the responsibility of a SimpleLogin user to do that. Personally I don't have time to write back to all the lists where I have had this message, and in some cases it's not even clear who I would write to.

Is there a way where the SimpleLogin system could automatically send a message back to people with misconfigured DMARC (or anything else)? That would be a great service, and could help spread awareness of SimpleLogin (and ProtonMail).

[mwmason]

Looks like Protonmail has been providing this check for a while - https://protonmail.com/blog/prevent-phishing-attacks/ . And as I suspected, there's a non-obtrusive UI element in the email summary of PM that alerts you to the failed DMARC check.

While I realize not all your users are also PM users, it further supports the ask to make this an optional feature - since it would be redundant for PM users.

[nguyenkims]

As the email is actually sent from SimpleLogin server, the current anti phishing measure provided by an email provider doesn't work. SimpleLogin wants to provide the same protection for every email provider. That being said, we might add in the future dedicated integration in ProtonMail that better mitigate the phishing risk.

[jmreekes]

I have dmarc enabled on my domains per the instructions. I was wondering if anything would break if I were to add additional items like fo=1, rua address, ruf address to my DMARC Record on my SimpleLogin domains

[nguyenkims]

No everything will work fine if you have SPF and DKIM correctly set up.

[trikotret]

Its almost going to 4 months now. Any idea when you would have the option to opt out for an alias? I used SL for work related instead of Google workspace. I don't want to reply to someone and accidently have SL verbiage about anti phishing.

[nguyenkims]

@trikotret with this option disabled, there's no way to inform users about the phishing risk. Usually this can be fixed easily on the sender side (they can fix their DMARC or just remove DMARC) and I suggest to ask the sender to fix it. Their emails can also be put into Spams anywhere else.

[trikotret]

Its from T-Mobile Corp. No way I can get them to make changes on their end.

[rowatt]

there's no way to inform users about the phishing risk.

What about users who don't want to be informed? Since you enabled this feature I have received 100's of mails warning me of phishing risk, but not 1 was phishing or spam - with so many false positives, the chance of me taking notice of the warning in a real case are much diminished. All my mails are routed to Google Workspace, which already does an excellent job of finding these mails and sending them to spam.

Usually this can be fixed easily on the sender side (they can fix their DMARC or just remove DMARC) and I suggest to ask the sender to fix it.

As trikotret points out, this just isn't practical in many cases.

I love the Simple Login service in every respect except this one, but this issue is a big deal for me - I am actively looking for alternatives and will cancel my subscription if I find a viable alternative. Turning it off for specific aliases would be excellent (and completely solve the too many false positives issue for me), but just being able to turn it off globally would be a good start.

[trikotret]

@trikotret with this option disabled, there's no way to inform users about the phishing risk. Usually this can be fixed easily on the sender side (they can fix their DMARC or just remove DMARC) and I suggest to ask the sender to fix it. Their emails can also be put into Spams anywhere else.

Is there a way to not include this warning in the reply email? I can delete before sending but sometimes Ill forget. It'll be better if it doesnt get included with replies.

[JtwoA]

I am actively looking for alternatives and will cancel my subscription if I find a viable alternative.

That seems a bit drastic. Feels like you were looking for a way out already and this is just giving you the excuse.

[weiw11]

@nguyenkims any update on this? There shouldn't be a reason for SL to add notification messages on the email body for reasons outside user's control.

[trikotret]

ya this is really annoying. Unfortunately, I can't tell T-Mobile, Microsoft, Starbucks, etc. etc. to fix their email. I do have lots of emails going back and forth with T-Mobile and I accidentally slipped a few red warnings.

[trikotret]

Anyway, to add this Anti-phishing red notification under our email address and not in email body? Thats how proton adds its header "This email has failed its domain's authentication requirements. It may be spoofed or improperly forwarded." This way we can reply to email and not have to delete that red warning.

[nolith]

Any chance we could at least disable it for mailing lists?

Every message I receive from open source mailing list is flagged as phishing. The mail server adds a footer to each message invalidating the signature of the message.

I've asked about implementing some of the mitigations described in https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html but I was told the ML runs on mailman v2 that does not support those features.