[HN Gopher] Mailgun doesn't validate the email headers of email ...
___________________________________________________________________
Mailgun doesn't validate the email headers of email sent through
their system
Author : kxrm
Score : 131 points
Date : 2021-11-13 15:29 UTC (7 hours ago)
(HTM) web link (twitter.com)
| jbverschoor wrote:
| Mailgun doesn't even validate their own headers. I get daily
| emails from mailgun, which pass every check (spf, dkim, etc).
|
| Reported it a bunch of times, but gave up. No response, no fix...
| unfortunate, because mailgun was a reaaally cool product
| emn13 wrote:
| Another anecdote of mailgun issues: we recently had an issue
| where a staging environment of ours started sending mails to
| real people.
|
| We use this staging environment to do as-much-as-possible end-
| to-end dry-runs of real work, and thought that mailgun's
| sandbox functionality would be an ideal fit for this - we get
| to test everything up to and including the mailgun api to find
| regressions or other issues.
|
| ...until it started sending real mails; and when we talked to
| their support staff the response was the frankly astonishing
| "yeah, that's by design, sandboxes will send real mail out of
| the sandbox when under unusually high load" (paraphrased).
|
| Seriously, W.T.F.
|
| Now, of course we can and do do normal testing with entirely
| fake data, but data-distribution dependent failures happen;
| that's kind of the whole point of a staging environment. I'm
| not sure what the point of mailgun's sandbox even is if it's
| useless for staging.
| i_have_an_idea wrote:
| If you're worried someone might spoof your domain, then use
| DMARC.
| Asmod4n wrote:
| Any Mail Server I encountered allowed you to put anything you
| want as the From header. With Microsoft Exchange being the
| exception.
| kxrm wrote:
| True, but do you just allow them to borrow the reputation of
| your other customers? If a scammer knows example.com is a
| customer (DNS records will tell me this quickly) and a scammer
| decides to open an account and send as example.com through the
| service. Does Mailgun have no responsibility or ability to stop
| this behavior?
|
| Seems easy enough to stop from what I know of email. Otherwise
| DKIM and SPF are worth nothing in systems like this.
| Asmod4n wrote:
| Hm, strato, 1and1 and t-online only have one mx and spf
| record for all customers. Allowing you to send as anyone they
| have in their system and make it look authentic.
| pbhjpbhj wrote:
| Surely they can cut off emails before it reaches the SMTP
| server though? Don't they have a milter that drops email
| sent by accounts that don't have the domain registered?
| They don't really forward spoofed mail do they??
| cdot2 wrote:
| Mailjet stops this by simply requiring domains to be
| registered to accounts before an account can send from that
| domain. Registering a domain requires adding a DNS record or
| file on that domain with a random unique guid
| kxrm wrote:
| Yep, and Mailgun requires a domain as well, they just don't
| do anything with it for filtering this behavior.
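The account-to-domain binding that cdot2 and pbhjpbhj describe above, as an added example (not code from the thread or from any provider). `DomainRegistry`, the `esp-verify=` token format and the injected `txt_lookup` callable are hypothetical, the DNS data is constructed, and domains are matched exactly, so a subdomain needs its own verification.

```python
import secrets
from email import message_from_string
from email.utils import getaddresses


class DomainRegistry:
    """Hypothetical ESP-side registry: domain -> account that proved control."""

    def __init__(self, txt_lookup):
        self.txt_lookup = txt_lookup  # callable: domain -> list of TXT strings
        self.pending = {}             # (account, domain) -> challenge token
        self.owner = {}               # verified domain -> account

    def start(self, account, domain):
        """Issue a random token the customer must publish as a TXT record."""
        token = "esp-verify=" + secrets.token_hex(16)  # made-up token format
        self.pending[(account, domain.lower())] = token
        return token

    def confirm(self, account, domain):
        """Bind the domain to the account once its token is visible in DNS."""
        key = (account, domain.lower())
        token = self.pending.get(key)
        if token is None or token not in self.txt_lookup(key[1]):
            return False
        self.owner[key[1]] = account
        del self.pending[key]
        return True

    def may_send(self, account, envelope_from, raw_message):
        """Check done before signing or relaying: the envelope sender and
        every From: address must sit in a domain this account verified."""
        headers = message_from_string(raw_message).get_all("From", [])
        if not headers:
            return False, "missing From header"
        addrs = [addr for _name, addr in getaddresses(headers)]
        for addr in addrs + [envelope_from]:
            _local, at, domain = addr.rpartition("@")
            if not at or self.owner.get(domain.lower()) != account:
                return False, f"{addr!r} not verified for {account}"
        return True, "ok"


if __name__ == "__main__":
    dns = {}                                   # constructed stand-in for DNS
    reg = DomainRegistry(lambda d: dns.get(d, []))
    dns["example.com"] = [reg.start("acct-a", "example.com")]
    reg.confirm("acct-a", "example.com")
    msg = "From: Billing <billing@example.com>\nSubject: invoice\n\nhi\n"
    print(reg.may_send("acct-a", "bounce@example.com", msg))  # owner
    print(reg.may_send("acct-b", "bounce@example.com", msg))  # other tenant
```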
| jeroenhd wrote:
| The problem is that those basic fakes are normally rejected by
| the spam filter because they fail the SPF/DKIM checks on the
| receiving site.
|
| If you actually use mailgun yourself then you add mailgun to
| the list of permitted senders and probably add a DKIM key as
| well. When someone else then fakes your email address without
| any validation, mailgun might sign the message and bypass every
| anti spam measure there is.
|
| This could be solved without validation (for example by using
| dedicated IP addresses and DKIM keys per domain and attaching
| those to your specific account and API keys) but that'd take
| some significant engineering effort (and address space, loads
| of servers are still configured IPv4 only for some reason).
|
| From the screenshot, I gather that the DKIM checks failed
| already. That still makes mailgun an open relay, though, so
| they should be added to the necessary IP blacklists if they
| can't fix this problem.
| dazbradbury wrote:
| Mailgun used to be a HN favourite, great service, great customer
| support, and quickly resolving issues / providing solutions to
| problems like this (and many others). Email is hard, and mailgun
| made it less hard, helping you solve problems along the way.
|
| Several years ago, the customer service got worse, and the fixes
| / solutions stopped coming. I don't hold my breath that this (or
| any other issue) will be solved any time soon sadly.
|
| What service do HN recommend these days?
| a2tech wrote:
| I've been using Amazon SES for a few years with my larger
| clients. No real complaints about deliverability and since
| we're aggressively not spam, haven't run afoul of any of their
| automated tools.
| albertgoeswoof wrote:
| I built and launched my own provider: https://ohmysmtp.com
| welder wrote:
| Mailgun was acquired, which sometimes has a side-effect of
| product quality decreasing.
|
| I wish Cloudflare would launch an email API service, seems a
| good fit for them.
| alx__ wrote:
| A private-equity company bought them a couple years ago, and
| felt like the quality took a hit after that.
|
| Looks like they were recently acquired by another company
| trying to compete with Twilio. So maybe things will improve?
|
| https://techcrunch.com/2021/09/30/sinch-acquires-pathwire-
| th...
| jiux wrote:
| Another +1 for Postmark. Reliable and insightful.
|
| What really sold me personally as a bootstrapper was how they
| offer initial credit for their services to help get going.
| mikeodds wrote:
| Would be interesting to map at which point in time customer
| service comments turned from positive to negative. Not that I'm
| suggesting PE buyouts typically lead to this...
|
| https://techcrunch.com/2019/04/01/mailgun-changes-hands-agai...
| z3ugma wrote:
| Postmark, for sure. Run by a small dev shop called Wildbit that
| is bootstrapped, treats their employees fairly, and grows in
| small sustainable ways.
|
| https://postmarkapp.com/
|
| https://wildbit.com/
| FearlessNebula wrote:
| What's the advantage here over SendGrid? SendGrid has an
| unlimited free tier of 100 emails per day, and for $15/mo you
| can send up to 40k emails/mo.
|
| Postmark does have a lower $10/mo starting price for 10k
| emails per month. But the next jump is $50/mo for 50k emails.
|
| I'm currently working on a project and intended to use
| SendGrid, so I'm wondering if there's any benefits of
| Postmark.
| theptip wrote:
| Postmark has way better visibility into what is being sent.
| You get per-email history/status, so you can easily tell if
| something is queued or bouncing. Trying to debug errors on
| Sendgrid is less fun.
|
| On the other hand, postmark is a bit more flaky - I track
| delivery RTT and had had a few cases in my first year with
| them where Postmark had > 30m delays (and no outage
| reported). Sendgrid has always been bombproof on delivery
| times over many years of usage.
|
| I still prefer Postmark on balance.
| petercooper wrote:
| Heavy SG user here and while it's still pretty functional
| and not problematic enough to move away from, it's not as
| good as it used to be.
|
| _Before_ being acquired, SG's support was _fantastic_.
| There are also various oddities that have cropped up, such
| as how they're currently hitting our webhook endpoint with
| the same event every 20 seconds for the past 8 days (a
| similar problem occurred last year too). They also seem to
| have suffered some dings to their IP reputation in numerous
| places due to, I assume, this:
| https://krebsonsecurity.com/2020/08/sendgrid-under-siege-
| fro... .. I continue to encounter numerous systems that
| flat out refuse any email from any IP I can muster at
| Sendgrid and we have a bunch on different subnets. So
| anyone who works at Red Hat, Packt, Akqa, Zendesk, etc..
| they're not getting our mail.
|
| We use Postmark as a fallback for users when we get the
| inevitable error messages back, and they have been pretty
| good, although I find their API a little too slow to move
| everything over to them and SG has a fantastic "delayed
| send" feature which is a must for deliverability to iCloud
| addresses.
|
| Pragmatically I prefer Sendgrid, but Postmark is very good
| and feels somewhat more wholesome to use, particularly if
| your levels are low. I'd use Postmark for the same reason
| I'd rather use a local bakery than buy presliced at a
| supermarket.
| jjeaff wrote:
| To me, there is one big difference with postmark. Their
| focus is on transactional emails. Not marketing emails. I
| believe they have a separate service now for marketing
| emails, but the big reason I chose them is that they are
| very focused on keeping their IP addresses clean. One way
| they do this is by only allowing users of their service to
| send transactional emails like invoices, password resets,
| or things that have been specifically requested by users. I
| assume they keep all that on IP addresses reserved only for
| that. Most people won't mark a password reset email as
| spam. But they will frequently mark recurring marketing
| emails as such.
|
| I use Postmark for everything that is very important that
| it gets through. I actually use mailgun for mass emails,
| marketing, announcements, etc.
| hericium wrote:
| > What's the advantage here over SendGrid?
|
| I am not familiar with products mentioned above but
| SendGrid is often discussed as a source of spoofed
| messages. They allow sending as 3rd party domains, or at
| least allowed it until recently. I suspect that this may be
| affecting their deliverability.
| aledalgrande wrote:
| I opened an account with Sendgrid for a new project the
| other week. Account got banned right away, didn't even log
| in one time and they said to contact support to get it
| unblocked. Only issue is to contact support you have to be
| logged in and their alternative form also wants you to log
| in.
|
| Sendgrid is not friendly.
| prophesi wrote:
| Cool, a highly unlikely anomaly that can't be proven.
| maxk42 wrote:
| Are you using linux, by chance? Recently I've noticed
| Amazon, Google, and others reporting my logins from linux
| as "suspicious activity". I've never logged-in from
| another OS, so I'm wondering if they're all relying on
| some third-party service that automatically equates linux
| with "suspicious".
| 1vuio0pswjnm7 wrote:
| Yet Amazon, Google, and others all use, produce and offer
| Linux themselves. How can logging into a server running
| Linux from a desktop/laptop/handheld computer running
| Linux be "suspicious" activity? Is Android not Linux?
| j45 wrote:
| It could be that Linux-driven spam bots are using their
| system.
| sodality2 wrote:
| Spoofing the user agent is probably the first thing these
| spam bots would do.
| aledalgrande wrote:
| I am on Mac OS on a residential IP ¯\_(ツ)_/¯
| unclebucknasty wrote:
| Recently opened a SendGrid account on their $14.95 tier for
| a new project and found the shared IP blocked by MS domains
| (outlook.com, live.com, hotmail.com). MS servers confirmed
| the reason in the SMTP negotiation as owed to the
| IP/provider.
|
| We reported it to SendGrid and their only option was to
| upgrade to their $89.95 plan to get a dedicated IP. That
| plan comes with 100K monthly sends and we are nowhere near
| that.
|
| So, the choice was to have a significant portion of
| important transactional emails, like registration, not go
| through or overpay for a plan that is wildly overmatched
| for us.
|
| Email is hard, but this borders on unethical. Customers pay
| for and integrate a service that simply doesn't work as
| advertised. They make no offer to mitigate (e.g. change to
| a new shared IP). It's just "oh yeah, if you want the
| service to actually work reliably, you need to pay us 6X
| more".
| rsoto wrote:
| Same story here, but being a Sendgrid customer for 6+
| years, suddenly the shared IP is blocked as well. After
| opening a lot of support tickets and getting no response,
| I had to nag someone here in HN who mentioned working for
| Sendgrid, he escalated but the response was the same: pay
| a lot more to get what you used to have.
|
| Migrated to Postmark right away and we've been a happy
| customer for 2+ years now.
| muppetman wrote:
| Off topic: What does "he scaled" mean in this context?
| unclebucknasty wrote:
| I'd guess "escalated", meaning engaged someone higher up
| in the company with more authority.
| unclebucknasty wrote:
| Yeah, I'd used SendGrid's higher tier on other projects
| for years, as the send volume justified it. So, generally
| had the dedicated IP address.
|
| They need to do a better job of managing their shared IP
| pool. As it is, they are offering paid plans that are
| unsuitable for many common use cases. Really, unless you
| have control of all possible receiving domains (e.g.
| you're using it for an internal app), you're rolling the
| dice.
|
| Else, at a minimum, they should disclose deliverability
| metrics on their various plans so customers can make
| informed choices. As it is, their marketing is
| deliberately misleading.
|
| Thanks for the feedback on Postmark. I'll have another
| look at them.
|
| EDIT: Just glanced at Postmark and they're already
| looking much stronger than SendGrid, and with much better
| pricing. The "deliverability without a dedicated IP"
| language seems to be directly aimed at providers like
| SendGrid. Are they able to live up to that promise?
|
| Also like their policy around content retention.
|
| Will be exploring switching costs.
| nyolfen wrote:
| i use sendgrid for a small project because it's free and
| has template support, but the site is _unbelievably_
| unresponsive. it takes 30+ seconds for anything to load. we
| have a paid account at work and it's exactly the same, so
| it's not my connection or the free tier. my assumption is
| that twilio has left it on autopilot.
| Spone wrote:
| Their customer support is really top-notch!
| agrunyan wrote:
| Second this 100%. Postmark is my go-to for every project
| evandwight wrote:
| Why not use AWS ses? It's so much cheaper.
| aledalgrande wrote:
| UX and support?
| svacko wrote:
| One important decision argument against AWS SES is their
| policy to keep bounce rate below 5% (account put under
| review, if unresolevd until end of month, will be
| suspended, with hard limit of 10%) [1] compared to least
| strict Postmark's bounce rate of 10% [2].
|
| Sometimes for SAAS products with a huge userbase or
| freemium pricing model it is super difficult to keep the
| bounce rate so low for transactional emails.
|
| [1] https://docs.aws.amazon.com/pinpoint/latest/userguide/channe...
| [2] https://postmarkapp.com/support/article/1137-servers-faq
| welder wrote:
| I wish Cloudflare provided an outgoing email API service. Seems
| like a good fit for their customers, and I bet they would take
| security more seriously than Mailgun.
| rav wrote:
| I was recently looking into Mailgun's EU-hosted offering. Does
| anyone have recommendations for EU-based alternatives?
| rodelrod wrote:
| Mailjet is a French company with a lot of compliance parlance
| in their website. They are now under the same company as
| Mailgun (Pathwire) and there are some weird mentions of Mailgun
| in the Mailjet docs, so I don't know where they're heading.
|
| I was considering using Mailjet, but from the docs it looks
| like the inbound processing is not as sophisticated as Mailgun:
| we can't set inbound routes dynamically according to the
| destination email address.
| tedivm wrote:
| If accurate this means any mailgun user can pretend to be another
| one when sending email out- that's pretty damn bad. Since
| companies add mailgun to their SPF/DKIM records it means those
| spoofed emails will be hard to distinguish as fake.
| kxrm wrote:
| I know it's accurate, I had another domain on my machine that
| was sending email through my account, on accident, and Mailgun
| did nothing to stop it.
| ecf wrote:
| Judging by the reputation of the new Mailgun owner, I
| wouldn't be surprised to find out this is a feature for
| scammers, not a bug.
| vmception wrote:
| I have been trying to tell people that this is happening for
| years. More about that spoofers were doing it, not what tools
| they were using
|
| I didn't know I needed proof because people often resorted to
| victim blaming even though I never fell for any of the emails
| kxrm wrote:
| I think it's difficult to prove, and the only people who care
| will be the domain owners that are impacted. If you send
| enough mail, you won't notice a few extra emails going out
| from another account.
|
| Mailgun should have a way to monitor and block this. We used
| SMTP to interface with Mailgun and frankly, I didn't even
| think of this as being a vulnerability until I left the
| service. The DMARC reports just prove it was happening.
| JanSt wrote:
| I'm looking for an alternative to send mail and receive inbound
| mail. I'd prefer to connect my domain so I can send from an
| API+interface (like gmail). Google does only allow 300 or so
| mails per day through SMTP. I'd like to send more like 1000+
| through an API (I'd like a combination of mailgun and gmail). Is
| there a service like this out there?
| kxrm wrote:
| Mailgun does this, however I wouldn't recommend any of these
| services unless you are willing to fork out the cash for a
| static IP.
|
| The free tier or shared IP side is where these kinds of
| shenanigans can be played out.
| JanSt wrote:
| Yes, but they don't provide an interface for inbound mail,
| only redirecting, right?
| kxrm wrote:
| They have inbound on their paid tiers.
| johnchristopher wrote:
| Mailjet ?
| legitster wrote:
| Have you looked at Office 365/Outlook? A $100 a year
| subscription gets you a lot of firepower.
| tehbeard wrote:
| Well.... thanks for ruining my weekend...
|
| Gonna be fun on Monday looking into this, talking with leads, and
| looking for Mailgun alternates.
| kxrm wrote:
| If you pay for a static IP and tighten up your SPF records to
| just that IP rather than using Mailgun's include, you should be
| fine.
|
| It's bad that their service allows this at all, but it isn't
| the end of the world for all of their customers.
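kxrm's suggestion above, worked through as an added example (not from the thread): a reduced SPF evaluator that handles only `ip4`, `ip6`, `include` and `all`, run over constructed records. `esp.example` stands in for a provider's shared-pool record, the other domains are hypothetical customers, and the addresses are documentation ranges.

```python
import ipaddress

# Constructed TXT records, not any provider's real SPF data.
TXT = {
    "esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",        # shared sending pool
    "loose.example": "v=spf1 include:esp.example -all",      # authorizes whole pool
    "tight.example": "v=spf1 ip4:198.51.100.77 -all",        # dedicated IP only
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, txt=TXT, depth=0):
    """Simplified SPF check: ip4/ip6/include/all, first matching term wins.
    Other mechanisms and modifiers are skipped; lookup limits are a depth cap."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none" if depth == 0 else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIER else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qualifier]
        elif name == "include":
            # include matches only when the included record evaluates to pass
            if check_spf(arg, ip, txt, depth + 1) == "pass":
                return QUALIFIER[qualifier]
    return "neutral"


if __name__ == "__main__":
    other_tenant_ip = "198.51.100.23"   # some other customer's shared-pool address
    for sender in ("loose.example", "tight.example"):
        print(sender, check_spf(sender, other_tenant_ip))
```

With the include, any address in the shared pool passes SPF for the domain; with the single `ip4` term, only the dedicated address does.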
| akach wrote:
| At UniOne.io, a Mailgun rival, we ask each of our customers to add
| a separate DNS entry for a new domain proving that he/she owns the
| domain, and don't let another customer send using this domain.
___________________________________________________________________
(page generated 2021-11-13 23:01 UTC)