Why Email Providers Scan Your Emails (consumerreports.org) 98
An anonymous reader shares a report: If you receive emails flagged as spam or see a warning that a message might be a phishing attempt, it's a sign that your email provider is scanning your emails. The company may do that just to protect you from danger, but in some situations it can delve into your communications for other purposes, as well. Google announced that it would stop scanning Gmail users' email messages for ad targeting in 2017 -- but that doesn't mean it stopped scanning them altogether. Verizon didn't respond to requests for comments about Yahoo and AOL's current practices, but in 2018 the Wall Street Journal reported that both email providers were scanning emails for advertising. And Microsoft scans its Outlook users' emails for malicious content. Here's what major email providers say about why they currently scan users' messages.
Email providers can scan for spam and malicious links and attachments, often looking for patterns. [...] You may see lots of ads in your email inbox, but that doesn't necessarily mean your email provider is using the content of your messages to target you with marketing messages. For instance, like Google, Microsoft says that it refrains from using your email content for ad targeting. But it does target ads to consumers in Outlook, along with MSN, and other websites and apps. The data to do that come from partnering with third-party providers, plus your browsing activity and search history on Bing and Microsoft Edge, as well as information you've given the company, such as your gender, country, and date of birth.
[...] If you're using an email account provided by your employer, an administrator with qualifying credentials can typically access all your incoming and outgoing emails on that account, as well as any documents you create using your work account or that you receive in your work account. This allows companies to review emails as part of internal investigations and access their materials after an employee leaves the company. [...] Law enforcement can request access to emails, though warrants, court orders, or subpoenas may be required. Email providers may reject requests that don't satisfy applicable laws, and may narrow requests that ask for too much information. They may also object to producing information altogether.
new info? (Score:5, Insightful)
Is there some new information here? I must be missing it.
Re:new info? (Score:5, Insightful)
There is nothing new here, but it's good to remind people from time to time that they are surrendering a tremendous amount of privacy by using email services they don't control.
Re:new info? (Score:5, Insightful)
Funny thing is, I run my own email server. But many people I email do not - much of my email gets scanned because it exists outside of my own email server and on services like gmail or outlook.com. Once you've sent an email you've lost control, again nothing new here.
I guess I should also remind you that the internet never forgets.
Re: (Score:2)
Don't worry, the big mail services are doing their best to make it impossible to run an independent mail server that can reliably send and receive email anyway. The cartel-like control they've been establishing over the most important communications medium we have today outside of face-to-face contact, all under the guise of "fighting spam" or whatever excuse they have this week, is really quite disturbing if you stop and think about it.
As for new info: TFS implies that Microsoft is monitoring not just your
Re: (Score:2)
DKIM and SPF are not all that burdensome. IP reputation is the tough one, but you can't blame the big mail services for what they do there. Entire neighborhoods of IP addresses get flagged and if your dedicated server's IP is in the same range as easily compromised shared hosting with outdated WordPress installs it can be nearly impossible to have a perfectly clean record. Never underestimate the amount of down these measures are stopping.
Re: (Score:2)
IP reputation is the tough one, but you can't blame the big mail services for what they do there.
Well, I can, for precisely the reason you set out. Some of the big mail services are extremely aggressive at flagging or even silently dropping incoming mail based on nothing but an IPv4 address, often due to associations like proximity to another address that has been blacklisted, being part of a domestic ISP's range, or being a source of spam a long time ago when someone completely different was using that address.
Never underestimate the amount of down these measures are stopping.
The amount of what that these measures are stopping? Detection of hostile content should be
Re: (Score:2)
Some of the big mail services are extremely aggressive at flagging or even silently dropping incoming mail based on nothing but an IPv4 address, often due to associations like proximity to another address that has been blacklisted, being part of a domestic ISP's range, or being a source of spam a long time ago when someone completely different was using that address.
I often apply those criteria to my own server as well, and often refuse any SMTP traffic from entire ASNs. I don't expect to receive any legi
Re: (Score:2)
Don't worry, the big mail services are doing their best to make it impossible to run an independent mail server that can reliably send and receive email anyway.
Oh? So far I have had one this year and one last year. In both cases, their fault, because they blocked a whole /16 of individual vservers. A complaint to my vserver provider cleared both up nicely. And no, I do not use DKIM or SPF. Not needed. Email gets authenticity from a PGP-signature, not from messing with DNS.
Re: (Score:2)
At work our infrastructure is hosted with a relatively small managed hosting service. We have unique IP addresses that have been exclusively ours for a long time. We send only legitimate, standards-compliant mails. And still, a significant proportion of essential outgoing mail (as in, we are legally required to send it, or it's something explicitly requested like a password reset) to people who are already paying customers gets lost, apparently just from mail services screwing up their filtering. A noticeab
Re: (Score:2)
I think you do not know what "authenticated" means.
Re: (Score:2)
I'm well aware of other meanings of the term, but the only kind of authenticity that is relevant in a discussion about reliable delivery of email is the kind that improves delivery rates. When you contrasted including a PGP signature with the other protocols, that appeared to be the point you were making. If that wasn't your intention, perhaps you'd like to clarify why you mentioned PGP here at all?
Re: (Score:2)
"Authentic" does not have a meaning of "reliable". You definitely do not know what "authenticated" means.
Re: (Score:2)
I spent much of the past decade working with enterprise-grade AAA infrastructure. I know what authenticated means just fine as a term of art in the field of IT security.
However, that meaning wouldn't have been relevant to this discussion, which is about reliable delivery of email, so I assumed you meant it in the plain English sense of being trustworthy and not fake, in contrast to the spam emails that these service providers are supposedly trying to block.
If that wasn't what you meant then you still haven'
Re: (Score:2)
Don't worry, the big mail services are doing their best to make it impossible to run an independent mail server that can reliably send and receive email anyway.
No, they don't.
Everyone can have his own mail server for $1 - $5 per month. Simple. Pay a bit more and you have it in your house on your own linux box.
Re:new info? (Score:5, Insightful)
Everyone can have his own mail server for $1 - $5 per month. Simple. Pay a bit more and you have it in your house on your own linux box.
Thank you. This is the first time in a long time that I get to write ROFLMAO on Slashdot. It takes me back to my youth.
I'm sorry to be the bearer of bad news, but if you actually do that today, there's a very high probability that some major mail services will flag your mail immediately just because you're sending from an IP range used by a domestic ISP. And then more will flag you because someone else with the same ISP actually was spamming and your IP address is within the same /N as them. You won't do much better sending mail from an IP block known to be controlled by any cloud provider.
Running a mail server is not trivial but it's within the abilities of many geeks. Running a mail server that anyone else will listen to is an entirely different story, and it isn't the year 2000 any more. Increasing numbers of small organisations can't even get reliable delivery from a dedicated mail server at their office, using an exclusive IP address with a business-grade connection to their ISP, and this trend has been getting worse for years. Sending your mail via a large ISP or one of the big dedicated mail services is in danger of becoming the only reliable option for a lot of small businesses, and that is very much not how an open communication protocol like email was supposed to work.
Re: (Score:2)
Everyone can have his own mail server for $1 - $5 per month. Simple. Pay a bit more and you have it in your house on your own linux box.
The key part of the phrase you were responding to was "that can reliably send and receive email". Setting up the mail server is the easy part. Getting other ISPs to accept mail from your IP address is the trick.
Re: (Score:2)
Getting other ISPs to accept mail from your IP address is the trick.
And why would that be the case?
I never did anything in that regard and everyone is accepting my mails just fine.
Re: new info? (Score:2)
Re: (Score:3)
I'm trading privacy for functionality. I've tried to control spam on this email address myself... good luck. I get thousands of spams per month.
I could just not publish my address, but I'm not doing anything secret in my gmail. And if I were, I'd encrypt.
Re: (Score:2)
Re: (Score:2)
I don't seem to get google spam in my Inbox, if that's any help.
Looking in the Spam folder I can see five spam messages sent via google docs, so that's working.
Re: (Score:2)
I run my own server and 99% of the spam that I see originates from Google or Microsoft operated e-mail platforms.
Re: (Score:2)
I don't have enough spam getting into my inbox to have samples to examine right now to see if they originated from gmail servers. So the system must be working, and furthermore, it must not give a shit if the source is a google server.
Re: (Score:2)
Perhaps not from paying accounts.
Re: (Score:2)
Well one could do all this work [youtu.be] but people don't want to turn a simple task (communicating with others) into another job.
Re: (Score:1)
Indeed. One reason I use my own mail server, but there are others out there that will give you privacy for a moderate fee. With Google, etc. _you_ are the product.
Re: (Score:1)
Re: (Score:2)
Ceiling Cat is in yer emails!
Re: (Score:2)
Re: Rear Admiral Obvious strikes again (Score:1)
Just spoil it some more, and it's delicious again! :D
Forgot to mention (Score:1)
So the soup boys can build a profile on you, in case you’re a terrorist.
All of them can (Score:3)
All of them can, they have the technical ability. Unless you use some encryption scheme that you can't get your friends and contacts to use (easier to just not use email; same result).
And before someone tells me yet again that I should pay some guys in Switzerland to handle my emails, since they pinky swear that they won't do this - why exactly should I trust those guys either? How do I know they won't take my money and monetize my emails?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I wonder if anyone has tried to get the NSA to sign a BAA.
Re: (Score:2)
that I should pay some guys in Switzerland to handle my emails .... why exactly should I trust those guys either? How do I know they won't take my money and monetize my emails?
Because those providers are running as "banks" and the banking secret is held high there.
And automatic scanning to flag something has nothing to do with "reading" your secrets anyway.
for the paranoid (Score:4, Insightful)
If you are really paranoid about this just use gnupg, but really who cares, not getting spam is a big plus for me.
they would not learn much from me (Score:2)
Obligatory "why is this on Slashdot?" (Score:2)
This story could be of interest to non-technically-minded people; but, even nowadays, that doesn't remotely describe Slashdot's audience.
Re: (Score:2)
I agree in terms of the uselessness of this article but 'non-technically-minded' people seems to be more and more applicable to slashdot as time goes on.
Re: Obligatory "why is this on Slashdot?" (Score:2)
Re: (Score:2)
Re: (Score:2)
I'm pretty sure that everyone who hasn't been under a rock, or in prison, for the past 20 years, knows that email providers scan emails for spam and viruses.
Yes, even in remote African villages. They have email there too, generally via a cellphone connection.
We need home servers for everyone. (Score:1)
With everyone having their own e-mail server etc.
This could be built into routers. FLOSS, of course, or it would be no better in the end.
Updates, written by somebody competent, would keep it just as safe. But it would be liberating, give people back control, and make the net a lot more decentralized and hence resilient. (Of course assuming there are many forks, as there will be, so supply chain attacks and losses of trust can be cut off quickly. But of course requiring a nice and easy way to choose, if you,
Re: (Score:3)
Re:We need home servers for everyone. (Score:5, Insightful)
I already run almost everything myself, including DNS and a CA. And I know it's really not that hard. A thin fork and home server can be maintained with less than half a day of work per week. Or, after the initial setup, no work at all, if everything goes well. It would take me only one additional command each time, to do it for other people as well.
If you think it's easy and it doesn't take much time to administer email, DNS and a CA then you're doing it wrong.
It is not trivial to run those services. Aside from applying security updates, scanning logs and auditing for signs of intrusion you need to keep up with the current state of the art and that changes fairly frequently. TLS configurations, SPF records, dnssec/crypt, DKIM, etc. Getting those things wrong can cut you off from communicating with other people.
DNS requires at least two NS records pointing to separate networks for your domain. If you only have a single NS then you're in violation.
SMTP is difficult on most ISPs. After you've gone through the war of getting them to allow port 25 you have to ensure that you never become an open relay, even inadvertently. That literally means reevaluating the configuration and re-testing it every time you apply an update that includes the SMTP server.
My ISP periodically hit up my mail server and tested it for relaying when I was running one. You also really need a secondary MX configured outside your ISP network so you don't lose mail when yours is overloaded or just down. A secondary MX opens a whole can of worms about spam reflection attacks that you need to be very careful to mitigate EVERY TIME you make a change on the primary.
If you run your own CA then nobody else will trust you. Clients will receive certificate warnings and the big boys connecting to your mail server will just hang up if you mandate TLS and hand out a self-signed certificate.
Go on and keep deluding yourself that you know what you're doing.
Everyone else should just sign up with a trustworthy provider like Proton or Tutanota for their personal email domains. Almost any DNS registrar will do what you need but Cloudflare is free and fast. Letsencrypt will give you certificates if you need them.
Re: (Score:2)
Re: We need home servers for everyone. (Score:2)
Yes to most, but no need for a secondary MX. Any real sender is going to keep trying for at least 3 days, which should be plenty of time to restore your email server.
You'd think that wouldn't you. And it's true until it isn't. Murphy has a profound way of showing up while you are away from it for more than a week.
Over the many years I've had several failures that required major intervention happen while I was out of state for days at a time. Having a secondary saved my mail for that time.
While it's not a hard requirement for a secondary MX it's a very good idea.
Re: (Score:2)
If you have multiple MX for the domain you probably want to add an MX at the highest priority pointing to a blackhole. It gets rid of the non-RFC compliant spam-to-MX senders (and there are a lot of them).
Re: (Score:2)
It gets rid of the non-RFC compliant spam-to-MX senders (and there are a lot of them).
There might have been at one time or another. As with all things, spammers adapted to that variation on greylisting. What I had started seeing more recently, that I found interesting because I hadn't personally seen it in years and years of running mail servers, was more than 50% of spammers going straight to the secondary to inject their excrement. The volume of spam injected directly into the primary had reduced to almost zero toward the end.
I don't know what the logic is there. I never saw any kind of re
Re: (Score:2)
Should have written, "Perhaps they were circumventing your proposed black hole technique, I don't know.".
Somehow managed to not write that. Oops.
Re: (Score:2)
Re: (Score:2)
The biggest issue in keeping it simple is a fixed IP with an open port 25 from your ISP. Forget about running your own CA, Letsencrypt is simple enough today. DKIM solves nothing for the home user. I honestly believe it was conceived so large entities can deliver SPAM more than anything else. SPF is a simple DNS entry. Registrars today offer DNS and some even provide it for free. Keeping up with security advisories will be the headache/problem since home/personal email settings hardly ever change. It's not
Re: (Score:2)
The biggest issue in keeping it simple is a fixed IP with an open port 25 from your ISP.
That is no issue at all.
My port is on my computer, and my ISP is only routing packages: he does not know anything about (my) ports.
Re: We need home servers for everyone. (Score:2)
DKIM solves nothing for the home user.
DKIM solves very little for the *end user*. Without properly configured DKIM (and SPF) your spam score rises so high that the big boys won't share their toys with you. Couple that with anything they consider a "residential" IP and you can literally not get mail to >90% of people.
Microsoft blacklists you and makes you jump through hoops regularly to prove your server is legit. It isn't a once-off process.
Google accepts mail and routes it to /dev/null. I've tested it personally when people started telling me
Re: (Score:2)
SMTP is difficult on most ISPs. After you've gone through the war of getting them to allow port 25 you have to ensure that you never become an open relay, even inadvertently. That literally means reevaluating the configuration and re-testing it every time you apply an update that includes the SMTP server.
No idea what that is supposed to mean. Can you explain?
My ISP is not my email host, I have two of them. All of SMTP/POP/IMAP just works fine. For all my computers and all my (or friends) eMail addresses, I
Re: We need home servers for everyone. (Score:2)
No idea what that is supposed to mean. Can you explain?
My ISP is not my email host, I have two of them. All of SMTP/POP/IMAP just works fine. For all my computers and all my (or friends) eMail addresses, I host.
No idea what any ISP has to do with my port 25, either. My port is on my computer, goes through my NAT router: what has an ISP to do with that?
What does your ISP have to do with packets on port 25? Seriously, you don't even know how that works? Shut down whatever services you are exposing to the Internet and walk away. You'll be making the world a better place.
Re: (Score:2)
You can run your own e-mail server all you want, but you're still sending everything to your ISP, who sends it to their ISP, who sends it....
If you don't want someone on the internet reading your mail, encrypt it. This could be trivially built into every e-mail client, and should be. No need to have grandma running her own server.
Re: (Score:2)
If you submit your e-mail to your ISP's e-mail server (very few actually have one -- they usually outsource it to someone else such as google or microsoft), then there is no point in running your own e-mail server. In fact, I would suggest that if you are using a "relay" then you are not actually running your own e-mail server.
It is only "your own" e-mail server if it sends and receives traffic directly from the source or to the destination.
It is rather trivial to run your own e-mail server. It takes only
Re: (Score:2)
If you submit your e-mail to your ISP's e-mail server (very few actually have one -- they usually outsource it to someone else such as google or microsoft),
That would be fraud.
It is only "your own" e-mail server if it sends and receives traffic directly from the source or to the destination.
That is what my servers do: except that you miss the fact that emails can be relayed.
Re: (Score:2)
"That is what my servers do: except that you miss the fact that emails can be relayed."
Only by agreement. Once upon a time before the invasion of the great unwashed almost all MTA's were capable of being relays by default. Post the arrival of the unwashed, relays are greatly restricted to the point where you cannot relay through arbitrary servers anymore, only by prior arrangement, and any MTA that "accidentally" leaves itself open to relaying will be widely blacklisted.
Re: (Score:2)
I'm going to go out on a limb and guess that your english horn playing skills are pretty bad. In fact, chances are excellent you're completely incompetent.
For the vast majority of people, setting up and maintaining an e-mail server is not at all easy. It also gains them nothing. E-mail is not secure. At all. Wasn't designed that way, hasn't ever been that w
Re: (Score:2)
This is a common fallacy. E-Mail is 100% secure. In fact it is more secure than snail (postal) mail. What is not "secure" is the penchant to use "other people's computers" (aka the cloud) rather than resources under one's own control.
Re: (Score:2)
If that's how you think the Internet works you probably shouldn't be running your own server. At least familiarize yourself with the concept of "routing."
Here's a basic article on it:
https://www.khanacademy.org/co... [khanacademy.org]
unless of course you encrypt your email ... (Score:2)
... then only the NSA and other three letter agencies in the US and rival countries will scan it.
More scans (Score:1)
They forgot to mention another very common scan: Any email system that uses software written in C will scan all your messages to find NULL terminators.
That's why for maximum privacy, you should insist that your providers use software written in modern languages.
Re: (Score:2)
Modern languages have this same problem, so don't use them either until this is fixed.
In other news, troll probably wants to convert everything to rust or some such nonsense using nonsense fear arguments.
maybe not (Score:1)
Re: (Score:2)
Re: (Score:2)
Yes, the "rcpt to" and "mail from" together with the foreign MTA IP Address and DNS configuration (that is, require strict RFC compliance) is quite efficient in getting rid of spam and phishing. Combined with SPF and blocking of malicious actors it is at least 99% efficient at blocking all spam and other malicious traffic. DKIM does not really add anything to the equation.
Re: (Score:2)
Re: (Score:2)
All MTA's that are not me are foreign.
Re: (Score:2)
MTA means Mail Transfer Agent -- a "user" composes an e-mail and submits it to a MUA (Mail User Agent). The Mail User Agent sends the message to a MTA (Mail Transfer Agent). That MTA (Mail Transfer Agent) then transfers the message to another MTA (Mail Transfer Agent) which then delivers the message to a MUA (Mail User Agent) from which the "user" to which the message was sent can retrieve it.
Sometimes the MUA component is "linked into the same executable" as the MTA, sometimes not.
E-Mail (message) transf
Re: (Score:2)
Who cares? (Score:1)
Scanning? So last century Apple eavesdrops advert (Score:2)
iPad email is littered with advertisements for my latest .
Yesterday: Let's Solve Your Toughest Odors - Fresh Wave - we talked about cleaning minisplits
How I got onto Apple advertising through eavesdropping happened on my iPad. In my Dr.'s office, in private conference, I carried my tablet, setting it on the corner of his desk. Dr. explained no Rx necessary for one script, that it was available OTC by brand . Within an hour after leaving, my tablet shows brand advertising to me.
That’s impossible by coinciden
Re: (Score:2)
What has that to do with your iPad?
Your eMail goes via an email server. If anything is wrong with it: it is there.
Stupid idiots.
Why? (Score:2)
Because politicians are stupid and use private mail to conduct government business, so it's easier to put somebody at Google than a spy into any government.
Can anyone tell me? (Score:1)
Google announced that it would stop scanning Gmail (Score:2)
Because They Can. (Score:2)
Yeah, they use spam/scams etc. as an excuse. But as the article states, they have other uses as well.
One reason why some people start their own email service is just to avoid this crap.
Of course it means you get more spam.
To spy on you - DOH! (Score:1)
C'mon ... (Score:2)
Email is plain text. Even HTML-ized email is basically text, and it's trivial to decode.
Meanwhile, email service is a best-effort forwarding scheme. It can pass through any number of nodes (servers, routers, caching devices, etc.) on its journey from sender to receiver, and there may be packet-capture software installed on any of those nodes. So, basically ANYBODY could be reading your email for ANY purpose, including spying on you, building an ad profile on you, or stalking you online (okay, okay, I admit
Re: (Score:2)
So, basically ANYBODY could be reading your email for ANY purpose,
During transfer, eMail is encrypted. Since - decades - 2 decades or so?
Re: (Score:2)
About 3 decades. Encrypted transport appeared about the same time as the influx of the Great Unwashed.
Re: (Score:2)
Yes, but has everyone enforced encrypted transfer? AFAIK, port 25 can be plain text, including passwords.
Re: (Score:2)
Focus on: can be.
Yes, but has everyone enforced encrypted transfer?
In the business world, aka ISPs: yes.
Obvious solution? (Score:2)
Wrong ... (Score:2)
If you receive emails flagged as spam or see a warning that a message might be a phishing attempt, it's a sign that your email provider is scanning your emails.
That is simply wrong.
a) spam is detected most simply by rejecting the first attempt of the sender to send it to your mail box. Giving him a hint how long he should delay the second attempt. 90% of the spam is either not sent again, or tries immediately again. Because: it comes from a malwared PC.
b) spam and phishing is usually recognized by ppl, putt
Re: (Score:2)
Most spam is detected before the data phase of the transfer.
The first step is to immediately drop and blacklist any origin IP which transmits anything before you have completed sending the banner. Delaying sending the banner after connect for a few seconds helps enormously here. Second you need to validate the HELO or EHLO system name is properly forward and reversed in DNS and if it is not, drop the connection and blacklist the source IP. This process is called "Strict RFC compliance" and will eliminat
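The pre-DATA checks described in the comment above (early-talker detection, HELO forward/reverse DNS matching), combined with the reject-first-attempt greylisting mentioned earlier in this thread, as an added example that is not any poster's code or any real MTA's implementation. The delay values, verdict names, class names and the DNS table are assumptions constructed for illustration, and DNS lookups are replaced by an inline table so it runs offline.

```python
"""Pre-DATA SMTP policy sketch: early talker, HELO vs. DNS, greylisting."""
from dataclasses import dataclass, field

BANNER_DELAY = 5      # seconds the server waits before sending its banner (assumed)
GREYLIST_DELAY = 300  # seconds a new triplet must wait before acceptance (assumed)

# Constructed DNS data standing in for A and PTR lookups (documentation ranges).
FORWARD = {"mail.example.org": {"192.0.2.10"}, "mx.example.net": {"198.51.100.7"}}
REVERSE = {"192.0.2.10": "mail.example.org",
           "198.51.100.7": "host7.dialup.example.net"}


@dataclass
class Session:
    ip: str
    helo: str
    mail_from: str
    rcpt_to: str
    connected_at: float    # when the TCP connection was accepted
    first_bytes_at: float  # when the client first transmitted anything


@dataclass
class PreDataFilter:
    blacklist: set = field(default_factory=set)
    first_seen: dict = field(default_factory=dict)  # triplet -> first attempt time

    @staticmethod
    def helo_matches_dns(ip, helo):
        """HELO name must resolve to the client IP and the IP's PTR must be that name."""
        name = helo.lower().rstrip(".")
        return ip in FORWARD.get(name, set()) and REVERSE.get(ip, "").lower() == name

    def check(self, s):
        if s.ip in self.blacklist:
            return "DROP_BLACKLISTED"
        # A client that talks before the delayed banner is not waiting its turn.
        if s.first_bytes_at < s.connected_at + BANNER_DELAY:
            self.blacklist.add(s.ip)
            return "DROP_EARLY_TALKER"
        if not self.helo_matches_dns(s.ip, s.helo):
            self.blacklist.add(s.ip)
            return "DROP_HELO_DNS"
        # Greylisting: temporary failure (SMTP 4xx) until the same triplet
        # comes back after the delay; immediate retries keep failing.
        triplet = (s.ip, s.mail_from.lower(), s.rcpt_to.lower())
        first = self.first_seen.setdefault(triplet, s.connected_at)
        if s.connected_at - first < GREYLIST_DELAY:
            return "TEMPFAIL_GREYLIST"
        return "ACCEPT"


def run_sample():
    """Run six constructed sessions through one filter and return the verdicts."""
    good = dict(ip="192.0.2.10", helo="mail.example.org",
                mail_from="alice@example.org", rcpt_to="bob@example.com")
    sessions = [
        # Sends data 0.2 s after connect, before the banner.
        Session("203.0.113.5", "friend", "x@example.test", "bob@example.com", 0, 0.2),
        # Same address comes back and behaves, but is already blacklisted.
        Session("203.0.113.5", "friend", "x@example.test", "bob@example.com", 10, 16),
        # HELO name resolves to the IP, but the PTR record names a different host.
        Session("198.51.100.7", "mx.example.net", "y@example.net", "bob@example.com", 20, 26),
        Session(connected_at=30, first_bytes_at=36, **good),    # first attempt
        Session(connected_at=40, first_bytes_at=46, **good),    # immediate retry
        Session(connected_at=400, first_bytes_at=406, **good),  # retry after the delay
    ]
    f = PreDataFilter()
    return [f.check(s) for s in sessions]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Keying greylisting on the exact client IP also delays legitimate senders that retry from a different address in a provider's outbound pool, and strict HELO/PTR matching rejects misconfigured but legitimate servers, so both checks trade false positives for spam reduction.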
Rolling Your Own Does Not Solve The Problem (Score:1)
I do run my own infrastructure: two NSes, two MXes on four small VMs hosted by a reputable provider that never let me down for years, different data centres throughout the world. MXes queue incoming mail (encrypted queues), filter spam (spamd) and forward outgoing mail. The main server (MX, IMAP) is in my basement. Queueing on external MXes is extremely beneficial because electricity service in my area is very unstable (many tens of power events every year ranging from momentary glitches to hours of blac