GMail and Sourceforge E-mail Bouncing Saga

An anonymous reader writes "All e-mail going back and forth from Sourceforge and Gmail is being bounced. This leaves many Open Source projects with helpless mailing lists. Fortunately, Sourceforge blames Google and Google is blaming SourceForge for this. The Sourceforge support site is clogged with support requests for a resolution to this problem. Google's response to this bouncing has been automated e-mails saying it is probably at the other end of mail delivery. This is something that the community needs to know about since it has been going on for a week already with no end in sight." Worth noting that Sourceforge and Slashdot are both part of OSTG. Update 20:07 GMT by SM: According to SourceForge support staff this issue is now resolved. Apparently a few days ago the sender-verify to gmail started resulting in 450 errors. Google has since either corrected this issue or whitelisted SourceForge and several tests of the system have resulted in correct delivery.

Sourforge?

[eldavojohn (898314)]

Worth noting that Sourforge and Slashdot are both part of OSTG.

After all the great software I've found on there, I'd call it sweetforge.

Loss of communication can only mean one thing...

[photozz (168291)]

Invasion.

Re:Loss of communication can only mean one thing..

[by Anonymous Coward]

I for one welcome our new e-mail bouncing, blame placing, invading overlords!

Re:

[X0563511 (793323)]

no... Yahoo!

Re:Loss of communication can only mean one thing..

[caseydk (203763)]

Hmm... take down one of the biggest Open Source Software repositories and the biggest search engine?

This must be the work of Microsoft!

Now how can we fit Haliburton into this?

Re:Loss of communication can only mean one thing..

[mennucc1 (568756)]

(here comes the quote nazi:)
A communications disruption can mean only one thing - invasion. [moviewavs.com] (MP3) [moviewavs.com]

Re:Loss of communication can only mean one thing..

[garcia (6573)]

They don't have a "+1 Nerd Movie Quotes" mod, sorry. :)

Why is the email bouncing?

[by Anonymous Coward]

The summary was useless, there's only a few things I want to know about this spat. Who sends the first DSN, why and why was it rejected by the other party?

SourceForge uses Mailman

[ben there... (946946)]

In my opinion, the problem with SourceForge lies in that Mailman doesn't work well with Gmail addresses. I use Mailman discussion lists on my DreamHost account, and while testing I couldn't get the emails to work until I added a non-gmail account. I contacted support, blaming them for a while and getting frustrated, until I tried a different email account.

This was DreamHost's response:

I've closed out this ticket for you. I thought I should mention however
that quite a few people that have forwards to gmail have ran into similar
problem, the only thing that is consistent is that the messages make it
to the gmail relays and then disappear.

I don't know if that means that GMail rejects Mailman messages, or Mailman has problems sending to Gmail addresses, but one way or another, it doesn't work right.
--
Use coupon DH75OFF to get $75 off hosting at DreamHost.com

From the link ...

[khasim (1285)]

TEMP_FAILURE: SMTP Error (state 9):
451-Could not complete sender verify callout
451-Could not complete sender verify callout for .

So, it would seem that SourceForge cannot verify the sender of incoming messages from GMail so SourceForge is issuing a temporary rejection.

Is GMail correctly handling the temp rejects?

The solution would be:
a. Find out where the sender verify callout is breaking and fix that.

b. Disable sender verify callout until you can do "a".

Re:Why is the email bouncing?

[doti (966971)]

Here you go, a complete bounced message from sf.net:

X-Gmail-Received: ecfafb0784517c3cc7f903105542834cd33fde22
Delivered-To: rodolfo.borges@gmail.com
Received: by 10.35.42.5 with SMTP id u5cs205830pyj;
                Sat, 30 Sep 2006 21:26:16 -0700 (PDT)
Received: by 10.35.61.2 with SMTP id o2mr4364526pyk;
                Sat, 30 Sep 2006 21:26:16 -0700 (PDT)
Return-Path:
Received: by 10.35.61.2 with SMTP id o2mr5005562pyk;
                Sat, 30 Sep 2006 21:26:16 -0700 (PDT)
From: Mail Delivery Subsystem
To: rodolfo.borges@gmail.com
Subject: Delivery Status Notification (Delay)
Date: Sat, 30 Sep 2006 21:26:16 -0700 (PDT)

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

          albert@users.sf.net

Message will be retried for 2 more day(s)

Technical details of temporary failure:
TEMP_FAILURE: SMTP Error (state 9): 451-Could not complete sender verify callout
451-Could not complete sender verify callout for .
451-The mail server(s) for the domain may be temporarily unreachable, or
451-they may be permanently unreachable from this server. In the latter case,
451-you need to change the address or create an MX record for its domain
451-if it is supposed to be generally accessible from the Internet.
451 Talk to your mail administrator for details.

      ----- Message header follows -----

Received: by 10.35.61.2 with SMTP id o2mr1893905pyk;
                Fri, 29 Sep 2006 20:41:07 -0700 (PDT)
Received: by 10.35.42.5 with HTTP; Fri, 29 Sep 2006 20:41:07 -0700 (PDT)
Message-ID:
Date: Sat, 30 Sep 2006 00:41:07 -0300
From: "Rodolfo Borges"
To: procps-feedback@lists.sf.net
Subject: pkill -l
Cc: "Kjetil Torgrim Homme" ,
        "Albert Cahalan"
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

      ----- Message body suppressed -----

Probably Sourceforge?

[Chris_Jefferson (581445)]

The message linked to in the post says the person is having trouble with both gmail and sending mail from his own domain. I have also had trouble with sourceforge, where mails from my ISP seemed to be "eaten" about half the time. I've just moved mailing lists off sourceforge, although I'm still using them as their svn support is good. Unless anyone else is having trouble with gmail, I'm tempted to just lay all of the blame at sourceforge.

Re:Probably Sourceforge?

[srussell (39342)]

Unless anyone else is having trouble with gmail, I'm tempted to just lay all of the blame at sourceforge.

Hear, hear. Considering all of the problems I've (personally) encountered with SourceForge (broken databases, unresponsive, utterly down) and how few problems I've seen with Google (as in, none), I'd be inclined to think the problem is on SourceForge's end. Google has a reputation for reliability and quality. SourceForge, on the other hand...

--- SER

Umm

[nizo (81281)]

Fortunately, Sourceforge blames Google and Google is blaming SourceForge for this.

I don't think that word means what you think it means. Unless you are glad that no one is willing to take responsibility for the problem and fix it???

Re:Umm

[Rob T Firefly (844560)]

Fortunately, the word Schadenfreude [wikipedia.org] does mean what I think it means.

Re:Umm

[by Anonymous Coward]

Hello, I'm sarcasm, I don't believe we've met before.

Re:

[Ravensfire (209905)]

I think you need to turn on your Sarcasm Detector (TM)(Patent Pending).

-- Ravensfire

Re:Umm

[onion2k (203094)]

A sarcasm detector? Like that'd be useful.

Re:Umm

[narzy (166978)]

I would find such a device highly useful. I am one of many people who find it hard to differentiate sarcasm from strait forward conver...wait a minute...

Re:Umm

[houghi (78078)]

A sarcasm detector? Like that'd be useful.

I think it would, because many people don't recognize it when they see it.

SourceForge is good for spewing into the ether...

[jazzkat (901547)]

I've had cases where mail coming from SourceForge never reached me; their servers never even attempted to connect to my e-mail server (i.e. nothing in the logs to indicate this). I was running my own DNS at the time, at a colocation center, and never had problems sending or receiving e-mail before with any other domains.

I don't see the problem...

[by Anonymous Coward]

...you all have the source code, and the developers do not consider this a priority, so feel free to solve your problem and post a patch

well this looks clear as mud

[LiquidCoooled (634315)]

Greetings,

This is something recent that has changed in how Google handles
email (other sites have started to get the same errors). We
are investigating how to deal with this.

SourceForge.net Support

Is it because sourceforge is not following the RFCs and google has just tightened up?

We had a similar issue in one of our programs where mailing worked wonderfully for months and months for all customers, then one morning complaints started.
It appears as though we weren't following the RFCs to the letter and the main isp in our country (bt) had updated to a more stringent mail server (we shockingly used an additional CR where one was not expected...).

This all sounds similar.

Re:

[jfinke (68409)]

Been there as well. Our developers were using a old library that was compliant to the old SMTP RFC, but not that new one. When we switched firewalls from proxy (which was rewriting the smtp packets under the new RFC) to statefull inspection 5% of our clients has munged up attachments. It was really odd.

eh

[erikdotla (609033)]

Troubleshooting IT on message boards involving the public is a highly effective way to get things done.

Allow me to start. *ahem*

WHY is SourceForge even using SMTP????!!!

Re:

[einhverfr (238914)]

Because X.400 isn't as widely accepted yet ;-)

What we REALLY need is a full OSI protocol stack build on top of TCP/IP so we can use all the wonderful features of X.400, X.500 (instead of messy LDAP), and so forth!

Re:

[idontgno (624372)]

Because X.400 isn't at all accepted, anywhere, and never was ;-)

There, corrected that typo for you.

Open Source vs. Google

[patio11 (857072)]

Who is the Slashdotter to root for? Hmm... I know, third option! It is Microsoft's fault!

Google's Answer if they find it is them...

[tecker (793737)]

Original Response:

Google's response to this bouncing has been automated e-mails saying it is probably at the other end of mail delivery.

New Response:
"Well Gmail is still in beta so don't blame us."

E-mail isn't reliable, ya know

[Toe, The (545098)]

Sure, there are RFCs and other standards to ensure that if an e-mail isn't delivered, someone is notified, but those are hardly written in stone. Sometimes e-mail just disappears into the wonderful world of dev/null.

There is never, ever any absolute guarantee that an e-mail is going to reach its destination, just as there is no way of knowing if that letter you drop in a mailbox is really going to go where it is supposed to.

If you're trying to maintain a discussion, use a bulletin board. There you can see whether your message was posted, and... as long as the host is up, other people will see what you see.

In any event, people gotta learn that technology is never 100% reliable. You'd think we'd understand this by now.

SPF records....

[leto (8058)]

Google has SPF records. Sourceforge seems to reject mail that seems spoofed (eg people 'pretending' to be allowed to send user@gmail.com mail without going through google.

It's neither sourceforge's fault not google's fault. It's the enduser's fault. You must send/receive email through google's gmail system.

You get what you pay for.....

You have never had experience with this problem...

[einhverfr (238914)]

On my latest open source project (LedgerSMB), several of us including both project admins have been unable to send email to the lists from Gmail accounts because of this issue. Our mailing lists have thus been basically down because of this.

It is a *very serious* problem for Sourceforge. Before all this happened, we were actually talking about using Google Code instead.

If you are interested in what LedgerSMB [ledgersmb.org] is, it is a truly open fork of SQL-Ledger with a real attention to security and data integrity. C

Re:SPF records....

[nuzak (959558)]

> Google has SPF records. Sourceforge seems to reject mail that seems spoofed (eg people 'pretending' to be allowed to send user@gmail.com mail without going through google.

SPF has nothing to do with it. Sourceforge is employing callback verification, which is not only abuse itself (it's basically a dictionary attack that we're just supposed to trust is for good and not evil), it's also incredibly broken.

See http://atm.tut.fi/list-archive/nanog/msg37172.html [atm.tut.fi] for an explanation.

Just one more reason to jump ship from sourceforget.

Re:

[SiliconEntity (448450)]

It's neither sourceforge's fault not google's fault. It's the enduser's fault. You must send/receive email through google's gmail system.

That's not the case here. I use gmail solely through the web interface, nothing fancy going on at all. I'm subscribed to my SF.NET mailing lists at the same address I'm sending from. But my mail is bouncing. And this has been going on for a week now, since last Wednesday.

If it is an SPF problem, then one of the two of them is implementing it wrong, because all gmail users

I beg to differ

[geoffspear (692508)]

"All e-mail going back and forth from Sourceforge and Gmail" is certainly not being bounced. My Gmail account has been getting plenty of email from Sourceforge during the period when "all e-mail" has supposedly been bouncing.

Of course, this is the sort of accuracy I expect from Slashdot.

Callbacks Are Evil

[ccandreva (409807)]

I would say this is Gmail's problem.

Gmail is initiating what are called call-backs. For every incoming e-mail, they attempt to send a fake e-mail back to the sender to verify that the sending address actually exists.

The theory is that since spammers forge many names, it will reject spams that have made up names forged into them.

The end result, however, is that it pushes your spam problem back on to the domain forged into the spam. It causes an extra load on that server as it has to accept all these bogus connections. For another it will just encourage spammers to forge other people's actual addresses as the sender of their garbage.

It is encouraging to see that Sourceforge does not support that. I would give the solution as to either complain to Gmail that callbacks break they stated goal of "Do no evil".

Barring that, don't use gmail.

Re:Callbacks Are Evil

[140Mandak262Jamuna (970587)]

Initially callbacks will be evil as you say. But if gmail implements a learning system and starts tagging which ip addresses in the call chain are routinely sending spam it can become better. So at some point it will detect spam without actually calling back. So give them some slack please.

Re:Callbacks Are Evil

[140Mandak262Jamuna (970587)]

It is true that there are vast botnets. And the spammers routinely change the bots. And most bots are on dynamic ip address that keeps changing. You are right in saying that I or you or most other companies would not have the resources to combat spam by tagging the ip addresses. But if there is a company that has the resources, both in terms of money and in terms of searching, organizing and finding patterns it would be Google.

Most legitimate mailservers are running on static ip addresses. Google will be able to compile a list of legitimate good mailservers rather quickly. Google is also an IP address registrar. It has the routing tables and other registration information and netblock ownership information. It will know the dynamic ip addresses by the block. Mailservers running on dynamic addresses, or relays running dynamic addresses are suspect immediately. It is not proof. But more like preponderance of evidence (IANAL).

Can they determine spam without callbacks in three months. No way. Can they reduce the number of callbacks to confirm legitimacy of email by atleast an order of magnitude? Yes, they can by collecting relay ip addresses, mail server ip addresses, netblock ownership data and putting them all together like "page-rank", "mailserver-rank". They might even find the bots and inform the ISP that they probably have a bot and the ISPs might even contact the boob with the infected machine. Good things can come out of this.

Will they? There you got me. Dont know if they will. But I hope they do.

Re:

[ccandreva (409807)]

> So the email server that sent the email is required to ensure that it actually not spam

No. The e-mail server that handles whatever domain happens to be in the sender field is being asked if the address actually exists. There is a big difference.

People can put whatever address they want in the From: field of their mail. Return addresses are forged in spam all the time.

It is becomming a very big problem, when someone decides to forge your return address into 100,000 pieces of spam, and now your server h

pragmatism

[Speare (84249)]

A pragmatic solution would be to say, "I don't care whose fault it is, we will disable/filter our automatic reply system on our end for a couple days until a real solution can be found." The chances of someone being pragmatic on ONE side is pretty good, and while it wouldn't be necessary, the chances of someone being pragmatic on BOTH sides isn't too terrible to contemplate either.

Once you turn off the water at an upstream valve, fixing the actual pipe rupture gets a lot easier. Just git 'er done.

The Solution

[Cytlid (95255)]

Um, INCOASFML (I'm not currently on a source forge mailing list) but the way I've been operating for years would probably remedy this situation. I have my own domain... I run my own sendmail (insert MTA flamewar here, perhaps someday I'll switch to postfix or qmail or something). I have my own webmail, but it sucks. I signed up for gmail with an obscure username. Gave *noone* the account name. I just forwarded my user on my colocated machine to GMail, and have GMail use that username as a reply to address. Works great. GMail's become my glorified webmail client (it beats the crap outta my other ones).

  So at the end of the day, have your friendly local neighborhood mail admin forward a real domain account to your gmail. Then just change it on sourceforge's list. Then I'm not subject to gmails (or sourceforges) mail policies, only my own.

hosted gmail

[jasonhamilton (673330)]

gmail also has a hosted solution. you sign up, point your dns to gmail's mail servers, and can have all your email go through email. You can even create accounts, mailing lists, etc. Right now they appear to be limiting me to 25 users per domain. Works really well. you can pop3 off their system too.

It is definitely Sourceforge's problem

[kindbud (90044)]

Sourceforge is posting the following message to bug reports about this problem.

Greetings,
    We're aware of the difficulties in the interaction
between
our mailing list services and Gmail. Our network operations
team
is currently aware of the issue and is working with Gmail
administration on a resolution.

-Jay Bonci
Systems Programmer Analyst,
Sourceforge.net

Somebody posted a SMTP dialog to one of the bug reports:

Example:
telnet mail.sourceforge.net 25
Trying 66.35.250.206...
Connected to mail.sourceforge.net.
Escape character is '^]'.
220 mail.sourceforge.net ESMTP Exim 4.44 Sat, 30 Sep
2006 01:12:02 -0700 sc8-sf-mx1.sourceforge.net
HELO aisa.fi.muni.cz
250 mail.sourceforge.net Hello 14397 at aisa.fi.muni.cz [147.251.48.1]
mail from:
250 OK
rcpt to:
451-Could not complete sender verify callout
451-Could not complete sender verify callout for <anyone@gmail.com>
451-The mail server(s) for the domain may be temporarily unreachable, or
451-they may be permanently unreachable from this server. In the latter case,
451-you need to change the address or create an MX record for its domain
451-if it is supposed to be generally accessible from the Internet.
451 Talk to your mail administrator for details.
QUIT
221 mail.sourceforge.net closing connection
Connection closed by foreign host.

Sourceforge's mail server is doing a callback to gmail.com, to verify the sender address is accepted by gmail.com. This check is screwing up. It's Sourceforge's problem. Callback verify is not covered by any RFC, so SF has gone above and beyond the standards, it is their responsibility to make sure their SMTP service is interoperable with standard servers, not the other way around. Google can provide logs of the failed callbacks, but that's all the burden they should assume. It's SF's problem to fix.

Re:

[kindbud (90044)]

Oops, some angle brackets got munched by the parser because I forgot to HTML-ise them.


mail from: <anyone@gmail.com>
250 OK
rcpt to: <firebird-net-provider@lists.sourceforge.net>
451-Could not complete sender verify callout
451-Could not complete sender verify callout for <anyone@gmail.com>
451-The mail server(s) for the domain may be temporarily unreachable, or
451-they may be permanently unreachable from this server. In the latter case,
451-you need to change the address or create an MX record f

Re:It is definitely Sourceforge's problem

[pe1chl (90186)]

Callback verify is not covered by any RFC

On the other hand, there is nothing in any RFC that prohibits you from doing callbacks.

Unfortunately the above post misses critical information about the callback itself. What mail address is it using as a source?
Usually, callbacks use "MAIL FROM:<>" and the RFCs explicitly state that you MUST accept this. But, some mailservers reject mail from <>. That could be a problem, but in this case the problem is in the called server that does not implement a MUST item.

The mailserver I manage at work uses callbacks. It almost never causes problems. In cases where the sending server refuses MAIL FROM:<> it tries to use MAIL FROM:<mailer-daemon@domain>.
The only known problem occurs when the called server first accepts MAIL FROM:<> and then rejects the RCPT TO: with an error referring back to the <> source.
This is done by the broken "Spamfilter for ISP" by LOGSAT. But this one has other SMTP protocol bugs, so just don't use it.

And then of course there are some mailinglists that simply send their mail from a nonexistant address. Presumably to avoid having to do list maintenance.
I consider this antisocial, and have no problem with blocking their mail.

Re:Why not just dump GMail?

[dk.r*nger (460754)]

Why not just dump SourceForge? Surely there are utilities to migrate to another development platform or an open source repository solution...

Google offers Sourceforge-like services

[einhverfr (238914)]

I am considering dropping Sourceforge for Google partly for this reason. I have had trouble with some of my other domains and Sourceforge isn't even interested in helping me get my email servers working properly with their system.

Re:

[AJWM (19027)]

And now you know why Google is bouncing Sourceforge email.

Or vice versa.

Re:Can you expand on this a bit?

[einhverfr (238914)]

http://code.google.com/hosting/ [google.com]

Includes web space, svn hosting, a tracker, and the like.

Re:

[mrchaotica (681592)]

How can you collaborate without email in this modern age!

Stop ironing your question marks. They're supposed to look wrinkled like that!