"From:" of notification emails can trigger a phising warning
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Triaged
|
Low
|
Unassigned | ||
Bug Description
When I'm subscribed to a bug, I get email notifications from launchpad.net. And the emails trigger the phising warning always in Gmail as follows:
https:/
> Be careful with this message
>
> Nobuto Murata is similar to a name in your organization, but the email
> address does not belong to your domain or Canonical Mail couldn’t
> verify that it actually came from <email address hidden>. Avoid
> replying to this email unless you reach out to the sender by other
> means to ensure that this email address is legitimate.
>
> Report phising | Looks safe
That's because Launchpad uses the From: header as:
From: "LAUNCHPAD USERNAME" <email address hidden>
e.g. From: Nobuto Murata <email address hidden>
And Gmail or other mailers think random email addresses (<email address hidden>, <email address hidden>, <email address hidden>, etc.) try to impersonate the same "LAUNCHPAD USERNAME".
It would be nice if Launchpad sends those emails from something like:
From: "LAUNCHPAD USERNAME" via Launchpad.net <email address hidden>
to be aligned with the industry best practices and other services, Discourse etc. are taking a similar approach.
| description: | updated |
| Ines Almeida (ines-almeida) wrote | #1 |
| tags: | added: email |
| Changed in launchpad: | |
| importance: | Undecided → Low |
| status: | New → Triaged |
| Alex Kavanagh (ajkavanagh) wrote | #2 |
That does sound like a good idea for us to implement