Why if you are yahoo.com or gmail.com mail user, you probably won't see this message :-)
10 Nov
2018
10 Nov
'18
7:31 a.m.
TL;DR:
In never ending battle against SPAM and phishing attacks, some email
providers are now using DMARC, rejecting or marking as SPAM email if the
originating mail server doesn't match the authorized ones for the
provider's service.
For example:
- Yahoo! is flat out rejecting e-mail from yahoo! mail users if it comes
from non-authorized servers.
- Google is marking e-mail from gmail users as SPAM if it comes from
non-authorized servers.
Unfortunately this breaks mailing list software like mailman (used for this
list) which tries to make e-mail from the list appear as if it is coming
from the original sender.
The changes that are required to fix the issue change the functionality of
the list software in ways users may not like.
I found this out while applying DMARC for my my own domains.
More info can be found at these sites:
https://wiki.list.org/DEV/DMARC
https://dmarc.org/
Fun.
-Neil
--
Neil Johnson
10 Nov
10 Nov
8:06 a.m.
Cheers from my gmail.com account :)
El sáb., 10 nov. 2018 a las 13:34, Neil Johnson (<neil.johnson(a)erudicon.com>)
escribió:
> TL;DR:
> In never ending battle against SPAM and phishing attacks, some email
> providers are now using DMARC, rejecting or marking as SPAM email if the
> originating mail server doesn't match the authorized ones for the
> provider's service.
>
> For example:
> - Yahoo! is flat out rejecting e-mail from yahoo! mail users if it comes
> from non-authorized servers.
> - Google is marking e-mail from gmail users as SPAM if it comes from
> non-authorized servers.
>
> Unfortunately this breaks mailing list software like mailman (used for this
> list) which tries to make e-mail from the list appear as if it is coming
> from the original sender.
>
> The changes that are required to fix the issue change the functionality of
> the list software in ways users may not like.
>
> I found this out while applying DMARC for my my own domains.
>
> More info can be found at these sites:
> https://wiki.list.org/DEV/DMARC
> https://dmarc.org/
>
> Fun.
>
> -Neil
>
> --
> Neil Johnson
>
8:31 a.m.
On November 10, 2018 12:31:49 PM UTC, Neil Johnson <neil.johnson(a)erudicon.com>
wrote:
TL;DR:
In never ending battle against SPAM and phishing attacks, some email
providers are now using DMARC, rejecting or marking as SPAM email if
the
originating mail server doesn't match the authorized ones for the
provider's service.
For example:
- Yahoo! is flat out rejecting e-mail from yahoo! mail users if it
comes
from non-authorized servers.
- Google is marking e-mail from gmail users as SPAM if it comes from
non-authorized servers.
Unfortunately this breaks mailing list software like mailman (used for
this
list) which tries to make e-mail from the list appear as if it is
coming
from the original sender.
The changes that are required to fix the issue change the functionality
of
the list software in ways users may not like.
I found this out while applying DMARC for my my own domains.
More info can be found at these sites:
https://wiki.list.org/DEV/DMARC
https://dmarc.org/
Fun.
-Neil
Hi Neil,
That DEV/DMARC link is a bit dated and obsolete.
The DMARC mitigation code available in Mailman (since v2.1.18) is in wide use and working
well. At a minimum this list should be automatically munging posts from DMARC enabled
domains.
Let me know if you need any help with this. I'm new here, but somewhat of an old-hat
in the Mailman world. I'm always glad to help.
73s,
-Jim P.
8:31 a.m.
Perhaps you have noticed that 'mailman' implements an option to get
around the fundamentally broken concept of DMARC, and that the 44net
mailing list has that functionality turned on. (This is the
"DMARC-Munge-From" option).
It is dependent on the DMARC-implementing site declaring so publicly
by publishing a TXT record in its DNS entries. Sites which implement
DMARC without the corrective DNS entry are making an already-broken
protocol behave even more poorly.
One recommended procedure is to set a mailman option which refuses
postings from email providers that implement DMARC and informs the
subscriber attempting to post to the list that their email provider
is running a non-standards-compliant email system, that their mail
is being refused as being unforwardable, and that they should find
some other email provider instead. I have considered turning this
option on but, while esthetically pleasing, it would reduce the
functionality of the list, and so I have not. That doesn't mean
that DMARC isn't a badly broken misconception; it is. It should
NOT BE USED.
- Brian
On Sat, Nov 10, 2018 at 06:31:49AM -0600, Neil Johnson wrote:
Unfortunately this breaks mailing list software like
mailman (used for this
list) which tries to make e-mail from the list appear as if it is coming
from the original sender.
The changes that are required to fix the issue change the functionality of
the list software in ways users may not like.
10:54 a.m.
Now that I've done some more research (google) I see I've twice naively
wandered into two hotly contested issues (IPv4 address transfers and SPF,
DKIM, DMARC).
My apologies!
Going back to lurking mode now.
-Neil
On Sat, Nov 10, 2018 at 7:31 AM Brian Kantor <Brian(a)bkantor.net> wrote:
Perhaps you have noticed that 'mailman'
implements an option to get
around the fundamentally broken concept of DMARC, and that the 44net
mailing list has that functionality turned on. (This is the
"DMARC-Munge-From" option).
It is dependent on the DMARC-implementing site declaring so publicly
by publishing a TXT record in its DNS entries. Sites which implement
DMARC without the corrective DNS entry are making an already-broken
protocol behave even more poorly.
One recommended procedure is to set a mailman option which refuses
postings from email providers that implement DMARC and informs the
subscriber attempting to post to the list that their email provider
is running a non-standards-compliant email system, that their mail
is being refused as being unforwardable, and that they should find
some other email provider instead. I have considered turning this
option on but, while esthetically pleasing, it would reduce the
functionality of the list, and so I have not. That doesn't mean
that DMARC isn't a badly broken misconception; it is. It should
NOT BE USED.
- Brian
On Sat, Nov 10, 2018 at 06:31:49AM -0600, Neil Johnson wrote:
--
Neil Johnson
Unfortunately this breaks mailing list software
like mailman (used for
this
list) which tries to make e-mail from the list
appear as if it is coming
from the original sender.
The changes that are required to fix the issue change the functionality
of
the list software in ways users may not like.
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
10:22 p.m.
I'm using gmail and reading all these well enough...
On Sat, 10 Nov 2018 at 07:32, Neil Johnson <neil.johnson(a)erudicon.com>
wrote:
> TL;DR:
> In never ending battle against SPAM and phishing attacks, some email
> providers are now using DMARC, rejecting or marking as SPAM email if the
> originating mail server doesn't match the authorized ones for the
> provider's service.
>
> For example:
> - Yahoo! is flat out rejecting e-mail from yahoo! mail users if it comes
> from non-authorized servers.
> - Google is marking e-mail from gmail users as SPAM if it comes from
> non-authorized servers.
>
> Unfortunately this breaks mailing list software like mailman (used for this
> list) which tries to make e-mail from the list appear as if it is coming
> from the original sender.
>
> The changes that are required to fix the issue change the functionality of
> the list software in ways users may not like.
>
> I found this out while applying DMARC for my my own domains.
>
> More info can be found at these sites:
> https://wiki.list.org/DEV/DMARC
> https://dmarc.org/
>
> Fun.
>
> -Neil
>
> --
> Neil Johnson
>
11 Nov
11 Nov
3:23 a.m.
This is easily circumvented by mailer software like this one.
It does NOT send mails as coming from the user. It just changes the name:
If I send a mail to this list, I send it from "Marius <marius(a)yo2loj.ro>"
The mailing list SW will send it from "Marius via 44Net
<44net(a)mailman.ampr.org>"
Even if that "via 44Net" would not be there, it still is a mailer's
address.
The same applies if the sender would be "marius(a)yo2loj.ro
<44net(a)mailman.ampr.org>"
It would APPEAR it was sent from me, but the actual address is mailman's
address.
On the other hand, mail servers are right, one can not send mail to them
using their own domain, unless allowed by some trusted source (DNS SFP
reccord or similar in the mail host's record) authorizing the external
host to send mail in its name.
And it is not only yahoo doing this, most mail servers reject such
mails. They also reject unknown sender hosts (without RDNS entries),
invalid HELLO headers and others.
Google is the exception, classifying it as spam instead of just
rejecting it with a 554 error.
IMHO this whole thing is actually in place for years, and a non-issue.
As long as a mail server is correctly configured, everything works as
expected.
Marius, YO2LOJ
On Sat, 10 Nov 2018 at 07:32, Neil Johnson
<neil.johnson(a)erudicon.com>
wrote:
(...)
Unfortunately this breaks mailing list software like mailman (used for this
list) which tries to make e-mail from the list appear as if it is coming
from the original sender.
The changes that are required to fix the issue change the functionality of
the list software in ways users may not like.
5:28 a.m.
Mailing list manager for a Dutch digital rights initiative here. We've
been dealing with DMARC for the last couple of years and are publishing
our own DMARC quarantine policy soon, after months of monitoring and
contacting other list managers to get DMARC to work with their lists.
Munging the From: header is one solution, but doing so makes it harder
to filter posts from a list member in a mail client (for example the
'Filter these messages' bar in Thunderbird doesn't work anymore).
We opted with not munging the From: header and instead trying to keep
the original DKIM signature valid. You see, you only need SPF *or* DKIM
alignment to achieve DMARC compliance, otherwise forwarding would break
(read the spec to know what 'alignment' means here). A forwarder should
of course use its own domain in the bounce (envelope FROM) domain so the
email passes SPF validation.
Keeping the DKIM signature valid means that you cannot modify the email
body (Mailman must not add a footer). The same goes for certain headers,
depending on the configuration of the DKIM signer. These headers are
often From:, To:, Date:, MIME-Version: and Message-ID:, but often the
Subject: header is included as well, so you cannot add '[listname]' in
front of the subject.
I hope this is useful to someone!
Imre PH0BOS
On 11/11/2018 09:23, Marius Petrescu wrote:
This is easily circumvented by mailer software like
this one.
It does NOT send mails as coming from the user. It just changes the name:
If I send a mail to this list, I send it from "Marius
<marius(a)yo2loj.ro>"
The mailing list SW will send it from "Marius via 44Net
<44net(a)mailman.ampr.org>"
Even if that "via 44Net" would not be there, it still is a mailer's
address.
The same applies if the sender would be "marius(a)yo2loj.ro
<44net(a)mailman.ampr.org>"
It would APPEAR it was sent from me, but the actual address is mailman's
address.
On the other hand, mail servers are right, one can not send mail to them
using their own domain, unless allowed by some trusted source (DNS SFP
reccord or similar in the mail host's record) authorizing the external
host to send mail in its name.
And it is not only yahoo doing this, most mail servers reject such
mails. They also reject unknown sender hosts (without RDNS entries),
invalid HELLO headers and others.
Google is the exception, classifying it as spam instead of just
rejecting it with a 554 error.
IMHO this whole thing is actually in place for years, and a non-issue.
As long as a mail server is correctly configured, everything works as
expected.
Marius, YO2LOJ
7:39 p.m.
Yep gmail here too, but it could be because it recieve via a mail redirect
from zonedit
73
Lin N4YCI
On Sun, Nov 11, 2018 at 5:02 AM David Gillingham via 44Net <
44net(a)mailman.ampr.org> wrote:
> I'm using gmail and reading all these well enough...
>
> On Sat, 10 Nov 2018 at 07:32, Neil Johnson <neil.johnson(a)erudicon.com>
> wrote:
>
> > TL;DR:
> > In never ending battle against SPAM and phishing attacks, some email
> > providers are now using DMARC, rejecting or marking as SPAM email if the
> > originating mail server doesn't match the authorized ones for the
> > provider's service.
> >
> > For example:
> > - Yahoo! is flat out rejecting e-mail from yahoo! mail users if it
> comes
> > from non-authorized servers.
> > - Google is marking e-mail from gmail users as SPAM if it comes from
> > non-authorized servers.
> >
> > Unfortunately this breaks mailing list software like mailman (used for
> this
> > list) which tries to make e-mail from the list appear as if it is coming
> > from the original sender.
> >
> > The changes that are required to fix the issue change the functionality
> of
> > the list software in ways users may not like.
> >
> > I found this out while applying DMARC for my my own domains.
> >
> > More info can be found at these sites:
> > https://wiki.list.org/DEV/DMARC
> > https://dmarc.org/
> >
> > Fun.
> >
> > -Neil
> >
> > --
> > Neil Johnson
> >
12 Nov
12 Nov
12:36 a.m.
On 12/11/18 11:39, Lin Holcomb wrote:
Yep gmail here too, but it could be because it recieve
via a mail redirect
from zonedit
I've been following this entire thread, and my email is hosted using
Google Apps. It's basically Gmail, but the DNS is managed by me.
--
73 de Tony VK3JED/VK3IRL
http://vkradio.com
12:53 a.m.
The subject line of this message is clearly wrong.
255 of the 821 subscribers to this mailing list use @gmail.com
mailboxes.
If there were a problem with gmail, it would have shown up long
ago.
- Brian
11 Nov
11 Nov
7:36 p.m.
Checking in from yahoo.com!
On Saturday, November 10, 2018, 5:32:15 AM MST, Neil Johnson
<neil.johnson(a)erudicon.com> wrote:
TL;DR:
In never ending battle against SPAM and phishing attacks, some email
providers are now using DMARC, rejecting or marking as SPAM email if the
originating mail server doesn't match the authorized ones for the
provider's service.
For example:
- Yahoo! is flat out rejecting e-mail from yahoo! mail users if it comes
from non-authorized servers.
- Google is marking e-mail from gmail users as SPAM if it comes from
non-authorized servers.
Unfortunately this breaks mailing list software like mailman (used for this
list) which tries to make e-mail from the list appear as if it is coming
from the original sender.
The changes that are required to fix the issue change the functionality of
the list software in ways users may not like.
I found this out while applying DMARC for my my own domains.
More info can be found at these sites:
https://wiki.list.org/DEV/DMARC
https://dmarc.org/
Fun.
-Neil
--
Neil Johnson
2201
days inactive
2203
days old
11 comments
10 participants
participants (10)
-
Brian Kantor -
David Gillingham -
Imre Jonk -
Jim Popovitch -
Lin Holcomb -
Marius Petrescu -
n0p [Luis Bernal] -
Neil Johnson -
Tony Langdon -
yahoo.com Lundy