Add PayPal to DNs publishing DMARC p=reject

$ dig +short -t txt _dmarc.paypal.com
"v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
This probably is a problem of lesser magnitude than Yahoo! and AOL since few list posts will come from PayPal, or be delivered to such an address from a list. It might, however, occur by accident, or by a future change whereby PayPal account holders to use their DN, and although I can't imagine PayPal doing this, nothing seems to be sacrosanct or certain in the Wild, Wild West that is the Internet.
It's more likely that a list might add a PayPal general customer notifications address of some sort to a list, with nomail set, for the benefit of other list subscribers.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

On May 4, 2014, at 4:07 PM, Lindsay Haisley <fmouse@fmp.com> wrote:
This is probably the first actual practical application of DMARC p=reject that I have seen. Unfortunately, Yahoo’s and AOL’s abuse of DMARC will tend to neutralize the benefit of DMARC to financial institutions who have a really serious spoofing problem.
best regards, Larry
-- Larry Finch finches@portadmiral.org

On Sun, 2014-05-04 at 16:14 -0400, Larry Finch wrote:
Add also:
chasebank.com bankone.com jpmorgan.com
... just random hits checking on financial institutions.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

Larry Finch wrote:
How does Yahoo's DMARC policy reduce the benefit of Paypal's? Because servers can't follow the reject recommendation without
And does the emergence of legitimate p=reject policies mean it's now less likely Yahoo and AOL will back down?
Here's a cpanel forum thread about the problem, discussing when cpanel's version of mailman will incorporate the features necessary to deal with the problem: http://forums.cpanel.net/f43/yahoos-new-dmarc-policy-causing-mailman-bounces...
Peter Shute

Peter Shute writes:
How does Yahoo's DMARC policy reduce the benefit of Paypal's? Because servers can't follow the reject recommendation without
No, it's because users get used to ignoring warnings about DMARC issues. If it was *only* your bank, you'd learn to pay attention to them. But when you (FVO "you" susceptible to phishing in the first place, of course!) see a pile of DMARC workarounds every day for 70% of your correspondents, how do you respond to this?
All of our mail to you have come back to us due to DMARC rejects,
so we need to use this unusual address.
Please confirm your blah-blah-blah by clicking <here> and logging
in to our secure site.
2% of AOL customers will respond by clicking, at last report. :-(
Let's put it this way: When was the last time you saw an "unvalidated SSL certificate"? Is that timestamp equal to the last time you followed up by checking the root cert's fingerprint on the authority's secure site? Or is the latter equal to -1? ;-)
And does the emergence of legitimate p=reject policies mean it's now less likely Yahoo and AOL will back down?
What makes you think the banks didn't start doing this ages ago? Apparently they merely haven't made an explicit announcement.

On Mon, 05 May 2014 09:24:59 +0100, Peter Shute <pshute@nuw.org.au> wrote:
They get a warning? I thought it just bounced, and the intended
recipient never knew.
That was how I (thought I) understood it but I have heard of mailman
distributed messages from AOL & Yahoo addresses being put into spam rather
than rejected by Gmail.
= Malcolm.
-- Malcolm Austen <malcolm.austen@weald.org.uk>

Peter Shute writes:
On 5 May 2014, at 4:59 pm, "Stephen J. Turnbull" <stephen@xemacs.org> wrote:
them. But when you (FVO "you" susceptible to phishing in the first
Sorry, what does FVO stand for?
Ah, excuse my abbreviations. FVO = "for values of"; the intended implication is that the "you" reading my post isn't the kind of "you" who gets taken in by phishing emails.
No, the point is that a phishing mail with
From: Chase Bank Customer Service <service@chase.com.invalid>
will sail right past DMARC, as currently set up. In the message, the complaint about the "DMARC rejects" was written by the phisherman, and the strange address is explained by that preamble. Thus reassured, the victim then clicks. Don't ask me to explain why they do that, I don't really understand (I'm almost tempted to quote Niven and Pournelle, "think of it as evolution in action"), but it's an empirical fact that real people lose real money to these scams ("2% of AOLers" click, according to AOL).
Now, it's *possible* that ".invalid" will trigger the latent common sense in the 2%. But I think that pretty unlikely to be completely effective, and I suspect it won't be effective at all in the presence of a disclaimer about the "unusual" address. If ".invalid" can't get by the victim's common sense, ".REMOVE-THIS" etc probably will.
The thing is that a bit of common sense will save you from any of these scams. But that's not enough to create good policies, because it's very hard to think of all the ways to abuse a very naive victim, or a very young one, or an elderly one who's lost a step mentally -- it takes a devious mind just to think of one!
Regards,

Barry Warsaw writes:
Et tu, FLUFL?
The point is that if Mailman provides this, it becomes a "standard" way to get a DMARC p=reject address past DMARC p=reject, and people *may* develop an "it may say .INVALID, but it's OK" reflex.
As I wrote to John Levine on mailman-developers, if operators want to experiment with it, that's one thing. But does *Mailman* want to take part in encouraging that "it's OK *because* it's .INVALID" meme? Do we want to encourage phishers to use something that looks like a Mailman feature, and have the DMARC WG come back with something that involves "anything that looks like my domain"?
The DMARC WG advocates putting list-post in "From" in place of a DMARC p=reject address. I advocate accepting their advice for stock Mailman, and avoiding other non-conforming workarounds until the market demands them. If it gets noisy, feel free to cave in faster than you did on Reply-To munging.<wink />
Steve

Peter Shute writes:
Ouch! Sorry for the tech talk, often it's a useful habit, but not always.
What do you mean by "list-post"? Is that the list address?
There are several addresses that Mailman uses that might plausibly be called "the list address". The one you are thinking of is often called "List-Post" because there is a header, hidden by most mail clients, by that name, to allow mail clients to automatically recognize the posting address (some provide a separate command for reply-to-list). It is the address where members send posts.
But there's also the list owner's address (one might think of that as "headquarters", and therefore "the list address").

Thanks, I understand now. If the result of this is that replies go to everyone on the list, this is something we don't want for our list. Private replies becoming public means trouble, and we have enough of it already when people Reply All by accident.
We've been getting by rejecting then manually forwarding yahoo and aol emails to the list. At least then accidental replies only come to us instead of everyone, and there's an obvious cue for the senders to get new addresses.
Peter Shute

Peter Shute writes:
In that case, in Mailman 2.1.18-1, you probably get the best of all worlds by setting
'from_is_list' to 'Munge From'
which puts the list in "From", deleting any other addresses from "From" (thus disabling DMARC), and then puts the poster in "Reply-To",
'reply_to_list' to 'Poster'
which leaves the "Reply-To" header as it finds it. Finally, set
'personalize' to 'Full Personalization'
which puts the recipient in "To". The first two are on the General Options page, the last on the Nondigest Options page.
The rules for these options are complicated, but if I've thought correctly about this, in most cases the header of the post as distributed to subscribers will say
To: each-subscriber@home
From: the-list@your-org
Reply-To: the-poster@home
Although "the-list" is *visible* in "From", conforming mail clients will *not* pay attention to it (the "rules" say Reply-To takes precedence over From as the author's address), and even a Reply All will produce a message addressed as
To: the-poster@home
From: each-subscriber@home
In order to also CC the list, the replying subscriber would have to deliberately copy/paste the list address into "To", "Cc", or "Bcc". This depends on the replying subscriber's mail program, so there are no guarantees, but it seems very unlikely to me that any of your subscribers will inadvertently CC the list with that configuration.
The only downsides are that (1) the list appears to claim to be authoring all the posts, and send each privately to each subscriber (but I wouldn't be surprised if few subscribers notice more than "something changed") and (2) full personalization uses more resources, potentially a lot more. On the other hand, with reasonably modern equipment and say 5 lists each with 500 subscribers and 10 posts each per day, the server will literally spend more time waiting for the next post than it does delivering them.
Network bandwidth is a more important consideration, because if you have many subscribers at one domain, you can tell that domain to deliver to a long list of those subscribers, and then send the message once. But if you personalize, then each message is (slightly) different, and must be sent separately. If you want advice about resource usage in your situation, don't hesitate to ask here. I have no experience with that configuration, but I suspect Mark has the numbers on tap, and I'm sure many of our lurkers do.
Hope this helps,
Steve

On May 7, 2014, at 8:59 AM, Stephen J. Turnbull <stephen@xemacs.org> wrote:
Is it possible the ‘personalize’ option moved elsewhere in 2.1.18-1? I’ve just updated to that version and don’t see it on the Nondigest Options page.
Thank you for these suggestions.
Rob
-- Rob Lingelbach http://rob.colorist.org

Rob Lingelbach writes:
Sorry, I haven't updated to 2.1.18-1 yet, I'm reading source and missed a crucial qualification at the top of the suite.
Because personalization can consume a lot of resources, the site admin needs to enable personalization with OWNERS_CAN_ENABLE_PERSONALIZATION in mm_cfg.py, then it will show up on the admin site.
Steve

On May 7, 2014, at 9:56 AM, Stephen J. Turnbull <stephen@xemacs.org> wrote:
Thanks. Impressive.
-- Rob Lingelbach http://rob.colorist.org

This fixes the accidental private reply to the list problem, but makes it hard to reply to the list, which is what our members normally want to do. The list would probably stop functioning for lack of public discussion.
Am I correct in believing that there is now an option to have these modified behaviours only apply to messages from p=reject senders? Maybe that's a decent compromise, as the rest of the messages can be treated normally, and the p=reject senders will be punished for not getting new addresses by not having their questions discussed by the whole group. So long as gmail and hotmail don't start doing it too, as then a majority of our members will be affected (and will consider they have nowhere left to go).
So does this mean that any solution is going to be a choice between ease of replying to the list and ease of accidental replying to the list?
Peter Shute

On 05/07/2014 01:34 PM, Peter Shute wrote:
Am I correct in believing that there is now an option to have these modified behaviours only apply to messages from p=reject senders?
Yes. At least in the latest release (2.1.18-1), there is dmarc_moderation_action which selects an action to apply only to messages From: domains that publish DMARC p=reject or optionally p=quarantine policies.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
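
The 'Munge From' rewrite and the "only for p=reject or optionally p=quarantine domains" condition described in the two messages above, as an added Python sketch; it is not Mailman's code and not part of the original thread. The function names, the list address and the `.example` records are assumptions, and the lookup uses an inline table of TXT records (no DNS query, no organizational-domain fallback).

```python
"""Added example: DMARC-conditional From munging (not Mailman's implementation)."""
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr

# TXT records keyed by the name queried. The paypal.com record is the one quoted
# in the thread (dig escapes ';' as '\;'); the .example records are constructed.
SAMPLE_TXT = {
    "_dmarc.paypal.com": r'"v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; '
                         r'ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"',
    "_dmarc.quarantine.example": '"v=DMARC1; p=quarantine"',
    "_dmarc.monitor.example": '"v=DMARC1; p=none; rua=mailto:agg@monitor.example"',
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    record = txt.strip().strip('"').replace("\\;", ";")
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    # The version tag must come first and be exactly DMARC1.
    if not pairs or pairs[0][0].strip() != "v" or pairs[0][1].strip() != "DMARC1":
        return None
    return {k.strip().lower(): v.strip() for k, v in pairs}


def published_policy(from_domain, txt_records):
    """Policy (p= tag) published for exactly this domain, or None."""
    txt = txt_records.get("_dmarc." + from_domain.lower())
    tags = parse_dmarc(txt) if txt else None
    return (tags.get("p") or "").lower() or None if tags else None


def reply_addresses(msg):
    """All addresses currently in Reply-To, in order."""
    headers = [str(h) for h in msg.get_all("Reply-To", [])]
    return [addr for _, addr in getaddresses(headers)]


def distribute(msg, list_name, list_addr, txt_records, include_quarantine=False):
    """Munge From only when the poster's domain publishes a strict policy.

    Returns True if the headers were rewritten, False if left untouched.
    """
    display, poster = parseaddr(str(msg["From"]))
    policy = published_policy(poster.rpartition("@")[2], txt_records)
    strict = {"reject", "quarantine"} if include_quarantine else {"reject"}
    if policy not in strict:
        return False
    # Keep the poster reachable: original Reply-To addresses plus the poster.
    reply_to = reply_addresses(msg)
    if poster not in reply_to:
        reply_to.append(poster)
    del msg["From"]
    del msg["Reply-To"]
    msg["From"] = formataddr((f"{display or poster} via {list_name}", list_addr))
    msg["Reply-To"] = ", ".join(reply_to)
    return True


def sample_post(sender, reply_to=None):
    """Build a constructed list post for the demonstration."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "demo-list@lists.example.org"
    msg["Subject"] = "constructed test post"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("hello")
    return msg


if __name__ == "__main__":
    post = sample_post("Pat Poster <pat@paypal.com>")
    changed = distribute(post, "demo-list", "demo-list@lists.example.org", SAMPLE_TXT)
    print(changed, post["From"], post["Reply-To"], sep=" | ")
```
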

My experience is that for most lists, the members are chronically confused about nearly everything having to do with addressing. Since very few list members are going to be subscribed from different ISPs at the same time (and those are apt to be the most expert) I don't expect this change (when I can upgrade, I'm hostage to my ISP's cPanel support) will create any *additional* confusion in the minds of the easily confused.
Keith Bierman khbkhb@gmail.com kbiermank AIM 303 997 2749
On Wed, May 7, 2014 at 8:59 PM, Stephen J. Turnbull <stephen@xemacs.org> wrote:

What Keith said. Either users are curious about this and will take the time to understand, or they throw up their hands and “Computers!” and they will do the minimum to get things working, which is how it was before.
My hosting provider, Dreamhost, just upgraded from 2.1.14 to 2.1.17 mere hours ago. (Apparently weren’t willing to wait to do testing on 2.1.18-1.) So we will squint thoughtfully at the monitor, nod almost imperceptibly, pick a setting which is the least egregious to fix this problem, and then have some scotch.
-Conrad
On May 7, 2014, at 11:05 PM, Keith Bierman <khbkhb@gmail.com> wrote:
-- Suspicion breeds confidence.

On 05/07/2014 05:41 PM, Peter Shute wrote:
If it means that Reply vs Reply All work differently for list messages from different domains, will it only lead to users becoming hopelessly confused? Is there anyone who's already using this who could report on the reactions from users?
It depends. If your MUA offers 'reply to list' that works in all cases to just reply to the list.
Otherwise, if first_strip_reply-to is No and reply_goes_to_list is Poster, in the case of From: munging or wrapping, reply will go to the poster and the poster's original Reply-To: and reply-all will go to the list. This is slightly different from the un-munged/wrapped case in that if the poster had an original Reply-To: with a different address, the poster's From: will be included in 'reply', but basically it's unchanged in spirit - reply is to the poster and reply-all includes the list.
In the other cases, it is similar except, e.g. if reply_goes_to_list is This list, simple reply will address the poster as well as the list, but in most cases, the poster is a list member and would have gotten it anyway.
The intent is to make munged/wrapped behavior as close as possible to the un-munged/wrapped behavior except that exposing the poster's address takes priority.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Peter Shute writes:
Yes, and that's an unsolvable problem. Some replies should be public, some should be private, and only the user can know which is which. We can bias things one way or the other, but we can't really do much on the list side to improve accuracy of addressing.
MUAs could help a bit more than they do, but they're just programs, too. In the end, you have to assume the user knows what she's doing, and that isn't always true.

"Stephen J. Turnbull" <stephen@xemacs.org> wrote:
It will sail past people using modern mail clients, too, by which I include web mail and Outlook, since those people will see some variation on this--
From: Chase Bank Customer Service
--so that it hardly matters what address is in the From line. This rewrite--
From: "Chase Bank Customer Service service@chase.com" <service@chase.com.invalid>
--would produce a more informative result, and just about honor RFC 5322 where it says the mailbox of the author of the message should be in the "From:" field.
But this is the Mailman discussion list.
Joseph Brennan Columbia University Information Technology

$ dig +short -t txt _dmarc.paypal.com
"v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
I'm on lots of lists with Paypal employees, who consistently use paypal-inc.com addresses, specifically to avoid DMARC problems.
They realized it was a problem about a year ago, and dealt with it in a reasonable way.
R's, John

On Sun, 2014-05-04 at 20:58 +0000, John Levine wrote:
$ dig +short -t txt _dmarc.paypal-inc.com
"v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
No joy :(
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

I looked through the list admin manual and didn't see anything about reconfirming a list. Is there an easy way to have mailman reconfirm a list?
I have a list that has been in use for 5+years and all of a sudden maps is saying I'm hitting a spam trap. The list has not been added to in at least 3+years. Actually I have 2 lists that maps claims is hitting spam traps, but neither list has been added to in at least 3+ years. New subscribers are asked to subscribe to a yahoo group instead.

On 05/05/2014 06:47 PM, Richard Shetron wrote:
I looked through the list admin manual and didn't see anything about reconfirming a list. Is there an easy way to have mailman reconfirm a list?
What does "reconfirm a list" mean to you?
Do you perhaps mean get a list of the list's members? If so, see the FAQ at <http://wiki.list.org/x/aYA9>.
There are other ways your list can hit a spam trap, e.g. a non-member post spoofs the spam trap address and the list sends an autoresponse.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On 05/05/2014 08:33 PM, Keith Bierman wrote:
Wouldn't this be likely to be another DMARC victim?
Perhaps you can imagine such a scenario. I don't see it.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On Mon, May 5, 2014 at 9:39 PM, Mark Sapiro <mark@msapiro.net> wrote:
I defer to your much greater wisdom in the area. I naively thought that a formerly well functioning list having a number of yahoo members might have resulted in enough rejection/bounces that some "anti-spam bot" might declare the list itself forbidden ;>

On 05/05/2014 08:43 PM, Keith Bierman wrote:
I don't discount this possibility, but the rejections just go back to the Mailman server and the list, and reports of the rejections go to the people publishing the DMARC p=reject policy for their domain. I don't see how any of this winds up being delivered to some third party's spam trap address.
I.e., the people (or bots) at Yahoo receiving reports of your DMARC failures might decide to take some action against your server, but that would be Yahoo blacklisting you for excessive DMARC failures "impersonating" their domain. It wouldn't be maps saying you're sending mail to their spam traps.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

But since the OP said ". New subscribers are asked to subscribe to a yahoo group instead."
I assumed it was really Yahoo (perhaps under a mask as mail provider for some other named service, ala comcast ;>) who was doing the blacklisting... who else would be recommending yahoo groups as an alternative?

Keith Bierman wrote:
I took that to mean that these lists are no longer accepting new members, and that prospective members are being advised to join some particular yahoo groups instead. I.e. they're gradually migrating to yahoo groups.
Peter Shute

That is correct. The lists are current news announcements so only the list owner posts to the list. The sample headers I got look legit as far as I can tell. They redacted all the email/destination information that would id the receiving system/email.
The original lists are old enough to not have been confirmed. The goal would be to send a confirmation email to everyone on the list and unsubscribe anyone who does not re-confirm within a reasonable time, say 1 week.
On 5/6/2014 12:59 AM, Peter Shute wrote:

Lindsay Haisley writes:
FWIW, I don't consider it a "problem" at all (most definitely YMMV, of course). I think this is what DMARC *should* be used for.
My interpretation is that this is a particular author (a corporate one) allowing her MTA to digitally sign "her" mail, and soliciting the help of "email for those who can't implement Diffie-Hellman off the top of their heads" email providers' MTAs in the effort to protect the author's customers from 3rd party fraud.
I don't know what "paypal-inc.com" is for, so I can't speak to that one.
Steve

On May 4, 2014, at 4:07 PM, Lindsay Haisley <fmouse@fmp.com> wrote:
This is probably the first actual practical application of DMARC p=reject that I have seen. Unfortunately, Yahoo’s and AOL’s abuse of DMARC will tend to neutralize the benefit of DMARC to financial institutions who have a really serious spoofing problem.
best regards, Larry
-- Larry Finch finches@portadmiral.org

On Sun, 2014-05-04 at 16:14 -0400, Larry Finch wrote:
Add also:
chasebank.com bankone.com jpmorgan.com
... just random hits checking on financial institutions.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

Larry Finch wrote:
How does Yahoo's DMARC policy reduce the benefit of Paypal's? Because servers can't follow the reject recommendation without
And does the emergence of legitimate p=reject policies mean it's now less likely Yahoo and AOL will back down?
Here's a cpanel forum thread about the problem, discussing when cpanel's version of mailman will incorporate the features necessary to deal with the problem: http://forums.cpanel.net/f43/yahoos-new-dmarc-policy-causing-mailman-bounces...
Peter Shute

Peter Shute writes:
How does Yahoo's DMARC policy reduce the benefit of Paypal's? Because servers can't follow the reject recommendation without
No, it's because users get used to ignoring warnings about DMARC issues. If it was *only* your bank, you'd learn to pay attention to them. But when you (FVO "you" susceptible to phishing in the first place, of course!) see a pile of DMARC workarounds every day for 70% of your correspondents, how do you respond to this?
All of our mail to you have come back to us due to DMARC rejects,
so we need to use this unusual address.
Please confirm your blah-blah-blah by clicking <here> and logging
in to our secure site.
2% of AOL customers will respond by clicking, at last report. :-(
Let's put it this way: When was the last time you saw an "unvalidated SSL certificate"? Is that timestamp equal to the last time you followed up by checking the root cert's fingerprint on the authority's secure site? Or is the latter equal to -1? ;-)
And does the emergence of legitimate p=reject policies mean it's now less likely Yahoo and AOL will back down?
What makes you think the banks didn't start doing this ages ago? Apparently they merely haven't made an explicit announcement.

On Mon, 05 May 2014 09:24:59 +0100, Peter Shute <pshute@nuw.org.au> wrote:
They get a warning? I thought it just bounced, and the intended
recipient never knew.
That was how I (thought I) understood it but I have heard of mailman
distributed messages from AOL & Yahoo addresses being put into spam rather
than rejected by Gmail.
= Malcolm.
-- Malcolm Austen <malcolm.austen@weald.org.uk>

Peter Shute writes:
On 5 May 2014, at 4:59 pm, "Stephen J. Turnbull" <stephen@xemacs.org> wrote:
them. But when you (FVO "you" susceptible to phishing in the first
Sorry, what does FVO stand for?
Ah, excuse my abbreviations. FVO = "for values of"; the intended implication is that the "you" reading my post isn't the kind of "you" who gets taken in by phishing emails.
No, the point is that a phishing mail with
From: Chase Bank Customer Service <service@chase.com.invalid>
will sail right past DMARC, as currently set up. In the message, the complaint about the "DMARC rejects" was written by the phisherman, and the strange address is explained by that preamble. Thus reassured, the victim then clicks. Don't ask me to explain why they do that, I don't really understand (I'm almost tempted to quote Niven and Pournelle, "think of it as evolution in action"), but it's an empirical fact that real people lose real money to these scams ("2% of AOLers" click, according to AOL).
Now, it's *possible* that ".invalid" will trigger the latent common sense in the 2%. But I think that pretty unlikely to be completely effective, and I suspect it won't be effective at all in the presence of a disclaimer about the "unusual" address. If ".invalid" can't get by the victim's common sense, ".REMOVE-THIS" etc probably will.
The thing is that a bit of common sense will save you from any of these scams. But that's not enough to create good policies, because it's very hard is to think of all the ways to abuse a very naive victim, or a very young one, or an elderly one who's lost a step mentally -- it takes a devious mind just to think of one!
Regards,

Barry Warsaw writes:
Et tu, FLUFL?
The point is that if Mailman provides this, it becomes a "standard" way to get a DMARC p=reject address past DMARC p=reject, and people *may* develop an "it may say .INVALID, but it's OK" reflex.
As I wrote to John Levine on mailman-developers, if operators want to experiment with it, that's one thing. But does *Mailman* want to take part in encouraging that "it's OK *because* it's .INVALID" meme? Do we want to encourage phishers to use something that looks like a Mailman feature, and have the DMARC WG come back with something that involves "anything that looks like my domain"?
The DMARC WG advocates putting list-post in "From" in place of a DMARC p=reject address. I advocate accepting their advice for stock Mailman, and avoiding other non-conforming workarounds until the market demands them. If it gets noisy, feel free to cave in faster than you did on Reply-To munging.<wink />
Steve

Peter Shute writes:
Ouch! Sorry for the tech talk, often it's a useful habit, but not always.
What do you mean by "list-post"? Is that the list address?
There are several addresses that Mailman uses that might plausibly be called "the list address". The one you are thinking of is often called "List-Post" because there is a header, hidden by most mail clients, by that name, to allow mail clients to automatically recognize the posting address (some provide a separate command for reply-to-list). It is the address where members send posts.
But there's also the list owner's address (one might think of that as "headquarters", and therefore "the list address").

Thanks, I understand now. If the result of this is that replies go to everyone on the list, this is something we don't want for our list. Private replies becoming public means trouble, and we have enough of it already when people Reply All by accident.
We've been getting by rejecting then manually forwarding yahoo and aol emails to the list. At least then accidental replies only come to us instead of everyone, and there's an obvious cue for the senders to get new addresses.
Peter Shute

Peter Shute writes:
In that case, in Mailman 2.1.18-1, you probably get the best of all worlds by setting
'from_is_list' to 'Munge From'
which puts the list in "From", deleting any other addresses from "From" (thus disabling DMARC), and then puts the poster in "Reply-To",
'reply_to_list' to 'Poster'
which leaves the "Reply-To" header as it finds it. Finally, set
'personalize' to 'Full Personalization'
which puts the recipient in "To". The first two are on the General Options page, the last on the Nondigest Options page.
The rules for these options are complicated, but if I've thought correctly about this, in most cases the header of the post as distributed to subscribers will say
To: each-subscriber@home
From: the-list@your-org
Reply-To: the-poster@home
Although "the-list" is *visible* in "From", conforming mail clients will *not* pay attention to it (the "rules" say Reply-To takes precedence over From as the author's address), and even a Reply All will produce a message addressed as
To: the-poster@home
From: each-subscriber@home
In order to also CC the list, the replying subscriber would have to deliberately copy/paste the list address into "To", "Cc", or "Bcc". This depends on the replying subscriber's mail program, so there are no guarantees, but it seems very unlikely to me that any of your subscribers will inadvertantly CC the list with that configuration.
The only downsides are that (1) the list appears to claims to be authoring all the posts, and send each privately to each subscriber (but I wouldn't be surprised if few subscribers notice more than "something changed") and (2) full personalization uses more resources, potentially a lot more. On the other hand, with reasonably modern equipment and say 5 lists each with 500 subscribers and 10 posts each per day, the server will literally spend more time waiting for the next post than it does delivering them.
Network bandwidth is a more important consideration, because if you have many subscribers at one domain, you can tell that domain to deliver to a long list of those subscribers, and then send the message once. But if you personalize, then each message is (slightly) different, and must be sent separately. If you want advice about resource usage in your situation, don't hesitate to ask here. I have no experience with that configuration, but I suspect Mark has the numbers on tap, and I'm sure many of our lurkers do.
Hope this helps,
Steve

On May 7, 2014, at 8:59 AM, Stephen J. Turnbull <stephen@xemacs.org> wrote:
Is it possible the ‘personalize’ option moved elsewhere in 2.1.18-1? I’ve just updated to that version and don’t see it on the Nondigest Options page.
Thank you for these suggestions.
Rob
-- Rob Lingelbach http://rob.colorist.org

Rob Lingelbach writes:
Sorry, I haven't updated to 2.1.18-1 yet, I'm reading source and missed a crucial qualification at the top of the suite.
Because personalization can consume a lot of resources, the site admin needs to enable personalization with OWNERS_CAN_ENABLE_PERSONALIZATION in mm_cfg.py, then it will show up on the admin site.
Steve

On May 7, 2014, at 9:56 AM, Stephen J. Turnbull <stephen@xemacs.org> wrote:
Thanks. Impressive.
-- Rob Lingelbach http://rob.colorist.org

This fixes the accidental private reply to the list problem, but makes it hard to reply to the list, which is what our members normally want to do. The list would probably stop functioning for lack of public discussion.
Am I correct in believing that there is now an option to have these modified behaviours only apply to messages from p=reject senders? Maybe that's a decent compromise, as the rest of the messages can be treated normally, and the p=reject senders will be punished for not getting new addresses by not having their questions discussed by the whole group. So long as gmail and hotmail don't start doing it too, as then a majority of our members will be affected (and will consider they have nowhere left to go).
So does this mean that any solution is going to be a choice between ease of replying to the list and ease of accidental replying to the list?
Peter Shute

On 05/07/2014 01:34 PM, Peter Shute wrote:
Am I correct in believing that there is now an option to have these modified behaviours only apply to messages from p=reject senders?
Yes. At least in the latest release (2.1.18-1), there is dmarc_moderation_action which selects an action to apply only to messages From: domains that publish DMARC p=reject or optionally p=quarantine policies.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

My experience is that for most lists, the members are chronically confused about nearly everything having to do with addressing. Since very few list members are going to be subscribed from different ISPs at the same time (and those are apt to be the most expert) I don't expect this change (when I can upgrade, I'm hostage to my ISP's cPanel support) will create any *additional* confusion in the minds of the easily confused.
Keith Bierman khbkhb@gmail.com kbiermank AIM 303 997 2749
On Wed, May 7, 2014 at 8:59 PM, Stephen J. Turnbull <stephen@xemacs.org> wrote:

What Keith said. Either users are curious about this and will take the time to understand, or they throw up their hands and “Computers!” and they will do the minimum to get things working, which is how it was before.
My hosting provider, Dreamhost, just upgraded from 2.1.14 to 2.1.17 mere hours ago. (Apparently weren’t willing to wait to do testing on 2.1.18-1.) So we will squint thoughtfully at the monitor, nod almost imperceptibly, pick a setting which is the least egregious to fix this problem, and then have some scotch.
-Conrad
On May 7, 2014, at 11:05 PM, Keith Bierman <khbkhb@gmail.com> wrote:
-- Suspicion breeds confidence.

On 05/07/2014 05:41 PM, Peter Shute wrote:
If it means that Reply vs Reply All work differently for list messages from different domains, will it only lead to users becoming hopelessly confused? Is there anyone who's already using this who could report on the reactions from users?
It depends. If your MUA offers 'reply to list' that works in all cases to just reply to the list.
Otherwise, if first_strip_reply_to is No and reply_goes_to_list is Poster, in the case of From: munging or wrapping, reply will go to the poster and the poster's original Reply-To: and reply-all will go to the list. This is slightly different from the un-munged/wrapped case in that if the poster had an original Reply-To: with a different address, the poster's From: will be included in 'reply', but basically it's unchanged in spirit - reply is to the poster and reply-all includes the list.
In the other cases, it is similar except, e.g. if reply_goes_to_list is This list, simple reply will address the poster as well as the list, but in most cases, the poster is a list member and would have gotten it anyway.
The intent is to make munged/wrapped behavior as close as possible to the un-munged/wrapped behavior except that exposing the poster's address takes priority.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Peter Shute writes:
Yes, and that's an unsolvable problem. Some replies should be public, some should be private, and only the user can know which is which. We can bias things one way or the other, but we can't really do much on the list side to improve accuracy of addressing.
MUAs could help a bit more than they do, but they're just programs, too. In the end, you have to assume the user knows what she's doing, and that isn't always true.

"Stephen J. Turnbull" <stephen@xemacs.org> wrote:
It will sail past people using modern mail clients, too, by which I include web mail and Outlook, since those people will see some variation on this--
From: Chase Bank Customer Service
--so that it hardly matters what address is in the From line. This rewrite--
From: "Chase Bank Customer Service service@chase.com" <service@chase.com.invalid>
--would produce a more informative result, and just about honor RFC 5322 where it says the mailbox of the author of the message should be in the "From:" field.
But this is the Mailman discussion list.
Joseph Brennan Columbia University Information Technology

$ dig +short -t txt _dmarc.paypal.com
"v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
I'm on lots of lists with Paypal employees, who consistently use paypal-inc.com addresses, specifically to avoid DMARC problems.
They realized it was a problem about a year ago, and dealt with it in a reasonable way.
R's, John

On Sun, 2014-05-04 at 20:58 +0000, John Levine wrote:
$ dig +short -t txt _dmarc.paypal-inc.com
"v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
No joy :(
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

I looked through the list admin manual and didn't see anything about reconfirming a list. Is there an easy way to have mailman reconfirm a list?
I have a list that has been in use for 5+years and all of a sudden maps is saying I'm hitting a spam trap. The list has not been added to in at least 3+years. Actually I have 2 lists that maps claims is hitting spam traps, but neither list has been added to in at least 3+ years. New subscribers are asked to subscribe to a yahoo group instead.

On 05/05/2014 06:47 PM, Richard Shetron wrote:
I looked through the list admin manual and didn't see anything about reconfirming a list. Is there an easy way to have mailman reconfirm a list?
What does "reconfirm a list" mean to you?
Do you perhaps mean get a list of the list's members? If so, see the FAQ at <http://wiki.list.org/x/aYA9>.
There are other ways your list can hit a spam trap, e.g. a non-member post spoofs the spam trap address and the list sends an autoresponse.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On 05/05/2014 08:33 PM, Keith Bierman wrote:
Wouldn't this be likely to be another DMARC victim?
Perhaps you can imagine such a scenario. I don't see it.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On Mon, May 5, 2014 at 9:39 PM, Mark Sapiro <mark@msapiro.net> wrote:
I defer to your much greater wisdom in the area. I naively thought that a formerly well functioning list having a number of yahoo members might have resulted in enough rejection/bounces that some "anti-spam bot" might declare the list itself forbidden ;>

On 05/05/2014 08:43 PM, Keith Bierman wrote:
I don't discount this possibility, but the rejections just go back to the Mailman server and the list, and reports of the rejections go to the people publishing the DMARC p=reject policy for their domain. I don't see how any of this winds up being delivered to some third party's spam trap address.
I.e., the people (or bots) at Yahoo receiving reports of your DMARC failures might decide to take some action against your server, but that would be Yahoo blacklisting you for excessive DMARC failures "impersonating" their domain. It wouldn't be maps saying you're sending mail to their spam traps.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

But since the OP said ". New subscribers are asked to subscribe to a yahoo group instead."
I assumed it was really Yahoo (perhaps under a mask as mail provider for some other named service, ala comcast ;>) who was doing the blacklisting... who else would be recommending yahoo groups as an alternative?

Keith Bierman wrote:
I took that to mean that these lists are no longer accepting new members, and that prospective members are being advised to join some particular yahoo groups instead. I.e. they're gradually migrating to yahoo groups.
Peter Shute

That is correct. The lists are current news announcements so only the list owner posts to the list. The sample headers I got look legit as far as I can tell. They redacted all the email/destination information that would id the receiving system/email.
The original lists are old enough to not have been confirmed. The goal would be to send a confirmation email to everyone on the list and unsubscribe anyone who does not re-confirm within a reasonable time, say 1 week.
On 5/6/2014 12:59 AM, Peter Shute wrote:

Lindsay Haisley writes:
FWIW, I don't consider it a "problem" at all (most definitely YMMV, of course). I think this is what DMARC *should* be used for.
My interpretation is that this is a particular author (a corporate one) allowing her MTA to digitally sign "her" mail, and soliciting the help of "email for those who can't implement Diffie-Hellman off the top of their heads" email providers' MTAs in the effort to protect the author's customers from 3rd party fraud.
I don't know what "paypal-inc.com" is for, so I can't speak to that one.
Steve
participants (14)
- Barry Warsaw
- Conrad G T Yoder
- John Levine
- Joseph Brennan
- Keith Bierman
- Larry Finch
- Lindsay Haisley
- Malcolm Austen
- Mark Sapiro
- Peter Shute
- Richard Shetron
- Rob Lingelbach
- Stephen J. Turnbull
- Stephen J. Turnbull