
Has anyone seen issues with Gmail accounts and Yahoo's DMARC policy? I've been working with the list admins of one of FMP's hosted lists and they've seen over 100 addresses unsubscribed from the usual suspects - yahoo.com, att.net, Comcast, etc., but no Gmail accounts and there are 228 of them on the list. Nonetheless, the PC World article at http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-break... lists Gmail as being one of the cooperating email service providers honoring Yahoo's DMARC p=reject policy.
I've been telling list admins to recommend that subscribers drop their Yahoo accounts in favor of Gmail. What's the story here?
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

On 04/16/2014 06:58 AM, Lindsay Haisley wrote:
This is consistent with what I've observed on lists.
I've done some testing. If I send a message from my server, but not from a list From: a yahoo.com address to a gmail address, it gets rejected with
However, if I send the same message to a list which then resends it without touching the From: to the same gmail address, gmail accepts it and delivers it to my gmail spam folder.
Thus, it appears that gmail does honor DMARC policy in general, but has some kind of mitigation policy to identify (heuristically? via headers?) mail from a list and quarantine it even if the From: domain's policy is reject.
Note it doesn't use the RFC 2369 List- headers because it still recognizes a message without them as from a list.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

We have a community group mail list which we run using Mailman and have lately had a problem getting our emails to members who have Bellsouth and Yahoo email addresses. I've seen the posts about DMARC but am not that tech-savvy to figure out what this means and how to resolve. Some of our members have complained that they are not getting the group's emails. We have written Bellsouth but they claim the domain is not on a blacklist and problem is not on their end. Our ISP tells us domain is "RFC -compliant" and problem must be with Bellsouth or Yahoo. How do we resolve this? What is the fix? Help, please...

I'll jump in here and offer the quick solution that I'm using at FMP. The primary culprit here is Yahoo, which publishes a DMARC p=reject policy via DNS. To the best of our knowledge, so far, no one else is doing this, although sbcglobal, att.net, comcast.net, Hotmail and a number of other email service providers will honor Yahoo's policy and bounce posts which have a yahoo.com address in the From header and come from an IP address which isn't a yahoo.com server. This is the case, as per relevant RFCs, for most mail from Mailman mailing lists.
What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a "[B]" beside them. We're also advising yahoo.com list subscribers to get a Gmail account (as free and easy to get as a Yahoo account)
Mark or Stephen may have a more in-depth response to you, but this is how I've addressed the problem here.
On Wed, 2014-04-16 at 11:30 -0400, Jose I. Rojas wrote:
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

On 4/16/2014 12:51 PM, Lindsay Haisley wrote:
Query: On a very low-traffic mailing list (i.e. one where the list admin doesn't think it too much trouble), would it be a reasonable workaround for the list admin to paste the content of a message-to-be-moderated (i.e. one From: a yahoo address) into a new message _of his/her own_ and send _that_ to the list? This message could include the original From: address _in its body text_ (not its headers) along with a brief reference to the yahoo problem to explain the unusual format.
From what I've read here so far, I think this would succeed in avoiding the usual yahoo-generated problems. However, I can foresee a couple of drawbacks (besides the extra work for list admins):
Other subscribers replying to the message will get MUA-generated text saying "Larry List-Admin wrote" instead of "Sonia Subscriber wrote". Those who pay attention and take a little trouble can change that before clicking Send, but many won't.
Similarly, other subscribers wanting to reply privately will send their replies to Larry List-Admin instead of Sonia Subscriber if they aren't careful (and some of them won't be). The list admin can forward these replies, but in a few cases they may contain confidential material that the admin shouldn't have seen.
-- Larry Kuenning larry@qhpress.org

On 16/04/2014 19:57, Larry Kuenning wrote:
also advising yahoo.com list subscribers to get a Gmail account (as free and easy to get as a Yahoo account)
so to be sure all your mail is read by google :-)
(of course maybe yahoo does the same - why people can't use their ISP's mail?)
jdd

On Wed, 16 Apr 2014 20:31:25 +0200 jdd <jdanield@free.fr> wrote:
Hello jdd,
(... why people can't use their ISP's mail?)
In case that's not a rhetorical question:
Because every time you change provider, you would have to change email address too. When you're subscribed to over one hundred mailing lists, to say nothing of the umpteen individuals that would need to be told of the change, it would be an (shall we say) onerous task.
-- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" You suck my blood like a leech Death On Two Legs - Queen

On 16/04/2014 20:59, Brad Rogers wrote:
does this occur often?
I find too often many problems are caused by mass mail providers like gmail
but it's not necessary to go further sorry to have begun this
jdd

On Wed, 16 Apr 2014 23:19:29 +0200 jdd <jdanield@free.fr> wrote:
Hello jdd,
It can, yes. In the past year, I've changed provider twice. If things continue as they are with the current one, I'll be changing again, soon.
I find too often many problems are caused by mass mail providers like gmail
There are other providers, both free and paid for.
but it's not necessary to go further sorry to have begun this
Not a problem.
Sorry for extending this slightly further, but as the answers were reasonably short I felt it was worth taking the risk. :-)
-- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" He looked the wrong way at a policeman I Predict A Riot - Kaiser Chiefs

If one is interested in maintaining one's identity, using an ISP's email makes it a pain to change ISPs. Of course, that does make the ISPs very happy.
This is a fascinating discussion and as administrator of two very small lists, it's giving me an awful lot to think about. However, being a clueless newbie to matters of RFCs and such I'm going to ask what could be a very naive question... would it be possible/useful/productive to create an RFC to explicitly override this foolishness? I know there aren't any teeth behind RFCs but it might at least get their attention. Of course, I'd be willing to make the appropriate person a loan of my "Official Technical Writer's 2x4®" <grin>.
Best Regards,
Mike
Mike Starr, Writer Technical Writer - Online Help Developer - WordPress Websites Graphic Designer - Desktop Publisher - Custom Microsoft Word templates (262) 694-1028 - mike@writestarr.com - http://www.writestarr.com President - Working Writers of Wisconsin http://www.workingwriters.org/
On 4/16/2014 1:31 PM, jdd wrote:

On Wed, 2014-04-16 at 15:34 -0500, Mike Starr wrote:
I know there aren't any teeth behind RFCs but it might at least get their attention.
Doubtful, but the sentiment is noble. My guess is that the people at Yahoo who implemented this, and possibly also the designers of DMARC, don't fully understand the RFC process and have a limited attention span and very narrow focus of attention as far as such things are concerned. Their understanding (and knowledge) of accepted best practices regarding email and mailing lists is woefully limited. My guess also is that as a result, all of this kerfuffle has probably caught a number of these people by surprise.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

Lindsay Haisley writes:
On Wed, 2014-04-16 at 15:34 -0500, Mike Starr wrote:
I know there aren't any teeth behind RFCs but it might at least get their attention.
The real problem is that RFCs are based on working practice, preferably acknowledged best practice. DMARC is an experiment which is seriously flawed on the policy side, but has the potential to provide a lot of useful information for spam-fighting (I mean real spam-fighting, not the posturing that Yahoo! is involved in at the moment), not to mention lightening the burden on ISPs and list operators who implement DKIM and SPF. Until Yahoo!'s experiment has played out (which will take months), an anti-DMARC RFC is moot. After that, it will take years to get it through the IETF.
Note that DMARC itself is an Internet-Draft (ie, proto-RFC). If you want to fight this, the related mailing list is the right place. However, looking at some of the threads there are rather high-powered folks already on the list (eg, the guy who edited most of the SMTP RFCs, and the guy who edited most of the RFC 822 series). You had better go in having booked up, or you will get ignored to death at best. Put it this way: *I* may go look over their archives, but it will be quite a while before I'm willing to speak to anything except technical details of how it affects mailing lists.
Nope. If E. Zwicky (DMARC editor) is who I think she is, I owe her a kitten. No dummy. Murray Kucherawy doesn't seem to have two heads or a half-brain, either.
Their understanding (and knowledge) of accepted best practices regarding email and mailing lists is woefully limited.
I rather doubt that. The DMARC I-D has gone through several editions (I-Ds have a life-span limited to 6 months, the current renewal happened just about the time of Yahoo!'s policy change), suggesting that the NetGods and the commercial providers have been thinking pretty carefully all along. I think that where understanding and knowledge is lacking is on *this side* of the fence. Few, if any, of us have to make decisions about how to spend many millions of dollars on additional bandwidth, 90% of which (according to some accounts) is spam. That's a pile of money on the line for these guys.
My guess also is that as a result, all of this kerfuffle has probably caught a number of these people by surprise.
Indeed. I suspect that they didn't do their homework and simply count how many subscribers receive mail with List-* headers in them.
I think they probably also were surprised by how fast Yahoo is hemorrhaging email users.
Steve-rushes-not-where-angels-fear-to-tread-ly y'rs,

On Thu, 2014-04-17 at 15:24 +0900, Stephen J. Turnbull wrote:
Stephen, thanks for your generous reply, and your insights. It does seem to me, though, that when megabucks are riding on additional bandwidth, and if Yahoo is serious about controlling spam, they might start by putting some resources behind putting their own house in order. Someone, maybe it was you, posted on this forum earlier that perhaps 90% or more of spam with a yahoo.com origin (or one of their international DNs) actually _does_ come from Yahoo and that their response to abuse notifications is abysmal to nonexistent. So it looks to me as if one of two things is happening here. Either the right hand doesn't know what the left hand is doing (or not doing), or this is a blatant, cynical attack on network neutrality designed to push people toward Yahoo's own list service.
Has anyone seen or heard any figures on how much this DMARC fiasco has cost Yahoo in terms of the number of email end-users who have left their service? Someone mentioned that it was substantial enough to probably get their attention.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

I can't answer your specific question but a number of years ago I created a Yahoo account which required the creation of a Yahoo email address. I have never used that email address nor have I divulged it to anyone. Oddly enough, thousands of spam email addresses land in that Yahoo email account. I can only assume that Yahoo routinely sells email addresses indiscriminately... not caring if they're delivering those email addresses to spammers. The only other alternative is that somehow Yahoo's security at the time was so lax that spammers were able to hack into their servers and grab millions of Yahoo email addresses.
Best Regards,
Mike
Mike Starr, Writer Technical Writer - Online Help Developer - WordPress Websites Graphic Designer - Desktop Publisher - Custom Microsoft Word templates (262) 694-1028 - mike@writestarr.com - http://www.writestarr.com President - Working Writers of Wisconsin http://www.workingwriters.org/
On 4/17/2014 11:13 AM, Lindsay Haisley wrote:

Lindsay Haisley writes:
Nobody can control spam in the current architecture of Internet mail. What needs to be done is author identification, that is, digital signatures. But that requires cooperation from users, which is anathema to the freemail providers. So p=reject, and to a lesser extent DMARC itself, are basically PR stunts IMO, see below.
Wasn't me. I don't have that data, and don't know where to get it offhand.
So maybe it does, but in my spamtrap I have only 67/4359 (1.5%) messages from Yahoo (based on grepping for "^From:.*yahoo" and "^From:" respectively), vs. 658/38748 (1.7%) in my saved mail folders. It seems to me that spam using Yahoo addresses is hardly a big problem, whether it's spoofed or using throwaway addresses.
I think the main thing is that the decision-makers (who are basically business people) see this as a marketing/PR problem. I don't think it's an attack on network neutrality per se so much as a PR stunt to be perceived as "doing something about spam and phishing". I wonder if they're not positioning themselves to do something big in finance or expand in handling payments to vendors who use their e-business platforms -- which would make a "tough on phishing" stance very important to them, as it is for banks.
I did but that was based on my personal experience, with (as I wrote elsewhere) users who are not very attached to any particular email address yet. I don't see how anybody could get reliable figures, though, except Yahoo! themselves based on statistical analysis of outbound traffic and maybe an increase in the number of accounts that .forward to other accounts.
Steve

On 04/17/2014 09:13 AM, Lindsay Haisley wrote:
The post is at <https://mail.python.org/pipermail/mailman-users/2014-April/076392.html>
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On Fri, 2014-04-18 at 16:23 -0700, Mark Sapiro wrote:
On Fri Apr 11 12:13:58 CEST 2014 Rich Kulawiec rsk at gsp.org said:
This is just (a) propaganda, so that they claim to be "doing something"
Which pretty much meshes with what you've suggested about Yahoo's motives.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

On 4/16/2014 1:57 PM, Larry Kuenning wrote:
I've since thought of a third difficulty besides the two I mentioned.
If the post-to-be-moderated is itself a reply to an earlier post, then mailman's archive threading will be broken unless the list moderator goes to the trouble of setting up the substitute message as a reply to the same earlier post. (And of course one must delete all the stuff one's MUA wants to insert, as that will already be provided in the message-to-be-moderated.)
Is this correct?
-- Larry Kuenning larry@qhpress.org

On 04/16/2014 01:34 PM, Larry Kuenning wrote:
If I understand, yes...
But what you are suggesting is essentially what the Wrap Message option introduced as a site option in 2.1.16 and expanded in 2.1.18 does.
Effectively (with some details omitted) that option is to forward the message as an attachment to a message from the list with Reply-To: including the original poster. It does all this without any moderator intervention.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On 4/16/2014 4:51 PM, Mark Sapiro wrote (about my suggestion of manually moderating posts from Yahoo users):
But what you are suggesting is essentially what the Wrap Message option introduced as a site option in 2.1.16 and expanded in 2.1.18 does.
Well, yes. But:
-- if you're working with an earlier Mailman version (I have 2.1.9),
-- if upgrading Mailman might be difficult (mine was pre-installed under Plesk, which probably implies some unknown tweaking),
-- if you're a novice at writing and debugging Python scripts,
-- and if your site has *extremely* low traffic (I have 2 lists with a total of 20 messages in the past year, and only 5 Yahoo users, who are usually lurkers),
then you might find it easier to live with the manual moderating task than to try to make changes to an otherwise well-working system. (At least in the short run while waiting to see what else develops.)
-- Larry Kuenning larry@qhpress.org

Larry Kuenning writes:
Yes, although given the available alternatives in the web admin pages I don't think this is worth the trouble for almost anybody (I understand that you have a very special situation with a relatively old Mailman that's working just fine, thank you, for you, but that's pretty unusual nowadays).
Change the display name to "Sonia Subscriber/lla" (the usual convention for letters written by a secretary but signed by the boss).
Add a "Reply-To: sonia@her-place.net" header field.
The recommendations above violate the letter but conform to the spirit of RFC 822 and successor standards.
The above practices should mitigate this issue.

Jose I. Rojas writes:
What it means right now is that posts with "@yahoo.com" in the "From" header field will not be delivered to users whose subscribed addresses are at a long list of large email service providers.
If emails posted by users with "@gmail.com" and "@harvard.edu" etc addresses are getting through to everybody, but emails from "@yahoo.com" members are not, then the problem may very well be Yahoo!'s DMARC policy.
Our ISP tells us domain is "RFC-compliant" and problem must be with Bellsouth or Yahoo.
That's not very helpful of them.
How do we resolve this? What is the fix?
If in fact the problem is Yahoo!'s DMARC policy, you can't resolve it and there is no fix. Simply put, Yahoo! does not permit their users to post to modern mailing lists that conform to the mail standards. There are four possible workarounds, depending on the access you have to your mailing list's configuration:
(1) You can tell your members with @yahoo.com addresses to post from a different domain. This is what I personally recommend, as it (a) conforms to Yahoo's stated policy and (b) makes Yahoo users unhappy with their provider, whose behavior is causing denial of service to thousands, perhaps millions, of mailing list users.
My experience with this approach is "no complaints", but my users
are unusual in that they don't really care about their yahoo.com
addresses for various reasons. People who do most or all of their
mail using Yahoo addresses will find this painful. Depending on
how actively you want to protest Yahoo's behavior, you may or may
not be willing to impose that pain.
(2) You can break your mailing lists by using the author_is_list option in Mailman 2.1.16 and later. This option will only be available if the site configuration has ALLOW_AUTHOR_IS_LIST set to "Yes". This will cause the list to replace the author's address with its own address in "From". However, your domain may not permit this, as it's a clear violation of the mail RFCs.
(3) There is a patch to have Mailman encapsulate posts from yahoo.com addresses in a "one-message digest". This is RFC-conformant, but some users may have difficulty reading such mail. (Frequently reported on iPhones.) It also requires using a third-party patch for Mailman, which may be prohibited by your ISP or beyond your technical capability in the short run.
(4) You can operate Mailman in pure pass-through mode. I believe it is sufficient to configure Mailman to (a) have a completely empty header (not even whitespace) (b) a completely empty footer (c) no list prefix in the Subject header field. This is conformant to the RFCs, but may place you in violation of anti-spam law (because for most users there will be no visible indication of how to unsubscribe from the list).

On 04/16/2014 11:11 AM, Stephen J. Turnbull wrote:
The ALLOW_AUTHOR_IS_LIST switch has been removed (is effectively always Yes) for Mailman 2.1.18 (watch for a release announcement soon or pull the head of the lp:mailman/2.1 bzr branch ;)
This capability, without the dnspython dependency, is an option to (2) above, even in 2.1.16.
In 2.1.18 there is an enhanced set of controls that can be applied to all mail From: domains with DMARC p=reject and (optionally, default includes) p=quarantine policies. See <http://wiki.list.org/display/DEV/DMARC> for a bit more detail.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Stephen,
Thank you very much for the summary of solutions. I was about to suggest/request it. It may be helpful to add to the wiki as it seems quite important and complicated. I'd be interested in more mails like this, helping those of us move forward and alleviate the issues.
Unless I'm overlooking something, there is another option that appears to work. The anonymous_list option repackages the mail enough that gmail no longer marks it as spam.
I don't think it's appropriate for most lists, but could be mentioned as another option. Unless it's similar to option 2 below. I'm not familiar with ALLOW_AUTHOR_IS_LIST.
Lindsay Haisley also suggested:
"What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a "[B]" beside them."
Is there any way to make these changes with a script, or would one have to do it manually?
I'm also curious if the spam options (header_filter_rules or bounce_matching_headers) might be options to catch inbound messages from yahoo.
Thank you all
Tom Lieuallen
On 4/16/14, 11:11 AM, Stephen J. Turnbull wrote:

On 04/16/2014 01:30 PM, Tom Lieuallen wrote:
I just updated <http://wiki.list.org/x/ggARAQ>. What do you think?
See <http://www.msapiro.net/scripts/reset_bounce.py>.
Either could be used but bounce_matching_headers is deprecated in favor of header_filter_rules.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Lindsay Haisley writes:
I wouldn't trust the popular press to be fully accurate. Even one test delivery failure would probably be counted as "honoring", and it's not obvious that you need to specifically test mailing lists, since DMARC doesn't explicitly allow treating different DMARC failures differently.
I've been telling list admins to recommend that subscribers drop their Yahoo accounts in favor of Gmail.
That remains good policy AFAICT.
What's the story here?
There are several possibilities. One is that DMARC doesn't define the semantics of "reject". (Why doesn't that surprise me?) Here's what they say:
15.4. Rejecting Messages
This proposal calls for rejection of a message during the SMTP session under certain circumstances. This is typically done in one of two ways:
o Full rejection, wherein the SMTP server issues a 5xy reply code as an indication to the SMTP client that the transaction failed; the SMTP client is then responsible for generating notification that delivery failed (see Section 4.2.5 of [SMTP]).
o A "silent discard", wherein the SMTP server returns a 2xy reply code implying to the client that delivery (or, at least, relay) was successfully completed, but then simply discarding the message with no further action.
Each of these has a cost. For instance, a silent discard may prevent "backscatter" (the annoying generation of delivery failure reports, which go back to the RFC5321.MailFrom address, about messages that were fraudulently generated), but effectively means the SMTP server has to be programmed to give a false result, which can confound external debugging efforts.
A "silent discard" by Google is consistent with your observation, since no bounce would be generated.
However, it is not consistent with Mark's experimental outcome.[1] So apparently, at least in their implementation of DMARC, Google takes their "Don't Be Evil" slogan quite seriously.
It is clear to me that the "silent discard" method is the right way to handle a DMARC p=reject policy. Although the receiving MTA is "giving a false result" in some sense, in fact the DMARC-using domain can request a specific failure report which will enable the domain to determine why non-delivery occurred despite an SMTP success. If they don't request such a report, too bad for their users.
Note that the "annoyance" mentioned in the 4th paragraph includes denial of service to completely innocent third parties, ie, the DMARC-triggered unsubscribes that have been observed.
Footnotes: [1] His message arrived while I was composing this one.

On Thu, Apr 17, 2014 at 01:27:23AM +0900, Stephen J. Turnbull wrote:
They should have allowed/defined a new 2xy code that could be returned, eg 253 which means ''Mail accepted but will be discarded''. So a simple sending MTA could just look at the initial '2' and think 'job done', a more complex one could note that the receipt wasn't quite right.
However: it still means that some people on mail lists occasionally don't get stuff - this will cause confusion at best or could be dangerous (if the mail list has a critical function).
-- Alain Williams Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer. +44 (0) 787 668 0256 http://www.phcomp.co.uk/ Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php #include <std_disclaimer.h>

Alain Williams writes:
That's problematic. It would require an extension negotiated via EHLO at least, and maybe a new SMTP RFC, since there's no registry for extensions to the SMTP reply codes. It might not be harmful, since most modern MTAs are 2821-conforming, and so must interpret 253 as a "2yz success" == 250, even if they don't understand 253 specifically. I note that RFC 821, the current standard, does *not* have this requirement, though. Still, it could work, I guess, since DMARC policies are outside-of-RFC agreements anyway.
Sure, but that's the tradeoff that DMARC explicitly makes. DMARC thinks that rejecting spam and phishing is sometimes more important than delivering legitimate mail, and that the provider of a mailbox is the appropriate entity to make that decision.
It's not limited to mailing lists, either. Anybody who has a forwarding mailbox is at some risk (in a personal .forward this is a simple pass-through preserving the DKIM signature so it should be OK, but I've seen commercial forwarders who add junk in the footer), and it breaks the common patterns where a website allows you to request a mail to a friend or an email service provider allows you to use different From addresses (all of my mail from my @xemacs.org address is sent from a different domain, and of the large webmail providers at least Gmail provides this feature, and I use it occasionally).

On Thu, 2014-04-17 at 04:34 +0900, Stephen J. Turnbull wrote:
Simple pass-through forwarding/redirection of email is one of the situations in which SPF fails. Does this in any way impact DMARC?
-- Lindsay Haisley | "We have met the enemy and he is us." FMP Computer Services | 512-259-1190 | -- Pogo http://www.fmp.com |

On 04/16/2014 12:49 PM, Lindsay Haisley wrote:
Simple pass-through forwarding/redirection of email is one of the situations in which SPF fails. Does this in any way impact DMARC?
Not if the message is properly DKIM signed by the From: domain. In this case DKIM passes and the domains align so the fact that SPF fails for the original envelope sender doesn't matter.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
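
Added example (not part of the original thread, and not Mailman code): a simplified DMARC evaluation that runs the delivery paths discussed above through the "SPF or DKIM must pass and align with the From: domain" rule. The record text, the list host `lists.example.org`, the two-label organizational-domain shortcut and all authentication results are constructed assumptions; `pct` and `sp` handling is omitted.

```python
# Added example: simplified DMARC check for the delivery paths in this thread.
# Every record, domain and authentication result below is constructed.


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict; return None if unusable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict):
    """Strict alignment needs an exact match, relaxed only the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)


def evaluate(from_domain, record, spf, dkim):
    """spf = (result, envelope domain); dkim = (result, d= domain).
    Returns (dmarc_result, disposition requested by the From: domain)."""
    policy = parse_dmarc_record(record) if record else None
    if policy is None:
        return ("none", "deliver")
    spf_ok = spf[0] == "pass" and aligned(
        spf[1], from_domain, policy.get("aspf", "r") == "s")
    dkim_ok = dkim[0] == "pass" and aligned(
        dkim[1], from_domain, policy.get("adkim", "r") == "s")
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    requested = policy["p"].lower()
    if requested in ("reject", "quarantine"):
        return ("fail", requested)
    return ("fail", "deliver")


YAHOO_RECORD = "v=DMARC1; p=reject"   # constructed; the thread only states p=reject
LIST_DOMAIN = "lists.example.org"     # hypothetical list host, publishes no DMARC


def run_scenarios():
    """Evaluate the delivery paths described in the thread."""
    return {
        # Mail sent by the provider itself: both mechanisms pass and align.
        "direct from yahoo.com": evaluate(
            "yahoo.com", YAHOO_RECORD,
            ("pass", "yahoo.com"), ("pass", "yahoo.com")),
        # yahoo.com From: sent from an unrelated server, no signature.
        "yahoo From:, unrelated server": evaluate(
            "yahoo.com", YAHOO_RECORD,
            ("pass", "example.net"), ("none", "")),
        # Plain forward: SPF fails at the forwarder's IP, DKIM survives.
        "pass-through forward": evaluate(
            "yahoo.com", YAHOO_RECORD,
            ("fail", "yahoo.com"), ("pass", "yahoo.com")),
        # List adds a footer or subject prefix: DKIM breaks, and SPF passes
        # only for the list's own bounce domain, which does not align.
        "list modifies message": evaluate(
            "yahoo.com", YAHOO_RECORD,
            ("pass", LIST_DOMAIN), ("fail", "yahoo.com")),
        # List puts its own address in From:, so yahoo.com's policy no
        # longer applies to the message.
        "list rewrites From:": evaluate(
            LIST_DOMAIN, None,
            ("pass", LIST_DOMAIN), ("none", "")),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32} {outcome}")
```

The disposition returned is what the From: domain requests; a receiver may apply something milder, as in the Gmail spam-folder delivery reported earlier in the thread.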

On Apr 17, 2014, at 04:34 AM, Stephen J. Turnbull wrote:
Of course, it really doesn't help with phishing because with a slight tweak of the domain (or even a similar enough non-ascii domain), you can still put phishing links in the body and I'll bet you'll still fool most people who would be tricked anyway.
Yeah that sucks too. I sure hope none of the FLOSS projects I work on never publish a DMARC reject.
Sigh. -Barry

[DMARC's words]
Naturally the people who can't read RFC5322 and understand that the From header line represents the writer of the message also can't read RFC5321 and grasp that a 2xy code signifies a responsibility that is well defined (sec 4.2.5).
They're just making stuff up. And companies that fall for it betray their cluelessness.
Joseph Brennan Columbia University Information Technology
(N.B. They were so proud of using "wherein" that they got lost later in the sentence-- s/b "discards" not "discarding".)

On 04/16/2014 06:58 AM, Lindsay Haisley wrote:
This is consistent with what I've observed on lists.
I've done some testing. If I send a message from my server, but not from a list From: a yahoo.com address to a gmail address, it gets rejected with
However, if I send the same message to a list which then resends it without touching the From: to the same gmail address, gmail accepts it and delivers it to my gmail spam folder.
Thus, it appears that gmail does honor DMARC policy in general, but has some kind of mitigation policy to identify (heuristicly? via headers?) mail from a list and quarantine it even if the From: domain's policy is reject.
Note it doesn't use the RFC 2369 List- headers because it still recognizes a message without them as from a list.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

We have a community group mail list which we run using Mailman and have lately had a problem getting our emails to members who have Bellsouth and Yahoo email addresses. I've seen the posts about DMARC but am not that tech-savvy to figure out what this means and how to resolve. Some of our members have complained that they are not getting the group's emails. We have written Bellsouth but they claim the domain is not on a blacklist and problem is not on their end. Our ISP tells us domain is "RFC -compliant" and problem must be with Bellsouth or Yahoo. How do we resolve this? What is the fix? Help, please...

I'll jump in here and offer the quick solution that I'm using at FMP. The primary culprit here is Yahoo, which publishes a DMARC p=reject policy via DNS. To the best of our knowledge, so far, no one else is doing this, although sbcglobal, att.net, comcast.net, Hotmail and a number of other email service providers will honor Yahoo's policy and bounce posts which have a yahoo.com address in the From header and come from an IP address which isn't a yahoo.com server. This is the case, as per relevant RFCs, for most mail from Mailman mailing lists.
What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a "[B]" beside them. We're also advising yahoo.com list subscribers to get a Gmail account (as free and easy to get as a Yahoo account)
Mark or Stephen may have a more in-depth response to you, but this is how I've addressed the problem here.
On Wed, 2014-04-16 at 11:30 -0400, Jose I. Rojas wrote:
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

On 4/16/2014 12:51 PM, Lindsay Haisley wrote:
Query: On a very low-traffic mailing list (i.e. one where the list admin doesn't think it too much trouble), would it be a reasonable workaround for the list admin to paste the content of a message-to-be-moderated (i.e. one From: a yahoo address) into a new message _of his/her own_ and send _that_ to the list? This message could include the original From: address _in its body text_ (not its headers) along with a brief reference to the yahoo problem to explain the unusual format.
From what I've read here so far, I think this would succeed in avoiding the usual yahoo-generated problems. However, I can foresee a couple of drawbacks (besides the extra work for list admins):
Other subscribers replying to the message will get MUA-generated text saying "Larry List-Admin wrote" instead of "Sonia Subscriber wrote". Those who pay attention and take a little trouble can change that before clicking Send, but many won't.
Similarly, other subscribers wanting to reply privately will send their replies to Larry List-Admin instead of Sonia Subscriber if they aren't careful (and some of them won't be). The list admin can forward these replies, but in a few cases they may contain confidential material that the admin shouldn't have seen.
-- Larry Kuenning larry@qhpress.org

Le 16/04/2014 19:57, Larry Kuenning a écrit :
also advising yahoo.com list subscribers to get a Gmail account (as free and easy to get as a Yahoo account)
so to be sure all your mail is read by google :-)
(of course maybe yahoo does the same - why can't people use their ISP's mail?)
jdd

On Wed, 16 Apr 2014 20:31:25 +0200 jdd <jdanield@free.fr> wrote:
Hello jdd,
(... why can't people use their ISP's mail?)
In case that's not a rhetorical question:
Because every time you change provider, you would have to change email address too. When you're subscribed to over one hundred mailing lists, to say nothing of the umpteen individuals that would need to be told of the change, it would be an (shall we say) onerous task.
-- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" You suck my blood like a leech Death On Two Legs - Queen

Le 16/04/2014 20:59, Brad Rogers a écrit :
does this occur often?
I find too often many problems are caused by mass mail providers like gmail
but it's not necessary to go further sorry to have begun this
jdd

On Wed, 16 Apr 2014 23:19:29 +0200 jdd <jdanield@free.fr> wrote:
Hello jdd,
It can, yes. In the past year, I've changed provider twice. If things continue as they are with the current one, I'll be changing again, soon.
I find too often many problems are caused by mass mail providers like gmail
There are other providers, both free and paid for.
but it's not necessary to go further sorry to have begun this
Not a problem.
Sorry for extending this slightly further, but as the answers were reasonably short I felt it was worth taking the risk. :-)
-- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" He looked the wrong way at a policeman I Predict A Riot - Kaiser Chiefs

If one is interested in maintaining one's identity, using an ISP's email makes it a pain to change ISPs. Of course, that does make the ISPs very happy.
This is a fascinating discussion and as administrator of two very small lists, it's giving me an awful lot to think about. However, being a clueless newbie to matters of RFCs and such I'm going to ask what could be a very naive question... would it be possible/useful/productive to create an RFC to explicitly override this foolishness? I know there aren't any teeth behind RFCs but it might at least get their attention. Of course, I'd be willing to make the appropriate person a loan of my "Official Technical Writer's 2x4®" <grin>.
Best Regards,
Mike
Mike Starr, Writer Technical Writer - Online Help Developer - WordPress Websites Graphic Designer - Desktop Publisher - Custom Microsoft Word templates (262) 694-1028 - mike@writestarr.com - http://www.writestarr.com President - Working Writers of Wisconsin http://www.workingwriters.org/
On 4/16/2014 1:31 PM, jdd wrote:

On Wed, 2014-04-16 at 15:34 -0500, Mike Starr wrote:
I know there aren't any teeth behind RFCs but it might at least get their attention.
Doubtful, but the sentiment is noble. My guess is that the people at Yahoo who implemented this, and possibly also the designers of DMARC, don't fully understand the RFC process and have a limited attention span and very narrow focus of attention as far as such things are concerned. Their understanding (and knowledge) of accepted best practices regarding email and mailing lists is woefully limited. My guess also is that as a result, all of this kerfuffle has probably caught a number of these people by surprise.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

Lindsay Haisley writes:
On Wed, 2014-04-16 at 15:34 -0500, Mike Starr wrote:
I know there aren't any teeth behind RFCs but it might at least get their attention.
The real problem is that RFCs are based on working practice, preferably acknowledged best practice. DMARC is an experiment which is seriously flawed on the policy side, but has the potential to provide a lot of useful information for spam-fighting (I mean real spam-fighting, not the posturing that Yahoo! is involved in at the moment), not to mention lightening the burden on ISPs and list operators who implement DKIM and SPF. Until Yahoo!'s experiment has played out (which will take months), an anti-DMARC RFC is moot. After that, it will take years to get it through the IETF.
Note that DMARC itself is an Internet-Draft (ie, proto-RFC). If you want to fight this, the related mailing list is the right place. However, looking at some of the threads there are rather high-powered folks already on the list (eg, the guy who edited most of the SMTP RFCs, and the guy who edited most of the RFC 822 series). You had better go in having booked up, or you will get ignored to death at best. Put it this way: *I* may go look over their archives, but it will be quite a while before I'm willing to speak to anything except technical details of how it affects mailing lists.
Nope. If E. Zwicky (DMARC editor) is who I think she is, I owe her a kitten. No dummy. Murray Kucherawy doesn't seem to have two heads or a half-brain, either.
Their understanding (and knowledge) of accepted best practices regarding email and mailing lists is woefully limited.
I rather doubt that. The DMARC I-D has gone through several editions (I-Ds have a life-span limited to 6 months, the current renewal happened just about the time of Yahoo!'s policy change), suggesting that the NetGods and the commercial providers have been thinking pretty carefully all along. I think that where understanding and knowledge is lacking is on *this side* of the fence. Few, if any, of us have to make decisions about how to spend many millions of dollars on additional bandwidth, 90% of which (according to some accounts) is spam. That's a pile of money on the line for these guys.
My guess also is that as a result, all of this kerfuffle has probably caught a number of these people by surprise.
Indeed. I suspect that they didn't do their homework and simply count how many subscribers receive mail with List-* headers in them.
I think they probably also were surprised by how fast Yahoo is hemorrhaging email users.
Steve-rushes-not-where-angels-fear-to-tread-ly y'rs,

On Thu, 2014-04-17 at 15:24 +0900, Stephen J. Turnbull wrote:
Stephen, thanks for your generous reply, and your insights. It does seem to me, though, that when megabucks are riding on additional bandwidth, and if Yahoo is serious about controlling spam, they might start by putting some resources behind putting their own house in order. Someone, maybe it was you, posted on this forum earlier that perhaps 90% or more of spam with a yahoo.com origin (or one of their international DNs) actually _does_ come from Yahoo and that their response to abuse notifications is abysmal to nonexistent. So it looks to me as if one of two things is happening here. Either the right hand doesn't know what the left hand is doing (or not doing), or this is a blatant, cynical attack on network neutrality designed to push people toward Yahoo's own list service.
Has anyone seen or heard any figures on how much this DMARC fiasco has cost Yahoo in terms of the number of email end-users who have left their service? Someone mentioned that it was substantial enough to probably get their attention.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

I can't answer your specific question but a number of years ago I created a Yahoo account which required the creation of a Yahoo email address. I have never used that email address nor have I divulged it to anyone. Oddly enough, thousands of spam email addresses land in that Yahoo email account. I can only assume that Yahoo routinely sells email addresses indiscriminately... not caring if they're delivering those email addresses to spammers. The only other alternative is that somehow Yahoo's security at the time was so lax that spammers were able to hack into their servers and grab millions of Yahoo email addresses.
Best Regards,
Mike
Mike Starr, Writer Technical Writer - Online Help Developer - WordPress Websites Graphic Designer - Desktop Publisher - Custom Microsoft Word templates (262) 694-1028 - mike@writestarr.com - http://www.writestarr.com President - Working Writers of Wisconsin http://www.workingwriters.org/
On 4/17/2014 11:13 AM, Lindsay Haisley wrote:

Lindsay Haisley writes:
Nobody can control spam in the current architecture of Internet mail. What needs to be done is author identification, that is, digital signatures. But that requires cooperation from users, which is anathema to the freemail providers. So p=reject, and to a lesser extent DMARC itself, are basically PR stunts IMO, see below.
Wasn't me. I don't have that data, and don't know where to get it offhand.
So maybe it does, but in my spamtrap I have only 67/4359 (1.5%) messages from Yahoo (based on grepping for "^From:.*yahoo" and "^From:" respectively), vs. 658/38748 (1.7%) in my saved mail folders. It seems to me that spam using Yahoo addresses is hardly a big problem, whether it's spoofed or using throwaway addresses.
I think the main thing is that the decision-makers (who are basically business people) see this as a marketing/PR problem. I don't think it's an attack on network neutrality per se so much as a PR stunt to be perceived as "doing something about spam and phishing". I wonder if they're not positioning themselves to do something big in finance or expand in handling payments to vendors who use their e-business platforms -- which would make a "tough on phishing" stance very important to them, as it is for banks.
I did but that was based on my personal experience, with (as I wrote elsewhere) users who are not very attached to any particular email address yet. I don't see how anybody could get reliable figures, though, except Yahoo! themselves based on statistical analysis of outbound traffic and maybe an increase in the number of accounts that .forward to other accounts.
Steve

On 04/17/2014 09:13 AM, Lindsay Haisley wrote:
The post is at <https://mail.python.org/pipermail/mailman-users/2014-April/076392.html>
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On Fri, 2014-04-18 at 16:23 -0700, Mark Sapiro wrote:
On Fri Apr 11 12:13:58 CEST 2014 Rich Kulawiec rsk at gsp.org said:
This is just (a) propaganda, so that they claim to be "doing something"
Which pretty much meshes with what you've suggested about Yahoo's motives.
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

On 4/16/2014 1:57 PM, Larry Kuenning wrote:
I've since thought of a third difficulty besides the two I mentioned.
If the post-to-be-moderated is itself a reply to an earlier post, then mailman's archive threading will be broken unless the list moderator goes to the trouble of setting up the substitute message as a reply to the same earlier post. (And of course one must delete all the stuff one's MUA wants to insert, as that will already be provided in the message-to-be-moderated.)
Is this correct?
-- Larry Kuenning larry@qhpress.org

On 04/16/2014 01:34 PM, Larry Kuenning wrote:
If I understand, yes...
But what you are suggesting is essentially what the Wrap Message option introduced as a site option in 2.1.16 and expanded in 2.1.18 does.
Effectively (with some details omitted) that option is to forward the message as an attachment to a message from the list with Reply-To: including the original poster. It does all this without any moderator intervention.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On 4/16/2014 4:51 PM, Mark Sapiro wrote (about my suggestion of manually moderating posts from Yahoo users):
But what you are suggesting is essentially what the Wrap Message option introduced as a site option in 2.1.16 and expanded in 2.1.18 does.
Well, yes. But:
-- if you're working with an earlier Mailman version (I have 2.1.9),
-- if upgrading Mailman might be difficult (mine was pre-installed under Plesk, which probably implies some unknown tweaking),
-- if you're a novice at writing and debugging Python scripts,
-- and if your site has *extremely* low traffic (I have 2 lists with a total of 20 messages in the past year, and only 5 Yahoo users, who are usually lurkers),
then you might find it easier to live with the manual moderating task than to try to make changes to an otherwise well-working system. (At least in the short run while waiting to see what else develops.)
-- Larry Kuenning larry@qhpress.org

Larry Kuenning writes:
Yes, although given the available alternatives in the web admin pages I don't think this is worth the trouble for almost anybody (I understand that you have a very special situation with a relatively old Mailman that's working just fine, thank you, for you, but that's pretty unusual nowadays).
Change the display name to "Sonia Subscriber/lla" (the usual convention for letters written by a secretary but signed by the boss).
Add a "Reply-To: sonia@her-place.net" header field.
The recommendations above violate the letter but conform to the spirit of RFC 822 and successor standards.
The above practices should mitigate this issue.

Jose I. Rojas writes:
What it means right now is that posts with "@yahoo.com" in the "From" header field will not be delivered to users whose subscribed addresses are at a long list of large email service providers.
If emails posted by users with "@gmail.com" and "@harvard.edu" etc addresses are getting through to everybody, but emails from "@yahoo.com" members are not, then the problem may very well be Yahoo!'s DMARC policy.
Our ISP tells us domain is "RFC-compliant" and problem must be with Bellsouth or Yahoo.
That's not very helpful of them.
How do we resolve this? What is the fix?
If in fact the problem is Yahoo!'s DMARC policy, you can't resolve it and there is no fix. Simply put, Yahoo! does not permit their users to post to modern mailing lists that conform to the mail standards. There are four possible workarounds, depending on the access you have to your mailing list's configuration:
(1) You can tell your members with @yahoo.com addresses to post from a different domain. This is what I personally recommend, as it (a) conforms to Yahoo's stated policy and (b) makes Yahoo users unhappy with their provider, whose behavior is causing denial of service to thousands, perhaps millions, of mailing list users.
My experience with this approach is "no complaints", but my users
are unusual in that they don't really care about their yahoo.com
addresses for various reasons. People who do most or all of their
mail using Yahoo addresses will find this painful. Depending on
how actively you want to protest Yahoo's behavior, you may or may
not be willing to impose that pain.
(2) You can break your mailing lists by using the author_is_list option in Mailman 2.1.16 and later. This option will only be available if the site configuration has ALLOW_AUTHOR_IS_LIST set to "Yes". This will cause the list to replace the author's address with its own address in "From". However, your domain may not permit this, as it's a clear violation of the mail RFCs.
(3) There is a patch to have Mailman encapsulate posts from yahoo.com addresses in a "one-message digest". This is RFC-conformant, but some users may have difficulty reading such mail. (Frequently reported on iPhones.) It also requires using a third-party patch for Mailman, which may be prohibited by your ISP or beyond your technical capability in the short run.
(4) You can operate Mailman in pure pass-through mode. I believe it is sufficient to configure Mailman to (a) have a completely empty header (not even whitespace) (b) a completely empty footer (c) no list prefix in the Subject header field. This is conformant to the RFCs, but may place you in violation of anti-spam law (because for most users there will be no visible indication of how to unsubscribe from the list).
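The From: replacement of workaround (2) and the encapsulation described for Wrap Message and workaround (3), sketched with Python's standard email package. This is an added example, not part of the original thread and not Mailman's own code; the list address, list name, "via" display-name format and sample post are constructed assumptions.

```python
"""Two ways a list can re-send a post so that From: carries its own domain.

Added illustration using the standard library only; not Mailman's code.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

LIST_ADDR = "community@lists.example.org"   # hypothetical list address
LIST_NAME = "Community List"                # hypothetical list name

# Constructed sample post from a subscriber whose domain publishes p=reject.
SAMPLE_POST = """\
From: Sonia Subscriber <sonia@yahoo.com>
To: community@lists.example.org
Subject: Meeting on Thursday
Message-ID: <constructed-0001@yahoo.com>

See you all at 7pm.
"""


def list_from(author_name, author_addr):
    """Build a From: value that names the author but uses the list's address."""
    display = f"{author_name or author_addr} via {LIST_NAME}"
    return formataddr((display, LIST_ADDR))


def munge_from(raw):
    """Workaround (2): replace From: with the list address, keep the author
    reachable through Reply-To:. DMARC is then evaluated for the list's domain."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    del msg["From"]
    msg["From"] = list_from(name, addr)
    if msg["Reply-To"] is None:          # do not clobber an author-set Reply-To
        msg["Reply-To"] = formataddr((name, addr))
    return msg


def wrap_message(raw):
    """Wrapping: a new message from the list carries the original post,
    headers and all, as a message/rfc822 attachment."""
    inner = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(inner["From"]))
    outer = EmailMessage()
    outer["From"] = list_from(name, addr)
    outer["To"] = str(inner["To"])
    outer["Subject"] = str(inner["Subject"])
    outer["Reply-To"] = formataddr((name, addr))
    outer.set_content(f"Post from {name} <{addr}> is attached unmodified.\n")
    outer.add_attachment(inner)          # becomes a message/rfc822 part
    return outer


if __name__ == "__main__":
    print(munge_from(SAMPLE_POST).as_string())
    print(wrap_message(SAMPLE_POST).as_string())
```

In both forms the domain a receiver checks against DMARC is the list's, which is why the author's p=reject policy no longer applies to the re-sent copy.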

On 04/16/2014 11:11 AM, Stephen J. Turnbull wrote:
The ALLOW_AUTHOR_IS_LIST switch has been removed (is effectively always Yes) for Mailman 2.1.18 (watch for a release announcement soon or pull the head of the lp:mailman/2.1 bzr branch ;)
This capability, without the dnspython dependency, is an option to (2) above, even in 2.1.16.
In 2.1.18 there is an enhanced set of controls that can be applied to all mail From: domains with DMARC p=reject and (optionally, default includes) p=quarantine policies. See <http://wiki.list.org/display/DEV/DMARC> for a bit more detail.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Stephen,
Thank you very much for the summary of solutions. I was about to suggest/request it. It may be helpful to add to the wiki as it seems quite important and complicated. I'd be interested in more mails like this, helping those of us move forward and alleviate the issues.
Unless I'm overlooking something, there is another option that appears to work. The anonymous_list option repackages the mail enough that gmail no longer marks it as spam.
I don't think it's appropriate for most lists, but could be mentioned as another option. Unless it's similar to option 2 below. I'm not familiar with ALLOW_AUTHOR_IS_LIST.
Lindsay Haisley also suggested:
"What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a "[B]" beside them."
Is there any way to make these changes with a script, or would one have to do it manually?
I'm also curious if the spam options (header_filter_rules or bounce_matching_headers) might be options to catch inbound messages from yahoo.
Thank you all
Tom Lieuallen
On 4/16/14, 11:11 AM, Stephen J. Turnbull wrote:

On 04/16/2014 01:30 PM, Tom Lieuallen wrote:
I just updated <http://wiki.list.org/x/ggARAQ>. What do you think?
See <http://www.msapiro.net/scripts/reset_bounce.py>.
Either could be used but bounce_matching_headers is deprecated in favor of header_filter_rules.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Lindsay Haisley writes:
I wouldn't trust the popular press to be fully accurate. Even one test delivery failure would probably be counted as "honoring", and it's not obvious that you need to specifically test mailing lists, since DMARC doesn't explicitly allow treating different DMARC failures differently.
I've been telling list admins to recommend that subscribers drop their Yahoo accounts in favor of Gmail.
That remains good policy AFAICT.
What's the story here?
There are several possibilities. One is that DMARC doesn't define the semantics of "reject". (Why doesn't that surprise me?) Here's what they say:
15.4. Rejecting Messages
This proposal calls for rejection of a message during the SMTP session under certain circumstances. This is typically done in one of two ways:
o Full rejection, wherein the SMTP server issues a 5xy reply code as an indication to the SMTP client that the transaction failed; the SMTP client is then responsible for generating notification that delivery failed (see Section 4.2.5 of [SMTP]).
o A "silent discard", wherein the SMTP server returns a 2xy reply code implying to the client that delivery (or, at least, relay) was successfully completed, but then simply discarding the message with no further action.
Each of these has a cost. For instance, a silent discard may prevent "backscatter" (the annoying generation of delivery failure reports, which go back to the RFC5321.MailFrom address, about messages that were fraudulently generated), but effectively means the SMTP server has to be programmed to give a false result, which can confound external debugging efforts.
A "silent discard" by Google is consistent with your observation, since no bounce would be generated.
However, it is not consistent with Mark's experimental outcome.[1] So apparently, at least in their implementation of DMARC, Google takes their "Don't Be Evil" slogan quite seriously.
It is clear to me that the "silent discard" method is the right way to handle a DMARC p=reject policy. Although the receiving MTA is "giving a false result" in some sense, in fact the DMARC-using domain can request a specific failure report which will enable the domain to determine why non-delivery occurred despite an SMTP success. If they don't request such a report, too bad for their users.
Note that the "annoyance" mentioned in the 4th paragraph includes denial of service to completely innocent third parties, ie, the DMARC-triggered unsubscribes that have been observed.
Footnotes: [1] His message arrived while I was composing this one.

On Thu, Apr 17, 2014 at 01:27:23AM +0900, Stephen J. Turnbull wrote:
They should have allowed/defined a new 2xy code that could be returned, eg 253 which means ''Mail accepted but will be discarded''. So a simple sending MTA could just look at the initial '2' and think 'job done', a more complex one could note that the receipt wasn't quite right.
However: it still means that some people on mail lists occasionally don't get stuff - this will cause confusion at best or could be dangerous (if the mail list has a critical function).
-- Alain Williams Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer. +44 (0) 787 668 0256 http://www.phcomp.co.uk/ Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php #include <std_disclaimer.h>

Alain Williams writes:
That's problematic. It would require an extension negotiated via EHLO at least, and maybe a new SMTP RFC, since there's no registry for extensions to the SMTP reply codes. It might not be harmful, since most modern MTAs are 2821-conforming, and so must interpret 253 as a "2yz success" == 250, even if they don't understand 253 specifically. I note that RFC 821, the current standard, does *not* have this requirement, though. Still, it could work, I guess, since DMARC policies are outside-of-RFC agreements anyway.
Sure, but that's the tradeoff that DMARC explicitly makes. DMARC thinks that rejecting spam and phishing is sometimes more important than delivering legitimate mail, and that the provider of a mailbox is the appropriate entity to make that decision.
It's not limited to mailing lists, either. Anybody who has a forwarding mailbox is at some risk (in a personal .forward this is a simple pass-through preserving the DKIM signature so it should be OK, but I've seen commercial forwarders who add junk in the footer), and it breaks the common patterns where a website allows you to request a mail to a friend or an email service provider allows you to use different From addresses (all of my mail from my @xemacs.org address is sent from a different domain, and of the large webmail providers at least Gmail provides this feature, and I use it occasionally).

On Thu, 2014-04-17 at 04:34 +0900, Stephen J. Turnbull wrote:
Simple pass-through forwarding/redirection of email is one of the situations in which SPF fails. Does this in any way impact DMARC?
-- Lindsay Haisley | "We have met the enemy and he is us." FMP Computer Services | 512-259-1190 | -- Pogo http://www.fmp.com |

On 04/16/2014 12:49 PM, Lindsay Haisley wrote:
Simple pass-through forwarding/redirection of email is one of the situations in which SPF fails. Does this in any way impact DMARC?
Not if the message is properly DKIM signed by the From: domain. In this case DKIM passes and the domains align so the fact that SPF fails for the original envelope sender doesn't matter.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
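The alignment rule in the reply above, worked through for the delivery paths this thread discusses (direct mail, a pass-through forward, a list that modifies the post, a list that rewrites From:). This is an added example, not part of the original thread: the DMARC records and scenarios are constructed, and taking the last two labels as the organizational domain is a simplifying assumption.

```python
"""Simplified DMARC check for the delivery paths discussed in this thread.

Added illustration only: not a complete DMARC verifier and not Mailman code.
It ignores pct=, sp= and strict alignment, and receivers may apply local
exceptions that are not modelled here.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed TXT records, keyed by the _dmarc.<domain> name they would live at.
DMARC_TXT = {
    "_dmarc.yahoo.com": "v=DMARC1; p=reject; pct=100",
    "_dmarc.example.org": "v=DMARC1; p=none",
}


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels.
    Real verifiers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def published_policy(from_domain: str) -> str:
    """Return the p= tag for the From: domain, or 'none' if no record exists."""
    record = DMARC_TXT.get("_dmarc." + org_domain(from_domain), "")
    tags = dict(
        (key.strip().lower(), value.strip())
        for key, _, value in (item.partition("=") for item in record.split(";"))
        if key.strip()
    )
    if tags.get("v") != "DMARC1":
        return "none"
    return tags.get("p", "none").lower()


@dataclass
class Delivery:
    header_from: str          # domain of the From: header (what DMARC protects)
    mail_from: str            # RFC5321.MailFrom domain, the one SPF checks
    spf_pass: bool            # did the connecting IP pass SPF for mail_from?
    dkim_d: Optional[str]     # d= domain of a DKIM signature, if any
    dkim_valid: bool          # does that signature still verify on arrival?


def disposition(d: Delivery) -> str:
    """Return 'pass' if SPF or DKIM passes and aligns with From:,
    otherwise the policy the From: domain publishes."""
    spf_ok = d.spf_pass and org_domain(d.mail_from) == org_domain(d.header_from)
    dkim_ok = (d.dkim_valid and d.dkim_d is not None
               and org_domain(d.dkim_d) == org_domain(d.header_from))
    if spf_ok or dkim_ok:
        return "pass"
    return published_policy(d.header_from)


# Constructed scenarios; lists.example.org is a hypothetical list host.
SCENARIOS = {
    "direct from Yahoo":
        Delivery("yahoo.com", "yahoo.com", True, "yahoo.com", True),
    ".forward pass-through (SPF fails, DKIM intact)":
        Delivery("yahoo.com", "yahoo.com", False, "yahoo.com", True),
    "list adds footer, From: untouched":
        Delivery("yahoo.com", "lists.example.org", True, "yahoo.com", False),
    "list rewrites From: to its own address":
        Delivery("lists.example.org", "lists.example.org", True, None, False),
}


def evaluate_all():
    return {name: disposition(d) for name, d in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:48} -> {result}")
```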

On Apr 17, 2014, at 04:34 AM, Stephen J. Turnbull wrote:
Of course, it really doesn't help with phishing because with a slight tweak of the domain (or even a similar enough non-ascii domain), you can still put phishing links in the body and I'll bet you'll still fool most people who would be tricked anyway.
Yeah that sucks too. I sure hope none of the FLOSS projects I work on ever publish a DMARC reject.
Sigh. -Barry

[DMARC's words]
Naturally the people who can't read RFC5322 and understand that the From header line represents the writer of the message also can't read RFC5321 and grasp that a 2xy code signifies a responsibility that is well defined (sec 4.2.5).
They're just making stuff up. And companies that fall for it betray their cluelessness.
Joseph Brennan Columbia University Information Technology
(N.B. They were so proud of using "wherein" that they got lost later in the sentence-- s/b "discards" not "discarding".)
participants (14)
- Alain Williams
- Barry Warsaw
- Brad Rogers
- jdd
- Jim Popovitch
- Jose I. Rojas
- Joseph Brennan
- Larry Kuenning
- Lindsay Haisley
- Mark Sapiro
- Mike Starr
- Stephen J. Turnbull
- Stephen J. Turnbull
- Tom Lieuallen