I am the admin for a group & some members frequently get warning messages like this:
"Your current bounce score is 3.0 out of a maximum of 5.0"
The subscriber has done nothing wrong & these messages are usually Hotmail, yahoo & aol accounts.
What can be done to reduce / eliminate these messages?
Thank you
Nancy
What version of Mailman are you using? It sounds like a DMARC issue going on.
Brian Carpenter Owner
Providing Cloud Services and more for over 15 years.
T: 336.755.0685 E: brian@emwd.com www.emwd.com
-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+brian=emwd.com@python.org] On Behalf Of Nancy C
Sent: Wednesday, September 09, 2015 8:26 PM
To: mailman-users@python.org
Subject: [Mailman-Users] Potential "Bounce" Question
On 09/09/2015 05:26 PM, Nancy C wrote:
> The subscriber has done nothing wrong & these messages are usually Hotmail, yahoo & aol accounts.
As Brian says, it sounds like DMARC. See the FAQ article at http://wiki.list.org/x/17891458. Also, see http://wiki.list.org/DEV/DMARC for background information.
--
Mark Sapiro mark@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
@Mark & anybody else familiar with the FAQ: Some of the information below isn't in the DMARC FAQ, and some of it doesn't seem to be in FAQ at all. Pointers to relevant FAQs would be appreciated as I will update & xref in the next few days as I find time.
Nancy C writes:
> I am the admin for a group & some members frequently get warning messages like this:
> "Your current bounce score is 3.0 out of a maximum of 5.0"
> The subscriber has done nothing wrong & these messages are usually Hotmail, yahoo & aol accounts.
The subscriber may have done nothing wrong -- but they chose evil and incompetent providers. "Friends don't let friends use Yahoo! or AOL."
In practice, it's really hard to get people to change providers, so I don't recommend that you try. However, these sites are actively disrupting the whole mail system (not just mailing lists) to cover up for massive security breaches leading to the leakage of millions of contact lists to professional spammers. Not nice.
> What can be done to reduce / eliminate these messages?
The first thing I would suggest is to upgrade Mailman. As far as I can tell, Mailman 2.1.20 doesn't send those messages, period (there's a template for it, but I can't find anywhere it's used). It sends a message when the account is disabled, and then at intervals thereafter. (Mark Sapiro would know better, though.) If it *does* send those messages, I'm sure it's triggered by actual bounces: those users are losing posts.
As Brian and Mark point out, a likely cause of frequent bounces is the DMARC p=reject policy used by Yahoo! and AOL. This policy effectively requires that mail "From" a user of one of those sites be delivered directly by a mail server at those sites, a condition which cannot be satisfied by a public mailing list.[1]
The most popular[2] way to address this condition is to use Mailman >= 2.1.18-1, and set the "Privacy Options > Sender Filters > dmarc_moderation_action" to "Munge From". You should review your settings in the "Reply-To header munging" section of the "General Options", as there are interactions between the DMARC moderation action and Reply-To. (In Mailman 2.1.20 several adjustments were made to improve the default settings and options available, but 2.1.18-1 and 2.1.19 are usable with care.) There are other options for your consideration, but this is by far the most popular.
Another possibility is that those systems have become very paranoid about spam, and reject mail for various and sundry (i.e., quite random) reasons that have nothing to do with spammy content.
Your external mail server should have consistent A, MX, and PTR records, and announce itself with the public domain.
You should publish SPF and DKIM records for the external mail server, and DKIM sign outgoing mail yourself.
It may help to register as a bona fide mailing list with the problem providers, and get on their feedback loops.
If you have a lot of resources, you could publish a DMARC record and get feedback about who is spoofing your domain, and how much. But keeping up with and analyzing that feedback could easily be somebody's full-time job, although there are options to just get summaries.
Some people think that removing broken DKIM signatures is a good idea, but we recommend against that. See Mailman/Defaults.py, the setting for REMOVE_DKIM_HEADERS and the comment above it.
Footnotes: [1] That's not quite true: a pure "pass through" mailing list that doesn't change any of the received content will pass the digital signature test (such a list can add header fields, but not edit subject or add a heading or footer to the body). This is unpleasant at best, and may be legally risky in some cases where the list needs to add a disclaimer. ("Legal risk" may be an urban legend, and certainly varies by jurisdiction.)
[2] Personally, I just conform to Japanese Ministry of Education policy that prohibits use of Yahoo for "official communications", and for once enjoy conformance to policy hugely. ;-)
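The DMARC failure and the "Munge From" remedy described in the message above, worked through as an added example (not part of the original thread and not Mailman's code). The domains and DMARC records are constructed, SPF and DKIM results are passed in as inputs rather than computed, alignment is simplified to same-domain or subdomain, and `munge_from` only approximates what the list setting does.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for the TXT records at _dmarc.<domain>.
DMARC_RECORDS = {
    "yahoo.example": "v=DMARC1; p=reject; pct=100",
    "lists.example.org": "v=DMARC1; p=none",
}
# Constructed post from a subscriber at a p=reject provider.
POST = ("From: Nancy <nancy@yahoo.example>\nTo: demo@lists.example.org\n"
        "Subject: hello\n\nbody text\n")

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(from_domain, auth_domain):
    """Simplified relaxed alignment: same domain or a sub/parent domain."""
    if not auth_domain:
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def dmarc_disposition(raw, spf_pass_domain, dkim_pass_domain):
    """'pass' if SPF or DKIM aligns with From:, else the From: domain's policy."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if aligned(from_domain, spf_pass_domain) or aligned(from_domain, dkim_pass_domain):
        return "pass"
    record = DMARC_RECORDS.get(from_domain)
    return parse_dmarc(record).get("p", "none") if record else "none"

def munge_from(raw, list_address, list_name):
    """Approximate 'Munge From': the list becomes From:, the poster moves to Reply-To."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = f'"{name or addr} via {list_name}" <{list_address}>'
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr
    return msg.as_string()
```

Here `spf_pass_domain` is the envelope-sender domain that passed SPF (the list's own domain after relaying) and `dkim_pass_domain` is the signing domain of a still-valid signature, or `None` when the list's footer or subject edits broke it.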
On 09/10/2015 01:42 AM, Stephen J. Turnbull wrote:
> @Mark & anybody else familiar with the FAQ: Some of the information below isn't in the DMARC FAQ, and some of it doesn't seem to be in FAQ at all. Pointers to relevant FAQs would be appreciated as I will update & xref in the next few days as I find time.
Thanks Steve. Currently, the only two wiki articles are http://wiki.list.org/DEV/DMARC and http://wiki.list.org/x/17891458.
Updating, xrefing and possibly a new article will all be good.
> Nancy C writes:
>> I am the admin for a group & some members frequently get warning messages like this:
>> "Your current bounce score is 3.0 out of a maximum of 5.0" ... What can be done to reduce / eliminate these messages?
> The first thing I would suggest is to upgrade Mailman. As far as I can tell, Mailman 2.1.20 doesn't send those messages, period (there's a template for it, but I can't find anywhere it's used).
That actual message is not sent in an email notice, but it does appear on the user's 'options' page if the user's score is > 0.
--
Mark Sapiro mark@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan