leaking user list to recipient email domains

I'm running Mailman version 2.1.29.
I have a Mailman email list that has around 500 subscribers, who are all members of an organization who have opted-in to the list.
One of the email addresses on the list used a custom personalized domain, which started bouncing. I didn't notice the bounces at the time. Eventually, Google started sending the list moderators messages saying "Our system has detected an excessively high number of invalid recipients originating from your account," and Gmail started rejecting list messages that were being sent to the list subscribers who use a Gmail address. I removed the bouncing email address from the list, and soon after that Gmail started accepting messages from the email list again.
This seems like a very precarious situation to be in... I have a list of 500 email addresses, and Google starts rejecting all incoming email from my list just because 1 of 500 email addresses was bouncing.
I sought help from someone at my hosting provider who seems to be knowledgeable about Mailman configuration. He said that the problem was that Mailman was batching up the emails and sending a single email to the entire batch, putting each individual email address in the "RCPT TO" field. So when a bounce happened, Gmail was able to associate the bad address from my domain with the bounce that was happening on the bouncing personalized domain. The advice for fixing the problem was to set the "personalize" setting to "Full Personalization", which would prevent Google from making that association. I think this worked (but don't know for sure, since I don't know that we've had any bounces since then).
The problem with "Full Personalization" is that the email headers are being rewritten, which is confusing to users. Now, if someone sends an email to the list, the message that is delivered to each recipient has the recipient's email address in the "To" header and the list email address in the "Cc" header. It works, but it's confusing (and some people's email filters now have to be changed).
Questions...
- Given my description of the initial problem, is "Full Personalization" the best way to fix the issue?
- Is there a way to fix the issue that doesn't involve rewriting the headers so that the email list address is in the "Cc" field?
- Would upgrading to Mailman 3 help fix this issue in a better way?
Thanks,
Mike

On 1/5/21 3:14 PM, Mike Wertheim wrote:
> Questions...
> - Given my description of the initial problem, is "Full Personalization" the best way to fix the issue?
No.
> - Is there a way to fix the issue that doesn't involve rewriting the headers so that the email list address is in the "Cc" field?
Yes, just set the list to personalize Yes rather than Full Personalization. This will also cause Mailman to send list messages (but not digests) with one recipient per transaction without rewriting the To: header.
However, a better solution is for the hosting provider to set
    VERP_DELIVERY_INTERVAL = 1
in mm_cfg.py which will cause all mail from Mailman to be VERPed for better bounce recognition and will also send all mail with 1 recipient per transaction.
> - Would upgrading to Mailman 3 help fix this issue in a better way?
Except for the detail of how you set verp delivery, Mailman 3 is the same as Mailman 2.1 in this respect.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Mike Wertheim writes:
> One of the email addresses on the list used a custom personalized domain, which started bouncing. I didn't notice the bounces at the time.
In addition to what Mark says, you should also investigate this. You should not need to notice the bounces. Mailman can be configured to notice the bounces (with some exceptions for unusual formats for the bounce messages), and after a certain number have been received, it disables the subscription and starts sending messages "your subscription has been disabled, here's how to reenable it", and if those also bounce, after a certain number the subscription will be deleted. How strict this policy is is configurable per-list using the standard Mailman list configuration page "Bounce processing".
It's possible that you have a reasonable bounce policy and it's been working but you never noticed it, and the problem here was a heavily redacted bounce message that doesn't allow Mailman to identify the subscriber, or an unusual bounce format that Mailman didn't recognize. In both cases setting the VERP_DELIVERY_INTERVAL=1 as Mark recommends is the best defense we can offer without your host patching Mailman.
In the latter case, if you have a copy of the bounce notice, we'd appreciate it if you'd send us a copy so we can improve detection in the future. Please obfuscate any personally identifying information such as email addresses, host names, and IP addresses. It would help a lot if you make sure the replacement text has the appropriate format, a@b.c for email, 0.0.0.0 for IP addresses etc.
Steve
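
Added example (not code from Mailman or from anyone in this thread): it contrasts the SMTP envelope of a batched delivery with that of VERP delivery at one recipient per transaction, and shows why a bounce with a redacted or unrecognized body can still be tied to a subscriber once the address is encoded in the envelope sender. The `bounces+mailbox=host` address layout, the function names, the `max_rcpts` batch size and the sample addresses are assumptions made for this example.

```python
import re

# Assumed VERP layout: <list>-bounces+<mailbox>=<host>@<list domain>
VERP_RE = re.compile(
    r'^(?P<bounces>[^+]+?)\+(?P<mailbox>[^=]+)=(?P<host>[^@]+)@(?P<domain>.+)$')

def verp_sender(bounces_addr, recipient):
    """Encode the recipient into the envelope sender (MAIL FROM)."""
    local, domain = bounces_addr.rsplit('@', 1)
    mailbox, host = recipient.rsplit('@', 1)
    return '%s+%s=%s@%s' % (local, mailbox, host, domain)

def subscriber_from_bounce(envelope_to):
    """Recover the subscriber from the address a bounce was delivered to."""
    m = VERP_RE.match(envelope_to)
    if not m:
        # Plain -bounces address: the bounce body would have to be parsed,
        # which fails when the body is redacted or in an unknown format.
        return None
    return '%s@%s' % (m.group('mailbox'), m.group('host'))

def plan_transactions(recipients, bounces_addr, verp, max_rcpts=500):
    """Return [(mail_from, [rcpt_to, ...])] for one list posting."""
    if verp:
        # One SMTP transaction per subscriber, each with its own MAIL FROM.
        return [(verp_sender(bounces_addr, r), [r]) for r in recipients]
    # Batched: many RCPT TO lines share one transaction and one MAIL FROM.
    return [(bounces_addr, recipients[i:i + max_rcpts])
            for i in range(0, len(recipients), max_rcpts)]

# Constructed sample data (hypothetical list and subscribers)
BOUNCES = 'mylist-bounces@lists.example.org'
SUBSCRIBERS = ['alice@gmail.example', 'bob@dead-domain.example',
               'carol@gmail.example']

if __name__ == '__main__':
    for verp in (False, True):
        print('VERP, 1 per transaction' if verp else 'batched')
        for mail_from, rcpts in plan_transactions(SUBSCRIBERS, BOUNCES, verp):
            print('  MAIL FROM:<%s>  RCPT TO: %s' % (mail_from, ', '.join(rcpts)))
    # The bounce is delivered to the VERP address, whatever its body says.
    bounce_rcpt = verp_sender(BOUNCES, 'bob@dead-domain.example')
    print('bounce to %s -> %s' % (bounce_rcpt, subscriber_from_bounce(bounce_rcpt)))
```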
Participants (3): Mark Sapiro, Mike Wertheim, Stephen J. Turnbull