Over the last few months, twistedmatrix.com's mailman installation has been used increasingly frequently to execute denial-of-service attacks against people's mailboxes. This is accomplished by sending huge numbers of subscription requests to our website, which in turn sends huge numbers of confirmation emails to their inbox. Based on some information that some targeted users have sent me, I now believe that this is to cause those users' mail quotas to be exceeded so that password reset or login notification emails won't reach them.
This has been going on for some time, but the frequency and severity of the attacks seem to be increasing; I only recently realized that this was considerably worse than an annoyance for those affected. I now have at least 1 confirmed report of this attack being a part of a (partially successful) identity theft.
This isn't the only problem we have with email:
- We're running our own infrastructure which puts load on our already beyond-overloaded volunteer system administration team.
- Despite running our own infrastructure, we are not dogfooding Twisted at all in the process, so we're not even learning anything useful from the pain; "exim is bad" is a lesson we've already learned many times, we do not need to keep learning it.
- Given how hard it is for us to upgrade Mailman in our current system, we aren't even dogfooding our fellow community project terribly well.
- Our infrastructure runs on the same host as the website and the buildmaster, overloading a very creaky system.
- In addition to mailing lists, we run a mail forwarder. Our server's sender reputation is ... not great. We don't have SPF records, we don't do DKIM, and we don't provide authenticated SMTP for users, so emails just come from "wherever" when they are sent from, e.g. 'firstname.lastname@example.org' :-).
In order to address this, as soon as I can reasonably manage to do so, I will be moving Twisted's email infrastructure to mailgun.com
, a product that I've been successfully using for a range of personal domains (in particular, the divmod.com
email forwarder - yes, I still operate that, when the Twisted community promises you an email address for life you get it
;-)). Additionally, Mailgun uses a bunch of Twisted within their infrastructure, so (although we won't be operating it) we will actually be dogfooding considerably more
(Mailgun is a product of my employer, Rackspace, but they've given us a generous open source discount so there's no conflict of interest; the Twisted project won't be spending money on this.)
There will be a couple of inconveniences immediately after the transition:
- At first, there will be no self-service subscription to mailing lists any more. If you want to subscribe, you'll have to send a message to email@example.com and the list administrator (right now, probably just me) will manually add your address. (Self-service unsubscription will still be possible.)
- I'm not sure if I'll be able to keep the list archives at https://twistedmatrix.com/pipermail/ updated, at least at first. I would encourage everyone to use http://news.gmane.org/gmane.comp.python.twisted and http://news.gmane.org/gmane.comp.python.twisted.web in the meanwhile.
- Speaking of the contents of that sad URL, many disused mailing lists will be deleted. I doubt anyone will notice since there haven't been any posts to most of them in many years.
- If you presently send email from a twistedmatrix.com address, you will probably want to start using the mailgun forwarder so that your messages will have nice shiny DKIM/SPF headers; I suspect you may start having more deliverability problems than you already do once other mail servers notice that we have said records if you're not using them. I'll distribute SMTP credentials via GPG-encrypted email to everyone I'm aware of who uses such an address.
There will be considerable benefits though:
- For those of you with @twistedmatrix.com addresses, Mailgun operates a pretty conservative low-pass spam filter, but in looking at the analytics from my own personal domains, it really helps a lot and it is definitely more effective than the setup we've got right now.
- Deliverability and mail-sending performance should be much improved; messages should arrive faster because they will be quarantined or deferred-bounced by major senders like GMail et. al. far less often, because we'll be forwarding less spam and legitimate messages will have appropriate anti-spam headers.
- Trac will get faster at certain times because email DoSes should stop hitting the server.
- Administrative overhead will decrease; we can just stop maintaining email ourselves.
- Last but certainly not least, we'll stop being a collective unwilling accessory to cybercrime.
Probably these changes will all be pretty subtle, and most folks won't notice, but I wanted it to be clear in advance that they were intentional, in case there is some disruption associated with them :-). If anyone wants to give me a hand with parts of this (for example, setting up a smarthost configuration so that trac can still send email) please let me know.