[Mailman-Users] A DMARC munging issue ... ?

Mark Sapiro mark at msapiro.net
Thu Jun 26 00:32:23 CEST 2014 

On 06/25/2014 02:41 PM, Malcolm Austen wrote:
> I won't call this a bug but I think it's an issue :-)


It is an issue. I too am not sure whether it is a bug, but I think we
need to do something about it. More below ...


> I have (via the GUI sender filters) dmarc_moderation_action set to
> 'munge from' and yet a post from aol.com went through unmunged (and
> caused 100+ subscribers to be disabled).


This implies that the list's bounce_score_threshold is <= 1.0 so that a
member's delivery is disabled on the first bounce. This may be too
agressive.

Also, you may be interested in
<http://www.msapiro.net/scripts/reset_bounce.py>.


> I think (but may be wrong) the problem is that I also have(had) a spam
> filter set to catch all posts from ISPs with a bad spam/hacking/leaking
> history. This holds everything that matches:
> 
>        ^from:.*(aol|yahoo|hotmail|btinternet|btopenworld).*
> 
> So, it appears to me that being held by this spam filter and then
> released by a moderator results in the message escaping the DMARC
> munging :-(


That is exactly what happened. header_filter_rules is processed by
SpamDetect which is the first handler in the pipeline. The Munge From
actions are actually done by CookHeaders and WrapMessage which process
even moderator approved messages, but the check for
dmarc_moderation_action is in Moderate which also processes member
moderation and non-member actions.

The Moderate process is bypassed if the message has already been
approved. When we implemented dmarc_moderation_action, we deliberately
didn't include Hold as an action, because we didn't think it made sense,
so following that reasoning, we shouldn't skip at least the Munge From
and Wrap Message actions on pre-approved messages because these are
message transformation actions, not message disposition actions. What to
do in the case of Reject or Discard is the question.

If dmarc_moderation_action is say Reject and applies to this message, we
shouldn't just accept the message because it has been pre-approved
(probably without considering the consequences thereof).

This leaves two choices. Either honor the dmarc_moderation_action which
will possibly reject or discard a pre-approved post, or fall back to
Wrap Message which may produce list messages in an undesired format.

I have reported this at
<https://bugs.launchpad.net/mailman/+bug/1334450>. I am interest in
hearing either here or as bug comments what others think.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list