Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Stephen J. Turnbull
Peter Shute writes:
  
  Stephen J. Turnbull wrote:
  
   The DMARC WG advocates putting list-post in From in place 
   of a DMARC p=reject address.  I advocate accepting their 
   advice for stock Mailman, and avoiding other non-conforming 
   workarounds until the market demands them.  If it gets noisy, 
   feel free to cave in faster than you did on Reply-To munging. <wink />
  
  Can you explain that for the uneducated, please?

Ouch!  Sorry for the tech talk, often it's a useful habit, but not
always.

  What do you mean by list-post? Is that the list address?

There are several addresses that Mailman uses that might plausibly be
called the list address.  The one you are thinking of is often
called List-Post because there is a header, hidden by most mail
clients, by that name, to allow mail clients to automatically
recognize the posting address (some provide a separate command for
reply-to-list).  It is the address where members send posts.

But there's also the list owner's address (one might think of that as
headquarters, and therefore the list address).

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Peter Shute
 On 7 May 2014, at 4:07 pm, Stephen J. Turnbull step...@xemacs.org wrote:
 
 Peter Shute writes:
 
 Stephen J. Turnbull wrote:
 
 The DMARC WG advocates putting list-post in From in place 
 of a DMARC p=reject address.  I advocate accepting their 
 advice for stock Mailman, and avoiding other non-conforming 
 workarounds until the market demands them.  If it gets noisy, 
  feel free to cave in faster than you did on Reply-To munging. <wink />
 
 Can you explain that for the uneducated, please?
 
 Ouch!  Sorry for the tech talk, often it's a useful habit, but not
 always.
 
 What do you mean by list-post? Is that the list address?
 
 There are several addresses that Mailman uses that might plausibly be
 called the list address.  The one you are thinking of is often
 called List-Post because there is a header, hidden by most mail
 clients, by that name, to allow mail clients to automatically
 recognize the posting address (some provide a separate command for
 reply-to-list).  It is the address where members send posts.
 
 But there's also the list owner's address (one might think of that as
 headquarters, and therefore the list address)

Thanks, I understand now. If the result of this is that replies go to everyone 
on the list, this is something we don't want for our list. Private replies 
becoming public means trouble, and we have enough of it already when people 
Reply All by accident.

We've been getting by rejecting then manually forwarding yahoo and aol emails 
to the list. At least then accidental replies only come to us instead of 
everyone, and there's an obvious cue for the senders to get new addresses.

Peter Shute


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Stephen J. Turnbull
Peter Shute writes:

  Thanks, I understand now. If the result of this is that replies go
  to everyone on the list, this is something we don't want for our
  list. Private replies becoming public means trouble, and we have
  enough of it already when people Reply All by accident.

In that case, in Mailman 2.1.18-1, you probably get the best of all
worlds by setting

'from_is_list' to 'Munge From'

which puts the list in From, deleting any other addresses from
From (thus disabling DMARC), and then puts the poster in Reply-To,

'reply_to_list' to 'Poster'

which leaves the Reply-To header as it finds it.  Finally, set

'personalize' to 'Full Personalization'

which puts the recipient in To.  The first two are on the General
Options page, the last on the Nondigest Options page.

The rules for these options are complicated, but if I've thought
correctly about this, in most cases the header of the post as
distributed to subscribers will say

To: each-subscriber@home
From: the-list@your-org
Reply-To: the-poster@home

Although the-list is *visible* in From, conforming mail clients
will *not* pay attention to it (the rules say Reply-To takes
precedence over From as the author's address), and even a Reply All
will produce a message addressed as

To: the-poster@home
From: each-subscriber@home

In order to also CC the list, the replying subscriber would have to
deliberately copy/paste the list address into To, Cc, or Bcc.
This depends on the replying subscriber's mail program, so there are
no guarantees, but it seems very unlikely to me that any of your
subscribers will inadvertently CC the list with that configuration.

The only downsides are that (1) the list appears to claim to be
authoring all the posts, and to send each privately to each subscriber
(but I wouldn't be surprised if few subscribers notice more than
"something changed") and (2) full personalization uses more resources,
potentially a lot more.  On the other hand, with reasonably modern
equipment and say 5 lists each with 500 subscribers and 10 posts each
per day, the server will literally spend more time waiting for the
next post than it does delivering them.

Network bandwidth is a more important consideration, because if you
have many subscribers at one domain, you can tell that domain to
deliver to a long list of those subscribers, and then send the message
once.  But if you personalize, then each message is (slightly)
different, and must be sent separately.  If you want advice about
resource usage in your situation, don't hesitate to ask here.  I have
no experience with that configuration, but I suspect Mark has the
numbers on tap, and I'm sure many of our lurkers do.

Hope this helps,

Steve



Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Rob Lingelbach

On May 7, 2014, at 8:59 AM, Stephen J. Turnbull step...@xemacs.org wrote:

 which leaves the Reply-To header as it finds it.  Finally, set
 
'personalize' to 'Full Personalization'
 
 which puts the recipient in To.  The first two are on the General
 Options page, the last on the Nondigest Options page.

Is it possible the ‘personalize’ option moved elsewhere in 2.1.18-1?  I’ve just 
updated to that version and don’t see it on the Nondigest Options page.

Thank you for these suggestions.

Rob

--
Rob Lingelbach  http://rob.colorist.org



Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Stephen J. Turnbull
Rob Lingelbach writes:

  Is it possible the ‘personalize’ option moved elsewhere in
  2.1.18-1?  I’ve just updated to that version and don’t see it on
  the Nondigest Options page.

Sorry, I haven't updated to 2.1.18-1 yet, I'm reading source and
missed a crucial qualification at the top of the suite.

Because personalization can consume a lot of resources, the site admin
needs to enable personalization with OWNERS_CAN_ENABLE_PERSONALIZATION
in mm_cfg.py, then it will show up on the admin site.

Steve

Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Rob Lingelbach

On May 7, 2014, at 9:56 AM, Stephen J. Turnbull step...@xemacs.org wrote:

 Because personalization can consume a lot of resources, the site admin
 needs to enable personalization with OWNERS_CAN_ENABLE_PERSONALIZATION
 in mm_cfg.py, then it will show up on the admin site.

Thanks.  Impressive.


--
Rob Lingelbach  http://rob.colorist.org



Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Peter Shute
 On 7 May 2014, at 11:59 pm, Stephen J. Turnbull step...@xemacs.org wrote:
 
 Peter Shute writes:
 
 Thanks, I understand now. If the result of this is that replies go
 to everyone on the list, this is something we don't want for our
 list. Private replies becoming public means trouble, and we have
 enough of it already when people Reply All by accident.
 
 In that case, in Mailman 2.1.18-1, you probably get the best of all
 worlds by setting
 
  'from_is_list' to 'Munge From'
 
 which puts the list in From, deleting any other addresses from
 From (thus disabling DMARC), and then puts the poster in Reply-To,
 
  'reply_to_list' to 'Poster'
 
 which leaves the Reply-To header as it finds it.  Finally, set
 
  'personalize' to 'Full Personalization'
 
 which puts the recipient in To.  The first two are on the General
 Options page, the last on the Nondigest Options page.
 
 The rules for these options are complicated, but if I've thought
 correctly about this, in most cases the header of the post as
 distributed to subscribers will say
 
  To: each-subscriber@home
  From: the-list@your-org
  Reply-To: the-poster@home
 
 Although the-list is *visible* in From, conforming mail clients
 will *not* pay attention to it (the rules say Reply-To takes
 precedence over From as the author's address), and even a Reply All
 will produce a message addressed as
 
  To: the-poster@home
  From: each-subscriber@home
 
 In order to also CC the list, the replying subscriber would have to
 deliberately copy/paste the list address into To, Cc, or Bcc.
 This depends on the replying subscriber's mail program, so there are
 no guarantees, but it seems very unlikely to me that any of your
 subscribers will inadvertently CC the list with that configuration.

This fixes the accidental private reply to the list problem, but makes it hard 
to reply to the list, which is what our members normally want to do. The list 
would probably stop functioning for lack of public discussion.

Am I correct in believing that there is now an option to have these modified 
behaviours only apply to messages from p=reject senders? Maybe that's a decent 
compromise, as the rest of the messages can be treated normally, and the 
p=reject senders will be punished for not getting new addresses by not having 
their questions discussed by the whole group. So long as gmail and hotmail 
don't start doing it too, as then a majority of our members will be affected 
(and will consider they have nowhere left to go).

So does this mean that any solution is going to be a choice between ease of 
replying to the list and ease of accidental replying to the list?

Peter Shute


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Mark Sapiro
On 05/07/2014 01:34 PM, Peter Shute wrote:
 
 Am I correct in believing that there is now an option to have these modified 
 behaviours only apply to messages from p=reject senders?


Yes. At least in the latest release (2.1.18-1), there is
dmarc_moderation_action which selects an action to apply only to
messages From: domains that publish DMARC p=reject or optionally
p=quarantine policies.

-- 
Mark Sapiro m...@msapiro.net              The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan
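A simplified model of that check, added here as an example (not Mailman's own code): it parses a DMARC TXT record and returns the action to apply to a post, using the paypal.com record from the `dig` output quoted later on this page as sample input. DNS is replaced by a constructed table so it runs offline, and the organizational-domain and sp= handling that a full DMARC lookup involves is left out.

```python
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>, so the
# example runs offline.  The paypal.com record is the one shown in the
# `dig` output quoted on this page (as dig prints it, with ';' escaped
# as '\;'); the other entries are made up for the example.
FAKE_DNS = {
    "_dmarc.paypal.com": [
        r"v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; "
        r"ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;"
    ],
    "_dmarc.quarantine.example": [
        r"v=DMARC1\; p=quarantine\; rua=mailto:dmarc@quarantine.example"
    ],
    "_dmarc.monitor.example": [r"v=DMARC1\; p=none"],
    "_dmarc.broken.example": ["v=spf1 -all"],  # a TXT record that is not DMARC
}


def parse_dmarc(txt):
    """Parse one TXT string into a DMARC tag dict; None if it is not DMARC1.
    Backslash-escaped semicolons, as dig prints them, are unescaped first."""
    tags = {}
    for field in txt.replace("\\;", ";").split(";"):
        if "=" in field:
            key, _, value = field.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def published_policy(domain, dns=FAKE_DNS):
    """Requested policy ('reject', 'quarantine' or 'none') for exactly this
    domain; 'none' when no usable DMARC record is published.  Simplified:
    Mailman also consults the organizational domain and sp=, skipped here."""
    for txt in dns.get("_dmarc." + domain.lower(), []):
        tags = parse_dmarc(txt)
        if tags is not None:
            return tags.get("p", "none").lower()
    return "none"


def dmarc_moderation(from_header, action="Munge From",
                     quarantine_too=False, dns=FAKE_DNS):
    """Model of dmarc_moderation_action: apply `action` only when the From:
    domain publishes p=reject (or p=quarantine when quarantine_too is set);
    every other post is accepted unchanged."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if not domain:
        return "Accept"
    policy = published_policy(domain, dns)
    if policy == "reject" or (quarantine_too and policy == "quarantine"):
        return action
    return "Accept"


if __name__ == "__main__":
    for sender in ("PayPal <service@paypal.com>",
                   "Someone <a@quarantine.example>",
                   "Someone <a@monitor.example>"):
        print(sender, "->", dmarc_moderation(sender, quarantine_too=True))
```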


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Peter Shute
 Mark Sapiro wrote:
  Am I correct in believing that there is now an option to 
 have these modified behaviours only apply to messages from 
 p=reject senders?
 
 
 Yes. At least in the latest release (2.1.18-1), there is 
 dmarc_moderation_action which selects an action to apply only 
 to messages From: domains that publish DMARC p=reject or 
 optionally p=quarantine policies.

If it means that Reply vs Reply All work differently for list messages from 
different domains, will it only lead to users becoming hopelessly confused? Is 
there anyone who's already using this who could report on the reactions from 
users?

Peter Shute


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Stephen J. Turnbull
Peter Shute writes:

  So does this mean that any solution is going to be a choice between
  ease of replying to the list and ease of accidental replying to the
  list?

Yes, and that's an unsolvable problem.  Some replies should be public,
some should be private, and only the user can know which is which.  We
can bias things one way or the other, but we can't really do much on
the list side to improve accuracy of addressing.

MUAs could help a bit more than they do, but they're just programs,
too.  In the end, you have to assume the user knows what she's doing,
and that isn't always true.





Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Stephen J. Turnbull
Peter Shute writes:

  If it means that Reply vs Reply All work differently for list
  messages from different domains,

It does.

  will it only lead to users becoming hopelessly confused? Is there
  anyone who's already using this who could report on the reactions
  from users?

Good question.  Anybody?


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Keith Bierman
My experience is that for most lists, the members are chronically confused
about nearly everything having to do with addressing. Since very few list
members are going to be subscribed from different ISPs at the same time
(and those are apt to be the most expert) I don't expect this change (when
I can upgrade, I'm hostage to my ISP's cPanel support) will create any
*additional* confusion in the minds of the easily confused.

Keith Bierman
khb...@gmail.com
kbiermank AIM
303 997 2749


On Wed, May 7, 2014 at 8:59 PM, Stephen J. Turnbull step...@xemacs.org wrote:

 Peter Shute writes:

   If it means that Reply vs Reply All work differently for list
   messages from different domains,

 It does.

   will it only lead to users becoming hopelessly confused? Is there
   anyone who's already using this who could report on the reactions
   from users?

 Good question.  Anybody?



Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Conrad G T Yoder
What Keith said.  Either users are curious about this and will take the time to 
understand, or they throw up their hands and “Computers!” and they will do the 
minimum to get things working, which is how it was before.

My hosting provider, Dreamhost, just upgraded from 2.1.14 to 2.1.17 mere hours 
ago.  (Apparently weren’t willing to wait to do testing on 2.1.18-1.)  So we 
will squint thoughtfully at the monitor, nod almost imperceptibly, pick a 
setting which is the least egregious to fix this problem, and then have some 
scotch.

-Conrad


On May 7, 2014, at 11:05 PM, Keith Bierman khb...@gmail.com wrote:

 My experience is that for most lists, the members are chronically confused
 about nearly everything having to do with addressing. Since very few list
 members are going to be subscribed from different ISPs at the same time
 (and those are apt to be the most expert) I don't expect this change (when
 I can upgrade, I'm hostage to my ISP's cPanel support) will create any
 *additional* confusion in the minds of the easily confused.
 
 Keith Bierman
 khb...@gmail.com
 kbiermank AIM
 303 997 2749
 
 
 On Wed, May 7, 2014 at 8:59 PM, Stephen J. Turnbull step...@xemacs.org wrote:
 
 Peter Shute writes:
 
 If it means that Reply vs Reply All work differently for list
 messages from different domains,
 
 It does.
 
 will it only lead to users becoming hopelessly confused? Is there
 anyone who's already using this who could report on the reactions
 from users?
 
 Good question.  Anybody?

--
Suspicion breeds confidence.



Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-07 Thread Mark Sapiro
On 05/07/2014 05:41 PM, Peter Shute wrote:
 
 If it means that Reply vs Reply All work differently for list messages from 
 different domains, will it only lead to users becoming hopelessly confused? 
 Is there anyone who's already using this who could report on the reactions 
 from users?


It depends. If your MUA offers 'reply to list' that works in all cases
to just reply to the list.

Otherwise, if first_strip_reply_to is No and reply_goes_to_list is
Poster, in the case of From: munging or wrapping, reply will go to the
poster and the poster's original Reply-To: and reply-all will go to the
list. This is slightly different from the un-munged/wrapped case in that
if the poster had an original Reply-To: with a different address, the
poster's From: will be included in 'reply', but basically it's unchanged
in spirit - reply is to the poster and reply-all includes the list.

In the other cases, it is similar except, e.g. if reply_goes_to_list is
This list, simple reply will address the poster as well as the list, but
in most cases, the poster is a list member and would have gotten it anyway.

The intent is to make munged/wrapped behavior as close as possible to
the un-munged/wrapped behavior except that exposing the poster's address
takes priority.

-- 
Mark Sapiro m...@msapiro.net              The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan
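Both Stephen's description of the munged headers earlier in this thread and Mark's account of Reply vs Reply All above can be checked with the following added example (my own code, not Mailman's): it applies a simplified 'Munge From' with reply_goes_to_list=Poster and first_strip_reply_to=No to a constructed post, with and without full personalization, then computes the addresses a conforming MUA puts on Reply and Reply All (Reply-To over From, plus To/Cc for Reply All). The placeholder addresses are the ones from the thread; the poster's name and alternate Reply-To are made up.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr

# Placeholder addresses from the thread; no real hosts are involved.
LIST_ADDR = "the-list@your-org"
LIST_NAME = "the-list"
SUBSCRIBER = "each-subscriber@home"


def _addrs(msg, header):
    """All addresses in a (possibly repeated) header, lower-cased."""
    values = [str(v) for v in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def munge_from(post, personalize, subscriber=SUBSCRIBER):
    """Copy of `post` as one subscriber receives it under 'Munge From' with
    reply_goes_to_list=Poster and first_strip_reply_to=No (a simplified
    model of the settings discussed in the thread, not Mailman's code).
    personalize=True stands for 'Full Personalization': To: is the subscriber."""
    poster_name, poster_addr = parseaddr(str(post["From"]))
    out = EmailMessage()
    out["Subject"] = str(post["Subject"])
    # The list takes over From:, so the poster's DMARC policy no longer
    # applies to the redistributed copy.
    out["From"] = formataddr((f"{poster_name} via {LIST_NAME}", LIST_ADDR))
    # Keep the poster's own Reply-To (first_strip_reply_to=No) and make
    # sure the poster's From: address is among the reply targets.
    reply_to = _addrs(post, "Reply-To")
    if poster_addr.lower() not in reply_to:
        reply_to.append(poster_addr.lower())
    out["Reply-To"] = ", ".join(reply_to)
    out["To"] = subscriber if personalize else LIST_ADDR
    out.set_content(post.get_content())
    return out


def reply_targets(msg, me, reply_all):
    """Addresses a conforming MUA puts on a reply: Reply-To takes precedence
    over From (RFC 5322); Reply All also includes To: and Cc:, minus the
    replying user and duplicates."""
    targets = _addrs(msg, "Reply-To") or _addrs(msg, "From")
    if reply_all:
        targets = targets + _addrs(msg, "To") + _addrs(msg, "Cc")
    result = []
    for addr in targets:
        if addr != me.lower() and addr not in result:
            result.append(addr)
    return result


def sample_post(with_reply_to=False):
    """Constructed post as it arrives at the list (the poster's name and
    the alternate Reply-To are made up for the example)."""
    post = EmailMessage()
    post["From"] = "Pat Poster <the-poster@home>"
    post["To"] = LIST_ADDR
    post["Subject"] = "constructed test post"
    if with_reply_to:
        post["Reply-To"] = "pat-alt@elsewhere"
    post.set_content("hello list\n")
    return post


def scenario(personalize, with_reply_to=False, reply_all=False):
    """Who a subscriber's reply is addressed to under a given configuration."""
    delivered = munge_from(sample_post(with_reply_to), personalize)
    return reply_targets(delivered, SUBSCRIBER, reply_all)


if __name__ == "__main__":
    # Stephen's fully personalized setup: even Reply All stays private.
    print("personalized, Reply All:", scenario(True, reply_all=True))
    # Without personalization (Mark's description): Reply All reaches the list.
    print("list in To:, Reply All: ", scenario(False, reply_all=True))
    # Poster had a Reply-To of their own: plain Reply reaches both addresses.
    print("poster Reply-To, Reply: ", scenario(False, with_reply_to=True))
```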


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-06 Thread Peter Shute
I understand now, fake warnings for phishing. As for not being taken in, I 
haven't yet, but I'm sure it would be possible to create one that I would 
assume to be genuine.

Peter Shute

Sent from my iPad

 On 6 May 2014, at 3:15 pm, Stephen J. Turnbull step...@xemacs.org wrote:
 
 Peter Shute writes:
 On 5 May 2014, at 4:59 pm, Stephen J. Turnbull step...@xemacs.org wrote:
 
 them.  But when you (FVO you susceptible to phishing in the first
 
 Sorry, what does FVO stand for?
 
 Ah, excuse my abbreviations.  FVO = for values of; the intended
 implication is that the "you" reading my post isn't the kind of "you"
 who gets taken in by phishing emails.
 
   All of our mail to you have come back to us due to DMARC rejects,
   so we need to use this unusual address.
 
   Please confirm your blah-blah-blah by clicking here and logging
   in to our secure site.
 
 2% of AOL customers will respond by clicking, at last report. :-(
 
 They get a warning? I thought it just bounced, and the intended
 recipient never knew.
 
 No, the point is that a phishing mail with
 
     From: Chase Bank Customer Service <serv...@chase.com.invalid>
 
 will sail right past DMARC, as currently set up.  In the message, the
 complaint about the DMARC rejects was written by the phisherman, and
 the strange address is explained by that preamble.  Thus reassured,
 the victim then clicks.  Don't ask me to explain why they do that, I
 don't really understand (I'm almost tempted to quote Niven and
 Pournelle, think of it as "evolution in action"), but it's an
 empirical fact that real people lose real money to these scams (2% of
 AOLers click, according to AOL).
 
 Now, it's *possible* that .invalid will trigger the latent common
 sense in the 2%.  But I think that pretty unlikely to be completely
 effective, and I suspect it won't be effective at all in the presence
 of a disclaimer about the unusual address.  If .invalid can't
 get by the victim's common sense, .REMOVE-THIS etc probably will.
 
 The thing is that a bit of common sense will save you from any of
 these scams.  But that's not enough to create good policies, because
 it's very hard is to think of all the ways to abuse a very naive
 victim, or a very young one, or an elderly one who's lost a step
 mentally -- it takes a devious mind just to think of one!
 
 Regards,
 


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-06 Thread Barry Warsaw
On May 06, 2014, at 02:15 PM, Stephen J. Turnbull wrote:

No, the point is that a phishing mail with

From: Chase Bank Customer Service <serv...@chase.com.invalid>

will sail right past DMARC, as currently set up.

So too will serv...@chase.com.ru without Mailman ever getting involved, and I
bet that will be just as effective at phishing as .invalid.

Cheers,
-Barry


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-06 Thread Joseph Brennan


Stephen J. Turnbull step...@xemacs.org wrote:


No, the point is that a phishing mail with

From: Chase Bank Customer Service <serv...@chase.com.invalid>

will sail right past DMARC, as currently set up



It will sail past people using modern mail clients, too, by which I include 
web mail and Outlook, since those people will see some variation on this--


 From: Chase Bank Customer Service

--so that it hardly matters what address is in the From line. This rewrite--

 From: "Chase Bank Customer Service <serv...@chase.com>" <serv...@chase.com.invalid>


--would produce a more informative result, and just about honor RFC 5322 
where it says the mailbox of the author of the message should be in the 
From: field.


But this is the Mailman discussion list.

Joseph Brennan
Columbia University Information Technology







Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-06 Thread Stephen J. Turnbull
Barry Warsaw writes:
  On May 06, 2014, at 02:15 PM, Stephen J. Turnbull wrote:
  
  No, the point is that a phishing mail with
  
  From: Chase Bank Customer Service <serv...@chase.com.invalid>
  
  will sail right past DMARC, as currently set up.
  
  So too will serv...@chase.com.ru without Mailman ever getting
  involved, and I bet that will be just as effective at phishing as
  .invalid.

Et tu, FLUFL?

The point is that if Mailman provides this, it becomes a standard
way to get a DMARC p=reject address past DMARC p=reject, and people
*may* develop an "it may say .INVALID, but it's OK" reflex.

As I wrote to John Levine on mailman-developers, if operators want to
experiment with it, that's one thing.  But does *Mailman* want to take
part in encouraging that "it's OK *because* it's .INVALID" meme?  Do
we want to encourage phishers to use something that looks like a
Mailman feature, and have the DMARC WG come back with something that
involves anything that looks like "my domain"?

The DMARC WG advocates putting list-post in From in place of a DMARC
p=reject address.  I advocate accepting their advice for stock Mailman,
and avoiding other non-conforming workarounds until the market demands
them.  If it gets noisy, feel free to cave in faster than you did on
Reply-To munging. <wink />

Steve


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-06 Thread Peter Shute

Stephen J. Turnbull wrote:

 The DMARC WG advocates putting list-post in From in place 
 of a DMARC p=reject address.  I advocate accepting their 
 advice for stock Mailman, and avoiding other non-conforming 
 workarounds until the market demands them.  If it gets noisy, 
 feel free to cave in faster than you did on Reply-To munging. <wink />

Can you explain that for the uneducated, please? What do you mean by 
list-post? Is that the list address?

Peter Shute


[Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-05 Thread Stephen J. Turnbull
Lindsay Haisley writes:

  $ dig +short -t txt _dmarc.paypal.com
  v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; 
  ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;
  
  This probably is a problem of lesser magnitude than Yahoo! and AOL

FWIW, I don't consider it a problem at all (most definitely YMMV, of
course).  I think this is what DMARC *should* be used for.

My interpretation is that this is a particular author (a corporate
one) allowing her MTA to digitally sign her mail, and soliciting the
help of "email for those who can't implement Diffie-Hellman off the
top of their heads" email providers' MTAs in the effort to protect the
author's customers from 3rd party fraud.

I don't know what paypal-inc.com is for, so I can't speak to that
one.

Steve


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-05 Thread Stephen J. Turnbull
Peter Shute writes:

  How does Yahoo's DMARC policy reduce the benefit of Paypal's?
  Because servers can't follow the reject recommendation without

No, it's because users get used to ignoring warnings about DMARC
issues.  If it was *only* your bank, you'd learn to pay attention to
them.  But when you (FVO you susceptible to phishing in the first
place, of course!) see a pile of DMARC workarounds every day for 70%
of your correspondents, how do you respond to this?

All of our mail to you have come back to us due to DMARC rejects,
so we need to use this unusual address.

Please confirm your blah-blah-blah by clicking here and logging
in to our secure site.

2% of AOL customers will respond by clicking, at last report. :-(

Let's put it this way: When was the last time you saw an unvalidated
SSL certificate?  Is that timestamp equal to the last time you
followed up by checking the root cert's fingerprint on the authority's
secure site?  Or is the latter equal to -1? ;-)

> And does the emergence of legitimate p=reject policies mean it's
> now less likely Yahoo and AOL will back down?

What makes you think the banks didn't start doing this ages ago?
Apparently they merely haven't made an explicit announcement.



Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-05 Thread Peter Shute
> On 5 May 2014, at 4:59 pm, Stephen J. Turnbull step...@xemacs.org wrote:
>
> Peter Shute writes:
>
>> How does Yahoo's DMARC policy reduce the benefit of Paypal's?
>> Because servers can't follow the reject recommendation without
>
> No, it's because users get used to ignoring warnings about DMARC
> issues.  If it was *only* your bank, you'd learn to pay attention to
> them.  But when you (FVO you susceptible to phishing in the first
> place, of course!) see a pile of DMARC workarounds every day for 70%
> of your correspondents, how do you respond to this?

Sorry, what does FVO stand for?

> All of our mail to you have come back to us due to DMARC rejects,
> so we need to use this unusual address.
>
> Please confirm your blah-blah-blah by clicking here and logging
> in to our secure site.
>
> 2% of AOL customers will respond by clicking, at last report. :-(

They get a warning? I thought it just bounced, and the intended recipient never 
knew.
 
>> And does the emergence of legitimate p=reject policies mean it's
>> now less likely Yahoo and AOL will back down?
>
> What makes you think the banks didn't start doing this ages ago?
> Apparently they merely haven't made an explicit announcement.

I wondered about that. Anyone know?

Peter Shute


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-05 Thread Malcolm Austen

On Mon, 05 May 2014 09:24:59 +0100, Peter Shute psh...@nuw.org.au wrote:

> They get a warning? I thought it just bounced, and the intended
> recipient never knew.


That was how I (thought I) understood it but I have heard of mailman
distributed messages from AOL & Yahoo addresses being put into spam rather
than rejected by Gmail.


= Malcolm.

--
Malcolm Austen malcolm.aus...@weald.org.uk


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-05 Thread John Levine
> $ dig +short -t txt _dmarc.paypal.com
> v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; 
> ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;

I'm on lots of lists with Paypal employees, who consistently use
paypal-inc.com addresses, specifically to avoid DMARC problems.

They realized it was a problem about a year ago, and dealt with it in
a reasonable way.

R's,
John


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-05 Thread John Levine
>> I'm on lots of lists with Paypal employees, who consistently use
>> paypal-inc.com addresses, specifically to avoid DMARC problems.
>
> $ dig +short -t txt _dmarc.paypal-inc.com
> v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; 
> ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;
>
> No joy :(

Phoo.  That's new, and surprisingly foolish of them.

Perhaps this is management's way of telling the staff not to waste
time on mailing lists while they're at work.

R's,
John


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-05 Thread Stephen J. Turnbull
Peter Shute writes:
>> On 5 May 2014, at 4:59 pm, Stephen J. Turnbull step...@xemacs.org
>> wrote:
>
>> them.  But when you (FVO you susceptible to phishing in the first
>
> Sorry, what does FVO stand for?

Ah, excuse my abbreviations.  FVO = "for values of"; the intended
implication is that the "you" reading my post isn't the kind of "you"
who gets taken in by phishing emails.

>> All of our mail to you have come back to us due to DMARC rejects,
>> so we need to use this unusual address.
>>
>> Please confirm your blah-blah-blah by clicking here and logging
>> in to our secure site.
>>
>> 2% of AOL customers will respond by clicking, at last report. :-(
>
> They get a warning? I thought it just bounced, and the intended
> recipient never knew.

No, the point is that a phishing mail with

From: "Chase Bank Customer Service" <serv...@chase.com.invalid>

will sail right past DMARC, as currently set up.  In the message, the
complaint about the DMARC rejects was written by the phisherman, and
the strange address is explained by that preamble.  Thus reassured,
the victim then clicks.  Don't ask me to explain why they do that, I
don't really understand (I'm almost tempted to quote Niven and
Pournelle, "think of it as evolution in action"), but it's an
empirical fact that real people lose real money to these scams (2% of
AOLers click, according to AOL).

Now, it's *possible* that ".invalid" will trigger the latent common
sense in the 2%.  But I think that pretty unlikely to be completely
effective, and I suspect it won't be effective at all in the presence
of a disclaimer about the "unusual address".  If ".invalid" can't
get by the victim's common sense, ".REMOVE-THIS" etc probably will.

The thing is that a bit of common sense will save you from any of
these scams.  But that's not enough to create good policies, because
it's very hard to think of all the ways to abuse a very naive
victim, or a very young one, or an elderly one who's lost a step
mentally -- it takes a devious mind just to think of one!

Regards,

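A worked example of the two things this thread turns on: reading a `_dmarc` TXT record in the form `dig +short -t txt` prints it (the paypal.com lookups quoted in the thread) and deciding, per post, whether a list should put its own address in From: for an author whose domain publishes p=reject, which is the workaround Stephen describes above. This is an added example, not Mailman's own code. It assumes a constructed in-memory DNS table instead of real queries, a two-label organizational domain instead of the Public Suffix List, and made-up example.org/example.net/example.com records beside the paypal.com record text quoted in the thread; the `FAKE_DNS`, `fake_lookup`, `parse_dmarc`, `effective_policy` and `list_headers` names are all this example's own.

```python
"""DMARC policy lookup plus the From: rewriting decision a mailing list makes
for posts from p=reject / p=quarantine domains.  Added example (not Mailman's
code); DNS is simulated with a constructed table so it runs offline."""
from email.utils import formataddr, parseaddr

# Constructed stand-in for DNS TXT answers, keyed by query name.  Values are
# lists because one name may hold several TXT records.  Strings are kept as
# `dig +short -t txt` prints them: double-quoted, with ';' escaped as '\;'.
FAKE_DNS = {
    # record text as printed in the thread (report addresses elided by the archive)
    "_dmarc.paypal.com": [
        r'"v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; '
        r'ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;"',
    ],
    # constructed: monitoring only, no request to reject
    "_dmarc.example.org": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.org"'],
    # constructed: quarantine for the domain itself, but sp=none for subdomains
    "_dmarc.example.net": ['"v=DMARC1; p=quarantine; sp=none"'],
    # constructed: an unrelated TXT record at a _dmarc name, which must be ignored
    "_dmarc.example.com": ['"some-site-verification=abc123"'],
}


def fake_lookup(name):
    """Stand-in for a DNS TXT query (constructed data, no network access)."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])


def parse_dmarc(txt):
    """Parse one TXT string into a dict of DMARC tags, or None if it is not a
    DMARC record (RFC 7489: first tag must be v=DMARC1 and p must be present)."""
    txt = txt.strip().strip('"').replace("\\;", ";")
    tags = {}
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            return None  # malformed tag
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags if "p" in tags else None


def dmarc_record(domain, lookup):
    """The single valid DMARC record at _dmarc.<domain>, or None.  Non-DMARC
    TXT strings are ignored; several DMARC records count as none (RFC 7489)."""
    records = [r for r in map(parse_dmarc, lookup("_dmarc." + domain)) if r]
    return records[0] if len(records) == 1 else None


def org_domain(domain):
    """Organizational domain.  Assumption for this demo: the last two labels.
    Real deployments must use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def effective_policy(domain, lookup):
    """(policy, publishing_domain) that applies to a From: domain, or
    (None, None) when nothing is published.  Ignores the pct tag."""
    domain = domain.lower().rstrip(".")
    rec = dmarc_record(domain, lookup)
    if rec is not None:
        return rec["p"].lower(), domain
    org = org_domain(domain)
    if org != domain:
        rec = dmarc_record(org, lookup)
        if rec is not None:
            # sp governs subdomains and defaults to p when absent
            return rec.get("sp", rec["p"]).lower(), org
    return None, None


def list_headers(author_from, list_name, list_addr, lookup):
    """Headers a list should send for a post.  If the author's domain asks for
    reject/quarantine, the list address goes in From: and the author stays
    reachable through Reply-To; otherwise From: is left untouched."""
    name, addr = parseaddr(author_from)
    policy, _ = effective_policy(addr.rpartition("@")[2], lookup)
    if policy not in ("reject", "quarantine"):
        return {"From": author_from}
    display = f"{name or addr} via {list_name}"
    return {"From": formataddr((display, list_addr)), "Reply-To": author_from}


if __name__ == "__main__":
    for sender in ("Steve <steve@paypal.com>", "Lin <lin@example.org>",
                   "Sub <sub@mail.example.net>", "Root <root@example.net>"):
        print(list_headers(sender, "Mailman-Users",
                           "mailman-users@python.org", fake_lookup))
```

Two details matter in practice: a `_dmarc` name can carry TXT records that are not DMARC at all (they must be skipped rather than treated as a malformed policy), and a subdomain without its own record inherits the organizational domain's `sp` tag, not its `p` tag, so `sub@mail.example.net` above is left alone while `root@example.net` is rewritten. Mailman 2.1.18 performs this lookup itself through the `dmarc_moderation_action` list setting; the example mirrors its "Munge From" choice.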


[Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-04 Thread Lindsay Haisley
$ dig +short -t txt _dmarc.paypal.com
v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; 
ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;

This probably is a problem of lesser magnitude than Yahoo! and AOL since
few list posts will come from PayPal, or be delivered to such an address
from a list.  It might, however, occur by accident, or by a future
change whereby PayPal account holders use their DN, and although I
can't imagine PayPal doing this, nothing seems to be sacrosanct or
certain in the Wild, Wild West that is the Internet.

It's more likely that a list might add a PayPal general customer
notifications address of some sort to a list, with nomail set, for the
benefit of other list subscribers.

-- 
Lindsay Haisley   | Everything works if you let it
FMP Computer Services |
512-259-1190  |  --- The Roadie
http://www.fmp.com|



Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-04 Thread Larry Finch


On May 4, 2014, at 4:07 PM, Lindsay Haisley fmo...@fmp.com wrote:

> $ dig +short -t txt _dmarc.paypal.com
> v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; 
> ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;
>
> This probably is a problem of lesser magnitude than Yahoo! and AOL since
> few list posts will come from PayPal, or be delivered to such an address
> from a list.  It might, however, occur by accident, or by a future
> change whereby PayPal account holders use their DN, and although I
> can't imagine PayPal doing this, nothing seems to be sacrosanct or
> certain in the Wild, Wild West that is the Internet.
>
> It's more likely that a list might add a PayPal general customer
> notifications address of some sort to a list, with nomail set, for the
> benefit of other list subscribers.

This is probably the first actual practical application of DMARC p=reject that 
I have seen. Unfortunately, Yahoo’s and AOL’s abuse of DMARC will tend to 
neutralize the benefit of DMARC to financial institutions who have a really 
serious spoofing problem.

best regards,
Larry

--
Larry Finch
finc...@portadmiral.org





Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-04 Thread Lindsay Haisley
On Sun, 2014-05-04 at 16:14 -0400, Larry Finch wrote:
>
> On May 4, 2014, at 4:07 PM, Lindsay Haisley fmo...@fmp.com wrote:
>
>> $ dig +short -t txt _dmarc.paypal.com
>> v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; 
>> ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;
>>
>> This probably is a problem of lesser magnitude than Yahoo! and AOL since
>> few list posts will come from PayPal, or be delivered to such an address
>> from a list.  It might, however, occur by accident, or by a future
>> change whereby PayPal account holders use their DN, and although I
>> can't imagine PayPal doing this, nothing seems to be sacrosanct or
>> certain in the Wild, Wild West that is the Internet.
>>
>> It's more likely that a list might add a PayPal general customer
>> notifications address of some sort to a list, with nomail set, for the
>> benefit of other list subscribers.
>
> This is probably the first actual practical application of DMARC
> p=reject that I have seen. Unfortunately, Yahoo’s and AOL’s abuse of
> DMARC will tend to neutralize the benefit of DMARC to financial
> institutions who have a really serious spoofing problem.

Add also:

chasebank.com
bankone.com
jpmorgan.com

... just random hits checking on financial institutions.

-- 
Lindsay Haisley   | Everything works if you let it
FMP Computer Services |
512-259-1190  |  --- The Roadie
http://www.fmp.com|


Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-04 Thread Lindsay Haisley
On Sun, 2014-05-04 at 20:58 +, John Levine wrote:
> $ dig +short -t txt _dmarc.paypal.com
> v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; 
> ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;
>
> I'm on lots of lists with Paypal employees, who consistently use
> paypal-inc.com addresses, specifically to avoid DMARC problems.

$ dig +short -t txt _dmarc.paypal-inc.com
v=DMARC1\; p=reject\; rua=mailto:d...@rua.agari.com\; 
ruf=mailto:d...@bounce.paypal.com,mailto:d...@ruf.agari.com;

No joy :(

-- 
Lindsay Haisley   | Everything works if you let it
FMP Computer Services |
512-259-1190  |  --- The Roadie
http://www.fmp.com|



Re: [Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

2014-05-04 Thread Peter Shute
Larry Finch wrote:
>
> This is probably the first actual practical application of 
> DMARC p=reject that I have seen. Unfortunately, Yahoo's and 
> AOL's abuse of DMARC will tend to neutralize the benefit of 
> DMARC to financial institutions who have a really serious 
> spoofing problem.

How does Yahoo's DMARC policy reduce the benefit of Paypal's? Because servers 
can't follow the reject recommendation without 

And does the emergence of legitimate p=reject policies mean it's now less 
likely Yahoo and AOL will back down?

Here's a cpanel forum thread about the problem, discussing when cpanel's 
version of mailman will incorporate the features necessary to deal with the 
problem:
http://forums.cpanel.net/f43/yahoos-new-dmarc-policy-causing-mailman-bounces-402751.html

Peter Shute