Re: [Mailman-Users] DMARC and Bellsouth, etc.
The wiki page looks great and thank you for the other replies.

Thank you
Tom Lieuallen

On 4/16/14, 2:22 PM, Mark Sapiro wrote:
> On 04/16/2014 01:30 PM, Tom Lieuallen wrote:
>> Thank you very much for the summary of solutions. I was about to suggest/request it. It may be helpful to add to the wiki as it seems quite important and complicated. I'd be interested in more mails like this, helping those of us move forward and alleviate the issues.
>
> I just updated http://wiki.list.org/x/ggARAQ. What do you think?
>
>> Lindsay Haisley also suggested:
>>> What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a [B] beside them.
>>
>> Is there any way to make these changes with a script, or would one have to do it manually?
>
> See http://www.msapiro.net/scripts/reset_bounce.py.
>
>> I'm also curious if the spam options (header_filter_rules or bounce_matching_headers) might be options to catch inbound messages from yahoo.
>
> Either could be used but bounce_matching_headers is deprecated in favor of header_filter_rules.

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DMARC and Bellsouth, etc.
Jim Popovitch writes:

> On Thu, Apr 17, 2014 at 2:32 PM, Stephen J. Turnbull step...@xemacs.org wrote:
>> So maybe it does, but in my spamtrap I have only 67/4359 (1.5%) messages from Yahoo (based on grepping for ^From:.*yahoo and ^From: respectively), vs. 658/38748 (1.7%) in my saved mail folders. It seems to me that spam using Yahoo addresses is hardly a big problem, whether it's spoofed or using throwaway addresses.
>
> I'm curious, what numbers do you currently see for tumblr (also a yahoo company) spam?

Zero.

Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 04/17/2014 09:13 AM, Lindsay Haisley wrote:
> Someone, maybe it was you, posted on this forum earlier that perhaps 90% or more of spam with a yahoo.com origin (or one of their international DNs) actually _does_ come from Yahoo and that their response to abuse notifications is abysmal to nonexistent.

The post is at https://mail.python.org/pipermail/mailman-users/2014-April/076392.html

--
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Re: [Mailman-Users] DMARC and Bellsouth, etc.
On Fri, 2014-04-18 at 16:23 -0700, Mark Sapiro wrote:
> On 04/17/2014 09:13 AM, Lindsay Haisley wrote:
>> Someone, maybe it was you, posted on this forum earlier that perhaps 90% or more of spam with a yahoo.com origin (or one of their international DNs) actually _does_ come from Yahoo and that their response to abuse notifications is abysmal to nonexistent.
>
> The post is at https://mail.python.org/pipermail/mailman-users/2014-April/076392.html

On Fri Apr 11 12:13:58 CEST 2014 Rich Kulawiec rsk at gsp.org said:
> This is just (a) propaganda, so that they claim to be doing something

Which pretty much meshes with what you've suggested about Yahoo's motives.

--
Lindsay Haisley       | Everything works if you let it
FMP Computer Services |
512-259-1190          | --- The Roadie
http://www.fmp.com    |

Re: [Mailman-Users] DMARC and Bellsouth, etc.
Lindsay Haisley writes:

> On Wed, 2014-04-16 at 15:34 -0500, Mike Starr wrote:
>> I know there aren't any teeth behind RFCs but it might at least get their attention.

The real problem is that RFCs are based on working practice, preferably acknowledged best practice. DMARC is an experiment which is seriously flawed on the policy side, but has the potential to provide a lot of useful information for spam-fighting (I mean real spam-fighting, not the posturing that Yahoo! is involved in at the moment), not to mention lightening the burden on ISPs and list operators who implement DKIM and SPF. Until Yahoo!'s experiment has played out (which will take months), an anti-DMARC RFC is moot. After that, it will take years to get it through the IETF.

Note that DMARC itself is an Internet-Draft (ie, proto-RFC). If you want to fight this, the related mailing list is the right place. However, looking at some of the threads there are rather high-powered folks already on the list (eg, the guy who edited most of the SMTP RFCs, and the guy who edited most of the RFC 822 series). You had better go in having booked up, or you will get ignored to death at best. Put it this way: *I* may go look over their archives, but it will be quite a while before I'm willing to speak to anything except technical details of how it affects mailing lists.

> Doubtful, but the sentiment is noble. My guess is that the people at Yahoo who implemented this, and possibly also the designers of DMARC, don't fully understand the RFC process and have a limited attention span and very narrow focus of attention as far as such things are concerned.

Nope. If E. Zwicky (DMARC editor) is who I think she is, I owe her a kitten. No dummy. Murray Kucherawy doesn't seem to have two heads or a half-brain, either.

> Their understanding (and knowledge) of accepted best practices regarding email and mailing lists is woefully limited.

I rather doubt that. The DMARC I-D has gone through several editions (I-Ds have a life-span limited to 6 months, the current renewal happened just about the time of Yahoo!'s policy change), suggesting that the NetGods and the commercial providers have been thinking pretty carefully all along. I think that where understanding and knowledge is lacking is on *this side* of the fence. Few, if any, of us have to make decisions about how to spend many millions of dollars on additional bandwidth, 90% of which (according to some accounts) is spam. That's a pile of money on the line for these guys.

> My guess also is that as a result, all of this kerfuffle has probably caught a number of these people by surprise.

Indeed. I suspect that they didn't do their homework and simply count how many subscribers receive mail with List-* headers in them. I think they probably also were surprised by how fast Yahoo is hemorrhaging email users.

Steve-rushes-not-where-angels-fear-to-tread-ly y'rs,

Re: [Mailman-Users] DMARC and Bellsouth, etc.
Larry Kuenning writes:

> Query: On a very low-traffic mailing list (i.e. one where the list admin doesn't think it too much trouble), would it be a reasonable workaround for the list admin to paste the content of a message-to-be-moderated (i.e. one From: a yahoo address) into a new message _of his/her own_ and send _that_ to the list?

Yes, although given the available alternatives in the web admin pages I don't think this is worth the trouble for almost anybody (I understand that you have a very special situation with a relatively old Mailman that's working just fine, thank you, for you, but that's pretty unusual nowadays).

> This message could include the original From: address _in its body text_ (not its headers) along with a brief reference to the yahoo problem to explain the unusual format.
>
> 1. Other subscribers replying to the message will get MUA-generated text saying Larry List-Admin wrote instead of Sonia Subscriber wrote. Those who pay attention and take a little trouble can change that before clicking Send, but many won't.

Change the display name to Sonia Subscriber/lla (the usual convention for letters written by a secretary but signed by the boss).

> 2. Similarly, other subscribers wanting to reply privately will send their replies to Larry List-Admin instead of Sonia Subscriber if they aren't careful (and some of them won't be).

Add a Reply-To: so...@her-place.net header field.

The recommendations above violate the letter but conform to the spirit of RFC 822 and successor standards.

> The list admin can forward these replies, but in a few cases they may contain confidential material that the admin shouldn't have seen.

The above practices should mitigate this issue.

Re: [Mailman-Users] DMARC and Bellsouth, etc.
On Thu, 2014-04-17 at 15:24 +0900, Stephen J. Turnbull wrote:
>> Their understanding (and knowledge) of accepted best practices regarding email and mailing lists is woefully limited.
>
> I rather doubt that. The DMARC I-D has gone through several editions (I-Ds have a life-span limited to 6 months, the current renewal happened just about the time of Yahoo!'s policy change), suggesting that the NetGods and the commercial providers have been thinking pretty carefully all along. I think that where understanding and knowledge is lacking is on *this side* of the fence. Few, if any, of us have to make decisions about how to spend many millions of dollars on additional bandwidth, 90% of which (according to some accounts) is spam. That's a pile of money on the line for these guys.

Stephen, thanks for your generous reply, and your insights. It does seem to me, though, that when megabucks are riding on additional bandwidth, and if Yahoo is serious about controlling spam, they might start by putting some resources behind putting their own house in order.

Someone, maybe it was you, posted on this forum earlier that perhaps 90% or more of spam with a yahoo.com origin (or one of their international DNs) actually _does_ come from Yahoo and that their response to abuse notifications is abysmal to nonexistent. So it looks to me as if one of two things is happening here. Either the right hand doesn't know what the left hand is doing (or not doing), or this is a blatant, cynical attack on network neutrality designed to push people toward Yahoo's own list service.

Has anyone seen or heard any figures on how much this DMARC fiasco has cost Yahoo in terms of the number of email end-users who have left their service? Someone mentioned that it was substantial enough to probably get their attention.

--
Lindsay Haisley       | Everything works if you let it
FMP Computer Services |
512-259-1190          | --- The Roadie
http://www.fmp.com    |

Re: [Mailman-Users] DMARC and Bellsouth, etc.
I can't answer your specific question but a number of years ago I created a Yahoo account which required the creation of a Yahoo email address. I have never used that email address nor have I divulged it to anyone. Oddly enough, thousands of spam email addresses land in that Yahoo email account. I can only assume that Yahoo routinely sells email addresses indiscriminately... not caring if they're delivering those email addresses to spammers. The only other alternative is that somehow Yahoo's security at the time was so lax that spammers were able to hack into their servers and grab millions of Yahoo email addresses.

Best Regards,
Mike

--
Mike Starr, Writer
Technical Writer - Online Help Developer - WordPress Websites
Graphic Designer - Desktop Publisher - Custom Microsoft Word templates
(262) 694-1028 - m...@writestarr.com - http://www.writestarr.com
President - Working Writers of Wisconsin http://www.workingwriters.org/

On 4/17/2014 11:13 AM, Lindsay Haisley wrote:
> Stephen, thanks for your generous reply, and your insights. It does seem to me, though, that when megabucks are riding on additional bandwidth, and if Yahoo is serious about controlling spam, they might start by putting some resources behind putting their own house in order.
>
> Someone, maybe it was you, posted on this forum earlier that perhaps 90% or more of spam with a yahoo.com origin (or one of their international DNs) actually _does_ come from Yahoo and that their response to abuse notifications is abysmal to nonexistent. So it looks to me as if one of two things is happening here. Either the right hand doesn't know what the left hand is doing (or not doing), or this is a blatant, cynical attack on network neutrality designed to push people toward Yahoo's own list service.
>
> Has anyone seen or heard any figures on how much this DMARC fiasco has cost Yahoo in terms of the number of email end-users who have left their service? Someone mentioned that it was substantial enough to probably get their attention.

Re: [Mailman-Users] DMARC and Bellsouth, etc.
Lindsay Haisley writes:

> Stephen, thanks for your generous reply, and your insights. It does seem to me, though, that when megabucks are riding on additional bandwidth, and if Yahoo is serious about controlling spam, they might start by putting some resources behind putting their own house in order.

Nobody can control spam in the current architecture of Internet mail. What needs to be done is author identification, that is, digital signatures. But that requires cooperation from users, which is anathema to the freemail providers. So p=reject, and to a lesser extent DMARC itself, are basically PR stunts IMO, see below.

> Someone, maybe it was you, posted on this forum earlier that perhaps 90% or more of spam with a yahoo.com origin (or one of their international DNs) actually _does_ come from Yahoo

Wasn't me. I don't have that data, and don't know where to get it offhand.

So maybe it does, but in my spamtrap I have only 67/4359 (1.5%) messages from Yahoo (based on grepping for ^From:.*yahoo and ^From: respectively), vs. 658/38748 (1.7%) in my saved mail folders. It seems to me that spam using Yahoo addresses is hardly a big problem, whether it's spoofed or using throwaway addresses.

> and that their response to abuse notifications is abysmal to nonexistent. So it looks to me as if one of two things is happening here. Either the right hand doesn't know what the left hand is doing (or not doing), or this is a blatant, cynical attack on network neutrality designed to push people toward Yahoo's own list service.

I think the main thing is that the decision-makers (who are basically business people) see this as a marketing/PR problem. I don't think it's an attack on network neutrality per se so much as a PR stunt to be perceived as doing something about spam and phishing. I wonder if they're not positioning themselves to do something big in finance or expand in handling payments to vendors who use their e-business platforms -- which would make a tough on phishing stance very important to them, as it is for banks.

> Has anyone seen or heard any figures on how much this DMARC fiasco has cost Yahoo in terms of the number of email end-users who have left their service? Someone mentioned that it was substantial enough to probably get their attention.

I did but that was based on my personal experience, with (as I wrote elsewhere) users who are not very attached to any particular email address yet. I don't see how anybody could get reliable figures, though, except Yahoo! themselves based on statistical analysis of outbound traffic and maybe an increase in the number of accounts that .forward to other accounts.

Steve

Re: [Mailman-Users] DMARC and Bellsouth, etc.
On Thu, Apr 17, 2014 at 2:32 PM, Stephen J. Turnbull step...@xemacs.org wrote:
> Lindsay Haisley writes:
>> Someone, maybe it was you, posted on this forum earlier that perhaps 90% or more of spam with a yahoo.com origin (or one of their international DNs) actually _does_ come from Yahoo
>
> Wasn't me. I don't have that data, and don't know where to get it offhand.
>
> So maybe it does, but in my spamtrap I have only 67/4359 (1.5%) messages from Yahoo (based on grepping for ^From:.*yahoo and ^From: respectively), vs. 658/38748 (1.7%) in my saved mail folders. It seems to me that spam using Yahoo addresses is hardly a big problem, whether it's spoofed or using throwaway addresses.

I'm curious, what numbers do you currently see for tumblr (also a yahoo company) spam?

-Jim P.

Re: [Mailman-Users] DMARC and Bellsouth, etc.
We have a community group mail list which we run using Mailman and have lately had a problem getting our emails to members who have Bellsouth and Yahoo email addresses. I've seen the posts about DMARC but am not that tech-savvy to figure out what this means and how to resolve. Some of our members have complained that they are not getting the group's emails. We have written Bellsouth but they claim the domain is not on a blacklist and problem is not on their end. Our ISP tells us domain is RFC-compliant and problem must be with Bellsouth or Yahoo.

How do we resolve this? What is the fix? Help, please...

On Apr 16, 2014, at 10:48 AM, Mark Sapiro m...@msapiro.net wrote:
> On 04/16/2014 06:58 AM, Lindsay Haisley wrote:
>
> Has anyone seen issues with Gmail accounts and Yahoo's DMARC policy? I've been working with the list admins of one of FMP's hosted lists and they've seen over 100 addresses unsubscribed from the usual suspects - yahoo.com, att.net, Comcast, etc., but no Gmail accounts and there are 228 of them on the list.
>
> This is consistent with what I've observed on lists.
>
> Nonetheless, the PC World article at http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html lists Gmail as being one of the cooperating email service providers honoring Yahoo's DMARC p=reject policy.
>
> I've done some testing. If I send a message from my server, but not from a list From: a yahoo.com address to a gmail address, it gets rejected with
>
>     550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's
>     550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
>     550-5.7.1 this was a legitimate mail. Please visit
>     550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
>     550 5.7.1 initiative. uc7si1048327pbc.131 - gsmtp
>
> However, if I send the same message to a list which then resends it without touching the From: to the same gmail address, gmail accepts it and delivers it to my gmail spam folder.
>
> Thus, it appears that gmail does honor DMARC policy in general, but has some kind of mitigation policy to identify (heuristically? via headers?) mail from a list and quarantine it even if the From: domain's policy is reject.
>
> Note it doesn't use the RFC 2369 List- headers because it still recognizes a message without them as from a list.
>
> --
> Mark Sapiro m...@msapiro.net            The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

Re: [Mailman-Users] DMARC and Bellsouth, etc.
I'll jump in here and offer the quick solution that I'm using at FMP.

The primary culprit here is Yahoo, which publishes a DMARC p=reject policy via DNS. To the best of our knowledge, so far, no one else is doing this, although sbcglobal, att.net, comcast.net, Hotmail and a number of other email service providers will honor Yahoo's policy and bounce posts which have a yahoo.com address in the From header and come from an IP address which isn't a yahoo.com server. This is the case, as per relevant RFCs, for most mail from Mailman mailing lists.

What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a [B] beside them. We're also advising yahoo.com list subscribers to get a Gmail account (as free and easy to get as a Yahoo account).

Mark or Stephen may have a more in-depth response to you, but this is how I've addressed the problem here.

On Wed, 2014-04-16 at 11:30 -0400, Jose I. Rojas wrote:
> We have a community group mail list which we run using Mailman and have lately had a problem getting our emails to members who have Bellsouth and Yahoo email addresses. I've seen the posts about DMARC but am not that tech-savvy to figure out what this means and how to resolve. Some of our members have complained that they are not getting the group's emails. We have written Bellsouth but they claim the domain is not on a blacklist and problem is not on their end. Our ISP tells us domain is RFC-compliant and problem must be with Bellsouth or Yahoo.
>
> How do we resolve this? What is the fix? Help, please...

--
Lindsay Haisley       | Everything works if you let it
FMP Computer Services |
512-259-1190          | --- The Roadie
http://www.fmp.com    |

Re: [Mailman-Users] DMARC and Bellsouth, etc.
Jose I. Rojas writes:

> We have a community group mail list which we run using Mailman and have lately had a problem getting our emails to members who have Bellsouth and Yahoo email addresses. I've seen the posts about DMARC but am not that tech-savvy to figure out what this means and how to resolve.

What it means right now is that posts with @yahoo.com in the From header field will not be delivered to users whose subscribed addresses are at a long list of large email service providers. If emails posted by users with @gmail.com and @harvard.edu etc addresses are getting through to everybody, but emails from @yahoo.com members are not, then the problem may very well be Yahoo!'s DMARC policy.

> Our ISP tells us domain is RFC-compliant and problem must be with Bellsouth or Yahoo.

That's not very helpful of them.

> How do we resolve this? What is the fix?

If in fact the problem is Yahoo!'s DMARC policy, you can't resolve it and there is no fix. Simply put, Yahoo! does not permit their users to post to modern mailing lists that conform to the mail standards.

There are four possible workarounds, depending on the access you have to your mailing list's configuration:

(1) You can tell your members with @yahoo.com addresses to post from a different domain. This is what I personally recommend, as it (a) conforms to Yahoo's stated policy and (b) makes Yahoo users unhappy with their provider, whose behavior is causing denial of service to thousands, perhaps millions, of mailing list users. My experience with this approach is no complaints, but my users are unusual in that they don't really care about their yahoo.com addresses for various reasons. People who do most or all of their mail using Yahoo addresses will find this painful. Depending on how actively you want to protest Yahoo's behavior, you may or may not be willing to impose that pain.

(2) You can break your mailing lists by using the author_is_list option in Mailman 2.1.16 and later. This option will only be available if the site configuration has ALLOW_AUTHOR_IS_LIST set to Yes. This will cause the list to replace the author's address with its own address in From. However, your domain may not permit this, as it's a clear violation of the mail RFCs.

(3) There is a patch to have Mailman encapsulate posts from yahoo.com addresses in a one-message digest. This is RFC-conformant, but some users may have difficulty reading such mail. (Frequently reported on iPhones.) It also requires using a third-party patch for Mailman, which may be prohibited by your ISP or beyond your technical capability in the short run.

(4) You can operate Mailman in pure pass-through mode. I believe it is sufficient to configure Mailman to (a) have a completely empty header (not even whitespace) (b) a completely empty footer (c) no list prefix in the Subject header field. This is conformant to the RFCs, but may place you in violation of anti-spam law (because for most users there will be no visible indication of how to unsubscribe from the list).

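
An added example, not part of any post in this thread: a simplified receiver-side DMARC check showing why a post From: a p=reject domain fails once a list relays it, and why the pass-through workaround (4) can still pass. The DNS records, the example.org and example.edu names, and the subdomain-based alignment test are assumptions.

```python
# Added example: simplified receiver-side DMARC evaluation, standard library only.

# Constructed stand-ins for DNS TXT lookups at _dmarc.<domain>. The p=reject
# value for yahoo.com is what the thread reports; example.edu is made up.
DMARC_RECORDS = {
    "_dmarc.yahoo.com": "v=DMARC1; p=reject",
    "_dmarc.example.edu": "v=DMARC1; p=none",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def aligned(from_domain, auth_domain):
    """Relaxed alignment, approximated without a public-suffix list (assumption):
    the two domains are equal or one is a subdomain of the other."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_disposition(from_domain, spf_domain, dkim_domains, records=DMARC_RECORDS):
    """Return 'pass', 'no-policy', or the published p= value on failure.

    spf_domain   -- envelope-sender domain that passed SPF, or None
    dkim_domains -- d= domains of DKIM signatures that still verify
    A receiver may apply local policy on top of this result.
    """
    tags = parse_dmarc(records.get("_dmarc." + from_domain.lower(), ""))
    if tags is None:
        return "no-policy"
    authenticated = ([spf_domain] if spf_domain else []) + list(dkim_domains)
    if any(aligned(from_domain, d) for d in authenticated):
        return "pass"
    return tags.get("p", "none")


# Constructed cases:
# (label, From: domain, SPF-passing envelope domain, verifying DKIM d= domains)
SCENARIOS = [
    ("sent directly by Yahoo", "yahoo.com", "yahoo.com", ["yahoo.com"]),
    ("own server, From: yahoo.com, no list", "yahoo.com", "mail.example.org", []),
    ("list adds footer, author's DKIM signature breaks",
     "yahoo.com", "lists.example.org", []),
    ("same, but the list signs with its own key",
     "yahoo.com", "lists.example.org", ["lists.example.org"]),
    ("pass-through list, author's DKIM signature survives",
     "yahoo.com", "lists.example.org", ["yahoo.com"]),
    ("list post, author at a p=none domain", "example.edu", "lists.example.org", []),
]


def run_scenarios():
    """Evaluate every constructed scenario and return (label, disposition) pairs."""
    return [(label, dmarc_disposition(frm, spf, dkim))
            for label, frm, spf, dkim in SCENARIOS]


if __name__ == "__main__":
    for label, result in run_scenarios():
        print(f"{result:10} {label}")
```

The list's own SPF pass and DKIM signature do not help because neither domain aligns with the From: domain; only an authenticated identifier in the author's domain does.
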
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 4/16/2014 12:51 PM, Lindsay Haisley wrote:
> What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a [B] beside them. We're also advising yahoo.com list subscribers to get a Gmail account (as free and easy to get as a Yahoo account)

Query: On a very low-traffic mailing list (i.e. one where the list admin doesn't think it too much trouble), would it be a reasonable workaround for the list admin to paste the content of a message-to-be-moderated (i.e. one From: a yahoo address) into a new message _of his/her own_ and send _that_ to the list? This message could include the original From: address _in its body text_ (not its headers) along with a brief reference to the yahoo problem to explain the unusual format.

From what I've read here so far, I think this would succeed in avoiding the usual yahoo-generated problems. However, I can foresee a couple of drawbacks (besides the extra work for list admins):

1. Other subscribers replying to the message will get MUA-generated text saying Larry List-Admin wrote instead of Sonia Subscriber wrote. Those who pay attention and take a little trouble can change that before clicking Send, but many won't.

2. Similarly, other subscribers wanting to reply privately will send their replies to Larry List-Admin instead of Sonia Subscriber if they aren't careful (and some of them won't be). The list admin can forward these replies, but in a few cases they may contain confidential material that the admin shouldn't have seen.

--
Larry Kuenning
la...@qhpress.org

Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 04/16/2014 10:57 AM, Larry Kuenning wrote:
> Query: On a very low-traffic mailing list (i.e. one where the list admin doesn't think it too much trouble), would it be a reasonable workaround for the list admin to paste the content of a message-to-be-moderated (i.e. one From: a yahoo address) into a new message _of his/her own_ and send _that_ to the list? This message could include the original From: address _in its body text_ (not its headers) along with a brief reference to the yahoo problem to explain the unusual format.

I think you then go on to answer your own query ;)

> From what I've read here so far, I think this would succeed in avoiding the usual yahoo-generated problems. However, I can foresee a couple of drawbacks (besides the extra work for list admins):
>
> 1. Other subscribers replying to the message will get MUA-generated text saying Larry List-Admin wrote instead of Sonia Subscriber wrote. Those who pay attention and take a little trouble can change that before clicking Send, but many won't.
>
> 2. Similarly, other subscribers wanting to reply privately will send their replies to Larry List-Admin instead of Sonia Subscriber if they aren't careful (and some of them won't be). The list admin can forward these replies, but in a few cases they may contain confidential material that the admin shouldn't have seen.

--
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 16/04/2014 19:57, Larry Kuenning wrote:
> also advising yahoo.com list subscribers to get a Gmail account (as free and easy to get as a Yahoo account)

so to be sure all your mail is read by google :-)

(of course maybe yahoo does the same - why people can't use their ISP's mail?)

jdd

--
http://www.dodin.org

Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 04/16/2014 11:11 AM, Stephen J. Turnbull wrote:

> (2) You can break your mailing lists by using the author_is_list option in Mailman 2.1.16 and later. This option will only be available if the site configuration has ALLOW_AUTHOR_IS_LIST set to Yes. This will cause the list to replace the author's address with its own address in From. However, your domain may not permit this, as it's a clear violation of the mail RFCs.

The ALLOW_AUTHOR_IS_LIST switch has been removed (is effectively always Yes) for Mailman 2.1.18 (watch for a release announcement soon or pull the head of the lp:mailman/2.1 bzr branch ;)

> (3) There is a patch to have Mailman encapsulate posts from yahoo.com addresses in a one-message digest. This is RFC-conformant, but some users may have difficulty reading such mail. (Frequently reported on iPhones.) It also requires using a third-party patch for Mailman, which may be prohibited by your ISP or beyond your technical capability in the short run.

This capability, without the dnspython dependency, is an option to (2) above, even in 2.1.16.

In 2.1.18 there is an enhanced set of controls that can be applied to all mail From: domains with DMARC p=reject and (optionally, default includes) p=quarantine policies.

See http://wiki.list.org/display/DEV/DMARC for a bit more detail.

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On Wed, 16 Apr 2014 20:31:25 +0200 jdd jdani...@free.fr wrote:

Hello jdd,

> (... why people can't use their ISP's mail?)

In case that's not a rhetorical question: Because every time you change provider, you would have to change email address too. When you're subscribed to over one hundred mailing lists, to say nothing of the umpteen individuals that would need to be told of the change, it would be an (shall we say) onerous task.

--
 Regards  _
         / )      The blindingly obvious is
        / _)rad   never immediately apparent
You suck my blood like a leech
Death On Two Legs - Queen
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 4/16/2014 1:57 PM, Larry Kuenning wrote:

> Query: On a very low-traffic mailing list (i.e. one where the list admin doesn't think it too much trouble), would it be a reasonable workaround for the list admin to paste the content of a message-to-be-moderated (i.e. one From: a yahoo address) into a new message _of his/her own_ and send _that_ to the list? This message could include the original From: address _in its body text_ (not its headers) along with a brief reference to the yahoo problem to explain the unusual format.

I've since thought of a third difficulty besides the two I mentioned. If the post-to-be-moderated is itself a reply to an earlier post, then mailman's archive threading will be broken unless the list moderator goes to the trouble of setting up the substitute message as a reply to the same earlier post. (And of course one must delete all the stuff one's MUA wants to insert, as that will already be provided in the message-to-be-moderated.)

Is this correct?

--
Larry Kuenning
la...@qhpress.org
Re: [Mailman-Users] DMARC and Bellsouth, etc.
Stephen,

Thank you very much for the summary of solutions. I was about to suggest/request it. It may be helpful to add to the wiki as it seems quite important and complicated. I'd be interested in more mails like this, helping those of us move forward and alleviate the issues.

Unless I'm overlooking something, there is another option that appears to work. The anonymous_list option repackages the mail enough that gmail no longer marks it as spam. I don't think it's appropriate for most lists, but could be mentioned as another option. Unless it's similar to option 2 below. I'm not familiar with ALLOW_AUTHOR_IS_LIST.

Lindsay Haisley also suggested:

> What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a [B] beside them.

Is there any way to make these changes with a script, or would one have to do it manually?

I'm also curious if the spam options (header_filter_rules or bounce_matching_headers) might be options to catch inbound messages from yahoo.

Thank you all

Tom Lieuallen

On 4/16/14, 11:11 AM, Stephen J. Turnbull wrote:

> Jose I. Rojas writes:
>
> > We have a community group mail list which we run using Mailman and have lately had a problem getting our emails to members who have Bellsouth and Yahoo email addresses. I've seen the posts about DMARC but am not that tech-savvy to figure out what this means and how to resolve.
>
> What it means right now is that posts with @yahoo.com in the From header field will not be delivered to users whose subscribed addresses are at a long list of large email service providers. If emails posted by users with @gmail.com and @harvard.edu etc addresses are getting through to everybody, but emails from @yahoo.com members are not, then the problem may very well be Yahoo!'s DMARC policy.
>
> > Our ISP tells us domain is RFC-compliant and problem must be with Bellsouth or Yahoo.
>
> That's not very helpful of them.
>
> > How do we resolve this? What is the fix?
>
> If in fact the problem is Yahoo!'s DMARC policy, you can't resolve it and there is no fix. Simply put, Yahoo! does not permit their users to post to modern mailing lists that conform to the mail standards.
>
> There are four possible workarounds, depending on the access you have to your mailing list's configuration:
>
> (1) You can tell your members with @yahoo.com addresses to post from a different domain. This is what I personally recommend, as it (a) conforms to Yahoo's stated policy and (b) makes Yahoo users unhappy with their provider, whose behavior is causing denial of service to thousands, perhaps millions, of mailing list users.
>
> My experience with this approach is no complaints, but my users are unusual in that they don't really care about their yahoo.com addresses for various reasons. People who do most or all of their mail using Yahoo addresses will find this painful. Depending on how actively you want to protest Yahoo's behavior, you may or may not be willing to impose that pain.
>
> (2) You can break your mailing lists by using the author_is_list option in Mailman 2.1.16 and later. This option will only be available if the site configuration has ALLOW_AUTHOR_IS_LIST set to Yes. This will cause the list to replace the author's address with its own address in From. However, your domain may not permit this, as it's a clear violation of the mail RFCs.
>
> (3) There is a patch to have Mailman encapsulate posts from yahoo.com addresses in a one-message digest. This is RFC-conformant, but some users may have difficulty reading such mail. (Frequently reported on iPhones.) It also requires using a third-party patch for Mailman, which may be prohibited by your ISP or beyond your technical capability in the short run.
>
> (4) You can operate Mailman in pure pass-through mode. I believe it is sufficient to configure Mailman to (a) have a completely empty header (not even whitespace) (b) a completely empty footer (c) no list prefix in the Subject header field. This is conformant to the RFCs, but may place you in violation of anti-spam law (because for most users there will be no visible indication of how to unsubscribe from the list).
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 04/16/2014 01:34 PM, Larry Kuenning wrote:

> I've since thought of a third difficulty besides the two I mentioned. If the post-to-be-moderated is itself a reply to an earlier post, then mailman's archive threading will be broken unless the list moderator goes to the trouble of setting up the substitute message as a reply to the same earlier post. (And of course one must delete all the stuff one's MUA wants to insert, as that will already be provided in the message-to-be-moderated.)
>
> Is this correct?

If I understand, yes...

But what you are suggesting is essentially what the Wrap Message option introduced as a site option in 2.1.16 and expanded in 2.1.18 does.

Effectively (with some details omitted) that option is to forward the message as an attachment to a message from the list with Reply-To: including the original poster. It does all this without any moderator intervention.

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
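The two list-side mitigations discussed in this thread, the author_is_list From: rewrite and the Wrap Message option, applied only to posts whose From: domain publishes DMARC p=reject or p=quarantine, as an added example that is not part of any post here and is not Mailman's code. The function names, the example domains and the embedded DMARC records are constructed for illustration, and putting the author in Reply-To: on the rewritten message is an assumption.

```python
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr, parseaddr

# Constructed DMARC TXT records, standing in for DNS lookups of _dmarc.<domain>.
SAMPLE_DMARC = {
    "yahoo.example": "v=DMARC1; p=reject; pct=100; rua=mailto:agg@yahoo.example",
    "quarantine.example": "v=DMARC1; p=quarantine",
    "relaxed.example": "v=DMARC1; p=none",
}

def dmarc_policy(record):
    """Return the p= value of a DMARC record, or None if it is not one."""
    tags = {}
    for part in (record or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def needs_mitigation(msg, include_quarantine=True):
    """True when the From: domain publishes p=reject (optionally p=quarantine)."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    policy = dmarc_policy(SAMPLE_DMARC.get(domain))
    return policy == "reject" or (include_quarantine and policy == "quarantine")

def munge_from(msg, list_addr):
    """author_is_list style: the list's address replaces the author's in From:."""
    name, addr = parseaddr(msg["From"])
    out = message_from_string(msg.as_string())  # copy; the original is untouched
    del out["From"]
    out["From"] = formataddr((f"{name or addr} via list", list_addr))
    del out["Reply-To"]      # no error if the header is absent
    out["Reply-To"] = addr   # assumption: keep the author reachable
    return out

def wrap_message(msg, list_addr):
    """Wrap Message style: the post rides unchanged as a message/rfc822 part."""
    outer = MIMEMultipart("mixed")
    outer["From"] = list_addr
    outer["Reply-To"] = parseaddr(msg["From"])[1]
    outer["Subject"] = msg.get("Subject", "")
    outer.attach(MIMEMessage(msg))
    return outer

def mitigate(msg, list_addr, action="wrap"):
    """Apply the chosen mitigation only to posts that need it."""
    if not needs_mitigation(msg):
        return msg
    return wrap_message(msg, list_addr) if action == "wrap" else munge_from(msg, list_addr)

# Constructed sample post.
POST = message_from_string(
    "From: Sonia Subscriber <sonia@yahoo.example>\n"
    "To: list@lists.example\n"
    "Subject: hello\n\n"
    "Body text.\n"
)

if __name__ == "__main__":
    print(mitigate(POST, "list@lists.example", "munge")["From"])
    print(mitigate(POST, "list@lists.example", "wrap").get_payload()[0].get_content_type())
```

The wrapped form leaves the original headers and body intact inside the attachment, while the rewritten form changes the visible author, which is the trade-off the thread describes between the two options.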
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 16/04/2014 20:59, Brad Rogers wrote:

> On Wed, 16 Apr 2014 20:31:25 +0200 jdd jdani...@free.fr wrote:
>
> Hello jdd,
>
> > (... why people can't use their ISP's mail?)
>
> In case that's not a rhetorical question: Because every time you change provider, you would have to change email address too.

does this occur often?

I find too often many problems are caused by mass mail providers like gmail

but it's not necessary to go further

sorry to have begun this

jdd

--
http://www.dodin.org
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 04/16/2014 01:30 PM, Tom Lieuallen wrote:

> Thank you very much for the summary of solutions. I was about to suggest/request it. It may be helpful to add to the wiki as it seems quite important and complicated. I'd be interested in more mails like this, helping those of us move forward and alleviate the issues.

I just updated http://wiki.list.org/x/ggARAQ. What do you think?

> Lindsay Haisley also suggested:
>
> > What I'm advising list admins here, which puts a band-aid on the problem, is to put all yahoo.com subscribers on moderation, effectively making them read-only subscriptions. Also go through your membership list and clear any nomail disablements with a [B] beside them.
>
> Is there any way to make these changes with a script, or would one have to do it manually?

See http://www.msapiro.net/scripts/reset_bounce.py.

> I'm also curious if the spam options (header_filter_rules or bounce_matching_headers) might be options to catch inbound messages from yahoo.

Either could be used but bounce_matching_headers is deprecated in favor of header_filter_rules.

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On Wed, 16 Apr 2014 23:19:29 +0200 jdd jdani...@free.fr wrote:

Hello jdd,

> On 16/04/2014 20:59, Brad Rogers wrote:
>
> > Because every time you change provider, you would have to change email address too.
>
> does this occur often?

It can, yes. In the past year, I've changed provider twice. If things continue as they are with the current one, I'll be changing again, soon.

> I find too often many problems are caused by mass mail providers like gmail

There are other providers, both free and paid for.

> but it's not necessary to go further sorry to have begun this

Not a problem. Sorry for extending this slightly further, but as the answers were reasonably short I felt it was worth taking the risk. :-)

--
 Regards  _
         / )      The blindingly obvious is
        / _)rad   never immediately apparent
He looked the wrong way at a policeman
I Predict A Riot - Kaiser Chiefs
Re: [Mailman-Users] DMARC and Bellsouth, etc.
If one is interested in maintaining one's identity, using an ISP's email makes it a pain to change ISPs. Of course, that does make the ISPs very happy.

This is a fascinating discussion and as administrator of two very small lists, it's giving me an awful lot to think about. However, being a clueless newbie to matters of RFCs and such I'm going to ask what could be a very naive question... would it be possible/useful/productive to create an RFC to explicitly override this foolishness? I know there aren't any teeth behind RFCs but it might at least get their attention.

Of course, I'd be willing to make the appropriate person a loan of my Official Technical Writer's 2x4® grin.

Best Regards,

Mike

--
Mike Starr, Writer
Technical Writer - Online Help Developer - WordPress Websites
Graphic Designer - Desktop Publisher - Custom Microsoft Word templates
(262) 694-1028 - m...@writestarr.com - http://www.writestarr.com
President - Working Writers of Wisconsin http://www.workingwriters.org/

On 4/16/2014 1:31 PM, jdd wrote:

> (of course may be yahoo do the same - why people can't use their ISP's mail?)
>
> jdd
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On Wed, 2014-04-16 at 15:34 -0500, Mike Starr wrote:

> I know there aren't any teeth behind RFCs but it might at least get their attention.

Doubtful, but the sentiment is noble. My guess is that the people at Yahoo who implemented this, and possibly also the designers of DMARC, don't fully understand the RFC process and have a limited attention span and very narrow focus of attention as far as such things are concerned. Their understanding (and knowledge) of accepted best practices regarding email and mailing lists is woefully limited.

My guess also is that as a result, all of this kerfuffle has probably caught a number of these people by surprise.

--
Lindsay Haisley       | Everything works if you let it
FMP Computer Services |
512-259-1190          | --- The Roadie
http://www.fmp.com    |
Re: [Mailman-Users] DMARC and Bellsouth, etc.
On 4/16/2014 4:51 PM, Mark Sapiro wrote (about my suggestion of manually moderating posts from Yahoo users):

> But what you are suggesting is essentially what the Wrap Message option introduced as a site option in 2.1.16 and expanded in 2.1.18 does.

Well, yes. But:

-- if you're working with an earlier Mailman version (I have 2.1.9),

-- if upgrading Mailman might be difficult (mine was pre-installed under Plesk, which probably implies some unknown tweaking),

-- if you're a novice at writing and debugging Python scripts,

-- and if your site has *extremely* low traffic (I have 2 lists with a total of 20 messages in the past year, and only 5 Yahoo users, who are usually lurkers),

then you might find it easier to live with the manual moderating task than to try to make changes to an otherwise well-working system. (At least in the short run while waiting to see what else develops.)

--
Larry Kuenning
la...@qhpress.org