On 3/31/18 2:31 PM, Lindsay Haisley wrote:
I've been working with a From-rewriting tool with code taken from
Mailman (thanks, Mark!) and discovered a couple of things which I
thought deserved posting about. I expect that they peripherally affect
Mailman, too.
At some point Amazon (amazon.com) started publishing a DMARC
"p=quarantine" policy, which means that any email which gets redirected
and hits my dmarc_shield piece is going to have its From address re-
written to "postmas...@fmp.com" (fmp.com has a proper SPF record).
I don't know what Gmail's policy is with regard to "p=quarantine" -
whether it rejects such email outright or relegates it to the
recipient's spam folder. I know that if the sending site publishes
"p=reject", redirected email is refused by Gmail at the front door.
I'll have to test the "p=quarantine" behavior.
Here's the really annoying thing. My dmarc_shield processor rewrites
the From header as per SOP for Mailman with the proper switch turned
on. The From header address becomes "postmas...@fmp.com" with the
original From address in the address comment (from xxx at yyz.com). If
the email didn't already have a Reply-To address, the original From
address is inserted as the Reply-To address. If a Gmail user replies to
such an email, the reply goes to the Reply-To address, but Gmail
**whitelists** the From address! Thereafter, any email which comes in
with a munged From address is accepted, bypassing Gmail's otherwise
pretty good spam filtering. I'm noticing a lot of spam email going out
with From addresses for which a DMARC "p=reject" policy is published,
which means that any such spam redirected to the Gmail user via FMP is
also whitelisted. Bah! It's a fucking war zone out there!
The only possible solution here would be to randomize the username
portion of the rewritten From address, which makes the email look more
like spam, and the Gmail user would end up with a whole lot of useless
whitelisted address which would need to be deleted. Not to mention the
fact that FMP's mail server might be blocked from sending ANY email to
Gmail.
To me the issue sounds like why is fmp.com forwarding spam?
If this is a case of fmp.com offering forwarding mailboxes to users, who
might be using gmail as a final destination, then yes, fmp needs to try
to be as good at detecting spam as gmail or users need to accept the
increased spam levels.
Another option is to deterministically munge the from address so every
incoming email address gets a unique fmp address that it represents (it
doesn't have to be absolutely unique, mostly unique is likely good
enough), something like replace the at with _at_ and add a tail wart
like _dm...@fmp.com (so you can have other addresses an not worry about
possible overlaps with those) and use that as the from address. Then a
reply will only whitelist that specific original from address.
--
Richard Damon
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe:
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
