Re: [courier-users] Re: freemail list and questions about yahoo...
Sam Varshavchik wrote:

> Provided that they will follow through on their promise, and they don't do something stupid, like using a trusted authority certificate model, this is going to be the final solution. freemail is just a temporary stop-gap measure.
>
> http://edition.cnn.com/2003/TECH/internet/12/05/spam.yahoo.reut/

Acknowledging that my opinion isn't worth much, this seems stupid. As described, the solution would require all of the work that SPF does (http://spf.pobox.com/), plus additional computation. What's the additional check get you?

Am I missing something, or is this going to be a stupid standard that gets used only because it's backed by enough money?
[courier-users] Re: freemail list and questions about yahoo... YAHOO.COM doesn't work?
Andrew Newton writes:

> Sam Varshavchik wrote:
>
>> Reverse, and forward.
>
> So why is web60006.mail.yahoo.com not being seen as in yahoo.com?

Most likely there was a temporary DNS resolution failure.
[courier-users] Re: freemail list and questions about yahoo... YAHOO.COM doesn't work?
Mitch (WebCob) writes:

> Sam said:
>
>> Mitch (WebCob) writes:
>>
>>> So I am assuming that the way freemail works is that it checks to see if the sending server is in the MX list for the freemail domain - I understood
>>
>> No.
>>
>>> the docs to mean that it would reverse resolve within the domain - which seems to be wrong...
>>
>> Reverse, and forward. Of course, temporary resolution glitches would be a factor here.
>
> Hmmm - so maybe the problem people are having with this is a DNS problem? In that case, could I try patching courier to use a temporary failure code so the remote server retries (at which point the DNS should work?) I've tried several test messages - so far ALL have failed this way.

Check for the text string softdnserr, which is used in place of hostname when there's a temporary DNS error.
[courier-users] Re: freemail list and questions about yahoo...
Gordon Messmer writes:

> Sam Varshavchik wrote:
>
>> Provided that they will follow through on their promise, and they don't do something stupid, like using a trusted authority certificate model, this is going to be the final solution. freemail is just a temporary stop-gap measure.
>>
>> http://edition.cnn.com/2003/TECH/internet/12/05/spam.yahoo.reut/
>
> Acknowledging that my opinion isn't worth much, this seems stupid. As described, the solution would require all of the work that SPF does (http://spf.pobox.com/), plus additional computation. What's the additional check get you?

Forwarding will now work. SPF breaks forwarding.

> Am I missing something, or is this going to be a stupid standard that gets used only because it's backed by enough money?

There's that, and there's the 800lb gorilla factor.
Re: [courier-users] Re: freemail list and questions about yahoo...
Sam Varshavchik wrote:

> Gordon Messmer writes:
>
>> Acknowledging that my opinion isn't worth much, this seems stupid. As described, the solution would require all of the work that SPF does (http://spf.pobox.com/), plus additional computation. What's the additional check get you?
>
> Forwarding will now work.

Malcolm tried to impress upon me the same thing. The description on cnn.com is not very technical. Who has the private keys? How does forwarding work?
RE: [courier-users] Re: freemail list and questions about yahoo...
I'm not sure - the way I read it it sounded more like a verification of the sender - not the recipient... similar to spf I guess it will require REAL registered domains to host the txt records containing the keys (guessing here).

But instead of validating a sender to a recipient (which screws up CC and BCC as well as forwarding) it just validates a sender...

Would be nice if they'd throw up a working document so people could throw some collective brainpower at it.

m/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gordon Messmer
Sent: Tuesday, January 06, 2004 10:19 AM
To: Courier Users
Subject: Re: [courier-users] Re: freemail list and questions about yahoo...

Sam Varshavchik wrote:

> Gordon Messmer writes:
>
>> Acknowledging that my opinion isn't worth much, this seems stupid. As described, the solution would require all of the work that SPF does (http://spf.pobox.com/), plus additional computation. What's the additional check get you?
>
> Forwarding will now work.

Malcolm tried to impress upon me the same thing. The description on cnn.com is not very technical. Who has the private keys? How does forwarding work?
RE: [courier-users] Re: freemail list and questions about yahoo...
-----Original Message-----
From: Gordon Messmer
Sent: Tuesday, January 06, 2004 10:19 AM
To: Courier Users

> Sam Varshavchik wrote:
>
>> Gordon Messmer writes:
>>
>>> Acknowledging that my opinion isn't worth much, this seems stupid. As described, the solution would require all of the work that SPF does (http://spf.pobox.com/), plus additional computation. What's the additional check get you?
>>
>> Forwarding will now work.
>
> Malcolm tried to impress upon me the same thing. The description on cnn.com is not very technical. Who has the private keys? How does forwarding work?

It really isn't that complicated:

As each message is injected into the public internet by a SMTP server, that message is signed with a private key controlled by whoever owns the injecting domain. From that point on, anyone can query the DNS for that domain and get a public key; if the public key doesn't unlock the message, it *is* forged, and can be immediately dropped.

SPF can only suggest that it might be forged, and use that information to feed into subsequent filters; Yahoo's scheme is authoritative. Further, using SPF every stage (relaying or forwarding) must provide SPF sender verification otherwise there is no benefit. Using Yahoo's crypto scheme, you can copy the message onto a floppy disk and hand carry it around and at the other end you can still authenticate the message.

The issues that seem to me as still need clarification/definition are these: if my return address is not in the same domain as the injecting server, a specific header would be useful to encapsulate that plus (idealistically) the authenticated sender's name (or the lack thereof). The recipient could then do the following:

* If the public key of the sender's domain validates the message, the message is authentic and should be delivered.

* If that key *doesn't* work, but that of a listed injecting host does, then you have a relay or third-party sender -- but you definitively *know* that, and can make decisions before attempting delivery (e.g. check the injecting host to see if it's listed in a blacklist).

* If the sender's domain and the injecting host have public keys, and the message doesn't have a signature, then the message is a forgery and can be dropped without further effort.

* If the sender's domain has a key but there is no indication of an injecting host nor a signature, then the injecting host may not understand the new scheme, OR the message may be a forgery. However, it is likely that it will be possible to determine (via Received-From lines) if there was a separate injecting host, and if not, simply drop the message.

Of course, the alternative is to insist that if you want to send a message with a sender address in a given domain, you must use that domain's server. With authenticated MTA's, that isn't too onerous, but it will impact some folk (particularly mass marketers... Dearie dearie me!)

In the particular case of Yahoo (and clearly this colors their thinking) they can pretty much unilaterally decree that if you use a @yahoo.com address and you want the message to have a valid signature, you must send using Yahoo's servers. This may sound draconian, but it *is* Yahoo's staff who deals with complaints about forged messages allegedly showing a Yahoo return address (and, given I know the person who has an address similar to jane at yahoo.com, the amount of forged spam with that address is astonishing. Luckily, she used to head Yahoo's eMail customer service team...)

Malc.
[courier-users] RE: freemail list and questions about yahoo...
Malcolm Weir [EMAIL PROTECTED] wrote:

> Gordon Messmer wrote:
>
>> Sam Varshavchik wrote:
>>
>>> Forwarding will now work [with the Yahoo proposal, unlike with SPF].
>>
>> Malcolm tried to impress upon me the same thing. The description on cnn.com is not very technical. Who has the private keys? How does forwarding work?
>
> It really isn't that complicated:

First, thanks for explaining the Yahoo proposal, or YASAF (Yahoo Anti Sender Address Forgery), as I'll call it. That was the first explanation that included enough technical detail for me to be able to understand YASAF.

> As each message is injected into the public internet by a SMTP server, that message is signed with a private key controlled by whoever owns the injecting domain. From that point on, anyone can query the DNS for that domain and get a public key; if the public key doesn't unlock the message, it *is* forged, and can be immediately dropped.
>
> SPF can only suggest that it might be forged, and use that information to feed into subsequent filters; Yahoo's scheme is authoritative. Further, using SPF every stage (relaying or forwarding) must provide SPF sender verification otherwise there is no benefit. Using Yahoo's crypto scheme, you can copy the message onto a floppy disk and hand carry it around and at the other end you can still authenticate the message.

I don't see what SPF does NOT do (to prevent sender domain forgery) that IS being done by YASAF.

SPF, for a given domain, prevents rogue SMTP servers, that are unauthorized to send from that domain, from delivering mails to an SPF-protected server. You as a domain owner can even authorize 3rd party servers (like your ISP's ones) to send mail from your domain.

The "you can carry a YASAF-protected mail on a floppy disk and still verify its sender domain's authenticity" argument is bogus. Why would you actually want to perform the verification anytime *after* the mail has been received by your side in the first place? For reliability's sake (from a legitimate sender's point of view), you'd want to reject invalid mails right in the SMTP dialog anyway instead of just dropping mails or even generating concrete bounce messages.

And even if there were a real reason to perform late verification, you could do the same with SPF. Just check the delivering IP address in the appropriate Received: header (i.e. the oldest header you trust).

Why can SPF only suggest that a sender address is forged? What's the difference from YASAF in this regard?

Further, the YASAF private keys can't be handed out to users for them to sign their messages themselves (and use whatever SMTP relay they want), or to other untrusted 3rd parties. This means that users are required to use SMTP servers that have access to the private key, which will usually be the domain owner's trusted servers only. This in turn means that YASAF prevents domain owners from authorizing (untrusted) 3rd party servers to send mail from their domain, while SPF does support this.

SPF's concept is most natural, as it basically represents the reverse of the DNS MX record type, plus it brings some extensions. I don't see why this is not enough to effectively prevent sender address forgery.
[courier-users] Error messages from submit and courierlocal
I mentioned this back on 18 November, but that discussion got a little sidetracked with the filters bit.

Every day I'm getting 20 or so messages from courierlocal and submit just saying Permission denied. No messages before or after to hint at what it is trying to access. Also about 50 a day from courierlocal with just No such file or directory, again, no clue as to what it is looking for.

Keeping in mind my daily maillog is already 50 megs or so I don't want to have to enable gross levels of debug messages or the like, but is there any way to get more information from courier as to what it is looking for in these instances?

-- 
Andrew Gray
Systems Administrator
College of Engineering
University of Nevada, Las Vegas
[courier-users] Re: freemail list and questions about yahoo...
Malcolm Weir writes:

> The issues that seem to me as still need clarification/definition are these: if my return address is not in the same domain as the injecting server,

then you sign the message with YOUR key, and put THAT in DNS. I don't really know what Yahoo's going to do, but based on what I've read, in several places, I reached a similar impression as to what they're doing.

> The recipient could then do the following:
>
> * If the public key of the sender's domain validates the message, the message is authentic and should be delivered.
>
> * If that key *doesn't* work, but that of a listed injecting host does, then you have a relay or third-party sender -- but you definitively *know* that, and can make decisions before attempting delivery (e.g. check the injecting host to see if it's listed in a blacklist).

I didn't get the impression that Yahoo's stuff has anything to do with the injection host. Remember, that legitimate Yahoo mail can only come out of Yahoo itself, so they can take care of signing entirely on their end.

As you indicated, this scheme will prevent someone from using their Yahoo E-mail address to send mail themselves, from their ISP. That's unfortunate, but I also agree that Yahoo wouldn't give a fsck about it. They specifically _want_ their lusers to send mail through their webmail interface, instead of their own mail programs.

And I'm optimistic that they'll explicitly specify that the domain check has to be carried out against the From: header, and not the envelope sender address (although that one can still be optionally checked). Remember that Yahoo's goal is to get rid of all the clueless wonders from complaining to Yahoo about spam From: [EMAIL PROTECTED] I'll be disappointed if they're naive enough to believe that checking the envelope sender address is sufficient; otherwise all that's needed to nullify any value added from this enterprise is to simply use a different envelope sender address, but keep the From: header intact.

Yes, that means that the message's body will have to be received, before the message can be authenticated. That's better than nothing.
[courier-users] RE: freemail list and questions about yahoo...
Sam Varshavchik [EMAIL PROTECTED] wrote:

> Julian Mehnle writes:
>
>> I don't see what SPF does NOT do (to prevent sender domain forgery) that IS being done by YASAF.
>
> It prevents mail from being forwarded. A forwarded message will keep its return address, but will now originate from some other host, from the point view of the ultimate recipient.

Alright, I do see that. What's wrong with sender rewriting? I mean, except for that it has to be implemented?
[courier-users] RE: freemail list and questions about yahoo...
Sam Varshavchik [EMAIL PROTECTED] wrote:

> Julian Mehnle writes:
>
>> What's wrong with sender rewriting? I mean, except for that it has to be implemented?
>
> What exactly are you going to rewrite the sender to? The address from which the message gets forwarded? Gee, guess where the bounce would go?

The bounce would go to the forwarder. So what? The forwarder can simply forward (backward) the bounce as well. Is this a serious problem?
[courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
I'm cross posting this message here just to keep other courier users in the loop.

I'm a long time courier user but not quite as long time SpamAssassin user. I noticed a problem with false positives related to the default settings in SA. Messages sent from my home machine to myself were being detected as spam due to a score on the RCVD_IN_DYNABLOCK test which is supposed to trip when the top received header indicates the mail was received from an address in a dynamic pool - like a cable modem / etc.

My first concern is that apparently due to the differences in courier's vs sendmail's Received header formats, the first courier header is not always detected. Secondly, if I am sending to another user in my own system via authenticated SMTP, the rule still triggers - even though my authentication on the server should allow me some sort of whitelist like status (my humble opinion).

I'm assuming that someone on the SA side can fix the failure to detect the first header, and hopefully the authentication issue as well (when the first Received header shows (AUTH: ...).

As this pertains to courier specifically, and it may be causing false positives I thought I'd share it here.

Hope it helps - I'll post the resolution as well assuming there is one.

cheers.

Original message from SAtalk follows.

m/

With the help of Shane Williams (who received a message and showed me how it passed his SA ok) I figured out the following:

Courier formats its received lines like this (this trips RCVD_IN_DYNABLOCK):

    Received: from bigass1.XXX.com ([66.199.X.X])
      by slim1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +
    Received: from a1200 ([24.83.X.X])
      (AUTH: LOGIN [EMAIL PROTECTED])
      by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +

Shane I presume (by version numbers) is running sendmail - which has a different Received format and DOESN'T trip RCVD_IN_DYNABLOCK:

    Received: from bigass1.XXX.com (ns1.XXX.com [66.199.X.X])
      by fiat.XXX.edu (8.12.10/8.12.10) with ESMTP id i06MBJ6U020255
      for [EMAIL PROTECTED]; Tue, 6 Jan 2004 16:11:19 -0600
    Received: from a1200 ([24.83.X.X])
      (AUTH: LOGIN [EMAIL PROTECTED])
      by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 22:09:53 +

So for starters, the -notfirsthop option seems to be missing my first header.

And for seconds... I will still have a problem when my first header is AUTHENTICATED. If I send mail to myself, my ONLY received header looks like:

    Received: from a1200 ([24.83.X.X])
      (AUTH: LOGIN [EMAIL PROTECTED])
      by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +

Which I think should be ignored - although headers can be forged, the first header can't - right? And if it says authenticated, I shouldn't be penalized for sending mail to myself - right?

So now what - do I file a bug report ? or have I already put the info in the right place?

Thanks a bunch for the tool - glad to do my bit - I imagine that this problem affects all courier users. Unless I'm missing something?

Thanks!

m/

-----Original Message-----
From: Brian Sneddon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 4:55 AM
To: 'Mitch (WebCob)'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

Hi, Mitch. Could you please provide more information regarding the mail server which is running SpamAssassin? Information such as which MTA it's using, how you're calling SpamAssassin (procmail, milter, etc.), and whether the machine is on a private NATed address will be helpful in troubleshooting your problem. Thanks.

Brian
Re: [courier-users] Re: freemail list and questions about yahoo...
Gordon Messmer wrote:

> Acknowledging that my opinion isn't worth much, this seems stupid. As described, the solution would require all of the work that SPF does (http://spf.pobox.com/), plus additional computation. What's the additional check get you?

If the particular server is who it says it is, and I trust its certificate, I don't really have to care what domain it's sending mail for. The method will support roaming users on multiple networks, for instance, in a way SPF cannot.
Re: [courier-users] Re: freemail list and questions about yahoo...
Mitch (WebCob) wrote:

> Personally I don't see that as a bad thing - it makes it a lot simpler to keep tabs on the spam problem, and since authenticated SMTP and open source webmail systems are so common, I would question why ANYONE would send mail from a foreign domain through a convenient SMTP server.

Because many ISPs will only allow you to access port 25 of THEIR server; if you're roaming onto their network, you must use their server, not some external one you can authenticate to.
Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Mitch (WebCob) wrote:

> My first concern is that apparently due to the differences in courier's vs sendmail's Received header formats, the first courier header is not always detected. Secondly, if I am sending to another user in my own system via authenticated SMTP, the rule still triggers - even though my authentication on the server should allow me some sort of whitelist like status (my humble opinion).

Configure maildrop not to pass messages that were AUTH'd to spamassassin:

    if( ! ( /Received: .*\(AUTH: [^)]*\) *by [:alnum:]*.example.com/ ) )
    {
        xfilter "/usr/bin/spamc"
    }
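[Added example, not part of the original thread or of Courier, maildrop or SpamAssassin.] Both the AUTH exemption above and the "oldest header you trust" idea earlier in the thread depend on deciding which Received: line was written by your own servers. The sketch below walks the chain from the top and counts an AUTH marker only on the hop where the message entered your infrastructure; the host names, addresses and sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Matches both layouts quoted in the thread:
#   Courier:  from HELO ([IP]) (AUTH: ...) by HOST with esmtp; ...
#   sendmail: from HELO (RDNS [IP]) by HOST (version) with ESMTP id ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s()\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"(?:\s+\((?P<auth>AUTH:[^)]*)\))?"
    r"\s+by\s+(?P<by>[^\s;]+)"
)

# Assumption: the servers we operate and the addresses they send from.
OWN_HOSTS = {"mbox.example.com", "relay.example.com"}
OWN_IPS = {"192.0.2.10"}


def parse_received(value):
    """Parse one Received: value into a dict, or None if unrecognised."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold header first
    if m is None:
        return None
    hop = m.groupdict()
    hop["by"] = hop["by"].lower()
    return hop


def entry_hop(raw_message, own_hosts=OWN_HOSTS, own_ips=OWN_IPS):
    """Return the hop at which the message entered our own servers.

    Headers are read top-down (newest first). A header is believed only
    if it was written by one of our hosts, and we look at the next older
    header only if this hop's client was also one of ours. Everything
    below the entry hop was supplied by the sender and is ignored.
    """
    entry = None
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["by"] not in own_hosts:
            break
        entry = hop
        if hop["ip"] not in own_ips:
            break  # client was external: this is the trust boundary
    return entry


def submitted_with_auth(raw_message):
    """True only if the entry hop itself records SMTP AUTH."""
    hop = entry_hop(raw_message)
    return bool(hop and hop["auth"])


def any_header_has_auth(raw_message):
    """What a match against *any* Received: line decides (for contrast)."""
    pat = re.compile(r"\(AUTH: [^)]*\) *by \S*\.example\.com")
    headers = message_from_string(raw_message).get_all("Received", [])
    return any(pat.search(" ".join(v.split())) for v in headers)


# Constructed sample: authenticated submission, then an internal relay hop.
LEGIT = """\
Received: from relay.example.com ([192.0.2.10])
  by mbox.example.com with esmtp; Tue, 06 Jan 2004 23:56:10 +0000
Received: from laptop ([198.51.100.7])
  (AUTH: LOGIN user@example.com)
  by relay.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
From: user@example.com
Subject: test

body
"""

# Constructed sample: unauthenticated delivery whose message data already
# contained a Received: line claiming AUTH (the last header below).
FORGED = """\
Received: from relay.example.com ([192.0.2.10])
  by mbox.example.com with esmtp; Tue, 06 Jan 2004 23:58:02 +0000
Received: from host.invalid ([203.0.113.5])
  by relay.example.com with esmtp; Tue, 06 Jan 2004 23:58:01 +0000
Received: from laptop ([198.51.100.7])
  (AUTH: LOGIN user@example.com)
  by relay.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
From: user@example.com
Subject: test

body
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED)):
        print(name, entry_hop(raw)["ip"], submitted_with_auth(raw),
              any_header_has_auth(raw))
```

The address returned by entry_hop() is also the one to hand to a DNSBL or late SPF check, since it is the last client address recorded by a server you control.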
RE: [courier-users] RE: freemail list and questions about yahoo...
-----Original Message-----
From: Julian Mehnle
Sent: Tuesday, January 06, 2004 3:08 PM

[ Snip ]

>> As each message is injected into the public internet by a SMTP server, that message is signed with a private key controlled by whoever owns the injecting domain. From that point on, anyone can query the DNS for that domain and get a public key; if the public key doesn't unlock the message, it *is* forged, and can be immediately dropped.
>>
>> SPF can only suggest that it might be forged, and use that information to feed into subsequent filters; Yahoo's scheme is authoritative. Further, using SPF every stage (relaying or forwarding) must provide SPF sender verification otherwise there is no benefit. Using Yahoo's crypto scheme, you can copy the message onto a floppy disk and hand carry it around and at the other end you can still authenticate the message.
>
> I don't see what SPF does NOT do (to prevent sender domain forgery) that IS being done by YASAF.

SPF only validates that the host that claims to be on the other end of the SMTP connection is the 'correct' host (or a correct host) for that domain. In most cases (see Sam's remarks) YASAF validates that the 'From:' line is being used legitimately.

Still, the main thing that YASAF *does* is based on the fact that it is sponsored by Yahoo who is one of the major e-mail domains out there, while SPF is sponsored by more-or-less no-one. SPF may be acceptable, but any fair assessment will acknowledge that the use of crypto signatures *is* a harder nut to crack when it comes to forgeries, so YASAF can be viewed as SPF++ (the first plus for the crypto, the second for the sponsor).

> SPF, for a given domain, prevents rogue SMTP servers, that are unauthorized to send from that domain, from delivering mails to an SPF-protected server. You as a domain owner can even authorize 3rd party servers (like your ISP's ones) to send mail from your domain.

Sure. Now, explain why it isn't already being used universally? Why doesn't Yahoo simply implement it?

The answer is that it doesn't authenticate the message, only the connection. If your SMTP server decides that mine is authentic (in the SPF sense), then I can shovel a message to you that appears to have been relayed from (say) a Yahoo domain. You'll add another 'Received-From:' header, and deliver it to your user. Unfortunately, in this specific case, 'I' might have been a SPF-protected disposable domain, and your user still complains to Yahoo...

> The "you can carry a YASAF-protected mail on a floppy disk and still verify its sender domain's authenticity" argument is bogus.

No, it's entirely valid, and covers one of the key issues. Note that SPF can only be employed during SMTP dialogs; 'YASAF' can be employed even by an MUA's during a POP3 dialog... And the old POP3 (and IMAP and SMTP) server(s) can be entirely ignorant of the whole issue while the user gains the benefits!

> Why would you actually want to perform the verification anytime *after* the mail has been received by your side in the first place?

Because you are Yahoo's support department and, to borrow Sam's example, you are fed up with responding to people complaining about mail received from '[EMAIL PROTECTED]'. In this case, the forwarded message (or the message carried on a floppy) is self-contained from the standpoint of its signature, and it can be subsequently proven (say, in a court of law) that it is a forgery. This may be rather important if you are being sued for sending UCE... As may now be the case!

Secondly, as suggested earlier, your 'side' may be using an old SMTP package, but your MUA is cutting edge and is smart enough to discard invalid 'YASAF' messages during the download.

> For reliability's sake (from a legitimate sender's point of view), you'd want to reject invalid mails right in the SMTP dialog anyway instead of just dropping mails or even generating concrete bounce messages.

That's debatable. If you are sending legitimately with a signature, all is well. If you are sending *without* a signature where you 'should' have one, it can be argued that you are sending a forgery, and a rejection provides the forger with additional information -- that may be good, or not, depending on whether you choose to argue that it is better to permit forgers to hone their mailing lists, or whether it is better to allow the forgers to bloat their lists so as to increase the overall cost.

Sure, from a good citizen standpoint you are right... But from an anti-spam standpoint the issue is slightly more complex (I personally would love for the largest ISPs to silently drop forged mail, for precisely this reason).

> And even if there were a real reason to perform late verification, you could do the same with SPF. Just check the delivering IP address in the appropriate Received: header (i.e. the oldest header you trust).

No, because once the connection has been closed,
Re: [courier-users] RE: freemail list and questions about yahoo...
Julian Mehnle wrote:

> But it *could* be. You can set the following SPF record for workdomain.com (if Earthlink has their own SPF set up correctly):
>
>     v=spf1 [...] include:earthlink.net -all
>
> or (if Earthlink uses their incoming MXes as outgoing MXes as well):
>
>     v=spf1 [...] mx:earthlink.net -all
>
> or even (otherwise):
>
>     v=spf1 [...] a:smtp.earthlink.net -all

So my employer has to determine which networks I'm allowed to roam onto?! So when I travel on business, I should call the hotel a day or two ahead of time to ask who their service provider is and what their SMTP servers are, so I can ask the work NOC to add it as a valid sender?! What planet are we talking about?

> Yahoo's scheme has the advantage that the owner of workdomain.com doesn't have to open his domain to forgery from other domains (like in the example above). But as soon as a user @workdomain.com is forced to send through a 3rd party SMTP relay (like in the example above), either the user or that 3rd party would need access to the workdomain.com private key to properly sign the sent messages.

Of course. But it makes lots more sense for employees of workdomain.com to have access to its private key than it does for servers of randomroamprovider.net to.

> So essentially, the difference in this regard between SPF and the Yahoo scheme is that with SPF, the 3rd party must be trusted, while with the Yahoo scheme, the 3rd party OR the user @workdomain.com must be trusted. I.e., with SPF, trust cannot be delegated to the user.

No, but you seem to trivialize the amount of work and the impractical and unreasonable policy involved in that difference.
[courier-users] Re: freemail list and questions about yahoo...
Julian Mehnle writes: Sam Varshavchik [EMAIL PROTECTED] wrote: Julian Mehnle writes: What's wrong with sender rewriting? I mean, except for that it has to be implemented? What exactly are you going to rewrite the sender to? The address from which the message gets forwarded? Gee, guess where the bounce would go? The bounce would go to the forwarder. So what? The forwarder can simply forward (backward) the bounce as well. Is this a serious problem? Yes. Because the bounce bounces (after all, everything to the forwarded address gets bounced, right?), and since the return address is reset to the forwarder, it goes back to the forwarder. But, by definition, the forwarder forwards all mail, resetting the return address. So the bounce gets forwarded again, it bounces, goes back, forwards, bounces again, etc
[courier-users] Re: freemail list and questions about yahoo...
Malcolm Weir writes: Still, the main thing that YASAF *does* is based on the fact that it is sponsored by Yahoo who is one of the major e-mail domains out there, while SPF is sponsored by more-or-less no-one. That's absolutely correct. The 800lb gorilla factor cannot be overlooked. However, be assured that if Yahoo cooks up something obnoxious, like some scheme that involves a trusted certificate authority, nobody will pay any attention to the gorilla. Nobody is going to pay $100/yr for the privilege of obtaining a certificate to validate their mail. But I think that as far as 800lb gorillas go, Yahoo probably has a better chance of putting something workable on the table. I would feel fairly comfortable pronouncing dead-on-arrival any similar press release from Hotmail (for the obvious reasons). It is a fact that there's an awful lot of crap being thrown around with @yahoo.com return addresses. You just HAVE TO KNOW that if there's ANY WAY that any Internet provider can easily trash all that spam, without even the slightest possibility of interfering with any legitimate @yahoo.com mail (setting aside the marginal case of someone using their yahoo.com address from their ISP), then you, as an ISP, would have to be astonishingly DUMB not to make use of this opportunity. And once the infrastructure is in place to validate @yahoo.com mail, there's virtually no added cost to turn it on for any other domain. And, as long as anyone can play, without paying a dime, there's absolutely no reason why any other E-mail provider would NOT voluntarily choose to authenticate their E-mail in a similar fashion. Everything is hinging on the proposition that Yahoo is not about to try something stupid. If they get it right, you're going to have a snowball effect coming down the hill.
[courier-users] Re: Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?
Mitch (WebCob) writes: And for seconds... I will still have a problem when my first header is AUTHENTICATED. If I send mail to myself, my ONLY received header looks like: Received: from a1200 ([24.83.X.X]) (AUTH: LOGIN [EMAIL PROTECTED]) by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 + Which I think should be ignored - although headers can be forged, the first header can't - right? And if it says authenticated, I shouldn't be penalized for sending mail to myself - right? Correct. The topmost received header is yours, and it cannot be forged.
[courier-users] courierperlfilter question
Hi all. I'm wanting to test a perlfilter script, and from what I can figure it wants a socket ID in ARGV when it starts. I'd like to test this filter without having it run as one of Courier's mail filters. I can probably come up with some wrapper around it, etc, but I don't understand how to pass the file descriptor to the script. I've tried (in perl): --- open($handle, mailfile); $foo = '/usr/local/bin/spamassassin-filter.pl ' . $handle; print `$foo`; --- That doesn't work. Does anyone have any ideas? Thanks, -- Tim Nelson Systems Administrator Sunet Internet Tel: +61 3 5241 1155 Fax: +61 3 5241 6187 Web: http://www.sunet.com.au/ Email: [EMAIL PROTECTED]
[courier-users] RE: freemail list and questions about yahoo...
Malcolm Weir [EMAIL PROTECTED] wrote: SPF only validates that the host that claims to be on the other end of the SMTP connection is the 'correct' host (or a correct host) for that domain. In most cases (see Sam's remarks) YASAF validates that the 'From:' line is being used legitimately. SPF doesn't primarily use the HELO string, but the envelope from. In principle it can also be used to verify the From: and Sender: headers. Still, the main thing that YASAF *does* is based on the fact that it is sponsored by Yahoo who is one of the major e-mail domains out there, while SPF is sponsored by more-or-less no-one. SPF may be acceptable, but any fair assessment will acknowledge that the use of crypto signatures *is* a harder nut to crack when it comes to forgeries, so YASAF can be viewed as SPF++ (the first plus for the crypto, the second for the sponsor). For SPF to be cracked, one would need to spoof DNS. Granted, it's some orders of magnitude harder to fake digital signatures (that are using significant key lengths) than to spoof DNS. But on the other hand, cryptography would need to be newly implemented in huge chunks of software, even in countries where digital cryptography is illegal. Sure, this might not concern us lucky ones, but given that the crypto approach is vast overkill for the problem, this seems like a very bad trade off. At least to me. I acknowledge that Yahoo is BIG and that this will give YASAF some considerable momentum. But this alone certainly doesn't make YASAF the technically superior solution against sender address forgery. But isn't that what we're arguing about here? [...] Sure. Now, explain why [SPF] isn't already being used universally? Why doesn't Yahoo simply implement it? I can't. Please ask Yahoo. And please also ask them why YASAF isn't already being used universally. And why has nobody else yet implemented YASAF? The answer is that it doesn't authenticate the message, only the connection. This is not true. [...] 
Unfortunately, in this specific case, 'I' might have been a SPF-protected disposable domain, and your user still complains to Yahoo... http://spf.pobox.com/objections.html#throwaway Why would you actually want to perform the verification anytime *after* the mail has been received by your side in the first place? Because you are Yahoo's support department and, to borrow Sam's example, you are fed up with responding to people complaining about mail received from '[EMAIL PROTECTED]'. In this case, the forwarded message (or the message carried on a floppy) is self-contained from the standpoint of its signature, and it can be subsequently proven (say, in a court of law) that it is a forgery. This may be rather important if you are being sued for sending UCE... As may now be the case! Are we debating SPF vs. YASAF from a sender address forgery protection tool point of view or from a forensic evidence point of view? Besides, it's technically impossible to prove anything with a copy of an alleged digital mail message. A message with an invalid digital signature can be easily forged by the suitor. Based on such bogus proof, one could sue anybody. And would hopefully fail! And even if there were a real reason to perform late verification, you could do the same with SPF. Just check the delivering IP address in the appropriate Received: header (i.e. the oldest header you trust). No, because once the connection has been closed, the headers are vulnerable to being rewritten. Sure, *most* MTA's behave well, but some clearly don't, Oh come on, are you talking about broken software here? What about broken software that incorrectly verifies digital signatures, or even corrupts the digital signature during transmission? Does that kind of software make YASAF technically inferior? and if you are willing to forge a 'From:' line, one must acknowledge that forging a 'Received:' line is certainly possible. Forging a crypto key is rather harder...
On a trusted mail server, the oldest trusted Received: line cannot ever be forged. I.e. there is always at least one Received: line containing an unforged sender IP address which can be used for SPF verification. Why can SPF only suggest that a sender address is forged? What's the difference from YASAF in this regard? SPF validates that the connection came from the place it claims to have come from. It doesn't validate that the origination is valid for an address. Further processing is required to discover if the validated connection is associated with a problematic source (e.g. checks against blacklists). Yes, blacklists may be required with SPF to avert the disposable domain problem. But SPF is not designed to kill spam on its own, but as a tool to protect against sender address forgery. With SPF, spammers may send from disposable domains, but they can't forge other people's domains.
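Added example, not part of any poster's message: a sketch of the late SPF check debated above (take the peer IP from the oldest Received: line written by a host you operate, then evaluate the sender domain's SPF record against it), which also shows the forwarding failure raised elsewhere in the thread. The domains, addresses, DNS tables and function names are constructed for illustration, and only the ip4, a, mx, include and all mechanisms are handled.

```python
import ipaddress
import re

# Constructed DNS data (not real records); addresses are documentation ranges.
TXT = {
    "workdomain.example": "v=spf1 ip4:192.0.2.0/28 include:isp.example -all",
    "isp.example": "v=spf1 mx a:smtp.isp.example ~all",
}
A = {"smtp.isp.example": ["198.51.100.25"], "mx1.isp.example": ["198.51.100.10"]}
MX = {"isp.example": ["mx1.isp.example"]}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate an SPF subset (ip4, a, mx, include, all) for ip against domain."""
    record = TXT.get(domain)
    if record is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        name, _, arg = mech.partition(":")
        target = arg or domain               # bare "mx"/"a" mean the current domain
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = ip in A.get(target, [])
        elif name == "mx":
            hit = any(ip in A.get(host, []) for host in MX.get(target, []))
        elif name == "include":
            hit = check_host(ip, arg, depth + 1) == "pass"  # only a pass matches
        else:
            continue                         # mechanisms outside this subset
        if hit:
            return QUALIFIER[qual]
    return "neutral"

RECEIVED = re.compile(r"from\s+\S+\s+\((?:\S+\s+)?\[([0-9.]+)\]\).*?\bby\s+(\S+)", re.S)

def oldest_trusted_ip(received, trusted_hosts):
    """received: Received: values, newest first; IP logged by the oldest trusted hop."""
    ip = None
    for value in received:
        m = RECEIVED.search(value)
        if not m or m.group(2) not in trusted_hosts:
            break                            # everything below is unverifiable
        ip = m.group(1)
    return ip

def late_spf(received, trusted_hosts, sender_domain):
    ip = oldest_trusted_ip(received, trusted_hosts)
    return ip, (check_host(ip, sender_domain) if ip else "none")

SAMPLE = [  # constructed path: sender's ISP relay -> third-party forwarder -> our MX
    "from fwd.forwarder.example ([203.0.113.7]) by mx.rcpt.example with esmtp",
    "from smtp.isp.example ([198.51.100.25]) by fwd.forwarder.example with esmtp",
    "from laptop ([192.0.2.5]) by smtp.isp.example with esmtp",
]
```

With only `mx.rcpt.example` trusted, the check sees the forwarder's address and returns fail; the same message passes only if the forwarder's Received: line is also one you have reason to trust.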
Re: [courier-users] RE: freemail list and questions about yahoo...
Julian Mehnle wrote: See it this way: the domain owner has to determine which networks the domain users are allowed to send mail from. It's not always about employer/employee. In fact, most of the time it will be ISP/customer. I see that as stupid and totalitarian. If I have an Earthlink account, you're saying it's reasonable that: - I can only send mail with my Earthlink-hosted address through their servers or servers they bless, BUT - I can only send through their servers if I'm connected to them (and most of their peers will do the same)... ...meaning that I will likely only be able to send mail using any address when I'm on that ISP's pipe... ...an absurd situation. This is a good objection, agreed. But YASAF doesn't really avoid this. With YASAF, as an employee you may be better off because your employer entrusted you with his domain private key, but as an ISP customer, you can't send mail from we're blocking port 25 hotels either. Why not? I'd furnish my clients with *a* domain private key -- especially if their address is in a private domain of theirs that I manage -- and spank them if they misuse it. Of course. But consider not employer/employee, but ISP/customer. I'm 100% dead sure that less than 1% of ISPs will give their domain private keys away to their customers. Clearly, it will be much more workable with private domains. Additionally, any employer giving his domain private key(s) to its employees will have to generate new keys each time any (previously) trusted employee leaves the company. Of course, but they pretty much need to do that for lots of things now.
[courier-users] RE: freemail list and questions about yahoo...
Sam Varshavchik [EMAIL PROTECTED] wrote: Julian Mehnle writes: Sam Varshavchik [EMAIL PROTECTED] wrote: Julian Mehnle writes: What's wrong with sender rewriting? I mean, except for that it has to be implemented? What exactly are you going to rewrite the sender to? The address from which the message gets forwarded? Gee, guess where the bounce would go? The bounce would go to the forwarder. So what? The forwarder can simply forward (backward) the bounce as well. Is this a serious problem? Yes. Because the bounce bounces (after all, everything to the forwarded address gets bounced, right?), and since the return address is reset to the forwarder, it goes back to the forwarder. But, by definition, the forwarder forwards all mail, resetting the return address. So the bounce gets forwarded again, it bounces, goes back, forwards, bounces again, etc I don't see the problem. http://spf.pobox.com/objections.html#forwarding handles it, I think.
Re: [courier-users] RE: freemail list and questions about yahoo...
Julian Mehnle wrote: And why has nobody else yet implemented YASAF? Before they write it and build its infrastructure? Perhaps you'd like to tell me why you're not driving the 2033 Porsche.
[courier-users] Re: freemail list and questions about yahoo...
Julian Mehnle writes: I acknowledge that Yahoo is BIG and that this will give YASAF some considerable momentum. But this alone certainly doesn't make YASAF the technically superior solution against sender address forgery. Both of them provide equivalent authentication of the sender's address. SPF will break when mail is forwarded. YASAF won't. The logical conclusion is that YASAF is a technically superior solution. [...] Sure. Now, explain why [SPF] isn't already being used universally? Why doesn't Yahoo simply implement it? I can't. Please ask Yahoo. And please also ask them why YASAF isn't already being used universally. And why has nobody else yet implemented YASAF? They have not published it. The Reuters report indicates that they are working on a toolkit that they intend to give away to everyone, and they estimate that they will complete the work sometime before May.
Re: [courier-users] Re: freemail list and questions about yahoo...
Sam Varshavchik wrote: You forgot all about authenticated SMTP. You can use any ISP, and authenticate yourself to Earthlink's mail servers. After you are authenticated, you have relaying privileges, and Earthlink's mail servers will sign your relayed mail automatically. Not with pobox.com's private key.
[courier-users] Re: freemail list and questions about yahoo...
Roger B.A. Klorese writes: Julian Mehnle wrote: I don't see the problem. http://spf.pobox.com/objections.html#forwarding handles it, I think. But it's just wrong. If I am connected to my Earthlink DSL at home and want to send mail using my pobox.com account in their example... - Earthlink will block port 25 to any other SMTP server but theirs - therefore there's no voodoo that pobox.com can do that will allow a normally-configured mail client to send using my pobox.com address Yes, they can. SMTP's twin sister, the mail submission protocol, uses port 587, which will be unaffected by Earthlink's stupid firewall. It's unacceptable to me -- and to millions of others. If your mail client cannot be reconfigured to use SMTP to port 587, instead of port 25, then have someone fix it, so that it can. I think that the spam problem has gotten big enough to force a swift kick in the ass, to everyone.
Re: [courier-users] Re: freemail list and questions about yahoo...
Sam Varshavchik wrote: Yes, they can. SMTP's twin sister, the mail submission protocol, uses port 587, which will be unaffected by Earthlink's stupid firewall. Perhaps. But why assume it won't be blocked? I'd expect them to block it in a New York minute. I think that the spam problem has gotten big enough to force a swift kick in the ass, to everyone. Maybe for you. I get a good 1000-2000 pieces of spam a day, and compared to these hoops, it seems no big deal to me.