Re: [mailop] Debugging fwd issue meta.com to zoho.com (Help from user under meta.com needed)

2024-06-05 Thread John R Levine via mailop

On Wed, 5 Jun 2024, Tobias Fiebig wrote:

If you're not sending SMTPUTF8 mail, the DKIM signature headers
should be ASCII with no encoding needed. But if you are sending
SMTPUTF8 mail, you can put UTF-8 directly in the header and it
doesn't need any further encoding either.


Yeah, even more odd, the actual data did not contain any UTF-8 anyway.
Meta now also fixed this.


Can you give an example of the signature headers that caused a
problem? They just sound wrong.


See attached. dkimpy/dkimverify failed on the original mail with:


I wouldn't verify that either.  It's just wrong.  You're not allowed to 
MIME encode strings in a DKIM-Signature header.*


Unfortunately there is a lot of badly written mail processing code that 
tries to be helpful by MIME encoding headers without checking whether the 
headers allow it.



My understanding, though, is that encoding _should_ be permissible
here, as it would be needed, e.g., when receiving a message from a
server with SMTPUTF8 which then must be forwarded via a server that
does not support it.


Nope.  You cannot downgrade a SMTPUTF8 message to an ASCII message.  The 
experimental versions of EAI tried to do that and it never worked so they 
took it out of the standards track EAI RFCs.


You can wrap one as a message/global MIME part and send it as an 
attachment, but you can't "translate" the message.


R's,
John

* - I'm pretty sure that if you asked the author of RFC 8616, he'd say the 
same thing.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Line too long

2024-05-17 Thread John R Levine via mailop

On Fri, 17 May 2024, Brandon Long wrote:

I don't know anyone who uses BINARYMIME.  Microsoft's MTAs say they do
but I've never tried to see if it works.


We did some testing with it and got some really inconsistent end to end 
responses even from services which advertised it.  The idea of saving 
bytes by not using base64 was appealing.


Back in 2016 I proposed CDAT which is like BDAT but with deflate 
compression (what gzip uses.)  That would shrink base64 to no bigger than 
the original data, but nobody was interested.


https://www.ietf.org/archive/id/draft-levine-smtp-compress-00.txt


And BINARYMIME is incompatible with the line length limit unless your
content happens to have new-lines in the right places or is shorter than
1000 bytes.


Right, the binary data probably isn't text so if it has any \r\n pairs 
it's just an accident.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] (Mis)use of DKIM's length tag and it's impact on DMARC and BIMI

2024-05-17 Thread John R Levine via mailop

On Fri, 17 May 2024, Brandon Long wrote:
I guess the part that's new to me is the apparent widespread (enough) 
use of the l= parameter.  I don't recall ever noticing its use before, 
though can't say it was ever top of mind when looking at various headers 
of messages.


I have to admit I'm surprised too.  I thought everyone knew it was bad.

In my file of DKIM signatures in newsletter/mailing list mail I've gotten 
over the past 15 years, I have about 200,000 signatures of which 6500 have 
l=something.  I divided it in half, and since 2018 there are 98,000 
signatures of which only 500 have l=something.


It's not very common and it's gotten less common, like one message in 
2000, but it does exist.



The example in the post of someone using l=1 really sounds like a
workaround for


I looked, I see a bunch of l=1 in mailings from the libertarians at 
reason.com which makes a perverse kind of sense.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
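
An added example, not from the thread and not dkimpy's code: a small Python linter for the two DKIM-Signature problems discussed in the messages above, a header that was MIME-encoded (RFC 2047 encoded-words) and a signature that uses the l= body length tag. The sample headers are constructed, and `body_len` is assumed to be the canonicalized body length in octets, supplied by the caller.

```python
import re

# RFC 2047 encoded-word (=?charset?B-or-Q?text?=); never valid in DKIM-Signature.
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")
TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")  # RFC 6376 section 3.5


def parse_tags(value):
    """Parse a DKIM-Signature field value into a {tag: value} dict."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not TAG_NAME.fullmatch(name):
            continue  # not a syntactically valid tag; ignore it
        if name in ("b", "bh"):
            val = re.sub(r"\s+", "", val)  # whitespace inside base64 is insignificant
        tags[name] = val.strip()
    return tags


def lint_signature(value, body_len):
    """Return a list of (code, detail) findings for one DKIM-Signature value."""
    findings = []
    if ENCODED_WORD.search(value):
        findings.append(("encoded-word", "header was MIME-encoded; verifiers will fail it"))
    tags = parse_tags(value)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        findings.append(("missing-tags", ",".join(missing)))
    if "l" in tags:
        length = tags["l"]
        if length.isascii() and length.isdigit():
            # Everything past the first l= octets can be changed or appended
            # without breaking the signature.
            unsigned = max(body_len - int(length), 0)
            findings.append(("l-tag", f"{unsigned} of {body_len} body bytes are unsigned"))
        else:
            findings.append(("l-tag", "l= is not a decimal number"))
    return findings


# Constructed sample headers; the base64 values are placeholders, not real signatures.
GOOD = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
        " h=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;\r\n"
        " b=Y29uc3RydWN0ZWQ=")
WITH_L = GOOD.replace("s=sel1;", "s=sel1; l=1;")
ENCODED = ("=?utf-8?q?v=3D1;_a=3Drsa-sha256;_d=3Dexample.com;_s=3Dsel1;?=\r\n"
           " =?utf-8?q?_h=3Dfrom:to;_bh=3DY29uc3RydWN0ZWQ=3D;_b=3DY29uc3RydWN0ZWQ=3D?=")

if __name__ == "__main__":
    for label, header in (("good", GOOD), ("with l=1", WITH_L), ("encoded", ENCODED)):
        print(label, lint_signature(header, body_len=500))
```
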


Re: [mailop] What is Yahoo TSS09 ?

2024-05-06 Thread John R Levine via mailop

I am moving my servers to new IP addresses, which is always fun. The
new block is 192.55.226/24 which was allocated in 1989 and has never
been live until this week.

So here's what AOL says to innocuous messages from my users.

553 5.7.2 [TSS09] All messages from 192.55.226.66 will be permanently deferred; 
Retrying will NOT succeed.

I presume it has something to do with it being a hitherto unseen IP range.

The volume is quite low, maybe 200 messages a day including from my
mailing lists, and does not look spammy. The highest volume list is
gossip about folk dancing.

Any suggestions?


To answer the obvious questions, it all has DKIM signatures and the SPF is 
updated, so it ain't that.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Are there other comparable services like spamcop.net / spamhaus.org?

2024-04-03 Thread John R Levine via mailop

On Wed, 3 Apr 2024, Laura Atkins wrote:

They do not accept third party samples and never have.


They are now. https://submit.spamhaus.org/


Huh.  Nobody tells me nothin'.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] One click unsubscribe in mailing list messages

2024-02-25 Thread John R Levine via mailop

On Sun, 25 Feb 2024, Ken O'Driscoll wrote:

Outlook has supported list-unsubscribe for at least a year, if not longer.
But, it's an add-on you need to proactively install so...


I'm looking at the list of add-ins and I don't see it.  Maybe it's Windows 
only and I'm on a Mac?


R's,
John


It appears that Hans-Martin Mosner via mailop  said:

Yes. I'm looking at you, thunderbird...

This should be a no-brainer, and it's a shame that the major open source
MUA doesn't seem to support it. There's probably an add-on to do this, I
just can't access the thunderbird add-on search at the moment, so don't know
for sure.

There is but it hasn't been updated to work with recent versions of
T'bird so it installs a button but the button doesn't do anything
useful. Oh well.

Still waiting for Outlook to do this, both the web site and the program.








Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Is forwarding to Gmail basically dead?

2024-02-08 Thread John R Levine via mailop

Frustratingly, some see DKIM as too complicated and they run their own
mail servers and simply won't set it up.  I agree that it's annoying to
do ... but it's become pretty close to necessary these days.


The users with the worst problems were my local town government who were 
getting mail from US government agencies.  There is a mandate that 
agencies MUST do DMARC, so some of them said what's the cheapest easiest 
way to do it, publish an SPF record and DMARC p=reject?  OK, done.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] [E] Re: Spamfolder mini rant (Was: Contact Google Postmaster)

2024-01-30 Thread John R Levine via mailop

That’s not the only option they offer. While they might use POP3 for most
accounts in the ancient “import” flow, they do support adding 3rd party
accounts properly via IMAP via their Gmailify feature.


Oh, OK.  That only works for a handful of large providers.  For my users 
it says too bad, POP only.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] ECDSA DKIM validation?

2023-12-22 Thread John R Levine via mailop

On Thu, 21 Dec 2023, Stuart Henderson wrote:

If you've had to talk someone not very technical through adding a DKIM
RSA key to a poorly implemented web interface from some cheap DNS
provider that doesn't handle long TXT records, you might feel
differently.


I take your point but I can only have limited sympathy for "you have to 
change your correctly working mail system because we don't care enough to 
fix our broken DNS crudware."



There is often a workaround in that case - using 1024 bit keys - but
then there *is* a cryptographic problem.


A 1536 bit key should fit in one string and that's plenty long for the 
foreseeable future.  The largest RSA number known to be factored is 829 
bits, and that's nearly twice the length.  Keep in mind that DKIM keys are 
intended to protect messages for a few weeks, not years, so expensive 
attacks aren't worth it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] ECDSA DKIM validation?

2023-12-21 Thread John R Levine via mailop

On Thu, 21 Dec 2023, Mike Hillyer wrote:

John Said:


I'm sure that Google has code somewhere that can validate ED25519
signatures.  But that does not mean that it would be a good idea for them
to use that code in production today and try to update their reputation
systems to deal with the dual signing that implies.


With the number of messages already arriving with multiple DKIM 
signatures I can't imagine their reputation systems don't already handle 
dual signing just fine. Granted this would be two signatures on the same 
domain, but that seems like a small change from handling a signature on 
the From plus one from the ESP and maybe even one for the 
list-unsubscribe domain.


If there's two signatures for the same domain, one is good and one is bad, 
which do you believe?  I know what the spec says, but we have no practical 
experience.


In any event, as I've said at least three times now, RSA keys are fine for 
the foreseeable future so there is no benefit to using ED25519 keys unless 
there is an unexpected key break.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] ECDSA DKIM validation?

2023-12-21 Thread John R Levine via mailop

On Thu 21/Dec/2023 10:37:52 +0100 John Levine via mailop wrote:
Yes, your code should handle them.  No, that doesn't mean you should sign 
with them.


Yup.  The question was why Gmail doesn't /verify/ ed25519 signatures. 
Answering that they do so because it's not necessary to use them doesn't 
sound real.  That way, they are damaging the halo of steady innovators that 
their pushing on authentication might evoke...


Sorry, but I don't understand what you are saying.

I'm sure that Google has code somewhere that can validate ED25519 
signatures.  But that does not mean that it would be a good idea for them 
to use that code in production today and try to update their reputation 
systems to deal with the dual signing that implies.


As I've said several times, unless there is a cryptographic problem with 
RSA, there is no reason to *use* any other kind of signature.


R's,
John


Re: [mailop] dnsbl.spam.fail

2023-12-12 Thread John R Levine via mailop

I also block most mail from Hetzner's network. It's not a vendetta,
it's not extortion, it's purely practical. My time is not unlimited,
the vast majority of the mail from that network is spam and if a tiny
bit of real mail gets lost, so be it. It is not worth my time to make
exceptions in my filtering rules.


If you're the only user on the system, then sure, fine -- your mail, your 
choice, but in my case I have "normal" users, ...


I also have normal users, and if they complain I make their mail work. 
But they've never complained about losing mail from Hetzner.


They complain a lot about losing mail but it very rarely has to do with 
local blocks.  More often it's either that the sender is taking a long 
time to get around to it, or doesn't send at all because their ESP decided 
not to send it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Gmail says "Message bounced due to organizational settings."

2023-09-27 Thread John R Levine via mailop

I'm doing some work for arxiv.org, the preprint server at Cornell university.

Many gmail users have reported that when they try to send mail to
arxiv.org addresses to update their subscriptions, it fails saying
Message Blocked, with the explanation "Message bounced due to
organizational settings."

This affects some but not all mail from Gmail. I am reasonably sure
that Gmail is not trying to deliver this mail before rejecting it.

Any suggestions?


Is this gmail.com  directly or google hosted domains?


I see complaints from gmail.com addresses so I don't think it's just 
hosted domains.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] greylisting, SendGrid is deleting your mail

2023-06-26 Thread John R Levine via mailop

Do you have any idea how many of those would be tripped up by a
Postfix-style banner delay?


Good question. I've been meaning to add a greet pause but haven't yet
gotten around to it.


I got around to it and now do a greet pause before I greylist.  Most of 
the hosts on the Spamhaus BLs are early talkers but that's not a surprise 
and I wouldn't waste effort greylisting them.  Instead I accept the mail, 
reject at the end of data, and put it in the spamtrap to collect 
statistics.


After it runs for a while I'll see what the numbers look like.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-09 Thread John R Levine via mailop

If you don't care enough to publish a valid SPF record, why should
we think you care whether we deliver your mail?


The customer in question used an ESP to send marketing emails.
That ESP told him what host to include in his SPF record.

Probably some years later, that ESP changed domain and that include
became invalid.


Quite possibly, but I don't see why that is anyone else's problem.  As I 
said, if you want people to accept your mail, act like you want people to 
accept your mail.  If you don't have the skills to do that, get help from 
someone who does.


If people make reasonable requests for help, that is fine, but don't 
expect people to work around stuff you can and should fix.


R's,
John


Re: [mailop] push and pull, Microsoft Office365 not rejecting emails when instructed so by SPF recored?

2023-05-30 Thread John R Levine via mailop
Not really.  Partly it's that they don't want to send stuff by SMTP where a 
glitch could bounce the statement into some random admin's mailbox or a 
spam scanner might do who knows what with it.  But mostly it's that they 
want to train their users to use a web browser with an SSL connection to 
look at their bank info.


if you want to believe so... as a lawyer who had to argue around those 
timestamps and statements, I am pretty confident that the *main advantage* I 
listed outweighs by a few $-digits all the reasons you list, combined.


It probably differs by country.  I have talked to a lot of people who do 
security for bank computer systems here in the U.S.


I am fairly sure that in the U.S. there is generally no obligation on the 
bank to prove that a customer has seen a statement.  If you move and don't 
give the bank your new address, that's your problem, not the bank's problem.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] push and pull, Microsoft Office365 not rejecting emails when instructed so by SPF recored?

2023-05-30 Thread John R Levine via mailop

On Tue, 30 May 2023, post...@sfina.com wrote:

https://cr.yp.to/im2000.html

You can tell from its name how long ago it was, and from the fact that you
never heard of it before how successful it was.


If I may respectfully encourage you to look at how you receive your online 
banking statements, most likely they are delivered by a system that is 
conceptually pretty much like DJB described it back then. ...


Conceptually, sure, but the notice they send me telling me to look at 
their web site is a lot more than just a link to the server where the 
statement is.


The main advantage for the financial institution is proof on the balance 
of probability of the timestamp and statements that have been delivered 
to the customer.


Not really.  Partly it's that they don't want to send stuff by SMTP where 
a glitch could bounce the statement into some random admin's mailbox or a 
spam scanner might do who knows what with it.  But mostly it's that they 
want to train their users to use a web browser with an SSL connection to 
look at their bank info.



Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] address rewriting, Thoughts on envelope address local-part length limits

2023-05-15 Thread John R Levine via mailop

On Mon, 15 May 2023, Brandon Long wrote:

Yes, VERP and SRS are the two most obvious cases where their design
inherently doesn't work
with the limit (encoding the full email address into the mailbox portion)

You'd need to either get fancy with the domain portion, which has its own
complications (multi-level star DNS?) or use a lookup table.


The wildcard isn't hard, since a DNS wildcard matches any number of 
labels.  (You may be confusing it with wildcard SSL certs which use the 
same syntax but only match a single label.)  One wildcard is plenty for my 
DMARC rewriter to, say, bl...@google.com.dmarc.fail:


;; QUESTION SECTION:
;*.dmarc.fail.  IN  MX

;; ANSWER SECTION:
*.dmarc.fail.   10  IN  MX  20 mx1.dmarc.fail.

Once the mail arrives I need a lookup table to track which domains I'm 
rewriting and which addresses in those domains, to keep from turning into 
an open relay.


I believe that LISTSERV rewrites addresses to a hash of the address which 
fixes the length problem but also needs a lookup table.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] SPF behavior on email forwarding

2023-04-15 Thread John R Levine via mailop

In other words, SPF check is not something what helps with SPAM
here, seems that spammers adapted to it...


As far as I know, SPF was never meant as an anti-spam measure.


It was most definitely touted as an anti-spam measure.  Some of us were there.


Absolutely. Spent time listening to Meng Wong talk about it, totally ignoring 
the forwarding problem.


Which was really strange since Meng ran pobox.com, a forwarding service.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Mailing Lists and domains with DMARC reject

2023-03-09 Thread John R Levine via mailop
Would a MUA send a POST to a known domain if it was found on a message 
coming from an unknown, or anyway different domain?


Maybe.  It's quite common for a message to come from some company and the 
links to point back to the ESP.


Isn't it difficult to agree on opaque tokens in that case?


No.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Mailing Lists and domains with DMARC reject

2023-03-09 Thread John R Levine via mailop
Yes, the idea was to prevent malicious unsubs by sending fake spam with 
someone else's one-click unsub.


Would a MUA send a POST to a known domain if it was found on a message coming 
from an unknown, or anyway different domain?


Maybe.  It's quite common for a message to come from some company and the 
links to point back to the ESP.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Mailing Lists and domains with DMARC reject

2023-03-08 Thread John R Levine via mailop
Yeah, RFC4871 was a proposed standard, RFC6376, four years later became an 
Internet standard.  Once there was a level in between...


Seems that 4 years was not enough ;-) Or we understand idea behind that
RFC wrongly...


Keep in mind that DMARC was invented long after SPF and DKIM.  Also that 
the original goal of DMARC was to protect heavily phished domains like 
paypal.com and its authors did not expect anyone to use it on domains that 
send mail to lists.  It was several years later that AOL and Yahoo started 
abusing DMARC to outsource the cost of phishes using address books that 
they let crooks steal.


And why does RFC8058 require that fields such as List-Unsubscribe-Post: 
MUST be signed?


Is it special "One click" case? I was not interested in it yet...


Yes, the idea was to prevent malicious unsubs by sending fake spam with 
someone else's one-click unsub.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] warming up IPs, Microsoft?

2023-03-06 Thread John R Levine via mailop

Huh. We don't have any issues sending email to them from Linode, including
a small number from one of our new IP addresses I've been trying to warm up.


Linode has a bunch of different IP address blocks and I would expect 
recipients to block the ones that send annoying amounts of spam.  That's 
what I do.  So as likely as not, you're just lucky that you don't have 
annoying neighbors.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] warming up IPs, Microsoft?

2023-03-05 Thread John R Levine via mailop
It also occurs to me that you don't need to do your computing and mail on 
the same VM.  Mail is rather lightweight so you could run a mail server at 
Tektonic, and send messages from other places via port 587 submission.


On Sun, 5 Mar 2023, Mark Fletcher wrote:


On Sun, Mar 5, 2023 at 10:20 AM John R Levine  wrote:



I've been happy with a small provider called Tektonic.  If you've never
heard of them, that's a good sign.

Thanks for the recommendation; unfortunately they wouldn't work for us.

Their largest VM is less than half the size we would need for our
databases, also they don't appear to have an API to provision new VMs.

Thanks,
Mark



Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] warming up IPs, Microsoft?

2023-03-05 Thread John R Levine via mailop

Thanks for the recommendation; unfortunately they wouldn't work for us.

Their largest VM is less than half the size we would need for our
databases, also they don't appear to have an API to provision new VMs.


If you need a big VM there's always AWS.  They do a surprisingly good job 
of managing outbound mail.  You get 62K messages/mo for free, then 10c per 
1000 messages sent from a VM.  If you want big databases, you can run them 
in your own VM but it's easier and probably just as cheap to use one of 
their managed ones.


You have to validate each domain you use for sending, which is a modest 
pain, but that's one of the reasons their mail stream is pretty clean.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] warming up IPs, Microsoft?

2023-03-05 Thread John R Levine via mailop

On Sun, 5 Mar 2023, Mark Fletcher wrote:

Best I can tell, in our 9+ years, being hosted by Linode has never been an
issue wrt deliverability, and as a hosting provider, they've been nothing
but responsive and reliable. That said, they were recently bought by
Akamai, and have just raised prices. So I guess I need to start at least
paying attention to other hosting options. Who do you recommend these days?


I've been happy with a small provider called Tektonic.  If you've never 
heard of them, that's a good sign.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Does gmail accept unicode character in From domain? I don't think so

2023-03-03 Thread John R Levine via mailop
It occurs to me that if you only have a handful of addresses with accented 
Latin characters, they are probably typos, not real addresses.


Unless you're sending mail to south or southeast Asia, just get rid of 
them.


On Fri, 3 Mar 2023, Alex Burch wrote:


Thanks everyone. Is there any reason not to just always use punycode for
the domain and keep it pure ascii? Seems safer that way. Are there any
known risks to doing that?

About swaks, there is an open MR to add SMTPUTF8 support:
https://github.com/jetmore

If John Jetmore is here, please merge that sucker!

Thanks,
Alex


--

Alexander Burch
ActiveCampaign / Senior Deliverability Engineer
abu...@activecampaign.com
1 North Dearborn St Suite 500, Chicago IL, 60602








On Thu, Mar 2, 2023 at 6:20 PM John Levine  wrote:


It appears that Alex Burch via mailop  said:


I am using unicode in the From: not the MAIL FROM. Do you have to specify
it SMTPUTF8 in the MAIL FROM to use it in the From header? I don't see
anything about that here:

https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc6531__;!!JIZ-LZtDGnv5HBqN_A!LLHjvWO9Lj3NLPOW2WO4wfuIRc6jsmEppjd-E6-oOHDWAguRDF1IVTyo6F7qheRN7lfhCKHmFEIrsWFs$

See section 3.6 which refers to an "internationalized message" and RFC
6532 which explains what that means. It roughly means you can have
UTF-8 in the headers.


I was under the impression that if the client offered SMTPUTF8 extension
then you could go ahead and use unicode in the headers like From.


You can, but you have to put the SMTPUTF8 parameter on the MAIL FROM to say
it's an internationalized message.

I did a bunch of EAI mail tests for ICANN's UASG and Gmail passed most of
them.
If you use the correct envelope and headers, it'll work.

Someone else asserted that nobody handles Unicode domain names, and he is
wrong, although they have to be encoded as A-labels when you do the DNS
lookup, as described in RFCs 5894 and 5895.

R's,
John







Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Does gmail accept unicode character in From domain? I don't think so

2023-03-03 Thread John R Levine via mailop

We are an ESP and we have a lot of customers who send with characters like
ü or á, usually in the local part but occasionally in the domain. I think
if we converted all from addresses to pure ascii punycode, we'd solve our
problems rather than trying to keep them unicode and rely on SMTPUTF8
working.


If an address has ü or á in the local part, it is an EAI address and you 
cannot "convert it to punycode."  Domains have A-label versions but local 
parts do not.



I see Yahoo does not even offer SMTPUTF8


Right, they're behind the curve.  Gmail and Microsoft do and their support 
is pretty good.


Sounds like you should either go to the modest effort to make SMTPUTF8 
sending work, or go through your lists and delete the non-ASCII addresses 
since they'll just bounce or get lost.





Thanks,
Alex


--

Alexander Burch
ActiveCampaign / Senior Deliverability Engineer
abu...@activecampaign.com
1 North Dearborn St Suite 500, Chicago IL, 60602


On Fri, Mar 3, 2023 at 9:32 AM John R Levine  wrote:


Thanks everyone. Is there any reason not to just always use punycode for
the domain and keep it pure ascii? Seems safer that way. Are there any
known risks to doing that?


"Always" in what context?  The whole point of IDNs and EAI is so that
people who don't speak English can use mail addresses they can read.

If you mean in your lists of addresses to send to, sure you can use
A-labels (the ones that contain punycode) and it'll work, although if the
local parts have UTF-8 characters, you still have to do SMTPUTF8 so it's
not much of a shortcut.

Most of the people with EAI addresses are in India, Thailand, and other
parts of south and east Asia.  If you don't do a lot of business there,
you don't need to worry about them.

R's,
John



About swaks, there is an open MR to add SMTPUTF8 support:


https://urldefense.com/v3/__https://github.com/jetmore__;!!JIZ-LZtDGnv5HBqN_A!MykNXx6yo6uaoX3D_3VQ1iI9p1jeUkSw6Rl62hNqBo1YB1pKliY2BMyPv3L5IAND_HKUjZ2XbsMeFi_m$


If John Jetmore is here, please merge that sucker!

Thanks,
Alex


--

Alexander Burch
ActiveCampaign / Senior Deliverability Engineer
abu...@activecampaign.com
1 North Dearborn St Suite 500, Chicago IL, 60602


On Thu, Mar 2, 2023 at 6:20 PM John Levine  wrote:


It appears that Alex Burch via mailop  said:


I am using unicode in the From: not the MAIL FROM. Do you have to specify
it SMTPUTF8 in the MAIL FROM to use it in the From header? I don't see
anything about that here:

https://www.rfc-editor.org/rfc/rfc6531

See section 3.6 which refers to an "internationalized message" and RFC
6532 which explains what that means. It roughly means you can have
UTF-8 in the headers.


I was under the impression that if the client offered SMTPUTF8 extension
then you could go ahead and use unicode in the headers like From.


You can, but you have to put the SMTPUTF8 parameter on the MAIL FROM to say
it's an internationalized message.

I did a bunch of EAI mail tests for ICANN's UASG and Gmail passed most of
them.
If you use the correct envelope and headers, it'll work.

Someone else asserted that nobody handles Unicode domain names, and he is
wrong,
although they have to be encoded as A-labels when you do the DNS lookup, as
described in RFCs 5894 and 5895.

R's,
John







Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly





Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

Re: [mailop] Does gmail accept unicode character in From domain? I don't think so

2023-03-03 Thread John R Levine via mailop

Thanks everyone. Is there any reason not to just always use punycode for
the domain and keep it pure ascii? Seems safer that way. Are there any
known risks to doing that?


"Always" in what context?  The whole point of IDNs and EAI is so that 
people who don't speak English can use mail addresses they can read.


If you mean in your lists of addresses to send to, sure you can use 
A-labels (the ones that contain punycode) and it'll work, although if the 
local parts have UTF-8 characters, you still have to do SMTPUTF8 so it's 
not much of a shortcut.


Most of the people with EAI addresses are in India, Thailand, and other 
parts of south and east Asia.  If you don't do a lot of business there, 
you don't need to worry about them.


R's,
John



About swaks, there is an open MR to add SMTPUTF8 support:
https://github.com/jetmore

If John Jetmore is here, please merge that sucker!

Thanks,
Alex


--

Alexander Burch
ActiveCampaign / Senior Deliverability Engineer
abu...@activecampaign.com
1 North Dearborn St Suite 500, Chicago IL, 60602








On Thu, Mar 2, 2023 at 6:20 PM John Levine  wrote:


It appears that Alex Burch via mailop  said:


I am using unicode in the From: not the MAIL FROM. Do you have to specify
it SMTPUTF8 in the MAIL FROM to use it in the From header? I don't see
anything about that here:

https://www.rfc-editor.org/rfc/rfc6531

See section 3.6 which refers to an "internationalized message" and RFC
6532 which explains what that means. It roughly means you can have
UTF-8 in the headers.


I was under the impression that if the client offered SMTPUTF8 extension
then you could go ahead and use unicode in the headers like From.


You can, but you have to put the SMTPUTF8 parameter on the MAIL FROM to say
it's an internationalized message.

I did a bunch of EAI mail tests for ICANN's UASG and Gmail passed most of
them.
If you use the correct envelope and headers, it'll work.

Someone else asserted that nobody handles Unicode domain names, and he is
wrong,
although they have to be encoded as A-labels when you do the DNS lookup, as
described in RFCs 5894 and 5895.

R's,
John







Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
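
The two points made in the messages above (the SMTPUTF8 parameter goes on MAIL FROM whenever the message is internationalized, and A-labels for the domain do not help when the local part is UTF-8) can be seen in a small planning function. This is an added example, not code from the thread; the addresses, the `plan_envelope` helper and the use of Python's built-in IDNA 2003 codec are assumptions made for illustration.

```python
def split_address(addr):
    """Split at the last '@' into (local part, domain)."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    return local, domain


def to_a_label(domain):
    """ASCII (A-label) form of a domain, as needed for the DNS lookup.

    Assumption: Python's built-in "idna" codec is used for brevity. It
    implements the older IDNA 2003 mapping, so a production sender would
    swap in an IDNA 2008 library.
    """
    return domain.encode("idna").decode("ascii").lower()


def asciify_domain(addr):
    """Rewrite only the domain of an address to A-labels."""
    local, domain = split_address(addr)
    return f"{local}@{to_a_label(domain)}"


def plan_envelope(mail_from, rcpt_to, header_values, ehlo_keywords):
    """Decide whether a message must be sent as an internationalized one.

    header_values: header field bodies exactly as they will go on the
    wire, i.e. raw UTF-8 if present.
    ehlo_keywords: extension keywords the receiving server advertised.
    """
    sender = asciify_domain(mail_from)
    rcpt = asciify_domain(rcpt_to)
    # Once the domains are A-labels, any remaining non-ASCII is a UTF-8
    # local part or raw UTF-8 in a header; both require SMTPUTF8.
    needs = any(not s.isascii() for s in (sender, rcpt, *header_values))
    offered = "SMTPUTF8" in {k.upper() for k in ehlo_keywords}
    return {
        "mx_lookup": to_a_label(split_address(rcpt_to)[1]),
        "mail_cmd": f"MAIL FROM:<{sender}>" + (" SMTPUTF8" if needs else ""),
        "rcpt_cmd": f"RCPT TO:<{rcpt}>",
        "smtputf8": needs,
        # An internationalized message may only go to a server offering it.
        "sendable": offered or not needs,
    }


# Constructed sample cases, not taken from the thread.
EHLO = ["PIPELINING", "8BITMIME", "SMTPUTF8"]
ASCII_FROM = ["News <news@example.com>"]
CASES = {
    "ascii_only": plan_envelope(
        "news@example.com", "bob@example.net", ASCII_FROM, EHLO),
    "idn_domain_as_a_label": plan_envelope(
        "news@example.com", "info@bücher.example", ASCII_FROM, EHLO),
    "utf8_local_part": plan_envelope(
        "news@example.com", "दीपक@xn--bcher-kva.example", ASCII_FROM, EHLO),
    "utf8_in_from_header": plan_envelope(
        "news@example.com", "bob@example.net",
        ["News <news@bücher.example>"], EHLO),
    "server_lacks_smtputf8": plan_envelope(
        "news@example.com", "दीपक@example.net", ASCII_FROM, ["8BITMIME"]),
}

if __name__ == "__main__":
    for name, plan in CASES.items():
        print(f"{name:24} {plan['mail_cmd']:42} sendable={plan['sendable']}")
```
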


Re: [mailop] Mail Sending Self-Test Platform

2023-03-01 Thread John R Levine via mailop

Still, i am a bit wondering; Looking at the data flushed in so far (and
already multiple bugs filed against implementations)... there are a lot
of funny milters and often unmaintained software integrated in funny
docker stacks (probably preaching to the choir there, but i have a lot
of grievances with those setups), and generally a lot of awry things
(example.com. IN TXT "v=spf1 include:example.com -all" is, for example,
far more common than i'd have ever believed...).


In the DMARC working group we've had endless arguments about what changes 
will or won't break existing DMARC setups, informed by a lot of opinions 
and very little data.  Actual data would be greatly appreciated.


It's not surprising that there are a lot of broken DMARC and SPF records. 
The question is whether anyone cares.  My impression is that in many cases 
there was a checklist item "DMARC" so someone did the absolute minimum.  A 
p=none policy, a sloppy SPF record, and no DKIM is a strong hint.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Mail Sending Self-Test Platform

2023-02-28 Thread John R Levine via mailop

dmarcv1 is a typo in the description (i correctly check for DMARC1,
otherwise this would have shown up earlier);

??

The actual complaint is psd=n; Lemme see if i can make the report more
clear re: where it complained.

Do you maybe have some context on psd=n? I can't find it in 7489.


It's in RFC 9091 and in the DMARC update currently in draft form at the 
IETF.  The intention was always that you could put private clauses in 
DMARC records which get ignored by clients that don't understand them, but 
the ABNF was overly clever.  That's fixed in the new draft too.





With best regards,
Tobias

On Tue, 2023-02-28 at 17:32 -0500, John Levine wrote:

It appears that Tobias Fiebig via mailop  said:

Heho,

after our paper on mail sending configurations some time ago [1], we
now glued that together into a self-service site:

https://email-security-scans.org/

I'd be happy to hear your feedback, especially if things do not work as
expected (then, your test ID and ideally stored emails would be really
helpful,


It's complaining that my DMARC record is invalid because it doesn't
start with "v=DKIMv1".  What?

Test ID ttada96061gfwnvbuthbycansr5h34

R's,
John





Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
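
Two of the record problems raised in the Mail Sending Self-Test Platform messages above are a checker rejecting a DMARC record over a tag it does not know (`psd=n`) and an SPF record that includes its own domain. The sketch below is an added example, not the test platform's code: it parses a DMARC record while ignoring unknown tags, and flags SPF terms that point back at the record's own domain. The sample records, function names and the choice of the RFC 7489 tag list as the "known" set are assumptions.

```python
# Tags defined in RFC 7489; anything else is treated as unknown and skipped.
RFC7489_TAGS = {"v", "p", "sp", "adkim", "aspf", "pct",
                "rua", "ruf", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record, skipping tags this parser does not know."""
    result = {"valid": False, "tags": {}, "ignored": [], "errors": []}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        result["errors"].append("empty record")
        return result
    for index, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if index == 0 and not (sep and name == "v" and value == "DMARC1"):
            # The version tag must come first and is matched exactly.
            result["errors"].append('record does not start with "v=DMARC1"')
            return result
        if not sep or not name:
            result["errors"].append(f"malformed tag: {part!r}")
        elif name not in RFC7489_TAGS:
            result["ignored"].append(name)  # unknown tag: note it, move on
        elif name in result["tags"]:
            result["errors"].append(f"duplicate tag: {name}")
        else:
            result["tags"][name] = value
    policy = result["tags"].get("p", "").lower()
    if policy not in POLICIES:
        result["errors"].append(f"missing or invalid p= value: {policy!r}")
    result["valid"] = not result["errors"]
    return result


def normalise(domain):
    """Lower-case a domain and drop a trailing root dot."""
    return domain.rstrip(".").lower()


def spf_self_references(domain, txt):
    """Return include:/redirect= terms that point back at `domain`.

    Such a term makes the evaluator fetch the same record again, so the
    check can never finish cleanly.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    hits = []
    for term in terms[1:]:
        mech = term.lstrip("+-~?")          # drop the qualifier, if any
        for prefix in ("include:", "redirect="):
            if mech.lower().startswith(prefix):
                if normalise(mech[len(prefix):]) == normalise(domain):
                    hits.append(term)
    return hits


# Constructed sample records.
DMARC_WITH_PSD = "v=DMARC1; p=reject; psd=n; rua=mailto:dmarc@example.com"
DMARC_WRONG_VERSION = "v=DKIM1; p=reject"
SPF_SELF_INCLUDE = "v=spf1 include:example.com -all"
SPF_OK = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    print(parse_dmarc(DMARC_WITH_PSD))
    print(parse_dmarc(DMARC_WRONG_VERSION)["errors"])
    print(spf_self_references("example.com", SPF_SELF_INCLUDE))
```
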


Re: [mailop] DMARC Stockholm syndrome, Reject vs spam folders

2022-09-16 Thread John R Levine via mailop

On Fri, 16 Sep 2022, Brandon Long wrote:

For thirty years we all used mailing lists that didn't mess with the
author's name or address, so you could easily reply either to the
authors or the list (and please don't mansplain to me what Reply-To
does.) That stopped working when AOL and Yahoo repurposed DMARC to
outsource the support costs of incoming spam due to their own security



For 30 years, we allowed mailing lists to modify messages and take partial
"ownership" of them (the mailing list gets the bounces), without
modifying who the message was "from".  When digital signatures were
introduced and then linking them to the sender, it made that untenable...
but the reason we added the signature and linkage was because of bad
actors, and the number of "we always did it this way" things that
have fallen to our fight with bad actors has been quite large.


I think you're basically agreeing with me.  When we came up with DKIM we 
deliberately designed it so that the DKIM domain was separate from any 
other identity in the message.  ADSP was supposed to connect the DKIM 
domain to the From: domain but did it so badly and failed in so many cases 
that nobody used it.  So the next round was DMARC, which handled more 
situations than ADSP, and was intended for heavily forged domains like 
paypal.com.


Unsurprisingly, like any retrofit, DMARC handles a lot of cases but fails 
on others, with mailing lists being the most notable example.  (You used 
to be able to do things like forward an article from a newspaper web site 
to a friend and put your own return address on it, which was useful.) The 
response too often is to blame the victim and retroactively redefine 
perfectly normal and legitimate activities as bad, just because the 
security model du jour can't describe them.


I think we both hope that ARC turns out to be an adequate band-aid to 
increase the amount of legitimate mail that DMARC can handle so that the 
most painful failures work again.  But I think send an article is dead 
forever.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] FW: Did Google become stricter about RFC 5322?

2022-07-15 Thread John R Levine via mailop

On Fri, 15 Jul 2022, Michael Ellis wrote:

The body text lines are likely more than 998 characters. They have a feature to 
break long lines but they didn't enable it. The headers lines will all be well 
below 998 characters.


That's probably what's wrong.  5322 says all the lines, not just the 
headers, have to be no more than 1000 octets including the \r\n





Each header is separated by \r\n

Here is an example of the date: Fri, 15 Jul 2022 12:51:19 -0500   I think this 
is correct.

-Original Message-
From: John Levine [mailto:jo...@taugh.com]
Sent: July 15, 2022 1:16 PM
To: mailop@mailop.org
Cc: m...@bacchusbrew.com
Subject: Re: [mailop] FW: Did Google become stricter about RFC 5322?

It appears that Michael Ellis via mailop  said:

Am I missing something as well? Google just rejected a client due to PTR on 
mailop-boun...@mailop.org but it seems fine to me ...



Gmail, 550-5.7.1 this message has been blocked. Please review 550
5.7.1
RFC 5322 specifications for more information.


PTRs aren't RFC 5322


As far as I can tell, the message is compliant.  It doesn't have any of
the obvious problems, at least.  From, To, Message-ID and Date are
supplied.  No duplicate headers.


How long are the text lines?

Is there \r\n at the end of each line in the header and body?

Is the Date: in the correct form?

R's,
John




Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
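
The questions asked in the message above (how long are the lines, does every line end in \r\n, is the Date: well formed, are headers duplicated) can be checked mechanically before a message leaves the sender. The following is an added example, not code from the thread; the function name and the sample messages are constructed, and the header-count list covers only the common fields that RFC 5322 allows at most once.

```python
import re
from collections import Counter
from email.utils import parsedate_to_datetime

MAX_LINE = 998  # octets per line, not counting the terminating CRLF
REQUIRED = ("date", "from")
AT_MOST_ONCE = ("bcc", "cc", "date", "from", "in-reply-to", "message-id",
                "references", "reply-to", "sender", "subject", "to")


def check_message(raw):
    """Return a list of RFC 5322 format problems found in raw message bytes."""
    problems = []
    if re.search(rb"(?<!\r)\n|\r(?!\n)", raw):
        problems.append("bare CR or LF: every line must end in CRLF")

    headers = []          # [name, value] pairs with folded lines rejoined
    in_headers = True
    for number, line in enumerate(re.split(rb"\r\n|\r|\n", raw), 1):
        if len(line) > MAX_LINE:
            part = "header" if in_headers else "body"
            problems.append(
                f"line {number} ({part}) is {len(line)} octets, limit is {MAX_LINE}")
        if not in_headers:
            continue
        if line == b"":
            in_headers = False            # blank line ends the header section
        elif line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += line        # continuation of a folded header
        else:
            name, sep, value = line.partition(b":")
            if not sep:
                problems.append(f"line {number}: header line without a colon")
                continue
            headers.append(
                [name.strip().lower().decode("ascii", "replace"), value])

    counts = Counter(name for name, _ in headers)
    for name in REQUIRED:
        if counts[name] == 0:
            problems.append(f"missing required header: {name}")
    for name in AT_MOST_ONCE:
        if counts[name] > 1:
            problems.append(f"header appears {counts[name]} times: {name}")

    for name, value in headers:
        if name == "date":
            text = value.decode("ascii", "replace").strip()
            try:
                parsedate_to_datetime(text)
            except (TypeError, ValueError):
                problems.append(f"unparseable Date: {text!r}")
    return problems


def build(headers, body_lines, eol=b"\r\n"):
    """Assemble a constructed test message from header and body lines."""
    return eol.join(headers + [b""] + body_lines) + eol


# Constructed samples; the Date value is the one quoted in the thread.
HEADERS = [b"From: Sender <sender@example.com>",
           b"To: rcpt@example.net",
           b"Date: Fri, 15 Jul 2022 12:51:19 -0500",
           b"Message-ID: <constructed-1@example.com>",
           b"Subject: test"]
GOOD = build(HEADERS, [b"short line"])
LONG_BODY = build(HEADERS, [b"x" * 1200])
BARE_LF = build(HEADERS, [b"short line"], eol=b"\n")
BAD_DATE = build(HEADERS[:2] + [b"Date: 15/07/2022"] + HEADERS[3:], [b"hi"])
DUPLICATE = build(HEADERS + [b"Subject: again"], [b"hi"])

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("long body", LONG_BODY),
                       ("bare LF", BARE_LF), ("bad date", BAD_DATE),
                       ("duplicate", DUPLICATE)]:
        print(label, check_message(msg))
```
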


Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List

2022-05-18 Thread John R Levine via mailop

Note that, in spite of DMARC, we still do not have per-user
authentication.

We have at least two flavors in PGP and S/MIME,


When something exists for 30 years and has market penetration that cannot 
even rise to the level of being called 'meager'. /WE/ -- it, the Internet 
community -- does not have that thing.


Hm, your copy of the message appears to have been cut off.  Here's the 
rest which you presumably missed:


 but even though both are technically sound, nobody uses them outside of a
 few specialized communities which suggests that it's not going to happen.

 There is also the difference between "this mail is from
 b...@sludgemail.com" and "this mail is from Bob Smith whose current
 address is b...@sludgemail.com".  The PGP web of trust is supposed to
 validate real names, but even among PGP users few pay attention to WOT.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Spamhaus: Get more details about LISTING (Could a DMARC Report Address point to a spamtrap)?

2022-05-17 Thread John R Levine via mailop

On Tue, 17 May 2022, Tobias Fiebig wrote:
However, judging from the state of DMARC reporting by the bounces 
hitting my report-from (_large_ orgs having non existent mailboxes in 
there etc.), I'd argue that the only thing that prevents ruf/rua that 
are stale for a decade is the age of RFC7489.


They're just reporting what they receive.  It shouldn't be a big surprise 
that spamware makes up addresses, some of which happen to be in your 
domains.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] SMTP line wrapping breaking DKIM signatures when forwarding

2022-04-28 Thread John R Levine via mailop

On Thu, 28 Apr 2022, Dave Crocker wrote:

Actually, for the current discussion, there is only a single issue:

Should an intermediate relay get fussy and modify the substance
of a message?


That is one way to look at it, but as I said in the message you just 
replied to, in this case not a particularly helpful one.


We can also have endless discussions about what "substance" means, e.g., 
just the body, body and some headers, body in ways that doesn't bother 
DKIM?


R's,
John


Re: [mailop] DKIM by the third party

2022-04-21 Thread John R Levine via mailop
My main point is this: ESPs and other 3rd party SMTP services - should be 
aware that using an SPF record that validates against the provider's domain 
in the SMTP envelope-FROM (and not the actual client's domain) - AND ALSO - 
having only one DKIM record which uses the provider's domain in the DKIM 
record (and, again, not the actual client's domain) - so the combination of 
these 2 - is insufficient and substandard for validating the identity of the 
sender, especially in those cases where that service provider routinely 
allows spammers and scammers to abuse their service.


Oh, sure.  If you're doing B2C or B2B mail which isn't going to run into 
the edge cases of individual or discussion list mail, it makes sense to 
publish a strict DMARC policy and add a DKIM signature which matches the 
header From: address.  Leave the envelope address alone so the ESP can do 
the bounce handling.


So my question was simply asking if Amazon had some checks in place to 
prevent this scenario? ...since I saw some examples of them coming close to 
this fiasco.


They do.  See the link in my message.  I wouldn't say their abuse handling 
is fabulous, but considering their scale, it could be a lot worse.


The lowest tiers of AWS are very cheap, so it's not hard to sign up and do 
a few small scale experiments.


R's,
John



Re: [mailop] Fwd: RFC 9228 on Delivered-To Email Header Field

2022-04-14 Thread John R Levine via mailop

On Thu, 14 Apr 2022, Dave Crocker wrote:

Without knowing what mail software your provider is running, there is
no way to tell.


The benefit of an over-the-wire approach to specification writing is that all 
that matters is what goes... over the wire.  One does not need to know the 
'intent' or 'thinking' or who the source is, or whatever about the source of 
the data that goes over the wire.  One merely needs to know what goes over 
the wire, and compare it to what is in the specification.


So, just so I don't misunderstand, you're saying that one can tell what a 
complex piece of software does by examining a single example of its 
output.  That's quite impressive.



Section 4, second bullet

If a receiving system's delivery process applies mappings or
transformations from the address used by the MHS to a local value,
this new value SHOULD also be recorded into a separate Delivered-To:
field when transit and processing using that address successfully
complete. This ensures a detailed record of the sequence of handling
addresses used for the message.


covers that form of string.


It doesn't, we explained why last year, but since I doubt anyone else is 
interested in this p*ing match, I'm really done now.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] not a way to do abuse contacts, What am I supposed to do with abuse complaints on legit mail?

2022-01-17 Thread John R Levine via mailop

On Mon, 17 Jan 2022, Dan Mahoney wrote:

It is quite simple to use RDAP to get the abuse contact email for
anyone who has provided the info to their RIR.  I do it all the time.
The problem is that too many operators don't bother.  If they don't
tell the RIR, they are not likely to spend effort putting extra
stuff in their rDNS.


What do you do when abuse complaints are just observably bounced or blackholed, 
and not accepting email from gma^W that provider isn't an option?


Nothing surprising.  Sometimes you can tell it's a SWIP to a customer so I 
can add the host's contact address.  Sometimes a provider just doesn't 
care but I find in those cases, they rarely send any mail my users are 
likely to want so I just send their mail to the shredder.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


[mailop] Sendgrid spam of the day -- crypto.com phish

2021-12-31 Thread John R Levine via mailop

For full headers see http://spample.iecc.com/eam/23683557

R's,
John
-- Forwarded message --
Date: Fri, 31 Dec 2021 20:36:03
From: Crypto.com 
To: i...@taugh.com
Subject: Case ID 23045 -Important Notice: Update Your Account



Dear Valued Customer,

We need your help resolving an issue with your account Thus, we have 
temporarily limited what you can do with your account until the issue is
resolved.

We understand it may be frustrating not to have full access to your account. We 
want to work with you to get your account back to normal as quickly
as possible.

we just need some more information about your account or latest transactions

Signin




Crypto.‌com
Blog
App
Exchange
Contact us at:

contact‌@crypto.‌com

Copyright © 2021 Crypto.‌com, All Rights Reserved.


Crypto.‌com
U‌nit 15‌06-‌7 1‌5/‌F P‌acific P‌laza, 4‌10-‌41‌8 D‌es Vo‌eux R‌oad W‌est, 
H‌ong K‌ong

If you no longer wish to receive promotional communications from Crypto.‌com, 
please click here.
(you will no longer receive emails from us about updates and exclusive 
privileges/promotions)





Re: [mailop] Privacy research spam apparently from a grad student at Princeton

2021-12-14 Thread John R Levine via mailop

Which domain?  Feel free to encode it out as need be.


It was in my first message:

 From: Privacy Practices 

Registered at Namecheap, mail sent from AWS

R's,
John


On Dec 14, 2021, at 6:49 PM, John Levine via mailop  wrote:

It appears that Simon Arlott via mailop  said:

On 14/12/2021 18:53, John Levine via mailop wrote:

I think this is different and really is a botched survey from a grad student.
Poking around his department's web site, it seems like the sort of stuff he is
interested in.


I heard back from the student.  It's real, he thinks spamming scraped addresses 
is dandy.



[mailop] Privacy research spam apparently from a grad student at Princeton

2021-12-14 Thread John R Levine via mailop
I got a couple of copies of this message to addresses scraped off my 
websites.  It was sent from AWS cloud using a recently registered domain 
so it's likely a phish, but "Ross Teixeira" is a real person, a grad 
student at Princeton.  Needless to say, sending blasts of spam to scraped 
addresses is not going to get useful research results.


Anyone else get this?  If you want to complain, Princeton's IRB which is 
supposed to review every experiment with human subjects is at 
i...@princeton.edu.  Or if you want to ask Mr. Teixeira what the bleep he 
was thinking, he's at rteixe...@princeton.edu.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

-- Forwarded message --
Date: Tue, 14 Dec 2021 03:03:40
From: Privacy Practices 
To: infri...@iecc.com
Subject: Questions About iecc.com Privacy Practices for Princeton University
Research


To Whom It May Concern,

We are researchers at Princeton University conducting a study of how websites 
are implementing the EU and UK General Data Protection Regulation (GDPR) and 
the California Consumer Privacy Act (CCPA). We are
reaching out to you because this email address is provided as a contact on the 
website iecc.com.

Your website may be required to implement one or both of GDPR and CCPA, and we 
would appreciate if you would answer a few brief questions about your privacy 
practices.

1) Does iecc.com implement GDPR or CCPA? If not, could you please explain why? 
If you are uncertain about whether iecc.com is required to implement these laws 
or answer questions like ours, we have included
informative resources at the end of this email.

2) If you implement GDPR or CCPA, do you process data access requests from 
individuals who are not residents of the EU or UK (for GDPR) or who are not 
residents of California (for CCPA)?

3) If you implement GDPR or CCPA, do you process data access requests via 
email, a website, or telephone? If via a website, what is the URL?

4) If you implement GDPR or CCPA, what personal information must a user submit 
for you to verify and process a data access request?

5) If you implement GDPR or CCPA, what personal information do you provide in 
response to a data access request?

Thank you in advance for your answers to these questions. If there is a better 
contact for questions about privacy practices on iecc.com, I kindly ask that 
you forward my request to them.

Sincerely,
Ross Teixeira

--

We offer these resources about GDPR and CCPA for your convenience. Please note 
that we cannot provide legal advice about whether iecc.com is required to 
implement these laws or respond to our questions like
ours about GDPR and CCPA practices.

* Article 3 of the GDPR, which specifies coverage: 
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679=EN#d1e1455-1-1

* European Data Protection Board guidance on GDPR coverage: 
https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en

* California Attorney General guidance on CCPA coverage: 
https://oag.ca.gov/privacy/ccpa#sectiona

* Section 1798.140 of the California Civil Code, which specifies the businesses 
that CCPA covers:
https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.140.=8.4.45=CIV




[mailop] Bonus sendgrid spam of the day

2021-12-11 Thread John R Levine via mailop

Same outfit, same spamtrap address, this time touting our pals at AARP.

So who is https://www.ninesevenpebble.com/ ?

Full spam at http://spample.iecc.com/saa/23681599

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

-- Forwarded message --
Date: Sat, 11 Dec 2021 08:03:28
From: Membership Offer 
Reply-To: no-re...@smartfinancehome.com
To: john...@zeusprod.com
Subject: December Offer from AARP

AARP - Join & Explore the Benefits

https://rdtrk201.com/?E=MFMTckPk18yTGQ7tjbZyueoobSK6wlK5=

This is a Paid Advertisement.

To unsubscribe please click here 
https://www.ninesevenpebble.com/o-fjch-j43-2f665da82da7ba7c9121aac5a0b4c0e0

4376 Forestdale Drive, #4, Park City, UT 84098, United States


[mailop] Sendgrid spam of the day

2021-12-11 Thread John R Levine via mailop
Sent to an address that has never been real but has been getting a lot of 
spam recently, touting insurance via one of those fake review sites that 
collects affiliate fees.


Full copy here: http://spample.iecc.com/sys/23681598

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

-- Forwarded message --
Date: Sat, 11 Dec 2021 11:03:42
From: Liberty Mutual Insurance 
Reply-To: no-re...@smartfinancehome.com
To: john...@zeusprod.com
Subject: Here's how to only pay for what you need.

Spring RateCut

https://www.smartfinancecentral.com/click.php?source=liberty_mutual=liberty_mutual==234578

Can we help you cut your rate?

You could save $947.
 Only pay for what you need with customized insurance from Liberty Mutual.

Get my customized quote 
https://www.smartfinancecentral.com/click.php?source=liberty_mutual=liberty_mutual==234578

or call 1-844-764-0144 
https://www.smartfinancecentral.com/click.php?source=liberty_mutual=liberty_mutual_mi==234578

Savings validated by new customers who switched to Liberty Mutual between 
1/2020-10/2020 and participated in a countrywide survey. Savings may vary. 
Comparison does not apply in MA.

Coverage provided and underwritten by Liberty Mutual Insurance Company or its 
subsidiaries or affiliates, 175 Berkeley Street, Boston, MA 02116 USA. Equal 
Housing Insurer. Learn more about our privacy policy at 
libertymutual.com/privacy 
https://www.libertymutualgroup.com/about-lm/corporate-information/privacy-policy.

©2021 Liberty Mutual Insurance

This email was sent to you on behalf of Liberty Mutual by a third-party 
marketing company. You are receiving email from this third-party marketing 
company because you have previously expressed your interest in receiving 
commercial email through a site or sites associated with them.

This email message contains information regarding products and services offered 
by Liberty Mutual Insurance Company. If you do not wish to receive email 
messages from Liberty Mutual that are advertising or promotional in nature, 
please unsubscribe here https://pages.email-libertymutual.com/tp-unsubscribe.


Re: [mailop] WhatCounts/Costco silliness

2021-10-26 Thread John R Levine via mailop

From memory, I believe ...


Why are you guessing?  The CAN SPAM law and the FTC's CAN SPAM rule are 
easy to find online.



lot of mail programs now recognize List-Unsubscribe and give you an
option in the frame of the message which is easier to recognize


1. But others do not


Well, if you know the recipient is at Gmail, you know they show the unsub 
link, and there are plenty of senders that separate mail per large 
recipient.  Law is not software, you have to show reasonable intent.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] WhatCounts/Costco silliness

2021-10-24 Thread John R Levine via mailop

List-Unsubscribe: 
List-Unsubscribe-Post: List-Unsubscribe=One-Click

I don't know which fools to blame; The client Costco, or their ESP
WhatCounts.  Perhaps both.


Definitely both.


I don't work for or with WhatCounts, but I know who does, so I nudged them.


Considering that every message sent without working unsubscribe is a CAN 
SPAM violation, I'd think some tooling to check that the link at least 
connects to a server would be in order.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] how SSL works, was IMAP and SMTP in the same or separated IPs?

2021-10-16 Thread John R Levine via mailop

On Fri, 15 Oct 2021, Michael wrote:
I prefer to think that the company I pay $$ to for a cert, makes enough 
they don't have to sell our data.  Remember, each lookup against Let's 
Encrypt shares information, that can be resold.


Sorry, but that is simply wrong.  It's not how SSL works.

The whole point of the signature chain from a CA certificate is so that a 
client can check any cert against its local list of signers, without 
any external queries.  In theory a client can use OCSP to ask a signer 
whether a cert has been revoked, in practice nobody does because it's slow 
and revocations are rare.


Let's Encrypt is run by the Internet Security Research Group, a California 
non-profit funded by large gifts from organizations like Cisco, Facebook, 
Akamai, Amazon, EFF, ISOC and the Ford and Gates foundations, and small 
gifts from people like me.  I happen to know a few of their directors and 
technical advisory board members, and I expect you do, too.  FWIW, their 
privacy policy specifically says that they do not sell user information 
including OCSP queries, but it would make no sense for them to do so.


If you want online verification of certs, that's DNSSEC and DANE, but for 
a variety of political and technical reasons, hardly anyone other than 
Comcast uses them for mail.


R's,
John

PS: Looking at the privacy policy for Sectigo, the new name for Comodo, I 
see:


Re-Targeting

Sectigo has relationships with third-party advertising companies and 
permits the operation of a retargeting consumer marketing program. These 
third-party advertisers may place cookies on your computer for the 
collection of pseudonymised consumer information, but they do not collect 
personal information and we do not give them personal information. This 
Privacy Policy does not apply to these third-party advertisers but if you 
would like additional information, please visit Network Advertising 
Initiative at www.networkadvertising.org/managing/opt_out.asp, which also 
allows you to opt-out of such retargeting programs.





[mailop] Gosh I love sendgrid

2021-09-11 Thread John R Levine via mailop

Today's phish, sent directly from sendgrid to my father who has been dead since 
2019.

Relevant Received headers in the unlikely event anyone might want to track it 
down:

Received: from o3.ptr4431.ordersnapp.com (o3.ptr4431.ordersnapp.com 
[167.89.47.140])  by mail1.iecc.com ([64.57.183.56])

  with ESMTPS via TCP (port 20674/25) id 682323596
  tls TLS1_3_ECDHE_RSA_AES_128_GCM_AEAD sni mx1.gurus.org; 11 Sep 2021 18:41:35 
-
Received: by filterdrecv-55446c4d49-sgpf9 with SMTP id 
filterdrecv-55446c4d49-sgpf9-1-613CF85E-32

2021-09-11 18:41:34.618842626 + UTC m=+850909.425078822
Received: from EC2AMAZ-GM5P31T.ec2.internal (unknown)
by geopod-ismtpd-3-0 (SG) with ESMTP id PyG_AmsvSzySaVHEQAwcBQ
for ; Sat, 11 Sep 2021 18:41:34.502 + (UTC)

Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

-- Forwarded message --
Date: Sat, 11 Sep 2021 14:41:34
From: Security Center 
To: xxx
Subject: Account Security Update 11 September, 2021

[DZGVOMC.png]
We recently detected an unusual activity, We are sorry for the inconvience 
caused. Hope you are safe at home   Ꭰеаr chase member,
I'm not the only one here who's not married.We recently detected an unusual 
activity. tay Safe Stay Homeon yoI'm not the only one here who's not
married.ur J.P MorgI'm not the only one here who's not married.an CI'm not the 
only one here who's not married.hase online banking account. UnfortuI'm
not the only one here who's not married.na tely, we had to suspend your online 
bankiI'm not the only one here who's not married.ng in order to ensure
the safety of your account. I'm not the only one here who's not married.This 
suspension is temporary. We require some additional information. I'm not the 
only one here who's not married.We are sorry for the inconvience caused.

Verify now
Sincerely,
ChaI'm not the only one here who's not married.se BanI'm not the only one here 
who's not married.king




Re: [mailop] DMARC: Anyone using pct=n with n !=0 and n !=100?

2021-08-23 Thread John R Levine via mailop

On Mon, 23 Aug 2021, A. Schulze wrote:

On 21.08.2021 at 20:30, John Levine wrote:

It appears that A. Schulze via mailop  said:

We review the reports once per month and investigate findings
Depending on the current situation we plan to increase pct=


If you mean the DMARC aggregate and failure reports, are you aware that the 
pct=N setting

does not affect the reports at all?


yes, I mean the daily aggregated reports, we review them at all once a month


I'm confused.  Since the pct doesn't affect the reports, what's the point?
Once you get the number of failures low enough, just set pct=100 and be 
done with it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] m-365 still works like a spammer !

2021-07-24 Thread John R Levine via mailop

On Sat, 24 Jul 2021, Lukas Tribus wrote:

See SPF-aware greylisting:

https://poolp.org/posts/2019-12-01/spf-aware-greylisting-and-filter-greylist/


Interesting idea, might try it sometime, but on my small system fuzzing 
IPs works well enough.  I do have a whitelist but I find I only need to 
add something to it about once a year.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] DMARC Reject

2021-07-19 Thread John R Levine via mailop
Remember that when you publish p=reject, you're saying your mail is very 
UNimportant.  If there's any doubt that a message is really from you, 
don't deliver it, throw it away.  This makes sense if you are Paypal, 
you're phished 24/7/365, and your mail only says "something happened, look 
at your account."  For the rest of us, we'd probably prefer that our mail 
were delivered.



As it stands from what I have seen in the DMARC logs I am not aware of any group 
trying to use our domain names but as a PUD that is a concern I have


When I look at your mail I see that it has a DKIM signature from 
gcpud.onmicrosoft.com, not gcpud.org, so your DMARC authentication is SPF 
only.


If you're sending paperless electric bills from gcpud.org to people who 
use a forwarding address, e.g., from their university or a professional 
association, SPF can't handle the forward so with p=quarantine they will 
have to fish their bills out of the spam folder every month.  With 
p=reject they won't get the bills at all.  That doesn't seem like 
excellent customer service.



I could just leave it at p= quarantine and wait to see if I actually see if 
things pop off on the two domains we use


Since you're not seeing any attacks, I would set it back to p=none until 
you can get aligned DKIM signatures.


R's,
John


-Original Message-
From: John Levine 
Sent: Monday, July 19, 2021 6:43 PM
To: mailop@mailop.org
Cc: Samual Carman 
Subject: Re: [mailop] DMARC Reject

It appears that Samual Carman via mailop  said:

I am considering rolling out a p=Reject policy at my company and before I did 
that I wanted to see where we are at as industry.


Different operators publish different policies.  In the IETF group where we are 
working on a DMARC revision, we're finding that the practical difference 
between p=quarantine and p=reject is insignificant.

Have you been collecting DMARC reports?  Are you confident that you know the 
paths your mail takes?
On the one hand, do you actually see people maliciously forging your domain, 
and on the other hand are you willing to screw up the mail of people who 
participate in lists like this one?
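
The situation described in the reply above (From: in gcpud.org, DKIM signed with d=gcpud.onmicrosoft.com, recipients behind a forwarding address), worked through as an added example that is not part of the thread. The two-label organizational-domain rule and the assumption that a forwarder keeps the envelope sender and leaves the DKIM signature intact are simplifications made here; real evaluators use the Public Suffix List.

```python
"""Simplified DMARC identifier alignment (relaxed mode) for the forwarding case."""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels.
    # A real evaluator consults the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """True if an authenticated identifier aligns with the From: domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


@dataclass
class Delivery:
    header_from: str         # domain in the From: header
    mail_from: str           # envelope sender domain, the identity SPF checks
    spf_pass: bool           # did SPF pass for the connecting IP?
    dkim_d: Optional[str]    # d= of a DKIM signature that verified, or None


ACTIONS = {
    "none": "fail, no action",
    "quarantine": "fail, spam folder",
    "reject": "fail, rejected",
}


def disposition(d: Delivery, policy: str) -> str:
    """DMARC passes if either SPF or DKIM passes AND is aligned with From:."""
    spf_ok = d.spf_pass and aligned(d.mail_from, d.header_from)
    dkim_ok = d.dkim_d is not None and aligned(d.dkim_d, d.header_from)
    if spf_ok or dkim_ok:
        return "dmarc pass"
    return ACTIONS[policy]


def scenarios() -> dict:
    cases = {
        # Sent straight from the sender's authorized servers: SPF passes and
        # is aligned, so the unaligned onmicrosoft.com signature does not matter.
        "direct": Delivery("gcpud.org", "gcpud.org", True, "gcpud.onmicrosoft.com"),
        # Relayed by a forwarder: SPF is now checked against the forwarder's IP
        # and fails; the DKIM signature still verifies but is not aligned.
        "forwarded": Delivery("gcpud.org", "gcpud.org", False, "gcpud.onmicrosoft.com"),
        # Same forward, but with a signature whose d= is the From: domain.
        "forwarded, aligned DKIM": Delivery("gcpud.org", "gcpud.org", False, "gcpud.org"),
    }
    return {
        (name, policy): disposition(d, policy)
        for name, d in cases.items()
        for policy in ("none", "quarantine", "reject")
    }


if __name__ == "__main__":
    for (name, policy), result in scenarios().items():
        print(f"{name:26} p={policy:11} -> {result}")
```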



Re: [mailop] So how do you actually manage to send mails to outlook/hotmail?

2021-07-11 Thread John R Levine via mailop

On Mon, 12 Jul 2021, Marcus Hoffmann wrote:

(Others at Hetzner seem to do fine. I really do not get the whole rating 
IP neighborhoods thing, but let's not get into that again. I can't change it anyway.)


I can only speak for myself, but I have all of Hetzner's IPs routed into 
the spam trap, and I poke holes on the rare occasion that one of my users 
reports missing mail they care about.  I suppose that if you send enough 
mail that the recipients notice they are missing, you can get exceptions 
added.  Seems like a lot of work.



Netcup isn't fabulous, but it's better than Hetzner.


So, what would be even better then? (Netcup was just the next best available 
option here in DE. And well, the cheapest.)


Someone suggested routing emails to MS and google domains through Amazon SES. 
Would that actually make things better?


It might, Amazon does some fairly sophisticated filtering.  But if your 
mail from Netcup works, you might as well stick with that.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Greylisting never passing on retry

2021-04-21 Thread John R Levine via mailop

On Wed, 21 Apr 2021, Peter Nicolai Mathias Hansteen wrote:

SMTP was defined in the late 1970s and we didn't invent greylisting
until about 2003. I don't think you can blame them for not being
clairvoyant.


No clairvoyance was required for taking account of greylisting in the 2008 
update that the article was about, but you’re probably right in a largish chunk 
of cases about this bit:


That update quite deliberately did *not* make changes that were 
incompatible with decades of existing practice.  Forcing large mail farms 
to send retries from the same IP would be a significant and painful change 
which means that in practice they would have ignored it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] SPF prevents enabling IPv4+IPv6?

2021-03-02 Thread John R Levine via mailop

On Tue, 2 Mar 2021, Otto J. Makela wrote:

Unfortunately, RFC 7208 section 4.6.4 DNS Lookup limits also states:

  As described at the end of Section 11.1, there may be cases where it
  is useful to limit the number of "terms" for which DNS queries return
  either a positive answer (RCODE 0) with an answer count of 0, or a
  "Name Error" (RCODE 3) answer.  These are sometimes collectively
  referred to as "void lookups".  SPF implementations SHOULD limit
  "void lookups" to two.  An implementation MAY choose to make such a
  limit configurable.  In this case, a default of two is RECOMMENDED.

I read this as meaning most implementations will let you only have
two NOERRORs, and then it's game over. As I said, I doubt SPF was
intended to cause this side effect.


Hm, missed that, it does seem wrong.

On the other hand, if you're going to support IPv6, it seems to me that 
if you put host names in your SPF record, those names should have both A 
and AAAA records.  As other people have pointed out, using the IP 
addresses is often a better idea anyway.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
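
The void-lookup limit quoted above, and the two remedies suggested in the reply, as an added example that is not part of the thread. It is a deliberately small SPF evaluator (only `a:`, `ip4:`, `ip6:` and `all`) run against constructed zone data; host names and addresses are documentation values chosen here.

```python
"""SPF void-lookup limit (RFC 7208 section 4.6.4) with IPv4-only host names."""
import ipaddress

VOID_LOOKUP_LIMIT = 2  # the RECOMMENDED default from the quoted RFC text
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: (name, rrtype) -> answers. A missing key models a
# NOERROR answer with zero records, i.e. a void lookup.
ZONE_V4_ONLY = {
    ("mx1.example.com", "A"): ["192.0.2.1"],
    ("mx2.example.com", "A"): ["192.0.2.2"],
    ("mx3.example.com", "A"): ["192.0.2.3"],
    ("mx4.example.com", "A"): ["192.0.2.4"],
    ("mx4.example.com", "AAAA"): ["2001:db8::4"],
}
# Same hosts, but every name has both A and AAAA records.
ZONE_DUAL = {
    **ZONE_V4_ONLY,
    ("mx1.example.com", "AAAA"): ["2001:db8::1"],
    ("mx2.example.com", "AAAA"): ["2001:db8::2"],
    ("mx3.example.com", "AAAA"): ["2001:db8::3"],
}

RECORD_NAMES = ("v=spf1 a:mx1.example.com a:mx2.example.com "
                "a:mx3.example.com a:mx4.example.com -all")
RECORD_IPS = "v=spf1 ip4:192.0.2.0/29 ip6:2001:db8::/64 -all"


def check_host(record: str, client_ip: str, zone: dict):
    """Return (result, void_lookups) for a client IP against one SPF record."""
    ip = ipaddress.ip_address(client_ip)
    # The "a" mechanism queries the record type matching the connection.
    rrtype = "AAAA" if ip.version == 6 else "A"
    voids = 0
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none", voids
    for term in terms[1:]:
        result = "pass"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return result, voids
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result, voids
        elif name == "a":
            answers = zone.get((arg.lower(), rrtype), [])
            if not answers:
                voids += 1
                if voids > VOID_LOOKUP_LIMIT:
                    return "permerror", voids
            elif any(ip == ipaddress.ip_address(a) for a in answers):
                return result, voids
        else:
            return "permerror", voids  # mechanism not handled in this sketch
    return "neutral", voids


if __name__ == "__main__":
    for label, record, zone in (
        ("names, IPv4-only hosts", RECORD_NAMES, ZONE_V4_ONLY),
        ("names, dual-stack hosts", RECORD_NAMES, ZONE_DUAL),
        ("literal IP ranges", RECORD_IPS, {}),
    ):
        for client in ("192.0.2.4", "2001:db8::4"):
            print(f"{label:24} {client:12} -> {check_host(record, client, zone)}")
```

The legitimate sender mx4 gets a permerror over IPv6 only because three earlier names have no AAAA record; it passes once those names are dual-stacked or the record lists address ranges directly.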


Re: [mailop] Spamhaus Public Mirror Error Return Code Update

2021-02-16 Thread John R Levine via mailop

On Tue, 16 Feb 2021, Alessandro Vesely wrote:

rcode[*], such as FORMERR/
REFUSED, possibly followed by a more precise extended error code[†].


Except that REFUSED means something else,


When Spamhaus sends REFUSED, it means you're trying to query a server that 
only paying customers can use, but you didn't provide a customer password.


Is it that requiring people to install a DNSBL-specific plugin earns 
Spamhaus something?


If you see any of these codes, your setup is broken.


What I see is something like this:

Feb 16 09:30:44 north courieresmtpd: 
error,relay=193.188.30.85,port=50761,from=,to=: 
550 Rejected - see http://www.spamhaus.org/query/bl?ip=193.188.30.85


I don't see the actual code.


The hint will be that every single message appears to be blacklisted.

Having been through this a few times with a tiny BL that I run, no matter 
what you return a lot of clueless people will keep hammering on you year 
after year.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] What's the point of secondary MX servers?

2020-12-17 Thread John R Levine via mailop
Unfortunately, many sending clients (newsletters, announcements, etc.) 
do not retry if the initial delivery fails.


That's impressively broken.  Do you have specific examples?

Back when I was tuning my greylister I found some rather strange retries, 
but I don't recall many senders that didn't retry and didn't look like 
spambots.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] What's the point of secondary MX servers?

2020-12-17 Thread John R Levine via mailop

I use minger to validate secondary mx with the primary for account validity, is 
that not common then?


If the primary is up, why would anyone be sending mail to the secondary?

R's,
John



Sent from my iPad


On 17 Dec 2020, at 21:28, John Levine via mailop  wrote:

As we all know, MX records have a priority number, and mail senders
are supposed to try the highest priority/lowest number servers first,
then fall back to the lower priority.

I understand why secondary MX made sense in the 1980s, when the net
was flakier, there was a lot of dialup, and there were hosts that only
connected for a few hours or even a few minutes a day.

But now, in 2020, is there a point to secondary servers? Mail servers
are online all the time, and if they fail for a few minutes or hours,
the client servers will queue and retry when they come back.

Secondary servers are a famous source of spam leaks, since they
generally don't know the set of valid mailboxes and often don't keep
their filtering in sync?  What purpose do they serve now?

R's,
John

PS: I understand the point of multiple MX with the same priority for
load balancing.  The question is what's the point of a high priority
server that's always up, and a lower priority server that's, I dunno,
probably always up, too.











Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Google and Spam detection

2020-07-25 Thread John R Levine via mailop

Gmail has repeatedly said that they do not accept unauthenticated mail on IPv6.


And with very good reason. Consider that you can very easily have a dedicated 
IP address for every email message you will ever send :-)


Of course.  Doesn't everyone do that?

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Rolling DKIM Key Disclosure

2020-07-11 Thread John R Levine via mailop

"Sorry, I think what you're looking for isn't useful, you're misinformed" isn't 
exactly a useful response when someone,
especially a customer, asks for something, sadly.


So what do you say when they demand 100% inbox placement and the ability 
to remotely delete mail they've already sent?


Customers ask for silly things all the time.  We say no.

R's,
John



On 7/11/20 3:02 PM, John Levine wrote:

In article <4ac6b77b-375b-4cc0-b2f5-84f769683...@as397444.net> you write:

More like “customer sees that DKIM is used to authenticate DNC leaks, decides 
that DKIM is a
terrible idea for a political entity to have on, let alone any random business”.


Sounds like a customer deep into cypherpunk silliness.

For one thing, while it was kind of cute that we could still check the
DKIM signatures on old DNC mail (I did) that's only because Gmail
never rotates their keys. The signing key was still in the DNS.
Monthly key rotation like I do should be plenty to avoid that unless
messages are leaking in close to real time, in which case DKIM is the
least of your problems.

The other is that nobody I know found the DKIM validation to be more
than a curiosity. People believed the messages were real because they
knew who used the account and they were otherwise plausible. There was
no cryptographic signature on the Pentagon papers in 1971 but that
doesn't seem to have been any impediment to people taking them
seriously.


Re: [mailop] Rolling DKIM Key Disclosure

2020-07-11 Thread John R Levine via mailop

Hmm? SSL/TLS has never signed the content of a website. It only authenticates 
temporary symmetric encryption keys which
are used to encrypt (not sign) the contents.


Aw, come on.  Web servers send a certificate at the beginning of the 
transaction.  If I cared, it would take about 10 seconds to do wgets and 
save the certificate.


Technically, you're right that the cert doesn't sign the contents, but 
this is a distinction only someone deep into cypherpunk silliness cares 
about.


R's,
John


On 7/11/20 2:50 PM, John Levine wrote:

In article <22b8aa44-cab8-4467-a18b-ee463997c...@as397444.net> you write:

As for use-case, I don’t find it strange that folks may not want to 
cryptographically sign all
their mail without any option to turn that off.


They put up with it on their web sites.

This still impresses me as a customer not worth the hassle.


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread John R Levine via mailop

In article <947f2235-ae10-47b5-90cd-f096d5648...@wordtothewise.com> you write:


Why is Google applying a strict reject when the policy is p=none?


It is my understanding that Google requires all IPv6 mail to be SPF or
DKIM authenticated with or without DMARC.

The "aspf=s" is probably the reason since the mail servers have names
in three Gaullish subdomains of imp.ch and I doubt those domains are
on the From: line of mail.

Beyond that I'm also wondering if the /32 in the SPF record is too big
and smells too close to +all.  The MTAs are all in the same /64 so put
that in the SPF record.





Re: [mailop] what is spam was Re: [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-27 Thread John R Levine via mailop

On Fri, 27 Mar 2020, Kevin A. McGrail wrote:

And I take the approach that there is implicit consent in
transactions.  For example, you buy something from XYZ big box store's
website.  There is a 100% implicit consent that you can receive emails
about that order such as a receipt and shipping status.


Sure, but even there it rapidly gets grey.  When they send you a note 
saying "you ordered PRODUCT three days ago, please review it for our other 
customers"?  Or if you ignore it and they send you three more?


There's also a lot of fuzz about what's consent.  How about a prechecked 
box saying "send me valuable offers from our treasured marketing 
partners?"  Feel free to imagine how visible or not the checkbox might be.


That's where the rule comes in about sending mail people want.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-26 Thread John R Levine via mailop

Messages of all type but not a single feedback loop complaint.  These
are definitely FPs as I disagree with your statement that a notice about
COVID-19 from someone who signed up to a list would be false positives.

?? These are confirmed, opt-in customer / community lists.  Things like

Fire Department staff and Knights of Columbus member lists.


Oh, OK.  If the mail has a clear relation to what the users signed up for, 
you're right, it's FP's


As I'm sure you're aware, we've seen way too much spam from people who 
imagine that COVID is an excuse to reanimate zombie lists.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] [EXTERNAL] Strange MIME headers from Microsoft

2020-03-06 Thread John R Levine via mailop

Yeah, looking for someone to have a peek at that.
Rather Strange, to say the least.


I looked at the logs, there's quite a few, all seem from outlook hosted 
accounts.



-Original Message-
From: mailop  On Behalf Of John Levine via mailop
Sent: Friday, March 6, 2020 9:35 AM
To: mailop@mailop.org
Subject: [EXTERNAL] [mailop] Strange MIME headers from Microsoft



Take a look at this archived message sent from an Outlook hosted user:



https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Flast-call%2FxTEWTOyy4HOX-wyvFVaOicn2P-I%2F%23data=02%7C01%7Cmichael.wise%40microsoft.com%7Cff4f318df5b24e654fb008d7c1f52e92%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637191131102826023sdata=%2Br4mkYri0davTs5Z3J4HCvcuGWtydtlexGxI8FykX%2Bs%3Dreserved=0



The Message-ID, ARC-Seal and some private headers are MIME encoded, like this:



Message-ID: =?utf-8?q?=3CMWHPR1301MB209609A6C565A653FD477AA585E30=40MWHPR130?= 
=?utf-8?q?1MB2096=2Enamprd13=2Eprod=2Eoutlook=2Ecom=3E?=



That is completely invalid under the mail standards (I checked with the guys 
who wrote them) and oddly pointless, since if you decode the MIME glop, it's an 
ordinary ASCII ID:



Message-ID: 
mailto:mwhpr1301mb209609a6c565a653fd477aa585...@mwhpr1301mb2096.namprd13.prod.outlook.com>>



I only see this in messages from outlook.com so I'm pretty sure they're doing 
it, not some intermediate system.  Anyone there we can get to look at it and 
fix it?



R's,

John






Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
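
A check for the defect reported in the quoted message, as an added example that is not part of the thread: it flags RFC 2047 encoded-words in headers where they are not allowed and decodes them to show the plain ASCII underneath. The Message-ID is the one quoted above; the other sample headers are constructed, and the set of header names checked is limited to Message-ID, ARC-Seal and DKIM-Signature as an assumption of this sketch.

```python
"""Flag MIME encoded-words in structured headers that must stay literal."""
import re
from email import message_from_string
from email.header import decode_header

# Shape of an RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")

# ASSUMPTION: illustrative subset of headers whose syntax has no place
# for encoded-words.
NO_ENCODED_WORDS = {"message-id", "arc-seal", "dkim-signature"}

# Constructed sample. Only the Message-ID is taken from the thread; the
# From and Subject lines are made up. Subject is unstructured text, so
# an encoded-word there is legitimate and must not be flagged.
SAMPLE = (
    "From: sender@example.com\n"
    "Subject: =?utf-8?q?Caf=C3=A9_menu?=\n"
    "Message-ID: =?utf-8?q?=3CMWHPR1301MB209609A6C565A653FD477AA585E30"
    "=40MWHPR130?=\n"
    " =?utf-8?q?1MB2096=2Enamprd13=2Eprod=2Eoutlook=2Ecom=3E?=\n"
    "\n"
    "body\n"
)


def decode_value(value: str) -> str:
    """Decode every encoded-word in a header value and join the pieces."""
    out = []
    for part, charset in decode_header(value):
        if isinstance(part, bytes):
            out.append(part.decode(charset or "ascii", errors="replace"))
        else:
            out.append(part)
    return "".join(out)


def audit(raw_message: str):
    """Return [(header name, decoded value)] for each offending header."""
    findings = []
    for name, value in message_from_string(raw_message).items():
        if name.lower() not in NO_ENCODED_WORDS:
            continue
        unfolded = re.sub(r"\r?\n[ \t]+", " ", str(value))
        if ENCODED_WORD.search(unfolded):
            findings.append((name, decode_value(unfolded)))
    return findings


if __name__ == "__main__":
    for name, decoded in audit(SAMPLE):
        print(f"{name}: encoded-word not allowed here; decodes to {decoded}")
```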



Re: [mailop] [FEEDBACK] whose address, was Approach to dealing with List Washing services, industry feedback..

2020-01-23 Thread John R Levine via mailop

message (this time to the correct address), it will end up in the
recipient's spam folder, without them knowing why.
Don't do it to them. Just delete those messages, don't put them to spam.


I disagree. If the sender wants eyeballs to see their emails, they need
some incentive to put in place the systems that'll validate the correct
recipients. Like double-opt-in. Especially before persistent and repeat
use of an address where you don't actually know the recipient wants your
mail.


In my experience the wrong-John mail consists of a great deal of 
individual and transaction mail and very little ordinary bulky stuff. 
These days most legit mailers have working unsubs so if someone signs me 
up, or more likely a store from which they've bought something assumes I 
want endless ads for stuff sort of like what I didn't buy, one click on 
the unsub button makes it stop.


Not so for wedding invitations, tax notices, and so forth.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] BIMI

2019-12-10 Thread John R Levine via mailop

On Tue, 10 Dec 2019, Brandon Long wrote:
I guess it depends on how small.  It's also that it's kind of self 
limiting, in the sense that if it's expensive enough that only few do 
it, then it doesn't have the same perceived bad effects like it would if 
99% of mail had it.


I think it could be a long tail thing -- if all the businesses $100M or 
bigger do BIMI, that's a large fraction of the mail but a small fraction 
of the number of businesses.


The overall request for it probably has to do with the perception that 
email is competing these days with other messaging products which are 
almost entirely proprietary.  If I'm contacted by a vendor on 
FB/Twitter/Messenger/Instagram/whatever, it will be branded... and email 
looks outdated.


I sadly realize that I am the last person in the world using Alpine.




Re: [mailop] Gmail marking email from me as spam

2019-10-11 Thread John R Levine via mailop

Are they still fundamentally constrained by their choice of network
provider, despite complying with every possible security and delivery
behaviour to warrant and verify the content and sender of every email?


Yes.  Remember, nobody else cares as much about the mail you send as you do.


Has the prevailing method of deciding worthiness now become permanently
biased towards the 'prior reputation' factor?


Yes.  See above.


If so, would an operator ever be able to build the kind of reputation to
have reliable delivery to the big public services, without resorting to
using third party delivery providers? To me that feels like an expensive
cop-out and is assisting the creation of a de facto oligopoly (never mind
all the arguments about a two-tier email ecosystem, net neutrality etc).


Find a provider that keeps its spamming customers under control.  It's not 
hard, they do exist, but you're not likely to find them selling self-serve 
VPS for $2/mo.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Gmail marking email from me as spam

2019-10-10 Thread John R Levine via mailop

It's a basic mistake to operate on whole netblocks and not
individual senders.


i somewhat disagree


There are definitely networks that are so dirty that it's not worth 
accepting their mail.  OVH hovers on the bad side of that line.


If I were more interested in getting my mail to work than in lecturing 
strangers on how to run their networks, and for some reason I still wanted 
to keep my server at OVH (they're certainly cheap) I would reconfigure my 
outgoing mail to use OVH's smarthosts which have a somewhat better rep 
than their cruddy hosting blocks.


And, of course, I would get a real domain name rather than a free one.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Gmail marking email from me as spam

2019-10-09 Thread John R Levine via mailop

Just because you should by default accept mail from everyone
*unless* the sender proved to be nasty/harmful/malicious etc.?


what if they look quite plausibly harmful?


Right.  I didn't get the message you were responding to, so I looked in 
the logs and see the IP is in the middle of a block at OVH that gushes 
spam so it went straight to the spam trap.  The logs say that it's the 
only message of the last several hundred from that block that arguably 
wasn't spam, so that's a pretty low error rate.



Well, Gmail is basically "free stuff" as well. Yahoo is "free
stuff". In my country, Onet, WP and Interia are big free e-mail
providers as well. Should nobody accept mail from them just because
they are free?


They manage to keep the ratio of good mail to junk acceptable.  As others 
have pointed out, whether they're "free" is open to debate.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Anyone on this List with Access to Amazon SES Maillogs?

2019-05-17 Thread John R Levine via mailop

Hi, this is very odd, could you send a traceroute to those IPv6
destinations? I can confirm the servers do NOT refuse IPv6 connections.
I suppose there is a transit problem from certain ISP.


No, you're refusing the connections.  When I connect via an IPv6 tunnel 
from HE you refuse the connection, when I connect from a VPS somewhere 
else, you accept it.  Traceroutes show it's going to you, not anywhere 
else.


Contrary to rumor, there are plenty of real people using HE tunnels. 
You're probably blocking SES, too.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] List of unused, big email-domains?

2019-01-08 Thread John R Levine

Tools can be used for good and bad purposes.  At some level, an ESP is
trusting mailing lists from their customers, and
knows that some of those lists are bad, even if the customer claims the
lists are on the up and up.  Any "white hat" ESP is going
to have various systems in place to try and catch these bad lists and bad
customers before they send mail.  A grey or black hat
ESP could use that to just remove the known bad entries.


Every legit ESP that I know already has a big list of poison addresses. 
People can try and do it if they want, but don't see it as very useful.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Lost DMARC reports reason (Was: DKIM headers - which do you sign and why?)

2018-07-27 Thread John R Levine

2) RFC is unclear about the minimal authorization record being
"v=DMARC1" or "v=DMARC1\;"


The semicolon is required.  I filed an erratum.

See https://www.rfc-editor.org/errata/eid5440

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] DKIM headers - which do you sign and why?

2018-07-25 Thread John R Levine

When you put in the missing semicolon, what happened?


On Wed, 25 Jul 2018, Stefano Bagnara wrote:


On Wed, 25 Jul 2018 at 21:18, John R Levine  wrote:

For example, a TXT resource record at
"*._report._dmarc.example.com" containing at least "v=DMARC1"
confirms that example.com is willing to receive DMARC reports for any domain.


That appears to be a typo in the spec.  Every valid DMARC record has a
semicolon after v=DMARC1


That's not a DMARC record according to the spec. It is some other
thing to make third party domain validation record" (simply states
"same overall format" but most of the DMARC record attributes would
make no sense there..).
It doesn't sound like a typo as the spec iterates the "v=DMARC1"
sequence multiple times and simply tells that you have to parse txt
records as "key=value".

A real DMARC record with no ";" wouldn't make sense as "v=DMARC1;" is
not enough for a DMARC policy record (p= is required too).

Also DMARC spec says:

6.3.  General Record Format
  DMARC records follow the extensible "tag-value" syntax for DNS-based
  key records defined in DKIM [DKIM].

and RFC6376 3.2. Tag=Value Lists does not make the ";" mandatory:
tag-list  =  tag-spec *( ";" tag-spec ) [ ";" ]

Also the whole ABNF for dmarc-record is IMHO wrong . The sentence
"components other than dmarc-version and dmarc-request may appear in
any order" is not formal ABNF nor correct (so the first dmarc-sep can
be placed out of order???).

Also, given the last ";" is optional, I think the "least surprise"
rule would state that it makes no sense to require the ";" when you
only have 1 key=value.

So, given that the only place "requiring" that ";" in the SPEC is an
ABNF token that is defined with not formal syntax, I read that token
definition as the *error* in the RFC, not the other 6 references that
states the ";" is not required. But I was not in the working group, so
I can only read and analyze what I read in the most critical way ;-)

I see that you just submitted an Errata for the RFC, so we'll see what
the consensus will be in the next draft.

That said, I'm going to be safe and add the semicolon there, and make
it "v=DMARC1;".

Thank you, really!

PS: I saw that "v=DMARC1" in a lot of domains in the wild as the RFC
reports that "v=DMARC1" minimal sequence a lot of times.



Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
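
The two readings argued over in this message can be checked mechanically. The following is an added example, not code from either poster or from any DMARC implementation: it parses a TXT record with the RFC 6376 tag-list grammar quoted above (trailing ";" optional), then reports separately whether a ";" follows v=DMARC1 and whether a policy record carries p=. The function names and the sample records are constructed for illustration.

```python
import re

# tag-name in RFC 6376 section 3.2: a letter followed by letters, digits or "_"
_TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")
# The stricter reading from the thread: v=DMARC1 must be followed by ";"
_VERSION_WITH_SEP = re.compile(r"\s*v\s*=\s*DMARC1\s*;")


class TagListError(ValueError):
    """The text does not match the tag-list grammar."""


def parse_tag_list(text):
    """Parse  tag-list = tag-spec *( ";" tag-spec ) [ ";" ]  into (name, value) pairs."""
    specs = text.split(";")
    if len(specs) > 1 and not specs[-1].strip():
        specs.pop()                      # the single optional trailing ";"
    tags, seen = [], set()
    for spec in specs:
        name, eq, value = spec.partition("=")
        name, value = name.strip(), value.strip()
        if not eq or not _TAG_NAME.match(name):
            raise TagListError("bad tag-spec: %r" % spec)
        if name in seen:
            raise TagListError("duplicate tag: %s" % name)
        seen.add(name)
        tags.append((name, value))
    return tags


def check_dmarc_txt(text, policy_record=True):
    """Return a list of findings; an empty list means nothing to report.

    policy_record=False is for records such as the
    *._report._dmarc.example.com verification record, where p= is not expected.
    """
    try:
        tags = parse_tag_list(text)
    except TagListError as exc:
        return ["not a tag-list: %s" % exc]
    if tags[0] != ("v", "DMARC1"):
        return ["first tag is not v=DMARC1"]
    findings = []
    if not _VERSION_WITH_SEP.match(text):
        findings.append("no ';' after v=DMARC1")
    if policy_record and "p" not in dict(tags):
        findings.append("policy record without p=")
    return findings


# Constructed sample records: (TXT value, is it a policy record?)
SAMPLES = [
    ("v=DMARC1", False),
    ("v=DMARC1;", False),
    ("v=DMARC1;", True),
    ("v=DMARC1; p=none; rua=mailto:reports@example.com", True),
    ("v=DMARC1;;p=none", True),
]

if __name__ == "__main__":
    for value, is_policy in SAMPLES:
        print("%-50r %s" % (value, check_dmarc_txt(value, is_policy) or "ok"))
```
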



Re: [mailop] DKIM headers - which do you sign and why?

2018-07-25 Thread John R Levine

For example, a TXT resource record at
"*._report._dmarc.example.com" containing at least "v=DMARC1"
confirms that example.com is willing to receive DMARC reports for any domain.


That appears to be a typo in the spec.  Every valid DMARC record has a 
semicolon after v=DMARC1


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] DKIM headers - which do you sign and why?

2018-07-23 Thread John R Levine

On Tue, 24 Jul 2018, Stefano Bagnara wrote:

We wrote that a long time before anyone had imagined the mess that is DMARC.


Well, if it is not valid anymore then we need an update... "You" made
3 revisions between 2007 and 2011 and then stopped updating it when it
really started being used? ;-)
There's not even an "errata" for that.
Implementors (when they read the RFC) deserve to know what's the
*current* best practices suggested by the spec RFC.


As Steve said, the best practices depend on your situation.  It's not one 
size fits all.



I see your messages to this mailing list are failing DMARC and here
are their signatures:
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com;
h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding;
s=c4b4.5b538d77.k1807; ...
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com;
h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding;
s=c4b4.5b538d77.k1807; ...

I'm not sure I understand why (the rationale about it) you decide to
sign those headers and fail DMARC here, while you suggest the "asker"
to stop signing reply-to


I put signatures on all outgoing mail, including mail that goes to mailing 
lists.  Doesn't everyone?  Anyone who rejects my mail due to DMARC has a 
badly broken DMARC implementation.



And still I'm honestly looking for stats about how many domains are
really currently sending DMARC reports to senders (I get reports for
much less than 1% of my recipients: is it what you all get or is there
something wrong in my setup/target?).


Your setup is fine.  Hardly anyone sends reports.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Sending mail to t-mobile.com

2018-06-10 Thread John R Levine

554 5.7.1 You are not allowed to connect.

Which is probably deliberate because I'm connecting from residential
cable (and I think it's listed on the DUL).  The other source address
is not (it's business cable).


I get the 554 when connecting from consumer broadband (currently from 
Bavaria), but it works when I connect from my servers.



So it's either a deliberate block or missing route on the T-Mobile
network.  Hard to tell which.


Unless you've done something they find uniquely annoying it's probably a 
route problem.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Received header address information

2018-04-21 Thread John R Levine

I was specifically talking about querying a DNSBL with possible-forged IP 
addresses, not creating new listings or anything else.


That wasn't clear.

Anyway, you normally only look up the IP of the gateway host that sent the 
mail from their network to yours.  Relays before that are often from hosts 
on dialup lists like the PBL, which is fine for intra-network relays, and 
means you'll mark legit mail as spam.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] question regarding support for international characters {dkim-fail}

2018-04-11 Thread John R Levine

Curious, isn't it, that the MSP EAI support we've talked about here is
exclusively for other people's addresses, not for their own users?


I know a few Indian providers that offer EAI addresses and I think a 
Chinese one.  It's not surprising that the US providers don't do so, since 
as you note that's a lot harder than just dealing with other people's 
addresses.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] question regarding support for international characters {dkim-fail}

2018-04-11 Thread John R Levine

On Wed, 11 Apr 2018, Ned Freed wrote:

MTAs, maybe. But your typical MTA also acts as an MSA.


Mine's atypical, the MSA is a separate program that I haven't tried to fix 
yet.  At this point I'm exchanging EAI mail with other places, using the 
scanning hack to decide whether to look for SMTPUTF8 when sending it to 
other systems.



Besides, I have a sneaking suspicion that those who take the step of offering
addresses in scripts that have these issues are going to be so busy dealing
with visual similarity, address fakery, and similar issues that we'll be
lucky if they do any sort of normalization at all, let alone dive deep into
the rabbit hole.


My impression is that for the foreseeable future most of the EAI interest 
will be in India and maybe China where the similarity issues are 
different, so in practice you're right, the funkiness of all the languages 
written in Latin characters will get no attention.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] question regarding support for international characters {dkim-fail}

2018-04-10 Thread John R Levine

The Gmail and Hotmail support handles other people's UTF-8 addresses
in mail but they still don't provide UTF-8 addresses on their own
systems.


From what I can tell, Gmail and outlook.com's support is basically "just send
UTF-8", that is, it will send EAI messages without the server offering the
extension.


I know the people involved and can check.


I agree that this isn't difficult. What's difficult is keeping track of the
EAI-ness of a message as it goes through processing like alias expansion, which
can turn a non-EAI message into an EAI message or vice versa.



Support for the nested encodings message/global creates may also be
nontrivial.


I don't even try.  In the places where it matters, I scan the envelope and 
message headers for characters with the high bit set.  This is wrong, but 
it doesn't seem much wronger than far more complex approaches.  Haven't 
thought too much about message/global but in the MTAs I use, it's only a 
MUA problem.



The hardest part, which I haven't done yet, is generalizing
the address mapping that MTAs do on incoming mail. ...



This I frankly don't care about, as I believe that doing it in a meaningful
language-specific way is impossible.


I meant interpreting addresses in mail to my own mailboxes, the 
generalized version of case folding and subaddresses.  Maybe you're right 
that undotted i's won't work in a lot of places, but I'd be surprised if 
they didn't work in Turkey.


R's,
John
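
The scanning hack described in this message, written out as an added example (not the poster's code): it looks for bytes with the high bit set in the envelope addresses and the header block only, and uses the answer to decide whether the next hop has to advertise SMTPUTF8. The function names, the EHLO keyword set passed in, and the sample messages are constructed for illustration.

```python
def header_block(raw_message):
    """Return the bytes before the first empty line (CRLF or bare LF endings)."""
    ends = [i for i in (raw_message.find(b"\r\n\r\n"), raw_message.find(b"\n\n"))
            if i != -1]
    return raw_message[:min(ends)] if ends else raw_message


def has_high_bit(data):
    """True if any byte of data is >= 0x80 (a str is encoded as UTF-8 first)."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return any(byte >= 0x80 for byte in data)


def looks_like_eai(mail_from, rcpt_to, raw_message):
    """The heuristic: high-bit bytes in the envelope or the headers mean EAI.

    The body is deliberately not scanned; 8-bit body content is a separate
    matter from internationalized addresses and headers.
    """
    if any(has_high_bit(addr) for addr in [mail_from, *rcpt_to]):
        return True
    return has_high_bit(header_block(raw_message))


def plan_relay(mail_from, rcpt_to, raw_message, ehlo_keywords):
    """Decide how to hand the message to a next hop that sent ehlo_keywords."""
    offered = {kw.upper() for kw in ehlo_keywords}
    if not looks_like_eai(mail_from, rcpt_to, raw_message):
        return "send"                   # no need to look for the extension
    if "SMTPUTF8" in offered:
        return "send-smtputf8"          # add the SMTPUTF8 parameter to MAIL FROM
    return "no-smtputf8-offered"        # next hop does not offer the extension


# Constructed sample messages
ASCII_HEADERS_8BIT_BODY = (
    b"From: a@example.com\r\nSubject: hello\r\n\r\nBody with caf\xc3\xa9\r\n")
UTF8_SUBJECT = (
    "From: a@example.com\r\nSubject: \u043f\u0440\u0438\u0432\u0435\u0442\r\n\r\nbody\r\n"
).encode("utf-8")

if __name__ == "__main__":
    hop = {"PIPELINING", "8BITMIME"}    # constructed EHLO response keywords
    print(plan_relay("a@example.com", ["b@example.net"], ASCII_HEADERS_8BIT_BODY, hop))
    print(plan_relay("a@example.com", ["b@example.net"], UTF8_SUBJECT, hop))
    print(plan_relay("a@example.com", ["b@example.net"], UTF8_SUBJECT, hop | {"SMTPUTF8"}))
```
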



Re: [mailop] question regarding support for international characters

2018-04-09 Thread John R Levine

We announced that it was supported back in 2014:
https://googleblog.blogspot.com/2014/08/a-first-step-toward-more-global-email.html

Were you referring to something else?


No, I just wasn't paying attention.  Oops.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Is BitBounce for real?

2018-01-16 Thread John R Levine

This idea behind BitBounce is neither stupid nor new, and it's actually
funny, because current proof of work (PoW) algorithms, including one in
bitcoin, are based on "hashcash" algorithm, and hashcash was initially
developed to combat SPAM.  See https://en.wikipedia.org/wiki/Hashcash so
the service like this was just a question of time.


Yes, I know.  I went to high school with Cynthia Dwork.


I can hardly believe BitBounce can succeed where Microsoft failed though.


No kidding.  It's so obviously doomed to fail that I can't figure out what 
their angle is.


R's,
John


Re: [mailop] Many SPF failures lately

2017-05-20 Thread John R Levine

You appear to be making the naive assumption that every SPF record is 
correct, or worse, that whatever the SPF record must be correct even if 
it's not what the system manager intended, or it doesn't describe the 
domain's actual mail.


In reality, nearly every SPF record is wrong, because SPF's simple model 
of mail transport cannot describe all the ways that people send mail.  A 
competent mail system manager will deal with that, rather than imagining 
that he can force the rest of the world to change.


As I have said many times, my goal is to deliver the mail that my users 
want.  SPF, DKIM, and DMARC are all useful, but I do not make unilateral 
decisions based on what any of them say.  Having talked to the people who 
run many of the world's largest mail systems, I can assure you that they 
don't either.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Many SPF failures lately

2017-05-20 Thread John R Levine

On Sat, 20 May 2017, frnk...@iname.com wrote:

Are you saying that checking the box on our commercial spam filtering 
system’s “check SPF” feature, which quarantines messages that have SPF 
failures (-all), was a poor decision on my part?


If it does that on a simple SPF failure with no other indication that a 
message is spam, yes.*  I expect that's the sort of thing Neil was 
referring to when he mentioned firing offenses.


I don’t understand what DMARC has to do with this – a sender who 
implements an SPF record should not assume the receiver has also 
implemented DMARC checking.


Now I must say that I am really, really glad that I am not one of your 
mail users.  Just for starters, why do you think that DMARC checks both 
SPF and DKIM and applies the policy only if they both fail?


R's,
John

* - disregarding the special case of an SPF record that contains only 
-all, meaning that a domain sends no mail at all.  But I don't think 
that's what we're talking about here.


Re: [mailop] Many SPF failures lately

2017-05-19 Thread John R Levine

On Fri, 19 May 2017, Luis E. Muñoz wrote:

Well, it's not unheard of to see TOSes that contain provisions for 
spam/malware/illegal content filtering. Considering that from the 1st 
paragraph of RFC-7208 it's clear that the intent is to "authorize", I would 
think the shoe would fit.


If I were looking for an excuse to play BOFH and throw away mail, that's 
as good an excuse as any.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] New sending range for MailChimp - 148.105.0.0/16

2017-05-05 Thread John R Levine

This was my bad when I sent this.  I should have been more specific with the 
exact ranges that we are sending from:

148.105.11.0/25
148.105.12.0/24
148.105.13.0/24
148.105.14.0/25

The ranges listed above have rDNS and are actively sending.  Since allocation 
of IPs for sending is rather dynamic on our part, the rDNS piece isn’t 
something that is set up until time to send.


Oh, OK.  You might tell UltraDNS to return NXDOMAIN rather than SERVFAIL 
for the rest of it.




My goal in the email was to hopefully fix any classification receivers might 
have set from the previous owner of the range. Was hoping that including the 
entire range would be easier for anyone that might have the range blocked or 
classified accordingly.

Thanks for the feedback.

Joey




R's,
John






Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] LOUDMOUTHS WANTED!! ICANN WHOIS Replacement Work URGENT IMPORTANT ACTION NEEDED

2017-03-25 Thread John R Levine

The reality is that the vast majority of domain registrations are made
by businesses with no reasonable expectation of privacy.


I'm not sure if this is actually true for new registrations.  Prior to
launch of a web site, many businesses are eager to conceal the
identity of the domain holder, to coordinate the launch with some sort
of marketing campaign.


want to keep a business name secret != reasonable expectation of privacy

Or to put it another way, your business plan is not my problem.

R's,
John



Re: [mailop] conventional wisdom, was Google rejects a TLS connection

2017-03-17 Thread John R Levine

On Fri, 17 Mar 2017, Eric Henson wrote:

As a PCI compliant company, we have to go to great lengths to secure any 
system that stores, processes, or transacts credit card data. If that 
included our email servers, that would put every single mail server, 
every single mail client, including smart phones, in scope for our PCI 
audit. That would be a complete nightmare.


I believe you, but that's not the question -- when's the last time 
something bad actually happened due to sending credit card info by mail?


I used to have my own credit card account and my card processor demanded 
PCI compliance.  About 1/4 of it was reasonable, 3/4 was cargo cult stuff 
that mostly involved stuff like setting packet filters so they couldn't 
probe ports that weren't going to answer anyway.


R's,
John



Re: [mailop] Forwarding issues, was Mails to microsoft

2017-02-09 Thread John R Levine

having IMAP IDLE to everywhere... ugh, I guess.  What's another million
persistent connections.


As the saying goes, if all you have is a hammer, everything looks like a 
thumb.


I'd rather make forwarding more reliable.  I've wanted to add an inbound 
gateway setting to consumer accounts, similar to what we have for GSuite 
customers, which would allow us to be smarter about forwarding, but 
never had the resources to do it.


That's a lot like what I was thinking -- the forwards would look more like 
authorized submissions.  Maybe ARC will help, but I dunno, if someone's 
forward is totally unfiltered and gushes spam, I wouldn't want to have to 
pick out the 1% that might be legit.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Storing 821 envelope recipients in an 822.Header?

2016-12-07 Thread John R Levine

Legitimate eXtension headers as X- are easily filtered as "this is something 
you shouldn't pay attention to because it's not part of any standard".  Take 
away the X- and you go back to the 'ok what is legitimate and what is not' 
situation...


Oh, that's easy.  They're all legitimate.  If you're wondering which ones 
have some sort of standards status, you can look here but you'll find a 
lot of dusty old experiments that nobody really uses.


http://www.iana.org/assignments/message-headers/message-headers.xml

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] So, about this iOS10 unsubscribe feature...

2016-09-16 Thread John R Levine

On Fri, 16 Sep 2016, valdis.kletni...@vt.edu wrote:

On 16 Sep 2016 18:22:33 -, "John Levine" said:


There are some issues with helpful spam filters that fetch the URLs in
list-unsubscribe headers to see if they lead somewhere malicious, but
they're not all that hard to deal with.


For those who don't know what John is referring to:



Subject: I-D Action: draft-levine-herkula-oneclick-03.txt


It's up to -05, now with more expository goodness for the benefit of 
people who don't live in a world where "deliverability" is an adjective.


You can find it here:


https://datatracker.ietf.org/doc/draft-levine-herkula-oneclick/


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Gmail SRS Problem: low reputation of sending domain

2016-08-16 Thread John R Levine

There is the class of spammers who seem fine with getting as much mail 
as possible in the spam label, with the assumption that enough folks 
will check their spam label and click on the links anyways.  We'd 
probably need to have more complicated rules of when to listen to the 
X-Spam header, of course.



Are there some other issues with a "deliver to spam"?


Keeping in mind that I run a pretty small mail system, not that I'm aware 
of.  If you think you can manage the spam and malware filtering, it'd 
certainly be easier for me if I could foist some of the spam filtering 
back on you.


It's also possible that with ARC, you wouldn't need the SRS and we could 
better learn forwarding on a per-user basis, and so we'd just know it's 
a gateway.


Probably depends on how many bad guys use fake ARC and how good they are 
at it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.



Re: [mailop] Gmail throttles anyway

2016-02-04 Thread John R Levine

If it's a mailing list, the traffic is not simply passing thru. Since the 
message is being modified, the signature should at the very least be 
deactivated.


For the third time, why?  The RFC says it doesn't matter.

I believe it goes into the junk, but I don't believe it has anything to do 
with a broken DKIM signature.


R's,
John


If you're going to do something that will break the DKIM signature as a matter 
of course,
You should remove the DKIM signature, and maybe re-sign it with your own.

You shouldn't break the signature and then forward what was once goodmail with 
a now busted signature.


Au contraire.  You should always preserve all the signatures to make it
easier to figure out what happened if there's some sort of trouble down
the line.

Since the spec says that there is no difference in message handling for a
broken signature and one that's not there, could you be more specific
about why you think it's important to make forensics harder?

Signed,
Confused

PS: See RFC 6376, section 6.1:

   Survivability of signatures after transit is not guaranteed, and
   signatures can fail to verify through no fault of the Signer.
   Therefore, a Verifier SHOULD NOT treat a message that has one or more
   bad signatures and no good signatures differently from a message with
   no signature at all.

   ...

   In the following description, text reading "return status
   (explanation)" (where "status" is one of "PERMFAIL" or "TEMPFAIL")
   means that the Verifier MUST immediately cease processing that
   signature.  The Verifier SHOULD proceed to the next signature, if one
   is present, and completely ignore the bad signature.




Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.



Re: [mailop] Gmail throttles anyway

2016-02-04 Thread John R Levine

If you're going to do something that will break the DKIM signature as a matter 
of course,
You should remove the DKIM signature, and maybe re-sign it with your own.

You shouldn't break the signature and then forward what was once goodmail with 
a now busted signature.


Au contraire.  You should always preserve all the signatures to make it 
easier to figure out what happened if there's some sort of trouble down 
the line.


Since the spec says that there is no difference in message handling for a 
broken signature and one that's not there, could you be more specific 
about why you think it's important to make forensics harder?


Signed,
Confused

PS: See RFC 6376, section 6.1:

   Survivability of signatures after transit is not guaranteed, and
   signatures can fail to verify through no fault of the Signer.
   Therefore, a Verifier SHOULD NOT treat a message that has one or more
   bad signatures and no good signatures differently from a message with
   no signature at all.

   ...

   In the following description, text reading "return status
   (explanation)" (where "status" is one of "PERMFAIL" or "TEMPFAIL")
   means that the Verifier MUST immediately cease processing that
   signature.  The Verifier SHOULD proceed to the next signature, if one
   is present, and completely ignore the bad signature.




Re: [mailop] New method of blocking spam

2016-01-22 Thread John R Levine

What gets spammers caught is that eventually they
have to sell you something


Gee, did we drop through a wormhole into 1998 or something?


He's missing a few somethings.
Spammers might not be trying to sell you something.


No kidding.  The classic example is pump and dump, where they're trying to 
get you to call your own stockbroker to buy the stock they're touting, 
with no direct contact at all with the spammer.


Even with stuff like drug spam, the number of throwaway domains and 
redirections between the spam and the payload site is likely to be 
somewhat higher than someone might expect.  A *lot* higher.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.



Re: [mailop] Gmail's postmaster tools

2015-07-13 Thread John R Levine

Google's record doesn't affect SPF.  Look at section 4.5 of RFC 7208,
and you'll see that SPF takes all of the records returned for the TXT
lookup, and only picks the one that starts with v=spf1.  Other records
are ignored and don't count toward the lookup limit.


Except it may not fit in an 1500 bytes UDP packet anymore... fragmentation
and or TCP  will occur... delaying the answer, enough for the mailserver to
move on, not waiting for the answer anymore.


I've done it.  The extra DNS records for site verification are not large.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

___
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
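
An added example (not from the thread or from any SPF library) of the record selection described in this message, following RFC 7208 section 4.5: only TXT records whose version section is exactly v=spf1 are considered, so a site-verification record at the same name is ignored. It also estimates the size of the answer to put a number on the packet-size objection; the estimate assumes a compressed owner name and no EDNS, authority or additional records, and the TXT values are constructed.

```python
def txt_value(rdata):
    """Join the character-strings of one TXT record with no separator."""
    return b"".join(rdata)


def is_spf(text):
    """The version section must be exactly v=spf1, ended by a space or end of record."""
    head = text[:7].lower()
    return head == b"v=spf1" or head == b"v=spf1 "


def select_spf(txt_rrset):
    """Return (result, record): ("ok", text), ("none", None) or ("permerror", None)."""
    found = [txt_value(r) for r in txt_rrset if is_spf(txt_value(r))]
    if not found:
        return ("none", None)
    if len(found) > 1:
        return ("permerror", None)        # more than one v=spf1 record at the name
    return ("ok", found[0].decode("ascii", "replace"))


def estimate_response_size(qname, txt_rrset):
    """Rough size in bytes of a DNS answer carrying the whole TXT RRset."""
    size = 12                                    # DNS header
    size += len(qname.rstrip(".")) + 2 + 4       # question: encoded name, QTYPE, QCLASS
    for rdata in txt_rrset:
        size += 12                               # name pointer, TYPE, CLASS, TTL, RDLENGTH
        size += sum(1 + len(s) for s in rdata)   # each character-string has a length byte
    return size


# Constructed TXT RRset: each record is a list of character-strings.
EXAMPLE_TXT = [
    [b"v=spf1 ip4:192.0.2.0/24 ", b"-all"],              # SPF split over two strings
    [b"google-site-verification=" + b"x" * 43],          # constructed verification token
]

if __name__ == "__main__":
    print(select_spf(EXAMPLE_TXT))
    print(estimate_response_size("example.com", EXAMPLE_TXT), "bytes")
```
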


Re: [mailop] Possible sendmail name resolution issues triggered by hotmail.com zone change

2015-05-29 Thread John R Levine

Look closely, they're not the identical ips per MX as of the changes yesterday 
:)


They're not exactly the same, but they're almost all the same.  Each 
actual A record has at least three names.  I understand why you'd want to 
do load levelling, but it's hard to imagine any sensible reason to use the 
same A record on more than one MX.


   4 mx1.hotmail.com has address 134.170.2.199
   4 mx1.hotmail.com has address 207.46.8.167
   4 mx1.hotmail.com has address 207.46.8.199
   3 mx1.hotmail.com has address 65.54.188.110
   3 mx2.hotmail.com has address 65.54.188.126
   3 mx1.hotmail.com has address 65.54.188.72
   3 mx1.hotmail.com has address 65.54.188.94
   4 mx1.hotmail.com has address 65.55.33.119
   4 mx1.hotmail.com has address 65.55.33.135
   3 mx1.hotmail.com has address 65.55.37.104
   3 mx2.hotmail.com has address 65.55.37.120
   3 mx1.hotmail.com has address 65.55.37.72
   3 mx1.hotmail.com has address 65.55.37.88
   3 mx1.hotmail.com has address 65.55.92.136
   3 mx1.hotmail.com has address 65.55.92.152
   3 mx1.hotmail.com has address 65.55.92.168
   3 mx2.hotmail.com has address 65.55.92.184

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.



Re: [mailop] Possible sendmail name resolution issues triggered by hotmail.com zone change

2015-05-29 Thread John R Levine

Is this still occurring?
A little birdie told me that it might be... just want to check.


A quick check of the MXes show that they each have 14 A records.

Not to ask annoying questions or anything, but what's the point of four MX 
records each pointing to the same set of IPs?  It seems like a rather odd 
way to do load spreading.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.



Re: [mailop] should google dns solve this?

2015-01-24 Thread John R Levine

The edns-client-subnet hack is intended for cases where the server wants
to return a different result based on the IP address of the end client,
rather than that of an intermediate DNS server, which sounds exactly like
something the RBL software would be interested in to me...


Once again, we look forward to your tested patches to rbldnsd.

Until then, if you want to use somebody else's free DNSBL, you have to 
play by their rules.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.



Re: [mailop] should google dns solve this?

2015-01-23 Thread John R Levine

Apologies if I still have misunderstood but wouldn't EDNS client subnet 
then work to do exactly this. It would expose the address of the 
requesting user to allow the free usage allowance to be assessed by the 
operator.


No, for two reasons.

One is that Google runs a cache, and the client subnet thing would only 
tell about you the first person who asked a question, not all the others 
who reused the result.  I expect Google would have problems with it, too, 
since now some queries would return results and others would return 
REFUSED, which is not what normally happens.


More to the point, the software that DNSBL providers use (called rbldnsd) 
doesn't support client subnet queries.  That particular hack is intended 
for companies like Akamai whose business is providing optimized DNS 
service.  That's not what DNSBLs do, it would take a lot of effort to add 
client subnet support to their software and would provide no benefit to 
them.


It takes perhaps 15 minutes to download and install unbound on a linux or 
BSD server.  If someone can't do that, he or she is very unlikely to have 
the skills and time needed to run a mail server.  Or if this is really 
important to you, rbldnsd is open source so go ahead and code to 
track client subnet data and manage it with ACLs.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.


