Re: [mailop] Is forwarding to Gmail basically dead?

[Gellner, Oliver via mailop]

> On 15.02.2024 at 03:55 Philip Paeps wrote:
>
> On 2024-02-15 02:51:17 (+0800), Gellner, Oliver via mailop wrote:
>>> On 13.02.2024 at 17:05 John Levine via mailop wrote:
>>> More to the point, whether it's DKIM nor S/MIME or PGP, bad guys can
>>> and do sign their mail, too.
>> True, however I never came across a S/MIME- or PGP-signed spam or phishing 
>> message - and we receive a lot of S/MIME emails. I wonder if others on this 
>> list have made different experiences.
>
> I see a fair amount of S/MIME phishing.  As John points out: S/MIME is a very 
> regional thing.  As far as I can tell, it's something people in Europe do a 
> lot and people elsewhere do very rarely.
>
> Having said that: I have seen S/MIME and even PGP signed spear fishing.

In spear phishing attacks everything is possible, but can you share some 
information about which senders send S/MIME signed or perhaps even encrypted 
spam messages? I‘d be interested to learn more about this.

—
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia 15.02.2024 o godz. 10:54:56 Philip Paeps via mailop pisze:
> 
> Having said that: I have seen S/MIME and even PGP signed spear fishing.

I'd dare to say, that aginst *spear* phishing there is no viable technical
protection. The only protection against this is common sense and awareness
of the user.

If a phisher is targeting the particular recipient, he does it for a reason.
So he always finds a way - one or another - to reach his target.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Taavi Eomäe via mailop]

On 14/02/2024 20:44, Gellner, Oliver via mailop wrote:

Do you have more information about passkeys in regards to S/MIME certificates? 
This sounds interesting. Or do you only mean that passkeys as well as S/MIME 
both use asymmetric keys?


I just meant that passkeys are a real-life example how the management of 
asymmetric keys can be simplified for end-users. It's likely possible 
that this infrastructure could be leveraged in the future for S/MIME as 
well. I'm not aware that anyone is trying or has done so yet.


smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Philip Paeps via mailop]

On 2024-02-15 02:51:17 (+0800), Gellner, Oliver via mailop wrote:

On 13.02.2024 at 17:05 John Levine via mailop wrote:

It appears that Taavi Eomäe via mailop  said:


On 13/02/2024 05:16, John Levine via mailop wrote:
Right now if you get a message from Gmail or Yahoo with a valid 
DKIM signature, you
can be quite confident that it came from whichever Gmail or Yahoo 
user

is in the From header.


That's absolutely not the guarantee provided by DKIM though.


More to the point, whether it's DKIM nor S/MIME or PGP, bad guys can
and do sign their mail, too.


True, however I never came across a S/MIME- or PGP-signed spam or 
phishing message - and we receive a lot of S/MIME emails. I wonder if 
others on this list have made different experiences.


I see a fair amount of S/MIME phishing.  As John points out: S/MIME is a 
very regional thing.  As far as I can tell, it's something people in 
Europe do a lot and people elsewhere do very rarely.


Having said that: I have seen S/MIME and even PGP signed spear fishing.

The spammers do use DKIM though, but that’s probably only because 
they have to or because the service they are using performs this task 
automatically anyway.


If the large mailbox providers made S/MIME and/or PGP mandatory, it 
wouldn't take very long for automated systems to start doing exactly 
that.  And I wouldn't be at all surprised if the spammers got their 
automation in place before legitimate senders.


Honestly, we're not going to "fix" this problem.

Philip
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[John Levine via mailop]

It appears that Gellner, Oliver via mailop  said:
>
>> On 13.02.2024 at 17:05 John Levine via mailop wrote:
>> It appears that Taavi Eomäe via mailop  said:
>>>
>>> On 13/02/2024 05:16, John Levine via mailop wrote:
 Right now if you get a message from Gmail or Yahoo with a valid DKIM 
 signature, you
 can be quite confident that it came from whichever Gmail or Yahoo user
 is in the From header.
>>>
>>> That's absolutely not the guarantee provided by DKIM though.
>>
>> More to the point, whether it's DKIM nor S/MIME or PGP, bad guys can
>> and do sign their mail, too.
>
>True, however I never came across a S/MIME- or PGP-signed spam or phishing 
>message - and we receive a lot of S/MIME emails.

I suspect that's because none of the large webmail systems understand
S/MIME so why bother.  Spammers go for volume.

It seems to be a regional thing. There is basically no S/MIME in the
U.S. other than internal mail in organizations with their own key
management.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Gellner, Oliver via mailop]

> On 13.02.2024 at 17:05 John Levine via mailop wrote:
> It appears that Taavi Eomäe via mailop  said:
>>
>> On 13/02/2024 05:16, John Levine via mailop wrote:
>>> Right now if you get a message from Gmail or Yahoo with a valid DKIM 
>>> signature, you
>>> can be quite confident that it came from whichever Gmail or Yahoo user
>>> is in the From header.
>>
>> That's absolutely not the guarantee provided by DKIM though.
>
> More to the point, whether it's DKIM nor S/MIME or PGP, bad guys can
> and do sign their mail, too.

True, however I never came across a S/MIME- or PGP-signed spam or phishing 
message - and we receive a lot of S/MIME emails. I wonder if others on this 
list have made different experiences.
The spammers do use DKIM though, but that’s probably only because they have to 
or because the service they are using performs this task automatically anyway.

—
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Gellner, Oliver via mailop]

> On 13.02.2024 at 10:11 Taavi Eomäe via mailop wrote:
>
> I've described one of the reasons why that's the case. The other reason is 
> probably the fact that key management is incredibly difficult. Which is also 
> probably why it has seen adoption in environments that simplify it - large 
> organizations or entire countries. Both of these aspects have seen advances 
> recently, the CA/B Forum S/MIME baseline and implementations for 
> synchronizing cryptographic keys (currently in the form of Passkeys).

Do you have more information about passkeys in regards to S/MIME certificates? 
This sounds interesting. Or do you only mean that passkeys as well as S/MIME 
both use asymmetric keys?

—
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[황병희]

On Wed, 2024-02-14 at 21:31 +0900, Byunghee HWANG (황병희) via mailop
wrote:
> Hellow Cyril,
> 
> On Wed, 2024-02-14 at 11:06 +0100, Cyril - ImprovMX via mailop wrote:
> > That's a good argument. I can do even better:
> > 
> > Email is not designed for spam. Stop spamming. Problem solved.
> 
> Yes, you are right. And I know what you're thinking.
> 
> But please give me a chance to say this.
> 
> Even if you catch spam emails with SPF, I think you should be able to
> distinguish between legitimate emails -- this is forwarding emails.
> 
> Isn't it?
> 
> That's why I like Google. Google accepts forwarding emails even if
> SPF/DMARC fails.

Actually, i don't solve SPAM problem with SPF. So I don't use SPF.

As I continued to say in previous threads, this is because forwarding
is necessary. SPF causes problems in forwarding.

My goal is to receive all emails from the Debian project's debian-bugs-
dist mailing to my Gmail INBOX. Yes, my main goal is to contribute to
the Debian project. Hence I needed forwarding technology. 

After all, I've found the way. That is DKIM/ARC.

Thank you!


Sincerely, Byunghee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


signature.asc
Description: This is a digitally signed message part
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Cyril - ImprovMX via mailop]

> Even if you catch spam emails with SPF, I think you should be able to
> distinguish between legitimate emails -- this is forwarding emails.

SPF/DKIM/DMARC and spam are two entirely different things.
Talking about spam and SPF is like talking about fish and fruit salad.

I think John Levine now has an automated snippet to mention this every 15
minutes ;)

Le mer. 14 févr. 2024 à 13:34, Byunghee HWANG (황병희) via mailop <
mailop@mailop.org> a écrit :

> Hellow Cyril,
>
> On Wed, 2024-02-14 at 11:06 +0100, Cyril - ImprovMX via mailop wrote:
> > That's a good argument. I can do even better:
> >
> > Email is not designed for spam. Stop spamming. Problem solved.
>
> Yes, you are right. And I know what you're thinking.
>
> But please give me a chance to say this.
>
> Even if you catch spam emails with SPF, I think you should be able to
> distinguish between legitimate emails -- this is forwarding emails.
>
> Isn't it?
>
> That's why I like Google. Google accepts forwarding emails even if
> SPF/DMARC fails.
>
>
> Sincerely, Byunghee
>
> ps. Your mail was my spam trap -- HTML Email.
>
> --
> ^고맙습니다 _布德天下_ 감사합니다_^))//
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[황병희]

Hellow Cyril,

On Wed, 2024-02-14 at 11:06 +0100, Cyril - ImprovMX via mailop wrote:
> That's a good argument. I can do even better:
> 
> Email is not designed for spam. Stop spamming. Problem solved.

Yes, you are right. And I know what you're thinking.

But please give me a chance to say this.

Even if you catch spam emails with SPF, I think you should be able to
distinguish between legitimate emails -- this is forwarding emails.

Isn't it?

That's why I like Google. Google accepts forwarding emails even if
SPF/DMARC fails.


Sincerely, Byunghee

ps. Your mail was my spam trap -- HTML Email.

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


signature.asc
Description: This is a digitally signed message part
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Cyril - ImprovMX via mailop]

That's a good argument. I can do even better:

Email is not designed for spam. Stop spamming. Problem solved.

...

Le mer. 14 févr. 2024 à 01:56, Benny Pedersen via mailop 
a écrit :

> Byunghee HWANG  via mailop skrev den 2024-02-14 01:00:
>
> > I really strongly agree with this opinion. That's why I wish people in
> > the world didn't use SPF. SPF is a serious obstacle when forwarding.
>
> spf is not designed for forwarding, stop forwarding, problem solved
>
> dmarc need spf to find aligned mails
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[황병희]

Hellow Benny,

> (...) please be open minded, you already is using opensource

Thanks, usually i don't say 'No' to someone i like. In any case. I'm
going to try your advice someday.

Thanks again Benny!


Sincerely, Byunghee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


signature.asc
Description: This is a digitally signed message part
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Benny Pedersen via mailop]

Byunghee HWANG  via mailop skrev den 2024-02-14 05:45:


spf is not designed for forwarding, stop forwarding, problem solved

Yes, you are right!


good then :=)


And if Google stops email service, i will also stop forwarding.


https://wiki.debian.org/PostfixAndSASL

see section SASL authentication in the Postfix SMTP client

optional try this https://github.com/roundcube/roundcubemail/issues/7610

please be open minded, you already is using opensource
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[황병희]

Hellow Benny,

> spf is not designed for forwarding, stop forwarding, problem solved

Yes, you are right!

And if Google stops email service, i will also stop forwarding.


Sincerely, Byunghee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


signature.asc
Description: This is a digitally signed message part
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Benny Pedersen via mailop]

Byunghee HWANG  via mailop skrev den 2024-02-14 01:00:


I really strongly agree with this opinion. That's why I wish people in
the world didn't use SPF. SPF is a serious obstacle when forwarding.


spf is not designed for forwarding, stop forwarding, problem solved

dmarc need spf to find aligned mails

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[황병희]

Hellow Slavko,

> If we will not change something, we will waste more power
> in fighting, than for providing service. And IMO providing
> service have to be goal...

I really strongly agree with this opinion. That's why I wish people in
the world didn't use SPF. SPF is a serious obstacle when forwarding.


Sincerely, Byunghee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


signature.asc
Description: This is a digitally signed message part
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[John Levine via mailop]

It appears that Marco Moock via mailop  said:
>> >>S/MIME will be applied to the forwarded messages and people will
>> >>assume everything is fine even when the original message is forged.
>> >> 
>> That’s why you apply S/MIME only if the original message can be
>> verified as genuine, if your forwarding server supports S/MIME
>> addition.

In case I haven't mentioned this in the past 15 minutes, crooks can
sign their mail, too. There is no connection whatsoever between
whether something is signed and whether it's mail you want. The
signature is only useful when you have a reputation for its identity.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 12.02.2024 um 15:35:30 Uhr schrieb Sebastian Nielsen:

> >>If you forward spam (automatic forwarding), you will be listed as
> >>the spammer because even DKIM is valid.  
> That’s why you do spam filtering in the forwarding server.

There is no 100% solution for that and even a small amount of spam can
cause a block.

> >>S/MIME will be applied to the forwarded messages and people will
> >>assume everything is fine even when the original message is forged.
> >> 
> That’s why you apply S/MIME only if the original message can be
> verified as genuine, if your forwarding server supports S/MIME
> addition.

Which forwarding servers support it?
The common solutions seems to be a sieve rule that runs on the MDA. Do
Cyrus, Dovecot, courier etc. support S/MIME/GPG checking and adding?

-- 
Gruß
Marco

Spam und Werbung bitte an ichschickerekl...@cartoonies.org
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Slavko via mailop]

Dňa 12. februára 2024 15:41:58 UTC používateľ Laura Atkins via mailop 
 napísal:

>In the face of those facts, what value does this bring to email?

It seems as very good question, targeting the root of problem, as
nobody was enough brave to argue...

I ask more or less the same. Despite the fact, that SPF/DMARC
can stop the obvious/simple spoofing, they are only "better than
nothing" and i feel, as when target was not to win with spoofing,
but fight with it (as fight for fight). And i feel, that personal/small
bussines was not (enough) considered (in some of them).

Perhaps it is time to stop playing SPAMers's game and
start to play own one. How many providers was arested (or
at least disconnected from Internet) for supporting of bad
actors? How many shops/vendors was closed due selling
defective (insecure) devices? How many people was penalized
due damage from their own devices? Nobody is responsible,
thus nobody care... 

Yes, sometime things doesn't work as intended, but if car
is defective, either its vendor or owner must ensure that it
is repaired (or so). Cars must often go to preventive check
of its state (here every two years), etc, etc. And network
devices? Again, nobody care...

To drive car, one needs licence, but every stupid can connect
own device to Internet...

If we will not change something, we will waste more power
in fighting, than for providing service. And IMO providing
service have to be goal...

regards


-- 
Slavko
https://www.slavino.sk/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[John Levine via mailop]

It appears that Taavi Eomäe via mailop  said:
>-=-=-=-=-=-
>-=-=-=-=-=-
>-=-=-=-=-=-
>
>On 13/02/2024 05:16, John Levine via mailop wrote:
>> Right now if you get a message from Gmail or Yahoo with a valid DKIM 
>> signature, you
>> can be quite confident that it came from whichever Gmail or Yahoo user
>> is in the From header.
>
>That's absolutely not the guarantee provided by DKIM though.

Like Dave said, it's not, but this started with an assertion that Gmail
should S/MIME sign its mail, and Gmail firmly controls what's in your
From header.

More to the point, whether it's DKIM nor S/MIME or PGP, bad guys can
and do sign their mail, too.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Taavi Eomäe via mailop]

On 13/02/2024 05:16, John Levine via mailop wrote:

Right now if you get a message from Gmail or Yahoo with a valid DKIM signature, 
you
can be quite confident that it came from whichever Gmail or Yahoo user
is in the From header.


That's absolutely not the guarantee provided by DKIM though.


smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Taavi Eomäe via mailop]

On 12/02/2024 21:57, Dave Crocker via mailop wrote:
While it has gained respectable amounts of implementation in MUAs, it 
has achieved use only in specialized environments.  Any technology 
with a record that poor should be treated extremely skeptically, when 
considering future use


I've described one of the reasons why that's the case. The other reason 
is probably the fact that key management is incredibly difficult. Which 
is also probably why it has seen adoption in environments that simplify 
it - large organizations or entire countries. Both of these aspects have 
seen advances recently, the CA/B Forum S/MIME baseline and 
implementations for synchronizing cryptographic keys (currently in the 
form of Passkeys).


In the end email is not going anywhere in the next 10-20 years, it would 
be relatively short-sighted to assume that the expectations about 
communications integrity will not increase. If that demand is not 
satisfied somehow then we can only hypothesize about the potential outcomes.



BIMI is a marketing protocol, for promoting brand logos.  What 
anti-abuse benefit do you believe accrues with its use, and how 
exactly do you believe it will achieve that?


It's a bit more than that, but I'm not going to debate that.

A combination of identity validated S/MIME certificate and organization 
validated BIMI provides rather strong guarantees about the signer of a 
letter. It would also probably ameliorate the cost of the validation 
processes and simplify programmatic validation. If you find BIMI 
expensive you should see how much a proper S/MIME deployment costs... 
This is all assuming that an organization aims to get all their ducks in 
a row.




smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Dave Crocker via mailop]

On 2/12/2024 7:13 PM, Mark Milhollan via mailop wrote:

On Mon, 12 Feb 2024, Dave Crocker wrote:

Certificates are not magic symbols of safety.


I never said they were.  I said, paraphrasing though I see I should 
have been explicit, that Google could increase the number of people 
using S/MIME though not any additional MUAs since theirs already has 
S/MIME support though different. 



Right.  Except almost certainly wrong.

Just making certs easier to get will increase S/MIME use.  This ignores 
a collection of other usability and management issues that represent 
significant barriers to adoption and use.  And that's just with S/MIME 
itself, nevermind the integration of its use into a helpful reception 
management function.


My point is that serious efforts at achieving real efficacy that is 
better than what we get now will require considerably wider and deeper 
design thinking that just making certs easier.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Dave Crocker via mailop]

On 2/12/2024 7:16 PM, John Levine via mailop wrote:

Right now if
you get a message from Gmail or Yahoo with a valid DKIM signature, you
can be quite confident that it came from whichever Gmail or Yahoo user
is in the From header.



By way of using this as an example of the need for larger systems 
thinking, the assessment that it came from such a user is not in the 
actual DKIM specification.  DKIM's semantic is dramatically less 
ambitious than that.  It only says that the signer had 'some' 
responsibility for (handling) the message.  Very modest semantic, indeed.


However operational practice makes it a reasonable assessment, at least 
for mail signed by some platforms.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[John Levine via mailop]

It appears that Mark Milhollan via mailop  said:
>On Mon, 12 Feb 2024, Dave Crocker wrote:
>
>> 1. S/MIME has been around for 25 years.  While it has gained
>>respectable amounts of implementation in MUAs, it has achieved use
>>only in specialized environments. 
>
>Google could greatly accelerate its uptake by automatically providing 
>every freemail account with a certificate (DV cert style, i.e., without 
>a fullname) and adding it and a signature to every message, and an 
>indicator on messages received. ...

I'm with Dave, I don't see what difference it would make. Right now if
you get a message from Gmail or Yahoo with a valid DKIM signature, you
can be quite confident that it came from whichever Gmail or Yahoo user
is in the From header.

There is plenty of signed spam, and S/MIME signatures wouldn't make
it any less spammy.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Mark Milhollan via mailop]

On Mon, 12 Feb 2024, Dave Crocker wrote:

On 2/12/2024 4:37 PM, Mark Milhollan via mailop wrote:

On Mon, 12 Feb 2024, Dave Crocker wrote:



 1. S/MIME has been around for 25 years. While it has gained
    respectable amounts of implementation in MUAs, it has achieved use
    only in specialized environments.


Google could greatly accelerate its uptake by automatically providing every 
freemail account with a certificate (DV cert style, i.e., without a 
fullname) and adding it and a signature to every message, and an indicator 
on messages received. 


Certificates are not magic symbols of safety.


I never said they were.  I said, paraphrasing though I see I should have 
been explicit, that Google could increase the number of people using 
S/MIME though not any additional MUAs since theirs already has S/MIME 
support though different.  If only Gmail did it for their freemail that 
could be called just 1 more specialized environment but it might drive 
others to implement it breaking a barrier.  Haven't they done similar 
for TLS transport since otherwise messages get a "bad" indicator, or did 
their effort really do nothing to help increase transport security?


Of all of email's problem's, the most intractable is the widespread and 
continuing insistence that its problems can be solved simply.


I only said it might simply increase the level of use, perhaps 
dramatically, not that it solved anything.



/mark
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Dave Crocker via mailop]

On 2/12/2024 4:37 PM, Mark Milhollan via mailop wrote:

On Mon, 12 Feb 2024, Dave Crocker wrote:


1. S/MIME has been around for 25 years. While it has gained
   respectable amounts of implementation in MUAs, it has achieved use
   only in specialized environments.


Google could greatly accelerate its uptake by automatically providing 
every freemail account with a certificate (DV cert style, i.e., 
without a fullname) and adding it and a signature to every message, 
and an indicator on messages received. 



Certificates are not magic symbols of safety.

Please think through the maintenance and use issues, end-to-end, 
including how to handle new, legitimate folk you've never met before but 
-- it will turn out -- you don't mind getting an unsolicited message from.


Of all of email's problem's, the most intractable is the widespread and 
continuing insistence that its problems can be solved simply.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Mark Milhollan via mailop]

On Mon, 12 Feb 2024, Dave Crocker wrote:


1. S/MIME has been around for 25 years.  While it has gained
   respectable amounts of implementation in MUAs, it has achieved use
   only in specialized environments. 


Google could greatly accelerate its uptake by automatically providing 
every freemail account with a certificate (DV cert style, i.e., without 
a fullname) and adding it and a signature to every message, and an 
indicator on messages received.  Automatic, no muss, no fuss.  If they 
did that a goodly fraction of global email could be signed within a 
year.  They could go further, collecting certificates and encrypting 
when writing to those contacts so that user-to-user encrypted email 
could become globally significant -- yes there are tedious details 
involved.  Most likely Apple, Microsoft, and Yahoo could as well 
accelerating things further.  Sadly I doubt any of them will, and for 
smaller operators it is too cost prohibitive to consider as yet.


Or for that matter Google might do similar with OpenPGP, as well or 
instead of S/MIME.  Smaller providers could do this, but alas I doubt 
enough would.


Of course not everyone wants signed or encrypted email, so probably it 
would need to be opt-in.  And many mailing lists would still have issues 
since they want to alter the message body.



/mark
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Damon via mailop]

> BIMI is a marketing protocol, for promoting brand logos.  What anti-abuse 
> benefit do you believe accrues with its use, and how exactly do you believe 
> it will achieve that?
>
> d/

But Dave - It only costs $1300USD per domain and $500USD for each
additional domain for the cert, not including all the other costs for
the aforementioned anti-abuse benefits. What a deal!.. or do I mean
steal.

I do believe attaching anti-spam/anti-phish benefits to the promotion
of BIMI was a poor choice.
It's pure marketing imho.
As an email receiver, programmatically I can't verify the mark, so
this is left to the human reader to attempt to do so.

I don't have any issues with it being used as an extension of branding.

-Damon
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Dave Crocker via mailop]

On 2/9/2024 1:16 AM, Taavi Eomäe via mailop wrote:
My hope is that at some point we would be able to do "BIMI" with just 
S/MIME signed mail at some point. Seems like a good combination.



1. S/MIME has been around for 25 years.  While it has gained
   respectable amounts of implementation in MUAs, it has achieved use
   only in specialized environments.  Any technology with a record that
   poor should be treated extremely skeptically, when considering
   future use.
2. BIMI is a marketing protocol, for promoting brand logos.  What
   anti-abuse benefit do you believe accrues with its use, and how
   exactly do you believe it will achieve that?

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Dave Crocker via mailop]

On 2/9/2024 6:50 AM, Scott Mutter via mailop wrote:
I think the issue with SPF and DKIM is that it's becoming trivial for 
ALL email to have SPF and DKIM that pass muster.  At which point, 
you're right back where you started.



At the start, we had no way to assess email streams.  Good mixed with 
bad in ways that made it almost impossible to distinguish them.


With SPF and DKIM, receivers have relatively 'noise free' message 
flows.  A flow that has an authenticated identifier associated with it 
is highly likely to actually be email associated with the owner of that 
identifier.  This permits relatively noise-free analysis of their 
behavior, without concern that some other factor -- like someone else 
using the identifier -- is injecting email into that flow.


In fact, it is /good/ that bad actors also use these technologies, since 
it makes it much easier to identify their crappy email.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Randolf Richardson, Postmaster via mailop]

> Dnia  9.02.2024 o godz. 13:03:28 Philip Paeps via mailop pisze:
> > 
> > Most people don't actually use email anymore.  Email is for
> > marketing and receipts.
> 
> Yeah, that's probably the main reason why they can live with such
> problematic service like Gmail.

I've encountered more problems with Microsoft's systems than with 
GMail's, although I do agree that GMail is far from perfect.  I don't 
recall any delivery problems to Yahoo's systems for any of our users.

> I have heard numerous times from Gmail users that they "just didn't get the
> email from someone" and they treat it as something normal, that the email
> just got lost somewhere. In such cases they try to arrange the communication
> some other way, eg. using Facebook Messenger or any other similar tool. They
> don't have the attitude (which I am very committed to) that email is
> something very basic that just "has to work", and if a message gets lost
> somewhere, it's at least a case that needs investigating, and not just
> taking it for granted.

Some eMail systems accept-and-delete [at least some] messages 
instead of rejecting with a 5yz code, which tends to result in users 
incorrectly blaming the sender, especially (it seems) when the 
receiving system that they're relying on doesn't provide any 
technical support (e.g., because it's a free service).

> But sadly it's not a common attitude nowadays.

I agree, and I suspect a major part of the problem is that many 
users have come to expect unreliability from their Operating Systems, 
and so that attitude ends up extending (quite unfairly in many cases) 
to other technologies ... such as eMail.

Users get comfortable with other things too, such as accepting an 
endless barrage of security warnings just because there are so many 
of them in some environments.  Most users are non-technical, so 
there's a tendancy to develop coping habits instead of considering 
warnings with a critical eye, and I find it hard to blame users for 
this because they just want/need to be productive without having to 
decipher warnings filled with computer-industry jargon and require a 
lot of extra work on their part to parse-and-understand.

-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[John Levine via mailop]

It appears that Sebastian Nielsen via mailop  said:
>-=-=-=-=-=-
>-=-=-=-=-=-
>You just regard all email which passes DMARC as trusted, as if the mail was 
>S/MIME signed by the sender personally.The sender has
>chosen to trust that shared provider. Its not "your problem" as a receiver if 
>that mail is fraudulent.If you act on a fraudulent
>email, sent by a fraudster via a shared host which does not employ user 
>separation, you simply act as the email was genuine, and
>charge the claimed sender of any mishaps that arise out of the email.After 
>all, sender is in a position to choose a provider that
>does employ user separation, but did not, eiter intentionally or by negligect. 
>Sender bears ALL responsibility.Best regards

Um, nothing personal, but I am glad I am not one of your mail users.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Laura Atkins via mailop]

> On 12 Feb 2024, at 14:33, Sebastian Nielsen via mailop  
> wrote:
> 
> >>Do they also allow you to search for the original sender?
> No not via sender search, as the encapsulated email is part of the BODY of 
> the container email.
> So usually you have to search via body search.

So you are still changing the fundamental way email works. 
>  
> >>And, again, what is the overall benefit to the end user from this scheme? 
> Benefit is that email can be verified in a more streamlined way, which 
> minimizes phishing and spam, if no servers are authorized to use any other’s 
> email address, even if forwarding an email.
> It benefits users in the long run, as less and less people will be scammed by 
> bank phishing and similar schemes, making email a more secure communication 
> medium, by using already established systems like SPF, DMARC and DKIM to 
> verify email’s legitimacy.

Is this actually the case, though? I’ve heard a lot of folks claim that, 
somehow, SPF, DMARC and DKIM verify an email’s legitimacy. But we’ve seen how 
bad actors are currently sending malicious mail that pass SPF and DMARC or DKIM 
and DMARC. I mean, someone created a PayPal account and sent PayPal phish that 
passed DMARC. Other folks have used SPF escalation attacks to send DMARC 
passing phishing mail. 

These attacks are happening so how does breaking forwarding help the end user? 
What is to stop the bad actors from setting up systems where they are simply 
forwarders who create a fake email with SPF / DKIM and DMARC and then 
encapsulate it and forward it on to the end user? 

Additionally, most actual research shows that trust indicators simply don’t 
work for end users. I’ve seen studies related to email trust / brand indicators 
in the inbox not changing user behavior and there are lots of studies that show 
that’s the case with the web and the lock or the green bar or whatever type of 
SSL there is. 

So we have a situation where a) trust indicators can’t be trusted because they 
are already being exploited by bad actors to send SPF / DKIM / DMARC passing 
email and b) wrapping up an email and forwarding it through an untrusted source 
means authentication can be trivially forged, and c) trust indicators don’t 
actually work. 

In the face of those facts, what value does this bring to email?

laura 


-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog






___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Andy Smith via mailop]

Hi,

On Mon, Feb 12, 2024 at 02:44:43PM +0100, Sebastian Nielsen via mailop wrote:
> >> it basically makes it impossible to respond to the original email sender
> 
> Nope, you just open the encapsulated email (open the .EML attachment), and 
> respond to that.

Going back to my anecdote that last month a poster to the North
American Network Operators Group mailing list complained about the
changing of subject lines "messing up" message grouping in gmail, as
if Gmail's UI was the optimal/only way for email threads to be
presented: also in the last couple of months someone on the UK
Network Operators Forum mailing list complained that "DMARC messes
up the format of list email".

What I eventually established was that they were referring to this
Mailman DMARC mitigation setting of encapsulating a post inside a
post from the list server, when the sender has a DMARC policy of
reject etc.

I do not recall which of the major mailbox providers they were
using for it to look "messed up" but again the issue here is that
even some of the most technically adept users on the Internet today
are not using email software that copes well with that. There is a
big gap in the user experience and user training that I'm not sure
any entity has the will and ability to plug.

Myself, I appreciate the encapsulation option for the reasons you
state. I understand what's going on and my mail software copes with
it¹. But I don't find it usable in general at this time.

Thanks,
Andy

¹ Though I do use "notmuch" quite extensively and haven't yet found
  a good way to have it index such emails: from notmuch's point of
  view it only records the header keywords of the outer email
  container, with the inner [arts only being matchable by body text
  search. In simple words:

  $ notmuch search 'from:joe.blo...@example.com'

  will not match list mail from joe.blo...@example.com that's been
  encapsulated in such a fashion.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

>>Do they also allow you to search for the original sender?

No not via sender search, as the encapsulated email is part of the BODY of the 
container email.

So usually you have to search via body search.

 

>>And, again, what is the overall benefit to the end user from this scheme? 

Benefit is that email can be verified in a more streamlined way, which 
minimizes phishing and spam, if no servers are authorized to use any other’s 
email address, even if forwarding an email.

It benefits users in the long run, as less and less people will be scammed by 
bank phishing and similar schemes, making email a more secure communication 
medium, by using already established systems like SPF, DMARC and DKIM to verify 
email’s legitimacy.

 

 

Best regards, Sebastian Nielsen



 

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 09.02.2024 um 13:59:57 Uhr schrieb Andy Smith via mailop:

> When these people are your paying customers, or you are being paid
> to get email to these people, there is limited up side in berating
> people about their choice of mail service. A fact which of course is
> used and abused by the huge mailbox providers for their commercial
> benefit.

I don't see any way to fulfill that without the disadvantages it has.

-- 
Gruß
Marco

Spam und Werbung bitte an ichschickerekl...@cartoonies.org
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 09.02.2024 um 22:06:05 Uhr schrieb Sebastian Nielsen via mailop:

> Or people could stop forwarding emails in idiotic ways, because when
> you forward an email, you are actually forging the original sender.
> 
> 
> Ergo, if you forward a email from genuineu...@genuineserver.com to
> myacco...@gmail.com via an account called exam...@example.org ..
> Technically, you encapsulate the email in a new message/rfc822 object
> and add "Fwd: " in the subject header.

If you forward spam (automatic forwarding), you will be
listed as the spammer because even DKIM is valid.

Filters on the sender won't work anymore at the destination the
forwards points to.

S/MIME will be applied to the forwarded messages and people will assume
everything is fine even when the original message is forged.

-- 
Gruß
Marco

Spam und Werbung bitte an ichschickerekl...@cartoonies.org
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia 12.02.2024 o godz. 14:47:41 Sebastian Nielsen via mailop pisze:
> When you pass traffic on layer 7, you are the de facto recipient of the
> traffic, and when you then “resend” that received traffic somewhere else
> than its actually destined, you become responsible.  That’s why a reverse
> proxy operator becomes responsibility for content he “host”, even if that
> is just forwarded requests to a third-party.

Don't think in terms of network layers. Think at one level above the network
layers :), on the level of conceptual integrity and flow of the
communication as a whole. We may call it a philosophy of communication.

We have four parts to any communication: both parties that are
communicating, communication channel (which may include proxies, forwarders
etc. - it's not important at philosophical level) and the message itself.

The communication is integral and true if both parties know who are they
communicating with (ie. none of the parties is mis-represented) and the
contents of the message is not altered.

If you are hiding the original IP that is behind a proxy, you are
mis-representing one of the parties, so you are modifying the communication.
(BTW. As far as I remember from setting up Squid, it adds the
"X-Forwarded-For:" header by default, you don't need to configure anything
special. So it's not true that "all proxies are anonymous by default".)

Similarly in reverse proxy case you are mis-representing one of the parties,
because you are posing as someone else. You make the message apparently
come from your domain, while in fact it comes from another source. You are
pretending you host the contents, even if you actually don't host it.

Which you shouldn't be doing, because you are just a part of a communication
channel. And it doesn't matter if you do it on layer 7 or on lower layers.

If you are just passing on the message, without modifying its contents, and
without mis-representing neither sender nor recipient of the message (note
that a "traditionally" forwarded email has both From: and To: headers
indicating the original sender and recipient!), you are just a part of a
communication channel, and, from logical point of view, you shouldn't have
any responsibility.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 10.02.2024 um 15:52:22 Uhr schrieb Andre van Eyssen:

> On Fri, 9 Feb 2024, Marco Moock via mailop wrote:
> 
> > Outlook supports that and knowing about it is a question of
> > training.  
> 
> I'd like to suggest that understanding of email is declining in the 
> general population. "Training" is a big ask when the grasp of the
> basics is mostly missing.

I agree with that, but security is nasty for those people at any time,
but necessary if you want to avoid certain attacks.

-- 
Gruß
Marco

Spam und Werbung bitte an ichschickerekl...@cartoonies.org
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Laura Atkins via mailop]

> On 12 Feb 2024, at 13:44, Sebastian Nielsen via mailop  
> wrote:
> 
> >> it basically makes it impossible to respond to the original email sender
> Nope, you just open the encapsulated email (open the .EML attachment), and 
> respond to that.
>  
> Some mail clients show the encapsulated email in a “frame” which has its own 
> reply buttons.

Do they also allow you to search for the original sender? Or is this another 
way we’re hiding the sender of a message (much like rewriting mailing lists 
do)?  

And, again, what is the overall benefit to the end user from this scheme? 

laura 


-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog






___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia 12.02.2024 o godz. 14:44:43 Sebastian Nielsen via mailop pisze:
> 
> Nope, you just open the encapsulated email (open the .EML attachment), and
> respond to that.

Very cumbersome. Speaking from my own experience.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

>> An "anonymous" proxy, configured specifically to hide the original poster
No, all proxies are per definition anonymous unless they specifically add the 
header X-Forwaded-For.
Otherwise, the IP becomes “automatically” hidden, if it passes communication 
unmodified.

That’s why they have become responsible in many cases. People who don’t 
understand proxies, just set up one, without configuring it properly, and then 
it starts forwarding traffic anonymously without adding any identification 
headers.

>> Like the telecom operator job is to pass any traffic and not to block 
>> anything.
It’s a entirely different thing, when traffic is passed at a lower layer than 
layer 7.
When you pass traffic at a lower layer than layer 7, then you are just a mere 
conduit and the “ISP” exception of responsibility apply.
Same applies if you forward traffic internally in a organization, as you are 
just passing the ethernet packets to its final destination.

When you pass traffic on layer 7, you are the de facto recipient of the 
traffic, and when you then “resend” that received traffic somewhere else than 
its actually destined, you become responsible. That’s why a reverse proxy 
operator becomes responsibility for content he “host”, even if that is just 
forwarded requests to a third-party.

Think like this:
A mail is destined from sen...@sender.com to forwardacco...@forwardoperator.org
forwardacco...@forwardoperator.org then forwards the email to 
someu...@anotheraccount.com

When the first mail is sent, then forwardoperator.org is the defacto recipient 
of the message. They receive the message.
But due to a configuration in their server, that message is now sent (as a new 
message) to someu...@anotheraccount.com

Do you understand why the forward operator (and the proxy operator) receives 
responsibility now?
So its nothing wrong that people who configure a email forward, becomes 
responsible for the messages they forward. It is as it should be.


If you want to do forwarding on a lower level than layer 7, then you simply 
"aim" the domain's MX records to the final SMTP, and then configure that SMTP 
to accept mails for another domain, and LOCALLY forward that email into a 
specific account. That may require a paid account at some email operators.
The local forward will ensure any validations doesn't fail, because then its 
already inside that mail operator's file system, and thus all signatures and 
similar are already verified.

Best regards, Sebastian Nielsen

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

>> it basically makes it impossible to respond to the original email sender

Nope, you just open the encapsulated email (open the .EML attachment), and 
respond to that.

 

Some mail clients show the encapsulated email in a “frame” which has its own 
reply buttons.

 

Best regards, Sebastian Nielsen

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia 12.02.2024 o godz. 12:15:08 Sebastian Nielsen via mailop pisze:
> 
> However, if an end user SENDS something via the proxy, let's say a forum
> post, the proxy usually bears the responsibility for the content, which we
> have seen in numerous court cases where a proxy have been used to hide the
> origin of illegal content, where the proxy owner have knowlingly been a
> forwarder of such a content (eg, been negligent and refusing to for
> example block forum posts from his proxy).

Which is fundamentally wrong.

An "anonymous" proxy, configured specifically to hide the original poster is
a totally different thing and you should not mix it in here. Such a kind of
proxy is *actively modifying* the communication, so of course its owner
bears responsibility - it was his deliberate decision to modify the
communication.

Like in the case your described, when a HUMAN user MANUALLY forwards mail
and modifies the headers or encapsulates mail in another mail - it was his
deliberate decision to do so, and he, not the original sender, bears
responsibility for the forwarded (MODIFIED) mail.

Let's talk about regular proxy that doesn't hide the originating IP. The
same applies for regular automatic (not manual) mail forwarding.

A proxy job is by definition to pass ANY traffic, NOT to block anything.
Pass it in as unchanged form as possible from the purely technical point of
view.

Of course, the proxy can deny access altogether to the user who is not
authorized to use the proxy. But if user is allowed, the proxy should NOT
mess with traffic.

Like the telecom operator job is to pass any traffic and not to block
anything. If telecom operators block anything (and we know they do), even if
it's required by law, that only means that this law is nonsense and against
logical reasoning.

Nobody who is an intermediate link in a communication should mess with the
contents of the communication. Only the end receiver has a *logical* (let's
put legal aside) right to reject/block/filter anything.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Laura Atkins via mailop]

The problem with encapsulating like that is it basically makes it impossible to 
respond to the original email sender. It destroys functionality that has been 
around since the early stages of email. If we’re going to break email for 
people, then we should at least give them some good reason to break it. 

So what is the tangible win here?

laura 

> On 12 Feb 2024, at 11:15, Sebastian Nielsen via mailop  
> wrote:
> 
>>> Many antispam filters will right away classify such an email as spam.
> 
> No, that’s not true, UNLESS the antispam filter resides as a local software 
> in the client's software as a plugin to the email client, which would of 
> course detect the "attached file" even its not technically an attached file.
> 
> Remember that it’s the end user client who renders the encapsulated email as 
> an attachment.
> Technically it is not an attachment, and will not get detected as an 
> attachment in mail filters.
> Its technically an email encapsulated in an outer email.
> NDR also is technically the original email encapsulated in an outer email.
> 
> Technically, an encapsulated email looks like this:
> 
> From: exam...@example.org
> To: exam...@example.com
> Subject: Fwd: Hi!
> Content-Type: message/rfc822
> 
>   From: exam...@example.org
>   To: exam...@example.com
>   Subject: Hi!
>   Content-Type: text/plain
> 
>   Content text.
> 
> Spam filters react on 'Content-Disposition: attachment; filename="test.txt"' 
> and similar things.
> 
>>> Conceptually, it's more like a HTTP proxy server.
> 
> No, because in the proxy case, it’s the "sender" who asks the proxy server to 
> "fetch" something from "receiver"s location. It’s the opposite way, the 
> "sender" trust the proxy, and know that the "content" is genuine if he trust 
> the proxy, thus the proxy bears no responsibility for the content from a 
> location he asked the proxy to fetch content from.
> 
> However, if an end user SENDS something via the proxy, let's say a forum 
> post, the proxy usually bears the responsibility for the content, which we 
> have seen in numerous court cases where a proxy have been used to hide the 
> origin of illegal content, where the proxy owner have knowlingly been a 
> forwarder of such a content (eg, been negligent and refusing to for example 
> block forum posts from his proxy).
> 
> --
> You could see it more like a reverse proxy.
> 
> A reverse proxy is a proxy, which is configured to show a domain (let's say 
> example.org) and show another web page (let's say letsencrypt.org) inside. 
> The reverse proxy of course bears ALL responsibility for the content its 
> "hosting" via its proxy function, meaning if letsencrypt.org would 
> accidentially host something illegal, the proxy owner will take the blow for 
> the content visible via "his website".
> 
> Best regards, Sebastian Nielsen
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog






___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Benny Pedersen via mailop]

Jaroslaw Rafa via mailop skrev den 2024-02-12 11:34:

Dnia 12.02.2024 o godz. 01:36:09 Benny Pedersen via mailop pisze:

if spf should be pr email addresses, thay could add ipv6 pr sender
email :=)

and have ipv4 with nullMX or simply remove ipv4 in mx, will it ever
happen ?


Yeah, use only IPv6 for sending mail and cut off deliverability to half 
of

the Internet.


gives less problems, not more problems to solve


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

>>Many antispam filters will right away classify such an email as spam.

No, that’s not true, UNLESS the antispam filter resides as a local software in 
the client's software as a plugin to the email client, which would of course 
detect the "attached file" even its not technically an attached file.

Remember that it’s the end user client who renders the encapsulated email as an 
attachment.
Technically it is not an attachment, and will not get detected as an attachment 
in mail filters.
Its technically an email encapsulated in an outer email.
NDR also is technically the original email encapsulated in an outer email.

Technically, an encapsulated email looks like this:

From: exam...@example.org
To: exam...@example.com
Subject: Fwd: Hi!
Content-Type: message/rfc822

From: exam...@example.org
To: exam...@example.com
Subject: Hi!
Content-Type: text/plain

Content text.

Spam filters react on 'Content-Disposition: attachment; filename="test.txt"' 
and similar things.

>>Conceptually, it's more like a HTTP proxy server.

No, because in the proxy case, it’s the "sender" who asks the proxy server to 
"fetch" something from "receiver"s location. It’s the opposite way, the 
"sender" trust the proxy, and know that the "content" is genuine if he trust 
the proxy, thus the proxy bears no responsibility for the content from a 
location he asked the proxy to fetch content from.

However, if an end user SENDS something via the proxy, let's say a forum post, 
the proxy usually bears the responsibility for the content, which we have seen 
in numerous court cases where a proxy have been used to hide the origin of 
illegal content, where the proxy owner have knowlingly been a forwarder of such 
a content (eg, been negligent and refusing to for example block forum posts 
from his proxy).

--
You could see it more like a reverse proxy.

A reverse proxy is a proxy, which is configured to show a domain (let's say 
example.org) and show another web page (let's say letsencrypt.org) inside. The 
reverse proxy of course bears ALL responsibility for the content its "hosting" 
via its proxy function, meaning if letsencrypt.org would accidentially host 
something illegal, the proxy owner will take the blow for the content visible 
via "his website".

Best regards, Sebastian Nielsen

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia 12.02.2024 o godz. 01:36:09 Benny Pedersen via mailop pisze:
> if spf should be pr email addresses, thay could add ipv6 pr sender
> email :=)
> 
> and have ipv4 with nullMX or simply remove ipv4 in mx, will it ever
> happen ?

Yeah, use only IPv6 for sending mail and cut off deliverability to half of
the Internet.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia 10.02.2024 o godz. 05:02:12 Sebastian Nielsen via mailop pisze:
> Disadvantages --> Every email will look like an empty email containing a
> attachment that you have to click to open.

Many antispam filters will right away classify such an email as spam.

> Also, that’s how forwarding ALWAYS have work when you press the "Forward" 
> button (and "Forward as attachment" is the message/rfc822 way) in your MUA 
> and have always worked with SPF and DKIM for decades.
> So why shouldn't we adopt it also for server-configured forwarding?

Because these are two different things.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

You just regard all email which passes DMARC as trusted, as if the mail was 
S/MIME signed by the sender personally.The sender has chosen to trust that 
shared provider. Its not "your problem" as a receiver if that mail is 
fraudulent.If you act on a fraudulent email, sent by a fraudster via a shared 
host which does not employ user separation, you simply act as the email was 
genuine, and charge the claimed sender of any mishaps that arise out of the 
email.After all, sender is in a position to choose a provider that does employ 
user separation, but did not, eiter intentionally or by negligect. Sender bears 
ALL responsibility.Best regards Sebastian Nielsen
 Originalmeddelande Från: Slavko via mailop  
Datum: 2024-02-11  22:19  (GMT+01:00) Till: 'Mailing List'  
Ämne: Re: [mailop] Is forwarding to Gmail basically dead? Dňa 11. februára 2024 
19:06:31 UTC používateľ Sebastian Nielsen via mailop  
napísal:>>>On my site, users can use only own address/aliases, but i can use 
any (including any domain)...>>Of course since you are administrator. Nothing 
strange with that.It was not meant as self-presentation, but as particular 
examplethat one site can have multiple different rules.>It all about trust. 
Choose providers you trust.But i asked as receiver how to verify, not as domain 
owner. Asreceiver i cannot choose from which provider message arrives,but i 
have to decide if i will accept it or not. The DMARC (etc)is tool to help me to 
choose properly/better, but in case ofshared site its success can be as useful 
as dice roll...Anyway, what is trusted for domain owner not necessarymust be 
trusted for receiver too and vice versa...regards-- 
Slavkohttps://www.slavino.sk/___mailop
 mailing listmailop@mailop.orghttps://list.mailop.org/listinfo/mailop___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Benny Pedersen via mailop]

Sebastian Nielsen via mailop skrev den 2024-02-11 18:33:


It’s a matter of a simple configuration.


checked spf for big domains:

gmail.com 328,960 individual IPv4 addresses
outlook.com 506,999 individual IPv4 addresses (65.55.238.128/26 listed 
twice in spf)
hotmail.com 148,087 individual IPv4 addresses (65.55.238.128/26 listed 
twice in spf)

facebook.com 1,792 individual IPv4 addresses no ipv6 in spf

if spf should be pr email addresses, thay could add ipv6 pr sender email 
:=)


and have ipv4 with nullMX or simply remove ipv4 in mx, will it ever 
happen ?


if anything is free it will be abused, it have being so like internet 
was born, today solutions are many but none will do the hard work on 
progress


f...@userid.gmail.com single spf ip with ipv4 and ipv6
b...@o365user.morefun.long.domain.names.outlook.com single spf ip with 
ipv4 and ipv6


that first step to not share ips pr user

when this are mapped, then spf is more useful then it is now with easily 
forged spf as now


a very pro one here https://dmarcian.com/spf-survey/?domain=yahoo.com

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Gellner, Oliver via mailop]

Am 11.02.2024 um 18:40 schrieb Sebastian Nielsen via mailop :

>> because SPF is too easy to forge.)

Wrong. When a shared space is used, its up to that particular space, to enforce 
so customers cannot use other customer’s email addresses.

In the same way you cannot, and should not be able to use 
someu...@hotmail.com when logged in as 
anotheru...@hotmail.com , in the same way, 
Office365, Gmail, AmazonSES etc, should enforce so a customer logged into their 
SMTP relay with someth...@customer1.com cannot 
use someth...@customer2.com as sender address.

It’s a matter of a simple configuration.

In an ideal world this would be true, but in reality it’s not only a „matter of 
a simple configuration“.
For example the paper „Weak Links in Authentication Chains„ 
https://www.usenix.org/system/files/sec21-shen-kaiwen.pdf or the recent SMTP 
smuggling attack showed different ways how to use an Office365 account to send 
messages from foreign domains that are perfectly authenticated but completely 
fake.

Some of those problems can be and have been fixed, but huge and complex 
collaboration platforms offer a large enough surface to contain more than one 
loophole.

So you simply choose a provider who you trust enforces that as a domain owner. 
That’s why SPF exist.

Well, if I as a receiver would trust email service providers to properly verify 
all outgoing messages of their users before accepting them for delivery, then I 
could skip SPF checks for their networks altogether, as no spoofed email could 
originate from there. Unfortunately this does resemble the reality.

—
BR Oliver

dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Andrew C Aitchison via mailop]

On Sun, 11 Feb 2024, Sebastian Nielsen via mailop wrote:


because SPF is too easy to forge.)


Wrong. When a shared space is used, its up to that particular space,
to enforce so customers cannot use other customer’s email addresses.


Since some of these shared spaces have demonstrated that they
aren't interested in keeping spam from leaving their spaces,
why should recipients trust them to get this right ?

Yes, their customers should be able to trust them to stop such forgeries
but the little I know about such contracts doesn't inspire me.
Otherwise I might suggest that those customers put in clauses guaranteeing
no spam from addresses associated with with the customer's mail.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Slavko via mailop]

Dňa 11. februára 2024 19:06:31 UTC používateľ Sebastian Nielsen via mailop 
 napísal:

>>>On my site, users can use only own address/aliases, but i can use any 
>>>(including any domain)...
>
>Of course since you are administrator. Nothing strange with that.

It was not meant as self-presentation, but as particular example
that one site can have multiple different rules.

>It all about trust. Choose providers you trust.

But i asked as receiver how to verify, not as domain owner. As
receiver i cannot choose from which provider message arrives,
but i have to decide if i will accept it or not. The DMARC (etc)
is tool to help me to choose properly/better, but in case of
shared site its success can be as useful as dice roll...

Anyway, what is trusted for domain owner not necessary
must be trusted for receiver too and vice versa...

regards


-- 
Slavko
https://www.slavino.sk/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

>>And how you can know if site enforces that? And i don't mean guess, nor 
>>believe, but really **know** with particular message?

Since you on your domain are in control of SPF, you of course choose a provider 
you **know** enforces that.
So you simply choose a provider who you trust enforces that as a domain owner. 
That’s why SPF exist.

>>On my site, users can use only own address/aliases, but i can use any 
>>(including any domain)...

Of course since you are administrator. Nothing strange with that. In the same 
way the admins at Lets Encrypt, VeriSign, Entrust - you name it, could tell 
their servers to issue a certificate for sebbe.eu without any approval. The CAA 
record lets you choose which providers you trust, in the same way SPF lets you 
choose the providers you trust.

It all about trust. Choose providers you trust.

Best regards, Sebastian Nielsen


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Slavko via mailop]

Dňa 11. februára 2024 17:33:30 UTC používateľ Sebastian Nielsen via mailop 
 napísal:
>>> because SPF is too easy to forge.)

>Wrong. When a shared space is used, its up to that particular space, to 
>enforce so customers cannot use other customer’s email addresses.

And how you can know if site enforces that? And i don't mean
guess, nor believe, but really **know** with particular message?

On my site, users can use only own address/aliases, but i can
use any (including any domain)...

regards

-- 
Slavko
https://www.slavino.sk/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

>> because SPF is too easy to forge.)

 

Wrong. When a shared space is used, its up to that particular space, to enforce 
so customers cannot use other customer’s email addresses.

 

In the same way you cannot, and should not be able to use someu...@hotmail.com 
  when logged in as anotheru...@hotmail.com 
  , in the same way, Office365, Gmail, 
AmazonSES etc, should enforce so a customer logged into their SMTP relay with 
someth...@customer1.com   cannot use 
someth...@customer2.com   as sender address.

 

It’s a matter of a simple configuration.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Gellner, Oliver via mailop]

On 09.02.2024 at 18:22 schrieb Scott Mutter via mailop wrote:

On Fri, Feb 9, 2024 at 9:56 AM Gellner, Oliver via mailop 
mailto:mailop@mailop.org>> wrote:
While I'm no advocate on external email forwarding, SPF does not perform a good 
job on identifying emails regardless of forwarding. Most companies send emails 
from shared IP addresses (Office 365, GSuite, Sendgrid, Amazon SES, ...), so 
their SPF records are all, well... identical, which is not really useful to 
tell them apart. This opens a window for various attacks, see for example the 
recent SMTP smuggling attack. A better approach would be to get rid of SPF and 
base DMARC solely on DKIM.

Well, this is why I distinguish a properly set SPF record.

A sender has to know EXACTLY what IPs are going to be sending out legitimate 
emails from their domain name.  Not a "maybe these IPs" or "sometimes this IP 
and sometimes this other IP" it has to be an EXACT list.  And if the sender 
doesn't know what the EXACT list is... then what else are they forgetting?

But external forwarders is always going to break this.

PayPal can list EXACTLY all of the IPs that they will send out messages from.

Yes, but this requires that every sender has their own distinct IP addresses. 
However eg the over one million companies which use Office365 send their email 
from the same servers and IP addresses. So even if they all had strict SPF 
entries for their domains, this wouldn’t help to tell them apart. (For this 
reason the BIMI logo display within Gmail for example relies only on DKIM when 
performing its DMARC verification, because SPF is too easy to forge.)

The same applies to messages sent via Gsuite, Amazon SES and almost all other 
email service providers, including all shared hosting platforms on the planet. 
There are only a few SaaS providers like Cisco that provide unique sending IP 
addresses for each customer.
That’s why SPF should be retired in my opinion - it was invented in and for a 
different era when most senders were running their own MTA.

—
BR Oliver

dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[황병희]

Good morning everyone,

On Thu, 2024-02-08 at 13:37 +0900, Byunghee HWANG (황병희) via mailop
wrote:
> Hellow Jarland,
> 
> 2-07 at 20:51 -0600, Jarland Donnell via mailop wrote:
> > (...)
> > Is it time to throw in the towel on email forwarding? Nearly 100%
> > of 
> > users who forward email do so because they want it in Gmail. (...)
> 
> How about this?
> https://gitlab.com/soyeomul/stuff/-/raw/7a68692f2a6f7c5b03f7a5fa04bb79167c04cab2/82963489e8bbeb08644aeba29f722...@mxroute.com
> 

For the record, i attach server log while forwarding...


Feb  8 03:02:35 yw-1204 postfix/smtpd[38197]: connect from yw-
0919.doraji.xyz[2600:1900:4000:af49:0:3::]
Feb  8 03:02:35 yw-1204 postfix/smtpd[38197]: Trusted TLS connection
established from yw-0919.doraji.xyz[2600:1900:4000:af49:0:3::]: TLSv1.3
with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X 
25519 server-signature RSA-PSS (2048 bits) client-signature RSA-PSS
(2048 bits)
Feb  8 03:02:36 yw-1204 postfix/smtpd[38197]: 28E65217: client=yw-
0919.doraji.xyz[2600:1900:4000:af49:0:3::]
Feb  8 03:02:36 yw-1204 postfix/cleanup[38200]: 28E65217: message-
id=<82963489e8bbeb08644aeba29f722...@mxroute.com>
Feb  8 03:02:36 yw-1204 opendkim[647]: RFC2822.From: Jarland Donnell
via mailop 
Feb  8 03:02:36 yw-1204 opendkim[647]: RFC2822.Reply-To:
jarl...@mxroute.com
Feb  8 03:02:36 yw-1204 opendkim[647]: RFC2821.MailFrom:
mailop-boun...@mailop.org
Feb  8 03:02:36 yw-1204 opendkim[647]: RFC2821.ORCPT:
soyeomul+...@gmail.com
Feb  8 03:02:36 yw-1204 opendkim[647]: RFC2822.RCVD-1: from
filter006.mxroute.com ([136.175.111.2] filter006.mxroute.com)#012
(Authenticated sender: mN4UYu2MZsgR)#012 by mail-108-mta73.mxroute.com
(ZoneMTA  ) with ESMTPSA id 18d86a07387466.001#012 for
#012 (version=TLSv1.3
cipher=TLS_AES_256_GCM_SHA384);#012 Thu, 08 Feb 2024 02:51:18 +
Feb  8 03:02:36 yw-1204 opendkim[647]: RFC5598.ADMD (Best Guess):
mailop.org
Feb  8 03:02:36 yw-1204 opendkim[647]: 28E65217: DKIM-Signature field
added (s=yw-1204-doraji-xyz, d=doraji.xyz)
Feb  8 03:02:36 yw-1204 opendkim[647]: 28E65217: DKIM-Signature field
added (s=YW, d=doraji.xyz)
Feb  8 03:02:36 yw-1204 postfix/qmgr[29723]: 28E65217:
from=, size=5812, nrcpt=1 (queue active)
Feb  8 03:02:36 yw-1204 postfix/smtpd[38197]: disconnect from yw-
0919.doraji.xyz[2600:1900:4000:af49:0:3::] ehlo=2 starttls=1 mail=1
rcpt=1 data=1 quit=1 commands=7
Feb  8 03:02:36 yw-1204 postfix/smtp[38201]: Verified TLS connection
established to gmail-smtp-in.l.google.com[2a00:1450:400c:c00::1a]:25:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exch
ange X25519 server-signature ECDSA (P-256) server-digest SHA256
Feb  8 03:02:37 yw-1204 postfix/smtp[38201]: 28E65217:
to=, relay=gmail-smtp-
in.l.google.com[2a00:1450:400c:c00::1a]:25, delay=0.86,
delays=0.26/0.02/0.32/0.27, dsn=2.0.0, status=se  nt (250 2.0.0 OK
1707361357 l9-20020a05600c4f0900b0040fdd32af73si137461wmq.225 - gsmtp)
Feb  8 03:02:37 yw-1204 postfix/qmgr[29723]: 28E65217: removed



Forwarder's duties are:

(1) Delivering to Gmail without failure.
(2) Preserving the RFC2822.From header as is.

So DKIM(+ARC for big ESPs) is best solution, i think.

More screenshot, here: (DMARC p=REJECT email with forwarding)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#93


Sincerely, Byunghee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Thomas Walter via mailop]

Hello Sebastian,

On 10.02.24 05:02, Sebastian Nielsen via mailop wrote:

just because SPF and DMARC are so badly designed that they can't handle it doesnt make it 
"forging" anything.


It isn't badly designed.
Forwarding a email, is the equvalient of, when you receive a signed envelope 
from me containing a letter, you forge my signature on the new envelope.


It's actually the equivalent of striking through the recipient, writing 
a new one on the envelope and putting it back into the mailbox.


This is a quite common behavior if people have moved for example.

Regards,
Thomas Walter

--
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/


smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Benny Pedersen via mailop]

John Levine via mailop skrev den 2024-02-10 05:25:

PS: Perhaps  this list needs a FAQ of Well Known Bad Ideas so we can 
stop having this

argument over and over.


or make mailman patch that stops mailman from breaking dkim

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Benny Pedersen via mailop]

John Levine via mailop skrev den 2024-02-10 05:22:

It appears that Sebastian Nielsen via mailop  said:
just because SPF and DMARC are so badly designed that they can't 
handle it doesnt make it "forging" anything.


It isn't badly designed.
Forwarding a email, is the equvalient of, when you receive a signed 
envelope from me containing a letter, you forge my

signature on the new envelope.


Sorry, but repeating this doesn't make this any less wrong.


+1


I don't know what you imagine "signed envelope" means in this context
and I'm not sure I want to know.


means dkim signed envelope, that breaks if not using srs ?


The postal equivalent of forwarding
is forwarding, you write the person's new address on the envelope and
drop it back in the mail. It has the same return address because it's
the same letter.


+1


People have been making this victim-blaming argument for 20 years,
ever since SPF was designed in a way that failed to handle normal
forwarding.


when envelope sender domain changes, its a new spf domain to take 
responsible of spf, but this will forever be unaligned results on dmarc



It was silly then, and it's no less silly now.


lets make more books on it :=)


This is my last comment on the topic, at least for this round.


we could join another maillist that does not break dkim, in 2024 its 
gone more sadly :/


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Benny Pedersen via mailop]

Sebastian Nielsen via mailop skrev den 2024-02-10 05:11:
And also as a side note, this list server (mailop) also does sender 
rewriting to From: mailop@mailop.org to prevent SPF and DMARC from 
tripping on list mail.

So its obvious it’s the right way to do it.
Same have the list "Exim-Users" begun to do.


stop breaking dkim, stop just stop say spf is a problem for unaligned 
mails, its not right gun to take


you writed dmarc, so i reply on it, i just hope on a better world



___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Andre van Eyssen via mailop]

On Fri, 9 Feb 2024, Marco Moock via mailop wrote:


Outlook supports that and knowing about it is a question of training.


I'd like to suggest that understanding of email is declining in the 
general population. "Training" is a big ask when the grasp of the basics 
is mostly missing.


--
Andre van Eyssen.  Phone: +61 417 211 788
mail: an...@purplecow.org  http://andre.purplecow.org
About & Contact:  http://www.purplecow.org/andre.html
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[John Levine via mailop]

It appears that Sebastian Nielsen via mailop  said:
>And also as a side note, this list server (mailop) also does sender rewriting 
>to From: mailop@mailop.org to prevent SPF and
>DMARC from tripping on list mail.

Yes, we know.  DMARC has been screwing up mailing lists for a decade now.

>So its obvious it’s the right way to do it.

Actually, it is so wrong that ARC was specifically invented so lists can stop 
doing it.

R's,
John

PS: Perhaps  this list needs a FAQ of Well Known Bad Ideas so we can stop 
having this
argument over and over.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[John Levine via mailop]

It appears that Sebastian Nielsen via mailop  said:
>>>just because SPF and DMARC are so badly designed that they can't handle it 
>>>doesnt make it "forging" anything.
>
>It isn't badly designed.
>Forwarding a email, is the equvalient of, when you receive a signed envelope 
>from me containing a letter, you forge my
>signature on the new envelope.

Sorry, but repeating this doesn't make this any less wrong.

I don't know what you imagine "signed envelope" means in this context
and I'm not sure I want to know. The postal equivalent of forwarding
is forwarding, you write the person's new address on the envelope and
drop it back in the mail. It has the same return address because it's
the same letter.

People have been making this victim-blaming argument for 20 years,
ever since SPF was designed in a way that failed to handle normal
forwarding.  It was silly then, and it's no less silly now.

This is my last comment on the topic, at least for this round.

R's,
John

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

And also as a side note, this list server (mailop) also does sender rewriting 
to From: mailop@mailop.org to prevent SPF and DMARC from tripping on list mail.
So its obvious it’s the right way to do it.
Same have the list "Exim-Users" begun to do.

-Ursprungligt meddelande-
Från: John Levine via mailop  
Skickat: den 10 februari 2024 04:35
Till: mailop@mailop.org
Kopia: sebast...@sebbe.eu
Ämne: Re: [mailop] Is forwarding to Gmail basically dead?

It appears that Sebastian Nielsen via mailop  said:
>Or people could stop forwarding emails in idiotic ways, because when 
>you forward an email, you are actually forging the original sender.

Aw, come on. People have been forwarding mail for 40 years, and just because 
SPF and DMARC are so badly designed that they can't handle it doesnt make it 
"forging" anything.

>Ergo, if you forward a email from genuineu...@genuineserver.com to 
>myacco...@gmail.com via an account called exam...@example.org ..
>Technically, you encapsulate the email in a new message/rfc822 object and add 
>"Fwd: " in the subject header.

You can do that if you want, but it's not a substitute for the forwarding we've 
been doing forever.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

>>just because SPF and DMARC are so badly designed that they can't handle it 
>>doesnt make it "forging" anything.

It isn't badly designed.
Forwarding a email, is the equvalient of, when you receive a signed envelope 
from me containing a letter, you forge my signature on the new envelope.

That people have doing it for 40 years, doesn't make it right today. We had 
open relay servers for 30-40 years too, but times have changed. Now every 
public facing SMTP that offers relay is password protected for obvious reasons.
So its time to change our views of whats the "correct" way to forward an email. 
We need a new standard, that does work with SPF, even when DMARC is set to 
strict identity alignment which means also "MIME From:" must be rewritten.

Of course, lets go back to that signed envelope again. For obvious reasons, you 
can't forward the envelope, as you needed to open it and destroy the seal, to 
know where it should go.
What you do then, is write YOUR signature on the envelope with a  statement 
that you verified my signature on the previous envelope.

That’s what the "new era" forwarding is, where you encapsulate the new email in 
a new message/rfc822 object.

If you don't want the receivers of your forwardings to have to click an message 
attachment, you can also forward in the following fashion:
From: Replace with  (ergo the account email was originally sent to, 
which has a forward configured)
To: Replace with 
Reply-To: If non-existent or empty, Replace with 
X-Original-From: 
Subject: Add "Fwd: " to .

Delete any DKIM (as they are now invalid) and resign the email with your DKIM 
and DMARC.
 This however, destroys the integrity of the original email, but that gives the 
most transparent behaviour.

So it’s a give or take there, either forward it as a encapsulation 
(message/rfc822 object in a new container), but then receiver has to click an 
attachment.
Advantages --> Preserves the original email in its original format, unmodified 
in a new container with the rewritten headers.
Disadvantages --> Every email will look like an empty email containing a 
attachment that you have to click to open.

Or you could rewrite headers in-place, but then you lose integrity:
Advantages --> Receiver does not need to click an attachment.
Disadvantages --> The integrity of the original email is lost.


Also, that’s how forwarding ALWAYS have work when you press the "Forward" 
button (and "Forward as attachment" is the message/rfc822 way) in your MUA and 
have always worked with SPF and DKIM for decades.
So why shouldn't we adopt it also for server-configured forwarding?

Best regards, Sebastian Nielsen

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[John Levine via mailop]

It appears that Sebastian Nielsen via mailop  said:
>Or people could stop forwarding emails in idiotic ways, because when you 
>forward an email, you are actually forging the
>original sender.

Aw, come on. People have been forwarding mail for 40 years, and just
because SPF and DMARC are so badly designed that they can't handle it
doesnt make it "forging" anything.

>Ergo, if you forward a email from genuineu...@genuineserver.com to 
>myacco...@gmail.com via an account called exam...@example.org ..
>Technically, you encapsulate the email in a new message/rfc822 object and add 
>"Fwd: " in the subject header.

You can do that if you want, but it's not a substitute for the forwarding we've 
been doing forever.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Sebastian Nielsen via mailop]

Or people could stop forwarding emails in idiotic ways, because when you 
forward an email, you are actually forging the original sender.


Ergo, if you forward a email from genuineu...@genuineserver.com to 
myacco...@gmail.com via an account called exam...@example.org ..
Technically, you encapsulate the email in a new message/rfc822 object and add 
"Fwd: " in the subject header.

Then if you receive mail like this:

From: genuineu...@genuineserver.com
To: exam...@example.org
Subject: Hey
Content-Type: text/plain

Content


Then you forward it as:

From: exam...@example.org
To: myacco...@gmail.com
Reply-To: genuineu...@genuineserver.com
Subject: Fwd: Hey
Content-Type: message/rfc822

From: genuineu...@genuineserver.com
To: exam...@example.org
Subject: Hey
Content-Type: text/plain

Content


So simple.
You verify SPF and DKIM on your end, then add headers for SPF/DKIM verification 
but so the receiving server doesn't remove them.
Like "X-Auth-Results: SPF=PASS, DKIM=PASS"

Then you add your own DKIM signature, forward the email.
Encapsulated version preserves the original in full, meaning the receiver can 
verify both the container AND the forwarded email against the original source.

-Ursprungligt meddelande-
Från: Marco Moock via mailop  
Skickat: den 9 februari 2024 17:11
Till: mailop@mailop.org
Kopia: Scott Mutter 
Ämne: Re: [mailop] Is forwarding to Gmail basically dead?

Am 09.02.2024 um 08:50:52 Uhr schrieb Scott Mutter via mailop:

> This is part of the issue I have with all of these band-aid solutions 
> when it comes to "fixing" the spam problem with email.  You're going 
> to continue to have these issues with email until people realize that 
> they are going to have to let go of some of these grandfathered 
> standards - like external email forwarding.  If external email 
> forwarding was not a thing, then a properly constructed SPF record is 
> going to do a pretty good job (a complete job?) of identifying 
> messages that are forged (phishing) and those that are legitimate.

A good solution for phishing is S/MIME. Sadly, the adoption is very low.
If all banks, online shops, government would use that, users could simply check 
the sender and forging messages would be much, much harder.


--
Gruß
Marco

Spam und Werbung bitte an ichschickerekl...@cartoonies.org 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia  9.02.2024 o godz. 18:06:41 Slavko via mailop pisze:
> Hmm, and are you sure that regular users know what S/MIME is and
> are able to reliable distinguish email with and without it? I don't think
> so...

While they are probably not capable of signing S/MIME mail (which requires
getting your personal certificate in the first place), they don't have to
do *anything* to verify S/MIME on incoming mail if they use any decent mail
client, because the client verifies it for them automatically and displays
the verification result prominently next to the message, in a quite clear
and obvious way.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Graeme Fowler via mailop]

On 9 February 2024 17:17:47 Scott Mutter via mailop  wrote:

This is why we can't have nice things.


I disagree. The continual chase of money over everything - ethics, morals, 
decency included - is why we can't have nice things.


It's one thing for someone to run a technical operation to provide people 
who can't with a service while providing a small number of other people 
with a living.


It's something else entirely for someone without ethics, morals or decency 
to realise that there are catastrophically large holes in a bunch of 
internet protocols that can be abused to make extremely large sums of cash, 
whether very very quickly or over a much longer period.


The trust model that the Internet was built on was wrecked the moment 
serious money was available to people, legitimately or otherwise.


Apologies if that all sounds a bit conspiratorial but so far as I'm aware 
that's the sad reality we live in!


Graeme
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 09.02.2024 um 18:06:41 Uhr schrieb Slavko via mailop:

> Hmm, and are you sure that regular users know what S/MIME is and
> are able to reliable distinguish email with and without it? I don't
> think so...

Outlook supports that and knowing about it is a question of training.
At our university, a relevant amount of people are using it.

-- 
Gruß
Marco

Spam und Werbung bitte an ichschickerekl...@cartoonies.org
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Slavko via mailop]

Dňa 9. februára 2024 16:06:36 UTC používateľ Marco Moock via mailop 
 napísal:

>A good solution for phishing is S/MIME. Sadly, the adoption is very low.
>If all banks, online shops, government would use that, users could
>simply check the sender and forging messages would be much, much harder.

Hmm, and are you sure that regular users know what S/MIME is and
are able to reliable distinguish email with and without it? I don't think
so...

regards


-- 
Slavko
https://www.slavino.sk/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Scott Mutter via mailop]

On Fri, Feb 9, 2024 at 9:56 AM Gellner, Oliver via mailop 
wrote:

> Whether an email passes SPF or DKIM is no indicator of whether its spam.
> It just allows you to tie messages to the reputation of a domain, similar
> as you rate messages based on the IP address they are coming from.
> While I'm no advocate on external email forwarding, SPF does not perform a
> good job on identifying emails regardless of forwarding. Most companies
> send emails from shared IP addresses (Office 365, GSuite, Sendgrid, Amazon
> SES, ...), so their SPF records are all, well... identical, which is not
> really useful to tell them apart. This opens a window for various attacks,
> see for example the recent SMTP smuggling attack. A better approach would
> be to get rid of SPF and base DMARC solely on DKIM.
>

Well, this is why I distinguish a properly set SPF record.

A sender has to know EXACTLY what IPs are going to be sending out
legitimate emails from their domain name.  Not a "maybe these IPs" or
"sometimes this IP and sometimes this other IP" it has to be an EXACT
list.  And if the sender doesn't know what the EXACT list is... then what
else are they forgetting?

But external forwarders is always going to break this.

PayPal can list EXACTLY all of the IPs that they will send out messages
from.  And if you're not using an external email forwarders to receive your
email, then you can be sure that any email coming from the paypal.com
domain name that is being sent from an IP published in that SPF list,
actually came from PayPal (now whether or not if the PayPal servers have
been hacked or compromised is another story - insert whatever
domain/organization you want in place of PayPal, the lesser the
organization the more likely that security is not a paramount concern).
But the second you forward mail from PayPal to an external email address,
the precise SPF record is rendered useless.

This is why organizations never bothered to set EXACT SPF records, because
what was the point?  External forwarders were too prevalent to  make it
worthwhile.

This is why we can't have nice things.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 09.02.2024 um 08:50:52 Uhr schrieb Scott Mutter via mailop:

> This is part of the issue I have with all of these band-aid solutions
> when it comes to "fixing" the spam problem with email.  You're going
> to continue to have these issues with email until people realize that
> they are going to have to let go of some of these grandfathered
> standards - like external email forwarding.  If external email
> forwarding was not a thing, then a properly constructed SPF record is
> going to do a pretty good job (a complete job?) of identifying
> messages that are forged (phishing) and those that are legitimate.

A good solution for phishing is S/MIME. Sadly, the adoption is very low.
If all banks, online shops, government would use that, users could
simply check the sender and forging messages would be much, much harder.


-- 
Gruß
Marco

Spam und Werbung bitte an ichschickerekl...@cartoonies.org
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Gellner, Oliver via mailop]

On 09.02.2024 at 15:51 Scott Mutter via mailop wrote:

> On Thu, Feb 8, 2024 at 12:20 PM Randolf Richardson, Postmaster via mailop 
> wrote:
>> Spammers forging eMail accounts is the primary reason SPF and DKIM
>> are so prevalent these days.

>> I believe the day will come when it will be pointless to send eMail
>> from a domain that doesn't have a properly-configured SPF record and
>> all of its outbound mail signed with DKIM.

> I think the issue with SPF and DKIM is that it's becoming trivial for ALL 
> email to have SPF and DKIM that pass muster.  At which point, you're right 
> back where you started.  Lots of spam getting into the Inbox because they all 
> pass SPF and DKIM.
> This is part of the issue I have with all of these band-aid solutions when it 
> comes to "fixing" the spam problem with email.  You're going to continue to 
> have these issues with email until people realize that they are going to have 
> to let go of some of these grandfathered standards - like external email 
> forwarding.  If external email forwarding was not a thing, then a properly 
> constructed SPF record is going to do a pretty good job (a complete job?) of 
> identifying messages that are forged (phishing) and those that are legitimate.

Whether an email passes SPF or DKIM is no indicator of whether its spam. It 
just allows you to tie messages to the reputation of a domain, similar as you 
rate messages based on the IP address they are coming from.
While I'm no advocate on external email forwarding, SPF does not perform a good 
job on identifying emails regardless of forwarding. Most companies send emails 
from shared IP addresses (Office 365, GSuite, Sendgrid, Amazon SES, ...), so 
their SPF records are all, well... identical, which is not really useful to 
tell them apart. This opens a window for various attacks, see for example the 
recent SMTP smuggling attack. A better approach would be to get rid of SPF and 
base DMARC solely on DKIM.

--
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Michael Peddemors via mailop]

On 2024-02-08 22:11, Marco Moock via mailop wrote:

Am Thu, 8 Feb 2024 10:46:51 -0800
schrieb Michael Peddemors via mailop :


The only way this will stop, is when the network operators are forced
to be accountable for outbound traffic


dnsbl exists and some lists (e.g. uceprotect L3) entirely list ISPs
that have a huge amount of spammers in their network.
The more servers that block those ISPs, the less customers will use
them for mail.



FYI, this about a lot more threats than just email of course.  But you 
won't see the 'Too big to block' on those RBL's usually.



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Scott Mutter via mailop]

On Thu, Feb 8, 2024 at 12:20 PM Randolf Richardson, Postmaster via mailop <
mailop@mailop.org> wrote:

> > Am 08.02.2024 schrieb Cyril - ImprovMX via mailop :
> >
> > > But forwarding an email from a domain that have DMARC enabled (with a
> > > policy different than "none") could still work if the sender signed
> > > their email with DKIM. Isn't it correct?
> >
> > That is true. But not all domains have DKIM.
>
> Spammers forging eMail accounts is the primary reason SPF and DKIM
> are so prevalent these days.
>
> I believe the day will come when it will be pointless to send
> eMail
> from a domain that doesn't have a properly-configured SPF record and
> all of its outbound mail signed with DKIM.
>
> I think the issue with SPF and DKIM is that it's becoming trivial for ALL
email to have SPF and DKIM that pass muster.  At which point, you're right
back where you started.  Lots of spam getting into the Inbox because they
all pass SPF and DKIM.

This is part of the issue I have with all of these band-aid solutions when
it comes to "fixing" the spam problem with email.  You're going to continue
to have these issues with email until people realize that they are going to
have to let go of some of these grandfathered standards - like external
email forwarding.  If external email forwarding was not a thing, then a
properly constructed SPF record is going to do a pretty good job (a
complete job?) of identifying messages that are forged (phishing) and those
that are legitimate.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Andy Smith via mailop]

Hello,

On Fri, Feb 09, 2024 at 07:00:34AM +0100, Marco Moock via mailop wrote:
> Am Thu, 8 Feb 2024 17:10:57 +
> schrieb Andy Smith via mailop :
> 
> > Last month there was a complaint on the NANOG (North American
> > Network Operator's Group) that changing the subject line of an email
> > mid-thread disrupted the way emails are grouped, the implication
> > being that the way gmail groups emails is THE correct way to do so.
> 
> GMail is crap, and I don't care about the problems the users have with
> that if I can. Public mailing lists are a place where I can.

I wasn't really trying to pass judgement on gmail either way, just
answering the question of why I think people who appear to have
another address end up wanting to forward it to gmail and yahoo
instead of using it directly.

Even amongst some of the most technical communities today, their use
of gmail is so prevalent (sometimes it is the only email they have
ever used in their lives) that it even sets expectations for how all
email services must work. Actually devoting effort to setting up an
alternative is a big step for even technical users.

When these people are your paying customers, or you are being paid
to get email to these people, there is limited up side in berating
people about their choice of mail service. A fact which of course is
used and abused by the huge mailbox providers for their commercial
benefit.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 09.02.2024 schrieb Jaroslaw Rafa via mailop :

> Dnia  9.02.2024 o godz. 07:13:31 Marco Moock via mailop pisze:
> > S/MIME exists and I really don't understand why banks and online
> > shops don't consequently use it.  
> 
> I must say that my bank is and always was using it. Same for my phone
> provider.

Mine doesn't, my ISP too.

but DHL, a German parcel service, uses it.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia  9.02.2024 o godz. 07:13:31 Marco Moock via mailop pisze:
> S/MIME exists and I really don't understand why banks and online shops
> don't consequently use it.

I must say that my bank is and always was using it. Same for my phone
provider.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Benny Pedersen via mailop]

Philip Paeps via mailop skrev den 2024-02-09 10:56:


You are not wrong.


+1, maybe #metoo

But you should treat ARC signatures in exactly the same way you treat 
DKIM signatures


no not at all unless world like to step on own foots


: as one signal.


what ever this means


Blindly trusting ARC signatures is not going to go well for you.


there is 2 ways to see it:

1: aligned mails
2: unaligned mails

for this 2 there is 2 catagories for trustness that is important:

a: maillists with List-ID header and arc signed/arc sealed should not 
seen as unaligned, becurse origin sender is aligned
b: mails that is sent to another non maillist with then is forwarded 
should be handled like a: imho


the rest is imho aligned and untrusted dkim untrusted arc, if dmarc says 
reject plese do


sadly opendmarc does not yet use openarc results, i dont know if rspamd 
does all well here, but i think what i write above is the way to go, or 
atleast debate


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia  9.02.2024 o godz. 13:03:28 Philip Paeps via mailop pisze:
> 
> Most people don't actually use email anymore.  Email is for
> marketing and receipts.

Yeah, that's probably the main reason why they can live with such
problematic service like Gmail.

I have heard numerous times from Gmail users that they "just didn't get the
email from someone" and they treat it as something normal, that the email
just got lost somewhere. In such cases they try to arrange the communication
some other way, eg. using Facebook Messenger or any other similar tool. They
don't have the attitude (which I am very committed to) that email is
something very basic that just "has to work", and if a message gets lost
somewhere, it's at least a case that needs investigating, and not just
taking it for granted.

But sadly it's not a common attitude nowadays.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Jaroslaw Rafa via mailop]

Dnia  9.02.2024 o godz. 06:58:40 Marco Moock via mailop pisze:
> Not possible if some receivers require SPF, like Google for bulk
> senders.
> One possibility is to add ?all instead of -all. That makes it possible
> that sites that check SPF and reject on -, but accept no SPF, will
> accept the message.

-all is never a good idea, but I had problem with deliverability to Google
also when using ?all, despite the fact that I'm in no way a bulk sender (I
already described my problems several times here - Google files all mail
from my domain to recipients' spam folder).

I seem to have better results with ~all (mail is less often going to spam).
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 09.02.2024 schrieb Julian Bradfield via mailop :

> On 2024-02-09, Marco Moock via mailop  wrote:
> > I don't know if any MTA out there supports [DKIM] directly or
> > supports Milter.  
> 
> Exim supports it, even in the rather old version in Debian 10 that I
> use.

My sentence was wrong, I wanted to ask if there are MTA that don't
support it directly nor support milter.

sendmail, Postfix and Exim support it. All MTA with Milter support it,
Cisco ESA supports it.

I think the reasons for not implementing it are the same as the reasons
for not implementing DNSSEC, IPv6 or S/MIME.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am 09.02.2024 schrieb Matus UHLAR - fantomas via mailop
:

> It was noted that not using DKIM can be used for preventing of
> forwarding because of legal requirements.

A rather bad solution for that because it depends on the checks of the
receiver of the forwarded message.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Philip Paeps via mailop]

On 2024-02-09 15:50:36 (+0800), Cyril - ImprovMX via mailop wrote:
But to get circle back at email forwarding and Gmail issues, there is 
one
point that bothers me with ARC and I'd like that someone could tell me 
that

I'm wrong (with valid arguments, of course).

ARC tells the receiver party that the sender is not the original one, 
but
that sender signed the previous state of AR headers (SPF, DKIM and 
DMARC
state), which they now somehow broke but "it's okay because the 
original

source was different".

Now, if I'm a bad person, I can easily create fake previous headers 
that
looks like it's coming from, say, the IRS, and say that it's passing 
the
SPF and DMARC with great success. I would sign my ARC with my domain, 
which
I control, and in theory, the receiving party would receive an email 
from
me, supposedly originated from the IRS with valid SPF and DMARC 
because I

told so, and signed it ?

This would work if you could trust me in that scenario, but how can 
you?


I'm definitely opposed on building a (white) list of allowed domains, 
as it
would give even more power to the big ones (you'd certainly include 
GAFAM
in it) and gives nearly an impossible state for all the small ones, or 
the

new ones.

If you exclude that whitelisting, ARC (for validating) is absolutely
useless.
Am I wrong?


You are not wrong.  But you should treat ARC signatures in exactly the 
same way you treat DKIM signatures: as one signal.  Blindly trusting ARC 
signatures is not going to go well for you.


Forwarding is generally only seen on the last hop these days.  Unless 
you're the final recipient, ARC won't be a very meaningful signal.  If 
you are the final recipient, you could check how often you've seen that 
ARC signer.  Or that {source,signer,recipient} tuple.  Or a subset.


The only thing ARC tells you is that the forwarder is making some claim 
about the Authentication-Results header.  What you make of that is up to 
you.


Philip
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Julian Bradfield via mailop]

On 2024-02-09, Marco Moock via mailop  wrote:
> I don't know if any MTA out there supports [DKIM] directly or supports
> Milter.

Exim supports it, even in the rather old version in Debian 10 that I
use.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Matus UHLAR - fantomas via mailop]

On 08.02.24 21:51, Archange via mailop wrote:
Sorry if I wasn’t clear, I did not meant alignment when I wrote “require”.  
Just that they are implemented and passing.


But indeed I am not sure of the value in SPF passing without alignment 
though (in a context of DMARC and DKIM working — outside of that it 
definitively has close to zero, it just means you took the time to set it 
up).


The envelope sender is supposed to receive the mail.
Can be used to find out there's problem with forwarded address.

Now that I think about it I’m not sure what SPF brings at all when there is 
DKIM… I can’t see a scenario where one would be able to correctly DKIM 
sign a message but not send from an allowed IP.


- SPF is older than DKIM and easier to implement
- SPF is designed for rejecting at SMTP level, unlike DKIM (DMARC does this)

It was noted that not using DKIM can be used for preventing of forwarding 
because of legal requirements.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS$\*.*
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Taavi Eomäe via mailop]

On 09/02/2024 08:13, Marco Moock via mailop wrote:

S/MIME exists and I really don't understand why banks and online shops
don't consequently use it.


I'd guess it's because until recently, there were way bigger fish to 
fry. Now attention has been turned back towards it, the CA/B Forum 
S/MIME baseline was adopted just recently. Making it possible to 
automate S/MIME certificate renewal (automation which we've come to 
realize is quite vital to avoid downtime).


Not to mention the relative complexity of implementing it on both sides. 
I discovered a major flaw in Apple Mail's S/MIME implementation 
CVE-2023-40440 . S/MIME by 
now is old enough that we've got a layer of cruft to remove before it's 
usable.


My hope is that at some point we would be able to do "BIMI" with just 
S/MIME signed mail at some point. Seems like a good combination.


smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Taavi Eomäe via mailop]

On 08/02/2024 20:23, Randolf Richardson, Postmaster via mailop wrote:

Are there any particular DKIM/ARC mangles you've seen that come to
mind for you that are particularly noteable?  =D


The few we've seen were forwarded from Microsoft or GSuite to some 
gateway that broke both signatures (but passed SPF). It's quite rare, 
there have been only a few cases across hundreds of millions, but we 
keep an eye on this stuff.


It's way more common that there's no DKIM in the first place, which is a 
pity.


smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Taavi Eomäe via mailop]

On 09/02/2024 04:17, Andre van Eyssen via mailop wrote:
The bulk of problematic email now -- I see phishing as the concern 
rather than spam that gets easily tagged -- comes with valid SPF and 
is signed with DKIM. Technical solutions just don't work these days [...]


That's the joy of authenticated mail though, isn't it? Instead of having 
to deal with both the non-technical and technical you can deal with just 
the former and ban specific signers for example.




smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Cyril - ImprovMX via mailop]

I agree with Slavko here.
Uceprotect must not be used to block spammers as it wrongly list entire
block that includes legitimate sender in it, for the sole purpose that some
spammers are in that block.

But to get circle back at email forwarding and Gmail issues, there is one
point that bothers me with ARC and I'd like that someone could tell me that
I'm wrong (with valid arguments, of course).

ARC tells the receiver party that the sender is not the original one, but
that sender signed the previous state of AR headers (SPF, DKIM and DMARC
state), which they now somehow broke but "it's okay because the original
source was different".

Now, if I'm a bad person, I can easily create fake previous headers that
looks like it's coming from, say, the IRS, and say that it's passing the
SPF and DMARC with great success. I would sign my ARC with my domain, which
I control, and in theory, the receiving party would receive an email from
me, supposedly originated from the IRS with valid SPF and DMARC because I
told so, and signed it ?

This would work if you could trust me in that scenario, but how can you?

I'm definitely opposed on building a (white) list of allowed domains, as it
would give even more power to the big ones (you'd certainly include GAFAM
in it) and gives nearly an impossible state for all the small ones, or the
new ones.

If you exclude that whitelisting, ARC (for validating) is absolutely
useless.
Am I wrong?

Le ven. 9 févr. 2024 à 08:03, Slavko via mailop  a
écrit :

> Dňa 9. februára 2024 6:11:29 UTC používateľ Marco Moock via mailop <
> mailop@mailop.org> napísal:
>
> >dnsbl exists and some lists (e.g. uceprotect L3) entirely list ISPs
> >that have a huge amount of spammers in their network.
> >The more servers that block those ISPs, the less customers will use
> >them for mail.
>
> No, that is wrong understanding of UCEPROTECT's L2 & L3,
> they are for signaling to ISPs, that something is wrong in their
> network(s).
>
> As i prove some months ago, L2 listed whole /22 block due
> 4 or 7 (i don't remember exactly, you can search archive) issues.
> Do you consider that as huge? I don't...
>
> But yes, using its L2/L3 to reject will solve all your issues with
> incoming mails and you save a lot of disk space :-D
>
> regards
>
>
> --
> Slavko
> https://www.slavino.sk/
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Slavko via mailop]

Dňa 9. februára 2024 6:11:29 UTC používateľ Marco Moock via mailop 
 napísal:

>dnsbl exists and some lists (e.g. uceprotect L3) entirely list ISPs
>that have a huge amount of spammers in their network.
>The more servers that block those ISPs, the less customers will use
>them for mail.

No, that is wrong understanding of UCEPROTECT's L2 & L3,
they are for signaling to ISPs, that something is wrong in their
network(s).

As i prove some months ago, L2 listed whole /22 block due
4 or 7 (i don't remember exactly, you can search archive) issues.
Do you consider that as huge? I don't...

But yes, using its L2/L3 to reject will solve all your issues with
incoming mails and you save a lot of disk space :-D

regards


-- 
Slavko
https://www.slavino.sk/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am Fri, 09 Feb 2024 13:17:48 +1100 (AEDT)
schrieb Andre van Eyssen via mailop :

> The bulk of problematic email now -- I see phishing as the concern
> rather than spam that gets easily tagged -- comes with valid SPF and
> is signed with DKIM.

S/MIME exists and I really don't understand why banks and online shops
don't consequently use it.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am Thu, 8 Feb 2024 10:46:51 -0800
schrieb Michael Peddemors via mailop :

> The only way this will stop, is when the network operators are forced
> to be accountable for outbound traffic

dnsbl exists and some lists (e.g. uceprotect L3) entirely list ISPs
that have a huge amount of spammers in their network.
The more servers that block those ISPs, the less customers will use
them for mail.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am Thu, 08 Feb 2024 10:20:50 -0800
schrieb "Randolf Richardson, Postmaster via mailop" :

> > Am 08.02.2024 schrieb Cyril - ImprovMX via mailop
> > : 
> > > But forwarding an email from a domain that have DMARC enabled
> > > (with a policy different than "none") could still work if the
> > > sender signed their email with DKIM. Isn't it correct?  
> > 
> > That is true. But not all domains have DKIM.  
> 
>   Spammers forging eMail accounts is the primary reason SPF and
> DKIM are so prevalent these days.

Could be combated by consequently using S/MIME.

>   I believe the day will come when it will be pointless to send
> eMail from a domain that doesn't have a properly-configured SPF
> record and all of its outbound mail signed with DKIM.

It is already there in some cases.

>   All this extra work is thanks to spammers -- they deserve
> zero compassion for their theft-of-service, their fraudulent
> activities, and the forgeries they actively engage in.  They should
> all be permanently banished from the internet, and put through the
> courts of law for any criminal acts they willingly participated in.

Use a dnsbl that lists those spammers and their spam-friendly ISPs,
e.g. uceprotect with all levels. If non-spammers now cancel their
contract there, those companies can be blocked for mail without hitting
ham mails.

> > > The only case where email forwarding is in trouble is for senders
> > > enabling DMARC without sending DKIM-signed emails.  
> > 
> > It makes much more trouble.
> > If MAIL FROM: isn't being changed, a bounce (for whatever reason)
> > goes to the original sender and confuses people and systems (some
> > unsubscribe if a hard bounce is received).
> > 
> > Spam that isn't being detected by your own systems is being
> > forwarded to foreign mail providers and they may list you on a
> > dnsbl.  
> 
>   That is a problem, and many users choose to forward their 
> publicly-published eMail accounts that spammers know about (e.g., 
> from scraping web sites, sharing lists, etc.), or rely on filters to 
> forward spam, to free webmail provider accounts because they regard 
> such free accounts as throw-away accounts that help them avoid 
> clogging up their main accounts.
> 
>   Of course, this doesn't help legitimate providers maintain a
> good reputation because, to the free webmail provider, they look like
> a source of spam (as you noted).  It gets worse because the user 
> periodically logs in to delete all the spam (after checking for any 
> legitimate mail that might have come through, presumeably), so the 
> pattern that the webmail provider sees is a user who keeps deleting 
> nearly every message they receive ... which, to them, likely looks 
> like a user receiving too much spam and just deleting nearly all of 
> it every time they log in.

I don't know who invented that mechanism, but it is really bad when
using mailing lists.
I delete entire threads that I am not interested in without reading
(subject is enough). I also delete read threads with no reply in some
cases.

>   Some universities don't even provide a forwarding option for
> the eMail accounts they set up for their students, and this trend
> will probably continue to grow for the very reasons you laid out.

We need to be able to forward them within the site because we have many
mail systems around (some operated by institutes) and those users have
a general mail address and want to forward that to the inbox inside.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is forwarding to Gmail basically dead?

[Marco Moock via mailop]

Am Thu, 8 Feb 2024 17:10:57 +
schrieb Andy Smith via mailop :

> Last month there was a complaint on the NANOG (North American
> Network Operator's Group) that changing the subject line of an email
> mid-thread disrupted the way emails are grouped, the implication
> being that the way gmail groups emails is THE correct way to do so.

GMail is crap, and I don't care about the problems the users have with
that if I can. Public mailing lists are a place where I can.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop