Re: DIS: DMARC bounces (attn Murphy)
On Thu, 6 Jun 2019 at 02:08, omd wrote: > > On Wed, Jun 5, 2019 at 6:30 PM James Cook wrote: > > (I'm not suggesting we use Discourse, just that maybe similar options are > > available with the current software.) > > It seems Mailman does support something like that: > > https://wiki.list.org/DEV/DMARC > https://www.gnu.org/software/mailman/mailman-admin/sender-filters.html > > ...Okay, I've gone ahead and set dmarc_moderation_action to "Munge > From" on all three lists. Changing the From address is annoying > (sorry Murphy), but it only applies to messages from domains with > p=reject DMARC entries, and the alternative is for those messages to > not be deliverable properly. > > Incidentally, Gmail seems to accept such messages but send them to > Spam. I set my Agora filter to never send to Spam, so I get a banner > saying "This message was not sent to Spam because of a filter you > created." I'm not sure this worked. Two pieces of evidence: 0. I didn't get Murphy's July 2 Metareport (yet?). 1. Murphy's 2019-06-17 Metareport appears in my inbox as "From: Edward Murphy "... did e manually add "OFF:" to the subject? Can anyone else confirm this change working or not working? - Falsifian
Re: DIS: DMARC bounces (attn Murphy)
On Thu, 6 Jun 2019 at 02:08, omd wrote: > ...Okay, I've gone ahead and set dmarc_moderation_action to "Munge > From" on all three lists. Changing the From address is annoying > (sorry Murphy), but it only applies to messages from domains with > p=reject DMARC entries, and the alternative is for those messages to > not be deliverable properly. Thanks! Let's hope it works well. > Incidentally, Gmail seems to accept such messages but send them to > Spam. I set my Agora filter to never send to Spam, so I get a banner > saying "This message was not sent to Spam because of a filter you > created." I get some with that banner now, but I'm fairly sure some of Murphy's emails never even made it to spam.
Re: DIS: DMARC bounces (attn Murphy)
On Wed, Jun 5, 2019 at 6:30 PM James Cook wrote: > (I'm not suggesting we use Discourse, just that maybe similar options are > available with the current software.) It seems Mailman does support something like that: https://wiki.list.org/DEV/DMARC https://www.gnu.org/software/mailman/mailman-admin/sender-filters.html ...Okay, I've gone ahead and set dmarc_moderation_action to "Munge From" on all three lists. Changing the From address is annoying (sorry Murphy), but it only applies to messages from domains with p=reject DMARC entries, and the alternative is for those messages to not be deliverable properly. Incidentally, Gmail seems to accept such messages but send them to Spam. I set my Agora filter to never send to Spam, so I get a banner saying "This message was not sent to Spam because of a filter you created."
Re: DIS: DMARC bounces (attn Murphy)
On Wed., Jun. 5, 2019, 21:03 James Cook, wrote: > > Sure, it would fix the DMARC issue, but it would also make it very hard > to > > tell at a glance who sent which message. Modern mailers have a lot of > > features for that, but they’re all based around the from line. > > I just checked the way Discourse does it (or did it in October 2018). > I see for example an email from "Marcos Benevides > ", where the nix...@discoursemail.com is the > same for all senders. > > With that method you could see the name at a glance, but it might be > tricky to tell exactly which email address it was sent from, which is > probably bad. But maybe it could be configured to say "Jon Doe > (john...@webmail.com) ". > (I'm not suggesting we use Discourse, just that maybe similar options are available with the current software.) >
Re: DIS: DMARC bounces (attn Murphy)
> Sure, it would fix the DMARC issue, but it would also make it very hard to > tell at a glance who sent which message. Modern mailers have a lot of > features for that, but they’re all based around the from line. I just checked the way Discourse does it (or did it in October 2018). I see for example an email from "Marcos Benevides ", where the nix...@discoursemail.com is the same for all senders. With that method you could see the name at a glance, but it might be tricky to tell exactly which email address it was sent from, which is probably bad. But maybe it could be configured to say "Jon Doe (john...@webmail.com) ".
Re: DIS: DMARC bounces (attn Murphy)
On Tue, Jun 4, 2019 at 8:46 PM James Cook wrote: > On Wed, 15 May 2019 at 20:22, ais...@alumni.bham.ac.uk > wrote: > > Translated to English, this states that the email should not be > > considered valid if the Subject fail was modified in transit. Of > > course, the Subject of the email actually was modified (by the list > > software, inserting the BAK:), so the message fails to verify. The > > cryptography behind DKIM can't detect that a message is "almost right", > > it's just a simple pass/fail (in particular, the recipients can't > > distinguish an entirely forged email from an email that's correct apart > > from the subject line). > > I think I've seen some mailing lists rewrite every message as being > "from" some email address under the list's control, which I'm guessing > would fix the DMARC issue. Are there significant disadvantages to > that? I guess it makes it tricky to figure out how to reply in > private; is there some way to work around that via a reply-to address > that wouldn't also make it tricky to reply to the list? Sure, it would fix the DMARC issue, but it would also make it very hard to tell at a glance who sent which message. Modern mailers have a lot of features for that, but they’re all based around the from line. -Aris > >
Re: DIS: DMARC bounces (attn Murphy)
On Wed, 15 May 2019 at 20:22, ais...@alumni.bham.ac.uk wrote: > Translated to English, this states that the email should not be > considered valid if the Subject fail was modified in transit. Of > course, the Subject of the email actually was modified (by the list > software, inserting the BAK:), so the message fails to verify. The > cryptography behind DKIM can't detect that a message is "almost right", > it's just a simple pass/fail (in particular, the recipients can't > distinguish an entirely forged email from an email that's correct apart > from the subject line). I think I've seen some mailing lists rewrite every message as being "from" some email address under the list's control, which I'm guessing would fix the DMARC issue. Are there significant disadvantages to that? I guess it makes it tricky to figure out how to reply in private; is there some way to work around that via a reply-to address that wouldn't also make it tricky to reply to the list?
DIS: DMARC bounces (attn Murphy)
I just received an email from agora-business (the list) to my callforjudgm...@yahoo.co.uk email address warning me that I was bouncing emails, and asking me to confirm that the email was still valid. (The address still works, and I still use it to receive Agoran mail; it's just that I can no longer send from it easily, so I use a different address for sending.) That might seem strange, given that I'm receiving a lot of messages to that email address too; it's not like everything is bouncing. The culprit is probably DMARC; Yahoo! are notorious for DMARC enforcement. DMARC bounces happen when the sender of an email specifies some rules about how the email should look (e.g. sent via a particular server, or signed with a particular key), and the email, upon being received, doesn't comply with them. In other words, someone – but not most people – is sending emails that look invalid to the recipient. I'm pretty sure that the person in question is Murphy. E's been having trouble getting messages through, and eir recent message to BAK let me see what the headers on eir emails look like (because it's currently this @alumni.bham.ac.uk email address that's subscribed to BAK). It's possible to diagnose the problem from a couple of headers on the email: DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1557931409; s=zm2019; d=zoho.com; i=emurph...@zoho.com; h=To:From:Subject:Message-ID:Date:MIME-Version:Content-Type:Content-Transfer-Encoding; l=6; bh=fdkeB/A0FkbVP2k4J4pNPoeWH6vqBm9+b0C3OY87Cw8=; b=mY+jo1/fI+p3ILjXOQGQ/PsgPFmqzsl5wJUzCg7YuHVXIsT1ZFZ9HSXy1NYS95lX AhYAlfHTWZikn+OfP+ECfVFiHkmpsjDTgtnGAYKjzIKN+nVOg0HBMBGgADCGKuD0xuO 4GUSndRa9qmZ5GSLcmtSdwrqukQzr64Vrs1GQhdo= Authentication-Results: spf=none (sender IP is 145.0.1.64) smtp.mailfrom=listserver.tue.nl; alumni.bham.ac.uk; dkim=fail (signature did not verify) header.d=zoho.com;alumni.bham.ac.uk; dmarc=fail action=oreject header.from=zoho.com;compauth=fail reason=000 The "dmarc=fail" is explaining the immediate cause of what's going on here: the email claims to be from zoho.com, but could not be verified as actually coming from there. The main causal factor is the "h=" part of the DKIM-Signature line: DKIM-Signature: … h=To:From:Subject:… Translated to English, this states that the email should not be considered valid if the Subject fail was modified in transit. Of course, the Subject of the email actually was modified (by the list software, inserting the BAK:), so the message fails to verify. The cryptography behind DKIM can't detect that a message is "almost right", it's just a simple pass/fail (in particular, the recipients can't distinguish an entirely forged email from an email that's correct apart from the subject line). zoho.com's DMARC settings are to tell the recipient to reject any apparently forged message that claims to be from them (without even sending it to a spam folder). So in theory, anyone who can actually receive Murphy's emails has a non-compliant mailserver :-) I used to have a similar problem back when I posted from my yahoo.co.uk email address. There's a fairly simple workaround to it: just type the DIS:/BUS:/OFF:/BAK: part of the subject line manually, rather than letting the list software add it. If you do that, then the list software doesn't modify the email in transit, so the DKIM signature starts verifying and allows the email to go through. (Incidentally, the "DMARC failures mean your email doesn't go through /and/ bounce other people off the lists" issue is fairly well known; people warned that it would happen as soon as sites started using restrictive DMARC settings. There's no really good solution to it at the list software level, though.) -- ais523