Re: DIS: DMARC bounces (attn Murphy)

2019-07-02 Thread James Cook
On Thu, 6 Jun 2019 at 02:08, omd  wrote:
>
> On Wed, Jun 5, 2019 at 6:30 PM James Cook  wrote:
> > (I'm not suggesting we use Discourse, just that maybe similar options are
> > available with the current software.)
>
> It seems Mailman does support something like that:
>
> https://wiki.list.org/DEV/DMARC
> https://www.gnu.org/software/mailman/mailman-admin/sender-filters.html
>
> ...Okay, I've gone ahead and set dmarc_moderation_action to "Munge
> From" on all three lists.  Changing the From address is annoying
> (sorry Murphy), but it only applies to messages from domains with
> p=reject DMARC entries, and the alternative is for those messages to
> not be deliverable properly.
>
> Incidentally, Gmail seems to accept such messages but send them to
> Spam.  I set my Agora filter to never send to Spam, so I get a banner
> saying "This message was not sent to Spam because of a filter you
> created."

I'm not sure this worked. Two pieces of evidence:
0. I didn't get Murphy's July 2 Metareport (yet?).
1. Murphy's 2019-06-17 Metareport appears in my inbox as "From: Edward
Murphy "... did e manually add "OFF:" to the
subject?

Can anyone else confirm this change working or not working?

- Falsifian


Re: DIS: DMARC bounces (attn Murphy)

2019-06-06 Thread James Cook
On Thu, 6 Jun 2019 at 02:08, omd  wrote:
> ...Okay, I've gone ahead and set dmarc_moderation_action to "Munge
> From" on all three lists.  Changing the From address is annoying
> (sorry Murphy), but it only applies to messages from domains with
> p=reject DMARC entries, and the alternative is for those messages to
> not be deliverable properly.

Thanks! Let's hope it works well.

> Incidentally, Gmail seems to accept such messages but send them to
> Spam.  I set my Agora filter to never send to Spam, so I get a banner
> saying "This message was not sent to Spam because of a filter you
> created."

I get some with that banner now, but I'm fairly sure some of Murphy's
emails never even made it to spam.


Re: DIS: DMARC bounces (attn Murphy)

2019-06-05 Thread omd
On Wed, Jun 5, 2019 at 6:30 PM James Cook  wrote:
> (I'm not suggesting we use Discourse, just that maybe similar options are
> available with the current software.)

It seems Mailman does support something like that:

https://wiki.list.org/DEV/DMARC
https://www.gnu.org/software/mailman/mailman-admin/sender-filters.html

...Okay, I've gone ahead and set dmarc_moderation_action to "Munge
From" on all three lists.  Changing the From address is annoying
(sorry Murphy), but it only applies to messages from domains with
p=reject DMARC entries, and the alternative is for those messages to
not be deliverable properly.

Incidentally, Gmail seems to accept such messages but send them to
Spam.  I set my Agora filter to never send to Spam, so I get a banner
saying "This message was not sent to Spam because of a filter you
created."
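
Added example, not part of omd's message and not Mailman's code: a Python sketch of the "Munge From" idea described above, rewriting From only when the sender's domain publishes p=reject and keeping the original address in Reply-To so private replies still work. The DMARC records, addresses, list name and the "via" display-name format are constructed assumptions; a real list server would fetch the TXT record for _dmarc.<domain> from DNS.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

def dmarc_policy(txt_record):
    """Return the p= value of a DMARC TXT record, or None if it is not DMARC."""
    tags = {
        k.strip().lower(): v.strip().lower()
        for k, _, v in (part.partition("=") for part in txt_record.split(";"))
        if v
    }
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def munge_from(raw, txt_record, list_name, list_addr):
    """Rewrite From to the list address only for senders with p=reject."""
    msg = message_from_string(raw)
    if dmarc_policy(txt_record) != "reject":
        return msg                      # other domains keep their own From
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    # Keep the poster's name visible at a glance, but use an address whose
    # domain the list controls, so DMARC alignment is judged against the list.
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))   # private replies still work
    return msg

# Constructed sample message and records (placeholders, not real domains).
RAW = (
    "From: Jane Doe <jane@strict.example>\n"
    "To: agora-business@list.example\n"
    "Subject: BUS: test\n"
    "\n"
    "body\n"
)
LIST = ("agora-business", "agora-business@list.example")

def demo(txt_record):
    """Return the (From, Reply-To) pair a subscriber would see."""
    msg = munge_from(RAW, txt_record, *LIST)
    return msg["From"], msg["Reply-To"]

if __name__ == "__main__":
    print(demo("v=DMARC1; p=reject; rua=mailto:reports@strict.example"))
    print(demo("v=DMARC1; p=none"))
```
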


Re: DIS: DMARC bounces (attn Murphy)

2019-06-05 Thread James Cook
On Wed., Jun. 5, 2019, 21:03 James Cook,  wrote:

> > Sure, it would fix the DMARC issue, but it would also make it very hard to
> > tell at a glance who sent which message. Modern mailers have a lot of
> > features for that, but they’re all based around the from line.
>
> I just checked the way Discourse does it (or did it in October 2018).
> I see for example an email from "Marcos Benevides
> ", where the nix...@discoursemail.com is the
> same for all senders.
>
> With that method you could see the name at a glance, but it might be
> tricky to tell exactly which email address it was sent from, which is
> probably bad. But maybe it could be configured to say "Jon Doe
> (john...@webmail.com) ".
>

(I'm not suggesting we use Discourse, just that maybe similar options are
available with the current software.)



Re: DIS: DMARC bounces (attn Murphy)

2019-06-05 Thread James Cook
> Sure, it would fix the DMARC issue, but it would also make it very hard to
> tell at a glance who sent which message. Modern mailers have a lot of
> features for that, but they’re all based around the from line.

I just checked the way Discourse does it (or did it in October 2018).
I see for example an email from "Marcos Benevides
", where the nix...@discoursemail.com is the
same for all senders.

With that method you could see the name at a glance, but it might be
tricky to tell exactly which email address it was sent from, which is
probably bad. But maybe it could be configured to say "Jon Doe
(john...@webmail.com) ".


Re: DIS: DMARC bounces (attn Murphy)

2019-06-04 Thread Aris Merchant
On Tue, Jun 4, 2019 at 8:46 PM James Cook  wrote:

> On Wed, 15 May 2019 at 20:22, ais...@alumni.bham.ac.uk
>  wrote:
> > Translated to English, this states that the email should not be
> considered valid if the Subject field was modified in transit. Of
> > course, the Subject of the email actually was modified (by the list
> > software, inserting the BAK:), so the message fails to verify. The
> > cryptography behind DKIM can't detect that a message is "almost right",
> > it's just a simple pass/fail (in particular, the recipients can't
> > distinguish an entirely forged email from an email that's correct apart
> > from the subject line).
>
> I think I've seen some mailing lists rewrite every message as being
> "from" some email address under the list's control, which I'm guessing
> would fix the DMARC issue. Are there significant disadvantages to
> that? I guess it makes it tricky to figure out how to reply in
> private; is there some way to work around that via a reply-to address
> that wouldn't also make it tricky to reply to the list?



Sure, it would fix the DMARC issue, but it would also make it very hard to
tell at a glance who sent which message. Modern mailers have a lot of
features for that, but they’re all based around the from line.

-Aris



Re: DIS: DMARC bounces (attn Murphy)

2019-06-04 Thread James Cook
On Wed, 15 May 2019 at 20:22, ais...@alumni.bham.ac.uk
 wrote:
> Translated to English, this states that the email should not be
> considered valid if the Subject field was modified in transit. Of
> course, the Subject of the email actually was modified (by the list
> software, inserting the BAK:), so the message fails to verify. The
> cryptography behind DKIM can't detect that a message is "almost right",
> it's just a simple pass/fail (in particular, the recipients can't
> distinguish an entirely forged email from an email that's correct apart
> from the subject line).

I think I've seen some mailing lists rewrite every message as being
"from" some email address under the list's control, which I'm guessing
would fix the DMARC issue. Are there significant disadvantages to
that? I guess it makes it tricky to figure out how to reply in
private; is there some way to work around that via a reply-to address
that wouldn't also make it tricky to reply to the list?


DIS: DMARC bounces (attn Murphy)

2019-05-15 Thread ais...@alumni.bham.ac.uk
I just received an email from agora-business (the list) to my 
callforjudgm...@yahoo.co.uk email address warning me that I was
bouncing emails, and asking me to confirm that the email was still
valid. (The address still works, and I still use it to receive Agoran
mail; it's just that I can no longer send from it easily, so I use a
different address for sending.) That might seem strange, given that I'm
receiving a lot of messages to that email address too; it's not like
everything is bouncing.

The culprit is probably DMARC; Yahoo! are notorious for DMARC
enforcement. DMARC bounces happen when the sender of an email specifies
some rules about how the email should look (e.g. sent via a particular
server, or signed with a particular key), and the email, upon being
received, doesn't comply with them. In other words, someone – but not
most people – is sending emails that look invalid to the recipient.

I'm pretty sure that the person in question is Murphy. E's been having
trouble getting messages through, and eir recent message to BAK let me
see what the headers on eir emails look like (because it's currently
this @alumni.bham.ac.uk email address that's subscribed to BAK). It's
possible to diagnose the problem from a couple of headers on the email:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 t=1557931409;  s=zm2019; d=zoho.com; i=emurph...@zoho.com;
 h=To:From:Subject:Message-ID:Date:MIME-Version:Content-Type:Content-Transfer-Encoding;
 l=6; bh=fdkeB/A0FkbVP2k4J4pNPoeWH6vqBm9+b0C3OY87Cw8=;
 b=mY+jo1/fI+p3ILjXOQGQ/PsgPFmqzsl5wJUzCg7YuHVXIsT1ZFZ9HSXy1NYS95lX
 AhYAlfHTWZikn+OfP+ECfVFiHkmpsjDTgtnGAYKjzIKN+nVOg0HBMBGgADCGKuD0xuO
 4GUSndRa9qmZ5GSLcmtSdwrqukQzr64Vrs1GQhdo=
Authentication-Results: spf=none (sender IP is 145.0.1.64)
 smtp.mailfrom=listserver.tue.nl; alumni.bham.ac.uk; dkim=fail (signature
 did not verify) header.d=zoho.com;alumni.bham.ac.uk; dmarc=fail
 action=oreject header.from=zoho.com;compauth=fail reason=000

The "dmarc=fail" is explaining the immediate cause of what's going on
here: the email claims to be from zoho.com, but could not be verified
as actually coming from there. The main causal factor is the "h=" part
of the DKIM-Signature line:

DKIM-Signature: … h=To:From:Subject:…

Translated to English, this states that the email should not be
considered valid if the Subject field was modified in transit. Of
course, the Subject of the email actually was modified (by the list
software, inserting the BAK:), so the message fails to verify. The
cryptography behind DKIM can't detect that a message is "almost right",
it's just a simple pass/fail (in particular, the recipients can't
distinguish an entirely forged email from an email that's correct apart
from the subject line). 

zoho.com's DMARC settings are to tell the recipient to reject any
apparently forged message that claims to be from them (without even
sending it to a spam folder). So in theory, anyone who can actually
receive Murphy's emails has a non-compliant mailserver :-)

I used to have a similar problem back when I posted from my yahoo.co.uk
email address. There's a fairly simple workaround to it: just type the
DIS:/BUS:/OFF:/BAK: part of the subject line manually, rather than
letting the list software add it. If you do that, then the list
software doesn't modify the email in transit, so the DKIM signature
starts verifying and allows the email to go through.

(Incidentally, the "DMARC failures mean your email doesn't go through
/and/ bounce other people off the lists" issue is fairly well known;
people warned that it would happen as soon as sites started using
restrictive DMARC settings. There's no really good solution to it at
the list software level, though.)

-- 
ais523
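
Added example, not part of the original message: a Python diagnostic that reads the h= tag of a DKIM-Signature header and reports which signed headers differ, after relaxed canonicalization, between the copy as sent and the copy as relayed by a list. It shows why a subject prefix breaks verification while re-folding does not. The messages, addresses and bh=/b= values are constructed placeholders; only the h= list is taken from the header quoted above, and no signature is actually verified.

```python
import re
from email import message_from_string

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376, 3.4.2)."""
    value = re.sub(r"\r?\n", "", value)              # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse runs of whitespace
    return f"{name.lower()}:{value}"

def changed_signed_headers(sent_raw, received_raw):
    """Names listed in h= whose canonical form differs between the two copies."""
    sent = message_from_string(sent_raw)
    received = message_from_string(received_raw)
    signed = parse_tags(sent["DKIM-Signature"])["h"].split(":")
    changed = []
    for name in signed:
        # A signed header that is absent is hashed as an empty value.
        before, after = sent.get(name, ""), received.get(name, "")
        if relaxed(name, before) != relaxed(name, after):
            changed.append(name)
    return changed

# Constructed sample; the h= list matches the header quoted in the message.
SENT = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example;\n"
    " s=selector; h=To:From:Subject:Message-ID:Date:MIME-Version:Content-Type:"
    "Content-Transfer-Encoding;\n bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Sender <sender@sender.example>\n"
    "To: agora-backup@list.example\n"
    "Subject: Metareport\n"
    "Date: Wed, 15 May 2019 14:43:29 +0000\n"
    "\n"
    "body\n"
)
PREFIXED = SENT.replace("Subject: Metareport", "Subject: BAK: Metareport")
REFOLDED = SENT.replace("Subject: Metareport", "Subject:\n  Metareport")

if __name__ == "__main__":
    print(changed_signed_headers(SENT, PREFIXED))   # list added a prefix
    print(changed_signed_headers(SENT, REFOLDED))   # only whitespace changed
```
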