Re: [Mailman-Users] (relatively) new DMARC issues - and Gmail

2018-04-02 Thread Grant Taylor via Mailman-Users

Have you considered sending your message to the Mailop mailing list?

I know that there are a couple of Gmail admins / coworkers that are 
subscribed to Mailop and will respond to issues like this.


Plus, it might also be a better forum and get more engagement / 
suggestions / gratitude by others learning from your toils.


On 03/31/2018 12:31 PM, Lindsay Haisley wrote:
> At some point Amazon (amazon.com) started publishing a DMARC 
> "p=quarantine" policy, which means that any email which gets redirected 
> and hits my dmarc_shield piece is going to have its From address 
> rewritten to "postmas...@fmp.com" (fmp.com has a proper SPF record).


I'm sure that Amazon is just one of /many/ companies that are working 
with DMARC.  -  Seeing as how some ~> more governments are (going to be) 
requiring DMARC, I expect that we will see more of this.


I don't know what Gmail's policy is with regard to "p=quarantine" 
- whether it rejects such email outright or relegates it to the 
recipient's spam folder. I know that if the sending site publishes 
"p=reject", redirected email is refused by Gmail at the front door. 
I'll have to test the "p=quarantine" behavior.


I'm confident that Mailop subscribers can respond to this.

> Here's the really annoying thing. My dmarc_shield processor rewrites the 
> From header as per SOP for Mailman with the proper switch turned on. The 
> From header address becomes "postmas...@fmp.com" with the original From 
> address in the address comment (from xxx at yyz.com). If the email didn't 
> already have a Reply-To address, the original From address is inserted 
> as the Reply-To address. If a Gmail user replies to such an email, the 
> reply goes to the Reply-To address, but Gmail **whitelists** the From 
> address! Thereafter, any email which comes in with a munged From address 
> is accepted, bypassing Gmail's otherwise pretty good spam filtering. I'm 
> noticing a lot of spam email going out with From addresses for which 
> a DMARC "p=reject" policy is published, which means that any such spam 
> redirected to the Gmail user via FMP is also whitelisted. Bah! It's a 
> fucking war zone out there!


I'm confident that Mailop subscribers can respond to this too.  Probably 
including reasons as to why something is done.


I speculate that it's to prevent abuse of meaningless addresses being 
used in the From: address and causing replies to go somewhere other than 
back to the (purported) sender.


> The only possible solution here would be to randomize the username portion 
> of the rewritten From address, which makes the email look more like spam, 
> and the Gmail user would end up with a whole lot of useless whitelisted 
> addresses which would need to be deleted. Not to mention the fact that 
> FMP's mail server might be blocked from sending ANY email to Gmail.


I initially thought about something like an MD5 hash of the (purported) 
From address.  Though that still suffers from the multiple addresses 
being whitelisted.  Despite that, I'd consider forwarding from a 
"forwarding" (sub)domain.  Something to hopefully help articulate to the 
human looking at the complaints that the message is forwarded.  Plus 
I would expect this to help differentiate email reputation for 
fmp.com from the (sub)domain used for forwarding.  (I don't know if a 
sub-domain would suffice or if it should be a different parallel / 
sibling domain, fmp-forwarding.com.)




--
Grant. . . .
unix || die
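For readers who want to see the rewriting Lindsay describes and the two variations Grant suggests in one place, here is an added example. It is not Mailman's "Munge From" code and not Lindsay's dmarc_shield: it rewrites From: to the forwarder's address with the original author kept in the display-name comment ("from xxx at yyz.com"), preserves the original From: as Reply-To when the sender set none, and optionally uses a dedicated forwarding domain plus a per-author hashed local part so that one Gmail reply does not whitelist a single shared address for every forwarded sender. `FORWARD_DOMAIN`, the `fwd-<hash>` scheme and the sample message are assumptions.

```python
"""From: munging for a DMARC-aware forwarder (added example, not Mailman code)."""
import hashlib
from email import message_from_string
from email.utils import formataddr, parseaddr

# Assumed dedicated forwarding domain (Grant's suggestion), not fmp.com itself.
FORWARD_DOMAIN = "fmp-forwarding.example"


def forwarder_local_part(original_addr, per_author):
    """Shared 'postmaster', or a stable per-author token (Grant's hash idea).

    A hash is used instead of a random string so the same author always maps
    to the same address; SHA-256 truncated to 16 hex chars is an assumption.
    """
    if not per_author:
        return "postmaster"
    digest = hashlib.sha256(original_addr.lower().encode("utf-8")).hexdigest()
    return "fwd-" + digest[:16]


def munge_from(raw_message, per_author=False):
    """Return a parsed message with From: rewritten and the author kept reachable."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    if not addr:
        return msg  # nothing to rewrite
    # Display name: author's name plus the original address spelled out as
    # "xxx at yyz.com", as the thread describes.
    comment = "from " + addr.replace("@", " at ")
    display = f"{name} ({comment})" if name else comment
    new_addr = f"{forwarder_local_part(addr, per_author)}@{FORWARD_DOMAIN}"
    del msg["From"]
    msg["From"] = formataddr((display, new_addr))
    # Keep replies going to the author, but never clobber a Reply-To the
    # sender already set.
    if msg.get("Reply-To") is None:
        msg["Reply-To"] = formataddr((name, addr))
    return msg


def header_summary(msg):
    """Parsed From:/Reply-To: as plain strings, convenient for checks."""
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return {"from_name": from_name, "from_addr": from_addr, "reply_to": reply_addr}


# Constructed sample message; addresses are placeholders.
SAMPLE = """\
From: Amazon Shipping <ship-confirm@amazon.com>
To: someone@fmp.com
Subject: Your order has shipped

Thanks for your order.
"""

if __name__ == "__main__":
    for per_author in (False, True):
        print(header_summary(munge_from(SAMPLE, per_author)))
```

The per-author variant trades Grant's concern about "a whole lot of useless whitelisted addresses" against the shared-address problem Lindsay raises; which is worse depends on how many distinct senders a given recipient replies to.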

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] (relatively) new DMARC issues - and Gmail

2018-04-02 Thread Mark Sapiro
On 03/31/2018 11:31 AM, Lindsay Haisley wrote:
> 
> At some point Amazon (amazon.com) started publishing a DMARC
> "p=quarantine" policy, which means that any email which gets redirected
> and hits my dmarc_shield piece is going to have its From address
> rewritten to "postmas...@fmp.com" (fmp.com has a proper SPF record).


Why do you feel this is necessary?

I suppose it is possible that amazon publishes a DMARC policy and does
NOT DKIM sign its outgoing email but relies solely on SPF domain
alignment to pass DMARC, but I think this would be a rare exception.

If the mail from Amazon is DKIM signed with an aligned domain and you
make no transformations that would break that sig, i.e. you are a simple
.forward or alias type forwarder, the DKIM sig will still validate at
the receiver and you don't need to munge the From:


> Here's the really annoying thing. My dmarc_shield processor rewrites
> the From header as per SOP for Mailman with the proper switch turned
> on. The From header address becomes "postmas...@fmp.com" with the
> original From address in the address comment (from xxx at yyz.com). If
> the email didn't already have a Reply-To address, the original From
> address is inserted as the Reply-To address. If a Gmail user replies to
> such an email, the reply goes to the Reply-To address, but Gmail
> **whitelists** the From address! Thereafter, any email which comes in
> with a munged From address is accepted, bypassing Gmail's otherwise
> pretty good spam filtering. I'm noticing a lot of spam email going out
> with From addresses for which a DMARC "p=reject" policy is published,
> which means that any such spam redirected to the Gmail user via FMP is
> also whitelisted. Bah! It's a fucking war zone out there!


The first question is why would the ultimate gmail recipient reply to
the spam in the first place.

The next question is assuming it is spam, does it originate from an
amazon server. If not, it should fail DMARC when you receive it and you
should consider honoring the amazon DMARC policy and not forward the mail.

And if it does originate from an amazon server with a valid DKIM sig are
you making transformations that invalidate the DKIM sig?

Again, if not, if you are a simple forwarder, you shouldn't need to munge
the From:.

I understand part of the intent is a heads-up to people like me, and in
my case, I am not a simple forwarder, but I'm hopeful that eventually at
least, ARC can help, but I still don't understand why this is an issue
for you.

It seems your case is simple. If it fails DMARC when it reaches you,
honor the p=quarantine and don't forward the mail. If it passes DMARC
based on DKIM, forward it without munging the From:. That leaves only
the case where it passes DMARC solely on SPF, and my guess is that this
is an empty or almost empty set.

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
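The three cases Mark lays out in his last paragraph can be written down as a forwarding decision. The following is an added example, not Mailman code and not Mark's: it reads the forwarder's own Authentication-Results header and returns one of three actions: do not forward when DMARC failed against a quarantine/reject policy, forward unchanged when DMARC passed with an aligned DKIM signature (a simple forwarder leaves that signature intact), and rewrite From: only in the remaining case where DMARC passed on SPF alone, since the forwarder's envelope sender will not pass SPF at Gmail. It assumes the forwarder's MTA has already added an RFC 8601 Authentication-Results header with the `header.d`, `header.from` and `p=` properties that OpenDKIM/OpenDMARC emit, checks alignment in relaxed mode with a two-label organizational-domain heuristic instead of the Public Suffix List, and uses constructed sample messages.

```python
"""Forwarding decision from the forwarder's DMARC evaluation (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

FORWARD = "forward-unchanged"
FORWARD_MUNGED = "forward-with-munged-from"
DO_NOT_FORWARD = "do-not-forward"


def org_domain(domain):
    """Two-label heuristic for the organizational domain (use the PSL in real code)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """Parse 'authserv-id; method=result prop=val ...; ...' into lists per method."""
    value = " ".join(value.split())            # unfold the header
    results = {}
    for part in value.split(";")[1:]:          # element [0] is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)(.*)", part)
        if not m:
            continue
        method, result, rest = m.groups()
        # Properties such as header.d=... and the p=... inside OpenDMARC's comment
        props = dict(re.findall(r"([\w.-]+)=([^\s()]+)", rest))
        results.setdefault(method, []).append({"result": result, **props})
    return results


def forwarding_decision(raw_message):
    """Return FORWARD, FORWARD_MUNGED or DO_NOT_FORWARD for one message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_org = org_domain(from_addr.rpartition("@")[2])
    ar = parse_auth_results(msg.get("Authentication-Results", ""))

    dmarc = ar.get("dmarc", [{}])[0]
    policy = dmarc.get("p", "none")            # absent result: no policy found
    if dmarc.get("result") != "pass":
        # Honor the sender's published policy instead of forwarding the failure.
        return DO_NOT_FORWARD if policy in ("quarantine", "reject") else FORWARD

    dkim_aligned = any(
        r["result"] == "pass" and org_domain(r.get("header.d", "")) == from_org
        for r in ar.get("dkim", [])
    )
    if dkim_aligned:
        return FORWARD                         # signature survives a simple forward
    # DMARC passed only on SPF; that cannot survive a change of envelope sender.
    return FORWARD_MUNGED


# Constructed samples; authserv-id and addresses are placeholders.
DKIM_PASS = """\
Authentication-Results: mx.fmp.example;
 dkim=pass (2048-bit key) header.d=amazon.com header.i=@amazon.com;
 spf=pass smtp.mailfrom=bounces.amazon.com;
 dmarc=pass (p=quarantine dis=none) header.from=amazon.com
From: Amazon Shipping <ship-confirm@amazon.com>
Subject: Your order has shipped

Thanks for your order.
"""

SPOOF_FAIL = """\
Authentication-Results: mx.fmp.example;
 dkim=fail header.d=amazon.com;
 spf=fail smtp.mailfrom=unrelated.example;
 dmarc=fail (p=quarantine dis=quarantine) header.from=amazon.com
From: Amazon Shipping <ship-confirm@amazon.com>
Subject: Verify your account

Click here.
"""

SPF_ONLY = """\
Authentication-Results: mx.fmp.example;
 dkim=none;
 spf=pass smtp.mailfrom=newsletter.example;
 dmarc=pass (p=quarantine dis=none) header.from=newsletter.example
From: News <news@newsletter.example>
Subject: Weekly digest

Hello.
"""

NO_POLICY = """\
Authentication-Results: mx.fmp.example;
 dkim=none;
 spf=pass smtp.mailfrom=hobby.example;
 dmarc=none header.from=hobby.example
From: Pat <pat@hobby.example>
Subject: Hi

Hello.
"""

if __name__ == "__main__":
    for name, sample in [("dkim", DKIM_PASS), ("spoof", SPOOF_FAIL),
                         ("spf-only", SPF_ONLY), ("no-policy", NO_POLICY)]:
        print(name, forwarding_decision(sample))
```

The SPF-only branch is the "empty or almost empty set" Mark expects; logging how often it fires is a cheap way to confirm that on real traffic before deciding whether From: rewriting is worth its side effects.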