Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
John R Levine writes:

> Large mail systems already know where all the mailing lists are.

Hm. Well, that may be true for Google et al, but the systems at my
employer regularly mark internal business mail as "possible spam",
occasionally mark it as "almost certainly spam", and pass through actual
spam (vs. crap from my employer that I really don't want :-/) unmarked
daily. They don't even know who their own hosts are! (We have two /16s,
identification is trivial and there's no excuse for not knowing.) I get
the feeling there are an awful lot of admins who need all the help they
can get.

> * - PS to Stephen, I know you understand the difference but a lot of other
> people reading this clearly don't.

I'm on Twitter, I don't take anything personally anymore. ;-)

Steve

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
> > As I said a few messages ago, if lists did more stringent tests on
> > incoming mail, a lot of this complexity could be avoided,
>
> I don't understand this. If lists got a pass, every spam would grow
> RFC 2369 header fields. No?

Large mail systems already know where all the mailing lists are. It's
obvious from the tags in the DMARC reports I get from Gmail.

The reason we have kludgy ARC rather than just whitelist list servers is
that lists don't filter inbound spam, so ARC gives the recipient systems
clues to do filtering retroactively. If lists filtered better, e.g., by
doing DMARC checks on INBOUND mail, that's checking INBOUND mail as it
ARRIVES at list servers*, there'd be much less leakage and no need for
retroactive filtering.

Nobody's going to whitelist on List-ID, they'll do it with IP addresses.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

* - PS to Stephen, I know you understand the difference but a lot of
other people reading this clearly don't.
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
John Levine writes:

> As I said a few messages ago, if lists did more stringent tests on
> incoming mail, a lot of this complexity could be avoided,

I don't understand this. If lists got a pass, every spam would grow RFC
2369 header fields. No? So ISTM the received chain needs to be
authenticated for the recipient to trust any last-hop sender, list or
not.

> but they don't so it can't.

Origin checks are generally very useful and effective in my experience.
But I don't see how authentication can be avoided.
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
On 07/22/2018 11:02 PM, Stephen J. Turnbull wrote:
> You're misunderstanding. The ARC community doesn't discourage
> whitelisting other sites. The work to do whitelisting does.

Thank you for clarifying Stephen.

I was afraid that you were somehow implying that there was some sort of
guideline on what sites should and should not implement ARC. I didn't
think that was what you were meaning to imply, but the doubt was there,
hence the questioning.

> Mailing lists are *known* to *frequently* (almost always) break DKIM
> signatures in a way amenable to repair by ARC.[1]

ACK

> The other main pain points for DMARC are third-party services that are
> authorized by the owner of a mailbox to send mail "on behalf of",
> without participation of the administrator of the mailbox's domain. An
> example is invoicing services. These do not benefit from ARC *at all*
> because they have a valid DKIM signature from the originating domain,
> who can be trusted for that service, but don't get such a signature
> from the mailbox's domain as required for DMARC From validation.

I hear and acknowledge what you're saying.

I would think / hope / expect that such services would be from a
different (sub)domain of the client that they are sending email on
behalf of. I would also expect the from address to reflect the
sub-contractor's (sub)domain with a Reply-To: directing replies to the
proper main (parent) domain. (Or some mailbox associated therein.) I
would also expect to see some sort of verbiage stating that "This
message was sent on the behalf of $Parent by $3rdPartyContractor." I
would also hope / expect to see some sort of linking text /
acknowledgement from the parent that they have (sub)contracted some
services to a 3rd party.

But, I learn more and more every day that I have different expectations
than most people.

> The other *possible* use case for ARC would be non-mailing list
> forwarding. But these almost never break the DKIM signature of the
> originator.

They may not break DKIM.

But depending on how they operate, they may break SPF directly
(re-sending with the original SMTP envelope From: thus violating SPF)
-or- indirectly (re-sending with something like SRS) thus breaking
DMARC alignment.

My understanding is that DMARC can be configured to require both SPF
and DKIM alignment. Maybe it's only for reporting and not for pass /
fail tests. I'd have to go back and re-read the specifics about DMARC
again.

The point being that simple .forward(ing) may still break things. I
maintain that detecting such is one of the functional purposes of
DMARC. This is independent of whether such is benign or malicious.

> I guess large services like GMail can eventually add a feature where a
> user can configure GMail to recognize and whitelist specific sites
> where they have mailboxes set to forward to GMail. But I doubt this
> will ever be a standard feature of MDAs. It will be complex and
> fragile to implement, and almost never used.

Agreed to both aspects.

> Footnotes:
> [1] Note that I disagree somewhat with John. I suspect that humongous
> providers like GMail, Yahoo!, and Microsoft will automatically accept
> ARC in the presence of a RFC 2369 List-* header, and blacklist on bad
> behavior, as they do now. That's not perfect from a list admin's point
> of view---it requires a lot of resources to do that well, so small
> sites probably won't---but it's not too bad.

I question the wisdom of making processing of ARC conditional on RFC
2369 List-* headers. I mainly say this because there is nothing that
prevents malicious actors from inserting (possibly bogus) List-*
headers. (Or lots of tiny lists of single recipients.)

--
Grant. . . .
unix || die
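The forwarding, mailing-list and third-party cases that Grant and Stephen go back and forth on above all come down to DMARC identifier alignment. What follows is an added illustration, not code from this thread or from Mailman: it applies the RFC 7489 rule (a message passes DMARC when either the SPF-authenticated envelope domain or the d= domain of a verifying DKIM signature aligns with the From: domain, in strict or relaxed mode) to constructed scenarios that mirror the ones discussed. The domain names are placeholders, and the two-label Organizational Domain shortcut is an assumption standing in for a Public Suffix List lookup.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1) applied to the relay
patterns discussed in the thread. Added example; all scenarios are
constructed and the domains are placeholders."""
from dataclasses import dataclass
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Organizational Domain approximated as the last two labels.
    Assumption: real verifiers consult the Public Suffix List; the
    shortcut is adequate for the constructed examples (no multi-label TLDs)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact domain match,
    'r' (relaxed) needs the same Organizational Domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class Message:
    name: str
    from_domain: str            # RFC5322.From domain, the identity DMARC protects
    spf_domain: Optional[str]   # RFC5321.MailFrom domain used by the last hop
    spf_pass: bool              # did the connecting IP pass SPF for spf_domain
    dkim_domain: Optional[str]  # d= of a DKIM signature that still verifies
    dkim_pass: bool


def dmarc_result(msg: Message, adkim: str = "r", aspf: str = "r") -> dict:
    """A message passes DMARC if EITHER aligned mechanism passes."""
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, aspf)
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}


# Constructed scenarios (placeholder domains) mirroring the thread's cases.
SCENARIOS = [
    # Direct delivery: both mechanisms aligned and passing.
    Message("direct", "example.com", "example.com", True, "example.com", True),
    # Plain .forward: envelope sender kept, so the forwarder's IP fails SPF
    # for example.com; the DKIM signature is untouched and still aligns.
    Message("dot-forward", "example.com", "example.com", False, "example.com", True),
    # SRS rewrite: SPF passes for the forwarder's domain but is not aligned;
    # the surviving DKIM signature still carries the message.
    Message("srs-forward", "example.com", "fwd.example.net", True, "example.com", True),
    # Mailing list: subject tag / footer breaks the author's DKIM signature,
    # and the envelope is the list's domain, so nothing aligns.
    Message("mailing-list", "example.com", "lists.example.org", True, "example.com", False),
    # Third-party invoicing service: valid DKIM, but d= is the service's
    # domain while From: is the client's, so it is not aligned.
    Message("third-party", "example.com", "invoicer.example.net", True, "invoicer.example.net", True),
]


def evaluate_all(adkim: str = "r", aspf: str = "r") -> dict:
    """Map each scenario name to its DMARC pass/fail verdict."""
    return {m.name: dmarc_result(m, adkim, aspf)["dmarc"] for m in SCENARIOS}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:14s} DMARC {'pass' if verdict else 'fail'}")
```

Running it shows the point made above: a plain .forward fails SPF yet still passes DMARC on the aligned DKIM signature, while a list that rewrites the message, or a third party signing with its own d=, fails regardless of how valid its own signature is. That unaligned-but-valid residue is exactly the gap ARC is meant to document for the receiver.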
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
In article you write:
> On Sun, Jul 22, 2018 at 3:18 PM Grant Taylor via Mailman-Users <
> mailman-users@python.org> wrote:
>
> > On 07/21/2018 02:24 PM, John Levine wrote:
> > > I know people working on whiteish lists to use with ARC, to say that
> > > these domains are known to host real mailing lists so you should believe
> > > their ARC assertions.
>
> Why not just have that list, and an X-Trust-Me: YES header? It would be much
> simpler to implement than ARC.

There turns out to be an actual answer to this question, which I have
asked people from Google.

When someone gets his address book stolen from his botted PC, spamware
will send spam to everyone in his address book using his address on the
From: line. If some of those addresses are lists, those lists will
generally forward the spam even though they are otherwise legit. Google
tells me this happens often enough that they can't just whitelist
mailing lists, and ARC gives them the clues to tell forwarded bot spam
from forwarded real mail. I've certainly seen it both on lists I run
and lists I subscribe to.

As I said a few messages ago, if lists did more stringent tests on
incoming mail, a lot of this complexity could be avoided, but they don't
so it can't.

R's,
John
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
On Sun, Jul 22, 2018 at 3:18 PM Grant Taylor via Mailman-Users <
mailman-users@python.org> wrote:

> On 07/21/2018 02:24 PM, John Levine wrote:
> > I know people working on whiteish lists to use with ARC, to say that
> > these domains are known to host real mailing lists so you should believe
> > their ARC assertions.

Why not just have that list, and an X-Trust-Me: YES header? It would be
much simpler to implement than ARC.

Joseph Brennan
Columbia University I T
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
Grant Taylor via Mailman-Users writes:

> I'm questioning why domains that do use ARC headers that don't run
> mailing lists should not be white listed.

You're misunderstanding. The ARC community doesn't discourage
whitelisting other sites. The work to do whitelisting does.

Mailing lists are *known* to *frequently* (almost always) break DKIM
signatures in a way amenable to repair by ARC.[1]

The other main pain points for DMARC are third-party services that are
authorized by the owner of a mailbox to send mail "on behalf of",
without participation of the administrator of the mailbox's domain. An
example is invoicing services. These do not benefit from ARC *at all*
because they have a valid DKIM signature from the originating domain,
who can be trusted for that service, but don't get such a signature
from the mailbox's domain as required for DMARC From validation.

The other *possible* use case for ARC would be non-mailing list
forwarding. But these almost never break the DKIM signature of the
originator. I guess large services like GMail can eventually add a
feature where a user can configure GMail to recognize and whitelist
specific sites where they have mailboxes set to forward to GMail. But I
doubt this will ever be a standard feature of MDAs. It will be complex
and fragile to implement, and almost never used.

Footnotes:
[1] Note that I disagree somewhat with John. I suspect that humongous
providers like GMail, Yahoo!, and Microsoft will automatically accept
ARC in the presence of a RFC 2369 List-* header, and blacklist on bad
behavior, as they do now. That's not perfect from a list admin's point
of view---it requires a lot of resources to do that well, so small
sites probably won't---but it's not too bad.
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
On 07/22/2018 02:05 PM, John Levine wrote:
> Every domain added to a whitelist like this involves manual work.

Yes.

> Why would you waste time on domains that aren't likely to send mail
> with ARC headers?

I'm not suggesting wasting time on domains that wouldn't send ARC
headers.

I'm questioning why domains that do use ARC headers that don't run
mailing lists should not be white listed.

--
Grant. . . .
unix || die
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
In article <1fb88a39-0acd-f34f-c504-9eb217a75...@spamtrap.tnetconsulting.net> you write:
> Is there some place that I can find out more about these people and / or
> their projects?

See the archives of the ARC mailing lists.

> Aside: What does hosting mailing lists or not have to do with believing
> their ARC assertions? - I would hope that the ARC white lists state
> that these senders are probably trust worthy, independent of mailing
> lists or not.

Every domain added to a whitelist like this involves manual work. Why
would you waste time on domains that aren't likely to send mail with ARC
headers?

R's,
John
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
On 07/21/2018 02:24 PM, John Levine wrote:
> I know people working on whiteish lists to use with ARC, to say that
> these domains are known to host real mailing lists so you should
> believe their ARC assertions.

Is there some place that I can find out more about these people and / or
their projects?

Aside: What does hosting mailing lists or not have to do with believing
their ARC assertions? - I would hope that the ARC white lists state
that these senders are probably trustworthy, independent of mailing
lists or not.

--
Grant. . . .
unix || die
Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"
In article you write:
> On 07/19/2018 05:27 PM, Mark Sapiro wrote:
> > The problem is downstream has to trust me. If I'm gmail.com, I'll probably
> > be trusted. If I'm msapiro.net, probably not. Python.org, who knows.
>
> Yep.
>
> I've not yet seen any indication that there will be any good way to
> establish this trust relationship, save for traditional
> Business-to-Business methods. At least I'm not aware of anything more
> automatic.
>
> Thus I question how useful ARC will be for small operators. :-/

I know people working on whiteish lists to use with ARC, to say that
these domains are known to host real mailing lists so you should believe
their ARC assertions.

R's,
John