Re: [mailop] So, about this iOS10 unsubscribe feature...

2017-05-23 Thread steve

would break basic security on a fair few RESTful APIs too!


On 24/05/17 16:36, Bill Cole wrote:
> On 23 May 2017, at 22:03, John Levine wrote:
>
>> I would expect that if it's invalid for
>> POST, it's likely invalid for GET, too.
>
> That is not a reasonable expectation.
>
> Or rather, it's a reasonable 90% expectation and maybe even 99% but
> there is no assurance that a URL which is valid for a GET request will
> behave in the same way in response to a POST request.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop



--
Steve Holdoway BSc(Hons) MIITP
https://www.greengecko.co.nz/
Linkedin: https://www.linkedin.com/in/steveholdoway
Skype: sholdowa



Re: [mailop] So, about this iOS10 unsubscribe feature...

2017-05-23 Thread Suresh Ramasubramanian
Something that reproduces this issue would be great.  Saves us all playing the 
guessing game.

--srs

> On 24-May-2017, at 10:06 AM, Bill Cole wrote:
> 
> That is not a reasonable expectation.
> 
> 
> Or rather, it's a reasonable 90% expectation and maybe even 99% but there is 
> no assurance that a URL which is valid for a GET request will behave in the 
> same way in response to a POST request.


Re: [mailop] So, about this iOS10 unsubscribe feature...

2017-05-23 Thread Bill Cole

On 23 May 2017, at 22:03, John Levine wrote:

> I would expect that if it's invalid for
> POST, it's likely invalid for GET, too.


That is not a reasonable expectation.


Or rather, it's a reasonable 90% expectation and maybe even 99% but 
there is no assurance that a URL which is valid for a GET request will 
behave in the same way in response to a POST request.



Re: [mailop] So, about this iOS10 unsubscribe feature...

2017-05-23 Thread John Levine
In article <6898.1495560...@turing-police.cc.vt.edu> you write:
>On Tue, 23 May 2017 09:29:34 -0400, Joey Rutledge said:
>> Do you guys have any samples of the invalid Unsubscribe headers?  There is a
>> newish spec (RFC8058; https://tools.ietf.org/html/rfc8058) that I’ve seen
>> floating around and wondering if those are the headers screwing things up.

Nope.  The one-click unsub in 8058 uses the same URL from the same
List-Unsubscribe header as always.  The only difference is that the
client does a POST rather than GET to indicate that it's one-click.
But since it's the same URL, I would expect that if it's invalid for
POST, it's likely invalid for GET, too.

R's,
John
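
The GET versus POST distinction described above, as an added example that is not part of the original post or of any mail client: it reads both headers from a message and decides whether a client may send the RFC 8058 one-click POST or should only offer the same URL as an ordinary link. The sample message, its domain, token and DKIM values are constructed, and the DKIM check reads only the `h=` tag on the assumption that the signature was verified elsewhere.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: domain, token and DKIM values are made up.
SAMPLE = """\
From: news@list.example
To: user@rcpt.example
Subject: Weekly update
DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=sel1;
 h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=xxx; b=yyy
List-Unsubscribe: <mailto:unsub-abc123@list.example>,
 <https://list.example/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello.
"""

ONE_CLICK = "List-Unsubscribe=One-Click"


def parse(text):
    return message_from_string(text, policy=default)


def unsubscribe_uris(msg):
    """URIs from List-Unsubscribe, in the order the sender listed them."""
    return re.findall(r"<\s*([^<>\s]+)\s*>", str(msg.get("List-Unsubscribe", "")))


def dkim_covers(msg, names):
    """True if one DKIM-Signature lists every header in `names` in its h= tag.
    Assumption: the signature itself was verified elsewhere; only h= is read."""
    wanted = {n.lower() for n in names}
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", str(sig))
        if m and wanted <= {h.strip().lower() for h in m.group(1).split(":")}:
            return True
    return False


def plan_unsubscribe(msg):
    """Return the request a client would make, or None if there is no usable URI."""
    uris = unsubscribe_uris(msg)
    https = [u for u in uris if u.lower().startswith("https://")]
    web = https or [u for u in uris if u.lower().startswith("http://")]
    post_hdr = str(msg.get("List-Unsubscribe-Post", "")).strip()
    if (post_hdr == ONE_CLICK and https
            and dkim_covers(msg, ["List-Unsubscribe", "List-Unsubscribe-Post"])):
        # RFC 8058: POST to the HTTPS URI with the key/value pair as the body.
        return {"method": "POST", "url": https[0], "body": ONE_CLICK,
                "content_type": "application/x-www-form-urlencoded"}
    if web:
        # Same URL, but only as a link the user opens and confirms (GET).
        return {"method": "GET", "url": web[0], "body": None}
    mailto = [u for u in uris if u.lower().startswith("mailto:")]
    if mailto:
        return {"method": "MAILTO", "url": mailto[0], "body": None}
    return None


if __name__ == "__main__":
    print(plan_unsubscribe(parse(SAMPLE)))
```
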


Re: [mailop] ARC lesson please

2017-05-23 Thread Brandon Long via mailop
On Mon, May 22, 2017 at 10:26 PM, Steve Atkins wrote:

> > On May 22, 2017, at 10:01 PM, Hal Murray wrote:
> >
> >> ARC is the very-near-future solution to much of this. Get your vendors on it.
> >> http://arc-spec.org
> >
> > I'm missing something.  What keeps a bad guy from setting up shop and
> > claiming to be forwarding mail and claiming that SPF was valid on the crap he
> > is sending?

Whether you trust the forwarder is up to the receiver, of course.  One
wouldn't expect to trust every forwarder.

How one would learn which forwarders to trust is more complicated, of
course.  Having a receiver wide whitelist or having the end user or admin
whitelist forwarders is certainly the simpler explanation.  One could also
imagine a registry of well known and correctly working forwarders.

Of course, if a forwarder is compromised, then trusting it is moot.

Also, the assumption here is for DMARC rejection or possibly other cases
like spam reputation calculation.  You should still run your
spam/av/malware/phishing filters on the messages.

> > It seems to me that a critical step for doing things right is that the user
> > has to get involved and agree to receive forwarded mail, including all the
> > spam that gets past the spam filters at the forwarder.  I think that would
> > work for geeks but it's probably too complicated for the typical user.  Do
> > you have to be geeky enough to set up forwarding?
> >
> > The same holds for mailing lists but you don't have to be a geek to get added
> > to one.  I think it would be great if the mail environment asked me if I
> > wanted to get added to a list before it started accepting mail for that list.
> > I wonder if a typical user could handle that.
> >
> > I don't know what happens to transactional mail.
> >
> > Is this only going to work for big players who generate or receive enough
> > traffic so the receiver can develop a useful reputation?

I think smaller operators will be able to use whitelisting quite
effectively.  You should be able to augment your logging of dmarc rejects
or any arc intermediaries and maybe couple with other spam signals and
output a list of potential intermediaries to whitelist.

I'd also expect that at some point, someone will set up a whitelist rbl for
intermediaries as well.


Brandon
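
One way to turn the logging described above into a review list, as an added example that is not part of the original post: it tallies the ARC sealers seen on mail that failed DMARC but carried a chain the receiver itself validated, and keeps those with enough volume and a low spam ratio. The log format, field names, thresholds and domains are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed receiver log, one line per message (format is an assumption):
#   dmarc   = local DMARC result for the message
#   arc     = result of the receiver's own ARC chain validation
#   sealers = ARC-Seal d= domains in chain order (i=1 first)
#   verdict = what the content filters decided
LOG = """\
dmarc=fail arc=pass sealers=lists.example verdict=ham
dmarc=fail arc=pass sealers=lists.example verdict=ham
dmarc=fail arc=pass sealers=lists.example verdict=ham
dmarc=fail arc=pass sealers=alumni.example,lists.example verdict=ham
dmarc=fail arc=pass sealers=bulkfwd.example verdict=spam
dmarc=fail arc=pass sealers=bulkfwd.example verdict=spam
dmarc=fail arc=pass sealers=bulkfwd.example verdict=ham
dmarc=fail arc=fail sealers=lists.example verdict=spam
dmarc=pass arc=pass sealers=lists.example verdict=ham
"""


def candidate_intermediaries(lines, min_msgs=3, max_spam_ratio=0.2):
    """Return [(sealer, messages, spam)] worth a human look, busiest first."""
    stats = defaultdict(lambda: [0, 0])  # sealer -> [messages, spam]
    for line in lines:
        rec = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        # Only mail where trusting the intermediary would change the outcome:
        # DMARC failed, and the ARC chain validated locally. A chain that
        # failed validation says nothing about the domains named in it.
        if rec.get("dmarc") != "fail" or rec.get("arc") != "pass":
            continue
        for sealer in filter(None, rec.get("sealers", "").lower().split(",")):
            stats[sealer][0] += 1
            stats[sealer][1] += rec.get("verdict") == "spam"
    picked = [
        (sealer, n, spam)
        for sealer, (n, spam) in stats.items()
        if n >= min_msgs and spam / n <= max_spam_ratio
    ]
    return sorted(picked, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for sealer, n, spam in candidate_intermediaries(LOG.splitlines()):
        print(f"{sealer}: {n} DMARC-failing messages, {spam} judged spam")
```

The output is a list for an administrator to review, not an automatic whitelist; the content filters still run on every message either way.
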

Re: [mailop] Hosted exchange/Office 365 specific domain junk issue (MLV:ovrnspm)

2017-05-23 Thread Michael Wise via mailop

I’d need the full headers from BOTH samples.
My suspicion is that the IPs used in each are different.
Otherwise, without solid forensic data (the full headers), I’m not prepared to, 
“Guess Authoritatively”. 

We need the full headers of both samples, from both the BCL:2 and BCL:7 emails.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Stefano Bagnara
Sent: Tuesday, May 23, 2017 10:43 AM
To: mailop 
Subject: Re: [mailop] Hosted exchange/Office 365 specific domain junk issue 
(MLV:ovrnspm)

On 23 May 2017 at 19:34, Michael Wise wrote:

> Machine Learning Verdict.
>
> But it was the BCL value of the sending IP that classified it as SCL:9 High
> Confidence Spam.

Can you add something more?
The same message is not blocked from other office domains (BCL:1 & SCL:1).

Is the BCL something related to internal abuse collection for that specific
domain? (the postmaster told me that they don't think the emails are spam, but
in fact I see "low open rates" and this is the only "monitor" I have (didn't
receive complaints and the postmaster confirmed they are happy to receive those
messages). Or is it just related to the fact that the sender sends the same
message to 2000 recipients for that domain and this "alone" is enough to
trigger MLV?

What are the inputs for the BCL value for an IP? I guess this is not "shared"
(because BCL is 1 when I send the same message to another recipient) but then
if it is not shared this domain just received these messages from that IP and
they say they are happy to receive it.

Is there anything I can suggest their postmaster to do about this "false
positive"?




Re: [mailop] Hosted exchange/Office 365 specific domain junk issue (MLV:ovrnspm)

2017-05-23 Thread Stefano Bagnara
On 23 May 2017 at 19:34, Michael Wise wrote:

> Machine Learning Verdict.
>
> But it was the BCL value of the sending IP that classified it as SCL:9
> High Confidence Spam.

Can you add something more?
The same message is not blocked from other office domains (BCL:1 & SCL:1).

Is the BCL something related to internal abuse collection for that specific
domain? (the postmaster told me that they don't think the emails are spam,
but in fact I see "low open rates" and this is the only "monitor" I have
(didn't receive complaints and the postmaster confirmed they are happy to
receive those messages). Or is it just related to the fact that the sender
sends the same message to 2000 recipients for that domain and this "alone"
is enough to trigger MLV?

What are the inputs for the BCL value for an IP? I guess this is not
"shared" (because BCL is 1 when I send the same message to another
recipient) but then if it is not shared this domain just received these
messages from that IP and they say they are happy to receive it.

Is there anything I can suggest their postmaster to do about this "false
positive"?




Re: [mailop] Hosted exchange/Office 365 specific domain junk issue (MLV:ovrnspm)

2017-05-23 Thread Michael Wise via mailop

Machine Learning Verdict.

But it was the BCL value of the sending IP that classified it as SCL:9 High
Confidence Spam.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Stefano Bagnara
Sent: Tuesday, May 23, 2017 5:24 AM
To: mailop 
Subject: [mailop] Hosted exchange/Office 365 specific domain junk issue 
(MLV:ovrnspm)

Hi all,

One of my customers is sending an email to 2000 recipients in the
unicampania.it domain (the domain is a university domain and the sender is a
labor-union for the university employees), a domain hosted pointing to the
outlook protection MX and using a hosted exchange service.

Here is an excerpt of the junked email their postmaster sent back to me:
X-Forefront-Antispam-Report: 
CIP:213.171.189.21;IPV:NLI;CTRY:IT;EFV:NLI;SFV:SPM;SFS:(8196002)(3163022)(300031)(438002)(286005)(359002)(199003)(34991)(189002)(349012);DIR:INB;SFP:;SCL:9;SRVR:AM4PR0501MB2274;H:ms21.mailvox.it;FPR:;SPF:Pass;MLV:ovrnspm;A:1;MX:1;PTR:ms21.mailvox.it;CAT:HSPM;LANG:it;
X-DkimResult-Test: Passed
X-Microsoft-Antispam:
UriScan:;BCL:7;PCL:0;RULEID:(22001)(421252002)(81800236)(3001016)(71702078);SRVR:AM4PR0501MB2274;
X-Exchange-Antispam-Report-Test: UriScan:(81227570615382);
X-Exchange-Antispam-Report-CFA-Test:
BCL:7;PCL:0;RULEID:(601004)(701104)(2401047)(13018025)(8121501046)(13016025)(9101536074)(10201501046)(3002001)(93006095)(93005095);SRVR:AM4PR0501MB2274;BCL:7;PCL:0;RULEID:;SRVR:AM4PR0501MB2274;
X-CustomSpam: Bulk Mail | Bulk Mail
SpamDiagnosticOutput: 1:6
SpamDiagnosticMetadata: Default:7
X-MS-Exchange-Organization-SCL: 6

I'm in touch with the unicampania.it admin that says that they have no
specific filter and they started using hosted exchange only recently. If I
send the same message to my own office365 hosted account (on a different
domain) it is delivered in inbox with SCL=1 instead of SCL=9 (and with BCL:2
instead of BCL:7).

Does anyone know what are the meanings of the "MLV" part of the header? This is 
the first time I see that "MLV:ovrnspm". We all guess what spm is for, but what 
about "ovrn" ?

The receiving postmaster told me that they are using an "almost unconfigured"
version of hosted exchange and they didn't apply any specific rule (the
postmaster for the receiving domain knows the sender).

I know how to open a ticket for the Outlook.com platform, but this is something
specific to the hosted exchange (and maybe specific to a custom domain, even if
they didn't configure anything): is there an online form for
office365/hosted-exchange issues?

Stefano

--
Stefano Bagnara
Void Labs / VOXmail.it
Apache James/jSPF/jDKIM






Re: [mailop] So, about this iOS10 unsubscribe feature...

2017-05-23 Thread valdis . kletnieks
On Tue, 23 May 2017 09:29:34 -0400, Joey Rutledge said:
> Do you guys have any samples of the invalid Unsubscribe headers?  There is a
> newish spec (RFC8058; https://tools.ietf.org/html/rfc8058) that I’ve seen
> floating around and wondering if those are the headers screwing things up.

That probably isn't it - 8058 adds a new "one-click" option to the very old
List-Unsubscribe: (how old? RFC2369 is from last century).  Or more properly,
it's a method to tag the URI as being a one-click auto-ambush link, and that
gratuitously following it in the MTA may piss the user off.

For it to add to your queues, somebody would need to be using the one-click
unsub with a mailto: URI, *and* your local e-mail purgatory software needs
to (a) chase the URI as part of anti-spam/malware protection and (b) do so
even if it's a mailto: rather than http: or ftp: or gopher: or so on.

Having said that, I've seen lots more questionable design decisions




Re: [mailop] So, about this iOS10 unsubscribe feature...

2017-05-23 Thread Joey Rutledge
Do you guys have any samples of the invalid Unsubscribe headers?  There is a
newish spec (RFC8058; https://tools.ietf.org/html/rfc8058) that I’ve seen
floating around and wondering if those are the headers screwing things up.
Not saying it is, but I’m recently familiar with the modification of the
header as it’s something we’ve recently implemented.

Joey Rutledge

> On May 22, 2017, at 10:40 PM, Dave Warren wrote:
> 
> On Mon, May 22, 2017, at 18:59, frnk...@iname.com wrote:
>> Just starting last week we started seeing our outbound queues fill up with 
>> undeliverable client messages generated because of this one-click 
>> unsubscribe feature.  Since this Apple feature has been in place for over 
>> six months, I’m surprised we haven’t seen this until now.
> 
> Is the problem iOS 10 doing something wrong, or is it just some bulk mail 
> sender has started sending mail with invalid Unsubscribe information and 
> users that try to unsubscribe are generating queue noise?
> 
> I don't use the feature much myself on a day to day basis, but I did monkey 
> with it a bit when it first came out and it seems to work as described.
> 
> 


Re: [mailop] So, about this iOS10 unsubscribe feature...

2017-05-23 Thread frnkblk
It appears to be the second -- some bulk mail sender has started sending mail
with invalid Unsubscribe information and users that try to unsubscribe are
generating queue noise.

Frank

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Dave Warren
Sent: Monday, May 22, 2017 9:41 PM
To: mailop@mailop.org
Subject: Re: [mailop] So, about this iOS10 unsubscribe feature...

On Mon, May 22, 2017, at 18:59, frnk...@iname.com wrote:

> Just starting last week we started seeing our outbound queues fill up with
> undeliverable client messages generated because of this one-click unsubscribe
> feature.  Since this Apple feature has been in place for over six months, I’m
> surprised we haven’t seen this until now.

Is the problem iOS 10 doing something wrong, or is it just some bulk mail
sender has started sending mail with invalid Unsubscribe information and users
that try to unsubscribe are generating queue noise?

I don't use the feature much myself on a day to day basis, but I did monkey
with it a bit when it first came out and it seems to work as described.


[mailop] Hosted exchange/Office 365 specific domain junk issue (MLV:ovrnspm)

2017-05-23 Thread Stefano Bagnara
Hi all,

One of my customers is sending an email to 2000 recipients in the
unicampania.it domain (the domain is a university domain and the sender is
a labor-union for the university employees), a domain hosted pointing to
the outlook protection MX and using a hosted exchange service.

Here is an excerpt of the junked email their postmaster sent back to me:

> X-Forefront-Antispam-Report:
> CIP:213.171.189.21;IPV:NLI;CTRY:IT;EFV:NLI;SFV:SPM;SFS:(8196002)(3163022)(300031)(438002)(286005)(359002)(199003)(34991)(189002)(349012);DIR:INB;SFP:;SCL:9;SRVR:AM4PR0501MB2274;H:ms21.mailvox.it;FPR:;SPF:Pass;*MLV:ovrnspm*;A:1;MX:1;PTR:ms21.mailvox.it;*CAT:HSPM*;LANG:it;
> X-DkimResult-Test: Passed
> X-Microsoft-Antispam:
> UriScan:;BCL:7;PCL:0;RULEID:(22001)(421252002)(81800236)(3001016)(71702078);SRVR:AM4PR0501MB2274;
> X-Exchange-Antispam-Report-Test: UriScan:(81227570615382);
> X-Exchange-Antispam-Report-CFA-Test:
> *BCL:7*;PCL:0;RULEID:(601004)(701104)(2401047)(13018025)(8121501046)(13016025)(9101536074)(10201501046)(3002001)(93006095)(93005095);SRVR:AM4PR0501MB2274;BCL:7;PCL:0;RULEID:;SRVR:AM4PR0501MB2274;
> X-CustomSpam: Bulk Mail | Bulk Mail
> SpamDiagnosticOutput: 1:6
> SpamDiagnosticMetadata: Default:7
> X-MS-Exchange-Organization-SCL: 6


I'm in touch with the unicampania.it admin that says that they have no
specific filter and they started using hosted exchange only recently. If I
send the same message to my own office365 hosted account (on a different
domain) it is delivered in inbox with SCL=1 instead of SCL=9 (and with
BCL:2 instead of BCL:7).

Does anyone know what are the meanings of the "MLV" part of the header?
This is the first time I see that "MLV:ovrnspm". We all guess what spm is
for, but what about "ovrn" ?

The receiving postmaster told me that they are using an "almost
unconfigured" version of hosted exchange and they didn't apply any specific
rule (the postmaster for the receiving domain knows the sender).

I know how to open a ticket for the Outlook.com platform, but this is
something specific to the hosted exchange (and maybe specific to a custom
domain, even if they didn't configure anything): is there an online form for
office365/hosted-exchange issues?

Stefano

--
Stefano Bagnara
Void Labs / VOXmail.it
Apache James/jSPF/jDKIM
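
The comparison of both samples that Michael Wise asks for elsewhere in this thread comes down to a field-by-field diff of these headers. The following is an added example, not part of the original post and not a Microsoft tool: it parses the `KEY:value;` pairs and lists the fields that differ. The first sample is the excerpt quoted above (refolded, emphasis marks dropped); the second is constructed, taking only SCL:1 and BCL:2 from the message, with a documentation address as CIP so that a differing connecting IP shows up in the result.

```python
import re
from email import message_from_string

REPORT_HEADERS = ("X-Forefront-Antispam-Report", "X-Microsoft-Antispam")

# Header values from the junked sample quoted in this message (refolded).
SAMPLE_JUNKED = (
    "X-Forefront-Antispam-Report:\n"
    " CIP:213.171.189.21;IPV:NLI;CTRY:IT;EFV:NLI;SFV:SPM;\n"
    " SFS:(8196002)(3163022)(300031)(438002)(286005)(359002)(199003)(34991)\n"
    " (189002)(349012);DIR:INB;SFP:;SCL:9;SRVR:AM4PR0501MB2274;\n"
    " H:ms21.mailvox.it;FPR:;SPF:Pass;MLV:ovrnspm;A:1;MX:1;\n"
    " PTR:ms21.mailvox.it;CAT:HSPM;LANG:it;\n"
    "X-Microsoft-Antispam:\n"
    " UriScan:;BCL:7;PCL:0;\n"
    " RULEID:(22001)(421252002)(81800236)(3001016)(71702078);\n"
    " SRVR:AM4PR0501MB2274;\n"
)

# Constructed second sample: only SCL:1 and BCL:2 come from the message.
# CIP is a documentation address, chosen to show how a different sending IP
# would surface; it is not a finding about the real mail.
SAMPLE_INBOX = (
    "X-Forefront-Antispam-Report:\n"
    " CIP:192.0.2.10;CTRY:IT;SFV:NSPM;SCL:1;SPF:Pass;\n"
    " H:ms21.mailvox.it;PTR:ms21.mailvox.it;LANG:it;\n"
    "X-Microsoft-Antispam: BCL:2;PCL:0;\n"
)


def parse_report(value):
    """Parse 'KEY:value;KEY:value;' into a dict; the first value of a key wins."""
    fields = {}
    for part in re.sub(r"\s+", "", value).split(";"):  # drop folding whitespace
        key, sep, val = part.partition(":")  # first colon only (IPv6 in CIP)
        if not sep or not key:
            continue
        ids = re.findall(r"\((\d+)\)", val)
        # Parenthesised runs such as SFS:(...)(...) become a tuple of ids.
        fields.setdefault(key, tuple(ids) if ids and val.startswith("(") else val)
    return fields


def antispam_fields(raw_headers):
    """Merge the fields of all report headers found in a raw header block."""
    msg = message_from_string(raw_headers)
    merged = {}
    for name in REPORT_HEADERS:
        for value in msg.get_all(name, []):
            for key, val in parse_report(value).items():
                merged.setdefault(key, val)
    return merged


def diff_common(a, b):
    """Fields present in both samples whose values differ: {key: (a, b)}."""
    return {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]}


if __name__ == "__main__":
    junked, inbox = antispam_fields(SAMPLE_JUNKED), antispam_fields(SAMPLE_INBOX)
    for key, (x, y) in diff_common(junked, inbox).items():
        print(f"{key}: {x} -> {y}")
```
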