Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Brandon Long via mailop
On Mon, Jan 31, 2022 at 9:06 PM John Levine via mailop wrote:

> It appears that Geoff Mulligan via mailop  said:
> >1. If a recipient on an email message is both in the To: or Cc: and on
> >the mailing list, should the listserver send the message to the recipient:
> >  a) By default
> >  b) Not by default (but configurable)
> >  c) Never
>
> This is a theological issue.  Some people insist that since the recipient
> already got one copy, it is a crime against nature to send another.  But
> some of us file our list mail differently from our personal mail, and find
> it ignorant and condescending to imagine that we don't want both copies.
>
> You can't win.  Mailman makes it a per-recipient option.
>
> >2. If a mailing list is in the BCC: should a message be delivered to the
> >list:
> >  a) Yes - always
> >  b) No - never
> >  c) Configurable
> >  d) Convert it to a CC:
>
> You mean if the list's address isn't on the To or Cc line?  My practical
> advice would be to reject it or put it in the moderation queue since in
> practice such messages are about 99.9% from spambots.  "If you want to send
> mail to these lists, send it like a normal person would."
>

I mean, I think "mailing list in the BCC" is a pretty rare case, though I
guess less so because of our decision with Gmail to send the messages with a
Bcc header.  More likely case is "not in the to/cc".

Anyways, Google Groups doesn't modify the Bcc, it'll leave it as is.  The
general reasoning was making it easier for people to know why they got a
message, even if some were confused why they got a message if they weren't on
the to/cc/bcc "you mistakenly told me they also sent to this mailing list".

Brandon
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread John Levine via mailop
It appears that Geoff Mulligan via mailop  said:
>1. If a recipient on an email message is both in the To: or Cc: and on 
>the mailing list, should the listserver send the message to the recipient:
>  a) By default
>  b) Not by default (but configurable)
>  c) Never

This is a theological issue.  Some people insist that since the recipient
already got one copy, it is a crime against nature to send another.  But some
of us file our list mail differently from our personal mail, and find it
ignorant and condescending to imagine that we don't want both copies.

You can't win.  Mailman makes it a per-recipient option.

>2. If a mailing list is in the BCC: should a message be delivered to the 
>list:
>  a) Yes - always
>  b) No - never
>  c) Configurable
>  d) Convert it to a CC:

You mean if the list's address isn't on the To or Cc line?  My practical advice
would be to reject it or put it in the moderation queue since in practice such
messages are about 99.9% from spambots.  "If you want to send mail to these
lists, send it like a normal person would."

R's,
John


Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Grant Taylor via mailop

On 1/31/22 11:07 AM, Sebastian Nielsen via mailop wrote:
> 1: never, as the original email has already been sent to the recipient
> by the original server.

I disagree.

I /expressly/ want the copy of messages from the mailing list, /NOT/ the
copy directly addressed to me.

Mailman (2.x) has an option to specify how I want it to behave in this
regard.  So I'm not the only person that wants this.

> EXCEPTION: If the message was submitted to the listserver by another
> means - for example webform/unix call, or via an authenticated session
> (where sender is either authenticated by username/password or by an IP
> ACL) and the email message comes directly from a MUA (like Thunderbird
> or Microsoft Outlook), then send it to the extra recipient, as you
> are in this case the first server in chain and have responsibility
> to deliver it to the extra recipient.

I think that's *highly* dependent on if the listserver is functioning as
the MSA or not.  Even then, I would expect the MSA to use port 587 or
465 for client communications.  I suppose it is possible for the Mailing
List Manager to provide its own SMTP functionality and behave as the
MSA -- on TCP port 25 to receive email from the world.

> EXCEPTION2: If the recipient and the mailing list are in the same domain
> (for example firstname.lastn...@company.org and mailingl...@company.org)
> or 2 domains for which the list server is both responsible for,
> then you also by default take responsibility for delivering the email
> to the second recipient (by default).

I feel like you're likely combining the MSA / MTA / MLM functions,
things which I believe should be completely independent of each other.

> 2: I would say, convert it to a CC. Then you avoid being classified
> as spam because neither the list address nor the recipient of the
> email comes up as one of the mail's recipients, which usually is a
> sign of spam.

Most of the mailing lists that I've seen require the mailing list itself
to be either a To: or CC: explicitly as an anti-spam / anti-abuse
mechanism.  Thus mostly negating this concern.




--
Grant. . . .
unix || die





Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Grant Taylor via mailop

On 1/31/22 12:44 PM, Jaroslaw Rafa via mailop wrote:
> Ah, I did not assume that the mailing list server is different from
> the originating server. For me, the question *only* makes sense when
> it is the same server. If they are different servers, then there is
> no problem at all.

Remember, SMTP servers operate on the SMTP envelope.

As such, the first SMTP server would send one copy directly to the
recipient's SMTP server and another copy to the MLM's SMTP server.  The
MLM's SMTP server would not receive the direct recipient as part of the
envelope.  Thus it would not have SMTP level data that a copy should go
to the first recipient.

> The *only* job of mailing list software is to resend the mail it
> receives to list members. It should completely ignore recipients in
> "To:" or "Cc:" headers, they are of no interest for a mailing list and
> they have already been taken care of by the originating server, as you
> indicated. In case of two different servers, you are right of course.

Mailman (2.x) has an option to not send additional copies to subscribers
if they are either To: or CC: recipients.  This is (at least) a
per-recipient setting.  (I don't know if there is a mailing list /
Mailman server default.)




--
Grant. . . .
unix || die





Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Grant Taylor via mailop

On 1/31/22 11:31 AM, Jaroslaw Rafa via mailop wrote:
> The message should be delivered to list,

There is a big difference in the message being delivered to the
(mailing) list (manager) and the MLM re-distributing it to subscribers.

The former should happen.

The latter is dependent on MLM / list abuse settings.



--
Grant. . . .
unix || die





Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread Brandon Long via mailop
On Sun, Jan 30, 2022 at 4:21 AM Edgaras | SENDER via mailop <mailop@mailop.org> wrote:

> Hello,
>
> We noticed in Google Postmaster Tools a lot of bad reputation IPs which do
> not belong to us, and are actually forbidden from sending emails on our
>  behalf via SPF -all, yet Gmail thinks the messages from these IPs were
> fully authenticated.
>
> After investigating some reports, it looks like a DKIM replay attack,
> where Gmail does not validate the original DKIM signature (which includes
> Message-ID:Reply-To:To: fields), and even ignores SPF permerror, if the
> message contains ARC headers.
>
> Full headers below, any insights or suggestions would be appreciated:
>
>
> Delivered-To: incident-repor...@gmail.com
> Received: by 2002:ab0:340c:0:0:0:0:0 with SMTP id z12csp1291860uap;
> Fri, 28 Jan 2022 15:34:21 -0800 (PST)
> X-Google-Smtp-Source:
> ABdhPJxGsLcEEUpdbgGs3QgR03Rr9huo0nZHyOFLB9HDsbANUeb9dkNH/PpuXMfWArmb2WtJtVZk
> X-Received: by 2002:a17:902:cec8:: with SMTP id
> d8mr10494650plg.98.1643412861553;
> Fri, 28 Jan 2022 15:34:21 -0800 (PST)
> ARC-Seal: i=2; a=rsa-sha256; t=1643412861; cv=pass;
> d=google.com; s=arc-20160816;
> ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
> s=arc-20160816;
> h=date:date:content-transfer-encoding:mime-version:to:reply-to:from
>  :subject:subject:message-id:dkim-signature:dkim-signature
>  :delivered-to;
> bh=JYMTX3Rr+OZICy76j7DTKZeSFGH9xqoJ5IlXE//bwFY=;
> ARC-Authentication-Results: i=2; mx.google.com;
>dkim=temperror (no key for signature) header.i=@
> knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
>dkim=pass header.i=@sendersrv.com header.s=smtp header.b=Ra7fdByf;
>arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass dkdomain=
> sendersrv.com);
>spf=permerror (google.com: permanent error in processing during
> lookup of 921108683ccq405...@universidadebrasil.edu.br:
> host.universidadebrasil.email not found) smtp.mailfrom=
> 921108683ccq405...@universidadebrasil.edu.br
> Return-Path: <921108683ccq405...@universidadebrasil.edu.br>
> Received: from lingojam.com ([212.83.129.110])
> by mx.google.com with ESMTP id
> j9si7146126plx.86.2022.01.28.15.34.21
> for ;
> Fri, 28 Jan 2022 15:34:21 -0800 (PST)
> Received-SPF: permerror (google.com: permanent error in processing during
> lookup of 921108683ccq405...@universidadebrasil.edu.br:
> host.universidadebrasil.email not found) client-ip=212.83.129.110;
> Authentication-Results: mx.google.com;
>dkim=temperror (no key for signature) header.i=@
> knowledgemodish.org.uk header.s=sender header.b=heNp+Lc9;
>dkim=pass header.i=@sendersrv.com header.s=smtp header.b=Ra7fdByf;
>arc=pass (i=1 spf=pass spfdomain=sendersrv.com dkim=pass dkdomain=
> sendersrv.com);
>spf=permerror (google.com: permanent error in processing during
> lookup of 921108683ccq405...@universidadebrasil.edu.br:
> host.universidadebrasil.email not found) smtp.mailfrom=
> 921108683ccq405...@universidadebrasil.edu.br
>

I'm confused, this says the DKIM did pass.

You can also see that the bodyhash (bh=) in the AMS and DKIM headers is all
the same, so the body itself didn't change?

Note that although ARC from gmail to gmail can be used to bypass a DKIM
failure, that's not what's happening here.

A replay attack is the most likely explanation, yes.

Brandon



>
> Delivered-To: ysoul8...@gmail.com
> Received: by 2002:a02:a14a:0:0:0:0:0 with SMTP id m10csp394823jah;
> Fri, 28 Jan 2022 07:31:40 -0800 (PST)
> X-Received: by 2002:a2e:2a04:: with SMTP id
> q4mr6116831ljq.428.1643383900388;
> Fri, 28 Jan 2022 07:31:40 -0800 (PST)
> ARC-Seal: i=1; a=rsa-sha256; t=1643383900; cv=none;
> d=google.com; s=arc-20160816;
> ARC-Mess
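
Added example (not part of the thread and not Gmail's logic): one way to pull out of a message the facts discussed above, namely which DKIM domain passed, what SPF said about the envelope sender, and whether the bh= values in the DKIM-Signature and ARC-Message-Signature headers agree. The sample headers are constructed and every domain, selector and hash in them is a placeholder; the Authentication-Results parser is simplified (it drops comments and splits on ";").

```python
import re
from email import message_from_string

# Constructed sample shaped like the headers quoted above; every domain,
# selector and hash value here is a placeholder, not taken from the report.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
       dkim=temperror (no key for signature) header.i=@throwaway.example header.s=sender;
       dkim=pass header.i=@esp.example header.s=smtp;
       arc=pass (i=1 spf=pass spfdomain=esp.example dkim=pass dkdomain=esp.example);
       spf=permerror (permanent error in processing) smtp.mailfrom=bounce@unrelated.example
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example;
       s=arc; h=to:from:subject:message-id:dkim-signature;
       bh=Q09OU1RSVUNURUQtQk9EWS1IQVNI; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example; s=smtp;
       h=message-id:reply-to:to:from:subject;
       bh=Q09OU1RSVUNURUQtQk9EWS1IQVNI; b=PLACEHOLDER
From: Newsletter <news@esp.example>
To: original-recipient@customer.example
Subject: constructed sample

body
"""


def tag_value(header_value, tag):
    """Return one tag (e.g. bh, d) from a DKIM-style tag=value list."""
    for part in header_value.split(";"):
        name, _, value = part.partition("=")
        if name.strip() == tag:
            return re.sub(r"\s+", "", value)   # remove folding whitespace
    return None


def auth_results(header_value):
    """Parse Authentication-Results into [(method, result, {prop: value})].

    Comments are removed first: the arc= comment above contains "spf=pass",
    which a naive search for "spf=" would mistake for the SPF verdict.
    """
    no_comments = re.sub(r"\([^()]*\)", " ", header_value)
    parsed = []
    for clause in no_comments.split(";")[1:]:      # [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed.append((method.lower(), result.lower(), props))
    return parsed


def domain_of(addr):
    """Domain part of "user@domain" or "@domain", lower-cased."""
    return addr.rsplit("@", 1)[-1].strip("<>").lower()


def analyse(raw):
    """Summarise the authentication facts relevant to a DKIM replay."""
    msg = message_from_string(raw)
    results = [r for v in msg.get_all("Authentication-Results", [])
               for r in auth_results(v)]
    dkim_pass = sorted({domain_of(p["header.i"]) for m, r, p in results
                        if m == "dkim" and r == "pass" and "header.i" in p})
    spf = [(r, domain_of(p.get("smtp.mailfrom", "")))
           for m, r, p in results if m == "spf"]
    hashes = {tag_value(v, "bh")
              for name in ("DKIM-Signature", "ARC-Message-Signature")
              for v in msg.get_all(name, [])} - {None}
    # Envelope sender failed SPF and is not the domain whose signature passed.
    unrelated_envelope = any(r != "pass" and d not in dkim_pass for r, d in spf)
    return {
        "dkim_pass": dkim_pass,
        "spf": spf,
        "body_hashes_agree": len(hashes) == 1,
        # Valid signature + untouched body + unrelated sender: replay pattern.
        "replay_suspected": bool(dkim_pass) and unrelated_envelope
                            and len(hashes) == 1,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Ordinary forwarding produces the same combination, so this is a signal to correlate with volume and source IPs, not a verdict on a single message.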

Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Bob Proulx via mailop
Geoff Mulligan via mailop wrote:
> 1. If a recipient on an email message is both in the To: or Cc: and on the
> mailing list, should the listserver send the message to the recipient:
>  a) By default
>  b) Not by default (but configurable)
>  c) Never

If a message was sent to me directly and also to a mailing list to
which I am subscribed then if I don't get both copies of the message I
look to see what failed that I didn't get the message from the mailing
list to which I was validly subscribed.

The direct copy will show the headers of the message and the body as
sent by the sender directly to me the recipient.  The mailing list
copy will have been processed, will have List-*: headers added, will
possibly have footers and subject tags added, will possibly be
converted to a digest (dog help us), and these days will have broken
DKIM by doing so.

Mailman has an option "Filter out duplicate messages to listmembers
(if possible)" that avoids mailing to the subscriber if it sees the
subscriber address in a To or Cc field.  I really hate that feature.

However configurable is best as there are others that like that feature.

> 2. If a mailing list is in the BCC: should a message be delivered to the
> list:
>  a) Yes - always
>  b) No - never
>  c) Configurable
>  d) Convert it to a CC:

Configurable.  Because one size does not fit everyone.  But sometimes
there is only one size available.

I would always say never.  Because what is a recipient going to do?

1) What is this message?  Why am I getting it?  I don't recognize the
author of this message.  Is it spam?  It must be spam!  Report as
spam.  Get the mailing list host on a DNSBL.

2) Most MUAs will look at the To and Cc headers when generating a
direct reply or a group follow-up.  Not having the mailing list in the
visible recipient means that most MUAs will follow-up only to the
visible addresses and no response will ever make it back to the
mailing list.

3) No mention was made of any List-Post header but that is critical to
this discussion.  With a List-Post header an MUA _might_ do the right
thing with a group follow-up response.  Regardless too few MUAs
understand List-Post and too few will do the Right Thing generating a
reply back to the mailing list.

> Thanks - I'm trying to improve my simple mailing list system
> (www.listdist.com)

It's disheartening to me to see a developer of mailing list software
not realize that they are thread-jacking (aka thread stealing) a
previous discussion. :-(

Bob
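
Added example (not part of the thread and not Mailman's code): a sketch of the two decisions debated in this thread, i.e. what a list does when its address is not in To:/Cc: (accept, reject, hold for moderation, or add itself to Cc:) and how a per-member "no duplicates" choice is applied. LIST_ADDR, MEMBERS, handle_post and the policy names are hypothetical, and both sample messages are constructed.

```python
from collections import namedtuple
from email import message_from_string
from email.utils import getaddresses

LIST_ADDR = "list@lists.example"          # hypothetical posting address

# Hypothetical subscriber table; "nodupes" is each member's own choice.
MEMBERS = {
    "alice@example.org": {"nodupes": True},
    "bob@example.net": {"nodupes": False},
    "carol@example.com": {"nodupes": True},
}

Decision = namedtuple("Decision", "action recipients cc")

# Constructed sample 1: sent to alice directly and to the list via Cc:.
DIRECT_AND_LIST = """\
From: dave@example.org
To: alice@example.org
Cc: list@lists.example
Subject: constructed sample 1

hello
"""

# Constructed sample 2: reached the list, but the list is not in To:/Cc:.
NOT_IN_TO_CC = """\
From: erin@example.net
To: bob@example.net
Subject: constructed sample 2

hello
"""


def visible_recipients(msg):
    """Addresses a reader can see: everything in To: and Cc:."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}


def handle_post(raw, bcc_policy="hold"):
    """Decide what the list does with a message received for LIST_ADDR.

    The list only sees its own address in the SMTP envelope, so the To:/Cc:
    headers are its only evidence of who else was sent a direct copy.
    bcc_policy is one of "accept", "reject", "hold" or "add-cc".
    """
    msg = message_from_string(raw)
    visible = visible_recipients(msg)

    if LIST_ADDR not in visible:          # Bcc'd, or simply not in To:/Cc:
        if bcc_policy in ("reject", "hold"):
            return Decision(bcc_policy, [], msg.get("Cc"))
        if bcc_policy == "add-cc":
            existing = msg.get("Cc")
            del msg["Cc"]                 # no error if there was no Cc:
            msg["Cc"] = f"{existing}, {LIST_ADDR}" if existing else LIST_ADDR

    # Skip only members who asked for no duplicates AND are visibly addressed.
    recipients = sorted(
        addr for addr, opts in MEMBERS.items()
        if not (opts["nodupes"] and addr in visible)
    )
    return Decision("distribute", recipients, msg.get("Cc"))


if __name__ == "__main__":
    print(handle_post(DIRECT_AND_LIST))
    for policy in ("hold", "reject", "accept", "add-cc"):
        print(policy, handle_post(NOT_IN_TO_CC, policy))
```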


Re: [mailop] Anyone from Zoho on list?

2022-01-31 Thread Udeme Ukutt via mailop
I replied off list directly to you, Omid.

Udeme - LinkedIn

On Mon, Jan 31, 2022 at 4:41 PM Omid Majdi via mailop wrote:

> Apologies for the additional noise, but also looking for anyone on list
> (or a contact) for Zoho. We're experiencing some deliverability issues,
> potentially related to a block list that we believe we are now removed from.
>
> Thanks!
>
> Omid Majdi
> Product Lead
> DuckDuckGo


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread Dave Crocker via mailop


On 1/31/2022 7:43 AM, Al Iverson via mailop wrote:
> In this scenario, my mailing list manager strips the original DKIM
> signature and applies its own, as I am now the party responsible for the
> message. (I also rewrite the from address.) This has worked fine for me,
> but not everyone is a fan of this methodology.

You're dealing with two different issues.

One is a broken DKIM signature, because mailing list processing almost
always messes with the content.  (And that's always been ok, as I think
it should be.)  Adding a new signature citing the list's domain makes
complete sense, for exactly the reason you state.

The modified From: is because of a problem created by extended use of
DMARC.  What is not generally noted is that, in effect, this is a means
of defeating DMARC.

However, the From: modification also messes with the recipient's MUA
handling of mail from the same person, where the mail that goes through
a list with the From: modified isn't recognized as from the same author
as sends mail directly to the recipient.

An attempt to work around the downside of the list's workaround is the
Author: field that was recently specified:


 Email Author Header Field
 https://www.rfc-editor.org/rfc/rfc9057

d/


[mailop] Could a RoadRunner rep contact off list?

2022-01-31 Thread Michael Peddemors via mailop
There is an interesting botnet generating a very specific threat 
traffic, but 99% of it appears to be from compromised servers.


Just got a strange case leaking from RoadRunner MTAs that I would like
to discuss; it might help them find some compromised accounts.


--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



[mailop] Anyone here with an optimum.net contact?

2022-01-31 Thread Douglas Vought via mailop
I was trying to send an email to one of their subscribers, but we're 
blocked (funnily enough, their page about mail blocking links to 
Spamhaus which shows we have no issues). They don't have a postmaster@. 
Any help would be greatly appreciated.


Best,

Douglas



Re: [mailop] [EXTERNAL] Anyone from Comcast on list?

2022-01-31 Thread Brotman, Alex via mailop
Omid,

Feel free to contact me off list, we'll see what's going on.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: mailop  On Behalf Of Omid Majdi via mailop
Sent: Monday, January 31, 2022 2:17 PM
To: mailop_at_mailop.org_o...@duck.com 
Subject: [EXTERNAL] [mailop] Anyone from Comcast on list?

Looking for anyone on list (or a contact) for Comcast. We're experiencing some 
deliverability issues, potentially related to a block list that we believe we 
are now removed from.

Thanks!

Omid Majdi
Product Lead
DuckDuckGo


[mailop] Anyone from Zoho on list?

2022-01-31 Thread Omid Majdi via mailop
Apologies for the additional noise, but also looking for anyone on list (or a 
contact) for Zoho. We're experiencing some deliverability issues, potentially 
related to a block list that we believe we are now removed from.

Thanks!

Omid Majdi
Product Lead
DuckDuckGo



Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Mark Fletcher via mailop
On Mon, Jan 31, 2022 at 10:04 AM Geoff Mulligan via mailop <mailop@mailop.org> wrote:

> 1. If a recipient on an email message is both in the To: or Cc: and on
> the mailing list, should the listserver send the message to the recipient:
>   a) By default
>   b) Not by default (but configurable)
>   c) Never
>

We always send the message back to the sender (assuming they're set to
receive every message). We have an option, checked by default, where we
munge the Message-ID of the email that we send back to the original sender
(and only them). This is to force Gmail and others to display the message
sent from us (otherwise they consider it a duplicate and don't show it).
Our users really like to see their message returned from the list, as a way
to know that it was actually sent successfully.



> 2. If a mailing list is in the BCC: should a message be delivered to the
> list:
>   a) Yes - always
>   b) No - never
>   c) Configurable
>   d) Convert it to a CC:
>

We do A.

Cheers,
Mark


Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Jaroslaw Rafa via mailop
On 31.01.2022 at 20:16:11, Sebastian Nielsen via mailop wrote:
> >>I would say a).
>
> Why? Then you end up with 3 copies of the email.
>
> Remember this:
> You have sender's server, which we can call ServerA.
>
> If recipient is yourn...@example.org and list is mailingl...@examplelist.org
>
> ServerA (sender's server) will now send the email to yourn...@example.org AND
> mailingl...@examplelist.org
> List server, should now ONLY send to list members of
> mailingl...@examplelist.org
>
> If List server now sends to the To: recipient as well, you will end up with 3
> copies:

Ah, I did not assume that the mailing list server is different from the
originating server. For me, the question *only* makes sense when it is the
same server. If they are different servers, then there is no problem at all.
The *only* job of mailing list software is to resend the mail it receives
to list members. It should completely ignore recipients in "To:" or "Cc:"
headers, they are of no interest for a mailing list and they have already
been taken care of by the originating server, as you indicated. In case of
two different servers, you are right of course.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Dave Crocker via mailop



On 1/31/2022 9:43 AM, Geoff Mulligan via mailop wrote:
> 1. If a recipient on an email message is both in the To: or Cc: and on
> the mailing list, should the listserver send the message to the recipient:
>
>   a) By default
>   b) Not by default (but configurable)
>   c) Never

by default.  redundancy is safer than failed delivery and the mailing
list cannot know enough to know what other components are doing or what
the users actually want.

The only time pruning is reasonable is when the entity doing the pruning
has complete knowledge.  Typically, that is only at the time of
submission, so that multiple occurrences of the /same/ recipient address
get turned into a single SMTP RCPT-To.

Pruning at receive time might make sense, but it carries some dangers.
Pruning anywhere along the path strikes me as gross dereliction of duty.

> 2. If a mailing list is in the BCC: should a message be delivered to the
> list:
>
>   a) Yes - always
>   b) No - never
>   c) Configurable
>   d) Convert it to a CC:

The question presumes that the handling system can know it is a mailing
list.  It can't.

And by the way, if an author puts a mailing list into a BCC, of course
they want the message delivered to the list.  What is the basis for
pretending to know better and override that decision?


d/


[mailop] Anyone from Comcast on list?

2022-01-31 Thread Omid Majdi via mailop
Looking for anyone on list (or a contact) for Comcast. We're experiencing some 
deliverability issues, potentially related to a block list that we believe we 
are now removed from.

Thanks!

Omid Majdi
Product Lead
DuckDuckGo



Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Sebastian Nielsen via mailop
>>I would say a).

Why? Then you end up with 3 copies of the email.

Remember this:
You have sender's server, which we can call ServerA.

If recipient is yourn...@example.org and list is mailingl...@examplelist.org

ServerA (sender's server) will now send the email to yourn...@example.org AND
mailingl...@examplelist.org
List server, should now ONLY send to list members of mailingl...@examplelist.org

If List server now sends to the To: recipient as well, you will end up with 3
copies:
1: The email that ServerA sent to you personally
2: The email that List server sent to you personally
3: The email that List server sent to you by the mailing list

Thus list server should never send to any specified To: recipients, only to
list recipients.

*UNLESS*
The list server has received the mail directly from a MUA via an authenticated
session (either a session which is authenticated via an IP ACL, or
username/password auth)
In this case, the list server is the initial server, or ServerA in this case.
OR
The list server has received the mail via external means (for example, from a
webscript via a pipe)
Same here, then the list server is the initial server, or ServerA in this case.
OR
The list server is responsible (configured to receive mail for) for the To:
recipient domain (in this case, example.org).
In this case, the list server will only receive 1 copy of the email from
ServerA as ServerA will find out it’s the same server responsible for both
recipients, and it will deliver the whole email once for both recipients. List
server should now deliver 2 emails to recipient, both To: recipient and mailing
list recipient.



Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Jaroslaw Rafa via mailop
On 31.01.2022 at 10:43:52, Geoff Mulligan via mailop wrote:
> 1. If a recipient on an email message is both in the To: or Cc: and
> on the mailing list, should the listserver send the message to the
> recipient:
>  a) By default
>  b) Not by default (but configurable)
>  c) Never

I would say a). Personally if a message is sent twice (ie. directly to me
and to mailing list) I want to receive both copies, so it is clear that the
mail is sent and received correctly. I hate mail being mysteriously lost in
transit. If it has been sent twice, it should arrive twice. I can for
example then put the copy that came from the mailing list into the folder
for that mailing list, and leave the copy that came directly to me in the
inbox.

> 2. If a mailing list is in the BCC: should a message be delivered to
> the list:
>  a) Yes - always
>  b) No - never
>  c) Configurable
>  d) Convert it to a CC:

I think the best option is d). The message should be delivered to the list,
because everything that comes to the mailing list address should be
delivered to the list and it doesn't matter IMHO that the list address isn't
mentioned in To: or Cc: field (that is, if the list allows posting from this
particular sender, of course). But to avoid list members being confused about
why they received the message, Bcc: should be converted to Cc:.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread Alessandro Vesely via mailop

On Mon 31/Jan/2022 16:43:05 +0100 Al Iverson wrote:
>> What will that do to legitimate messages that pass through
>> a mailing list that changes the subject line but does not
>> use DKIM ?
>
> In this scenario, my mailing list manager strips the original DKIM
> signature and applies its own, as I am now the party responsible for the
> message. (I also rewrite the from address.) This has worked fine for me,
> but not everyone is a fan of this methodology.



There is no reason to strip the original DKIM signature.  There are DKIM 
filters which can remove such simple changes as the subject line, and verify 
the original signature.  For example, for the message I'm replying to, the top 
of the header in my INBOX includes the following:


Return-Path: 
Authentication-Results: wmail.tana.it;
  spf=pass smtp.mailfrom=mailop.org;
  dkim=pass reason="Original-From: transformed" header.d=wombatmail.com
From: Al Iverson 

Note that the From: line is at the top.  Near the bottom I have the following:

List-Subscribe: ,
 
Munged-From: Al Iverson via mailop 
Reply-To: Al Iverson 

The instruction which fixes MLM munging is illustrated here:
https://www.tana.it/sw/zdkimfilter/zdkimfilter.html#mlmtrans


Best
Ale


Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Alessandro Vesely via mailop

On Mon 31/Jan/2022 18:43:52 +0100 Geoff Mulligan via mailop wrote:
> 1. If a recipient on an email message is both in the To: or Cc: and on the
> mailing list, should the listserver send the message to the recipient:
>
>   a) By default

Send it by default, but let it be configurable.  The standard wording is:

   Servers SHOULD
   simply utilize the addresses on the list; application of heuristics
   or other matching rules to eliminate some addresses, such as that of
   the originator, is strongly discouraged.
   https://datatracker.ietf.org/doc/html/rfc5321#section-3.9

>   b) Not by default (but configurable)
>   c) Never
>
> 2. If a mailing list is in the BCC: should a message be delivered to the list:
>   a) Yes - always

All BCCs are delivered.  Your MSA cannot know if it is a mailing list.

>   b) No - never
>   c) Configurable
>   d) Convert it to a CC:



Best
Ale


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread Sebastian Nielsen via mailop
I feel this is the best option. Rewrite both MAIL FROM and MIME From:, and 
resign the message.

This avoids any authentication errors, including SPF.

 

Another method is to take the whole message (including its headers, which is a 
message/rfc822 object), and encapsulate it in a new message/rfc822 container, 
where the outer sender is the list, outer recipient is the list, and subject is 
“FW: ”.

 

The inner message/rfc822 container is kept as-is with all signatures and 
content intact.

In some MUAs this appears as a attached message, in other MUAs the message will 
be seen verbatim inside a frame or similar.

 

I think that this list are doing it pretty great, as I have noticed some other 
mailing lists then my own messages bounce from my server as the mailing list is 
trying to submit a message with MY address to MY server (effectively spoofing 
my email address) and my anti-spoofing configuration reacts and reject the 
message.

 

Från: Al Iverson via mailop  
Skickat: den 31 januari 2022 17:12
Till: mailop 
Ämne: Re: [mailop] Gmail does not validate DKIM for forwarded messages?

 

 

What will that do to legitimate messages that pass through
a mailing list that changes the subject line but does not
use DKIM ?

 

In this scenario, my mailing list manager strips the original DKIM signature 
and applies its own, as I am now the party responsible for the message. (I also 
rewrite the from address.) This has worked fine for me, but not everyone is a 
fan of this methodology.

 

Regards,

Al Iverson 




 

-- 

Al Iverson / Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Sebastian Nielsen via mailop
1: never, as the original email has already been sent to the recipient by the 
original server.
EXCEPTION: If the message was submitted to the listserver by another means - 
for example webform/unix call, or via an authenticated session (where the sender 
is either authenticated by username/password or by an IP ACL) and the email 
message comes directly from a MUA (like Thunderbird or Microsoft Outlook), 
then send it to the extra recipient, as you are in this case the first server 
in the chain and have responsibility to deliver it to the extra recipient.

EXCEPTION2: If the recipient and the mailing list are in the same domain (for 
example firstname.lastn...@company.org and mailingl...@company.org ) or in 2 
domains that the list server is responsible for, then you also by default take 
responsibility for delivering the email to the second recipient.

2: I would say, convert it to a CC. Then you avoid being classified as spam 
because neither the list address nor the recipient of the email comes up as one 
of the mail's recipients, which usually is a sign of spam.

-Original message-
From: Geoff Mulligan via mailop
Sent: 31 January 2022 18:53
To: mailop@mailop.org
Subject: [mailop] 2 questions about BCC and mailing lists

1. If a recipient on an email message is both in the To: or Cc: and on the 
mailing list, should the listserver send the message to the recipient:
  a) By default
  b) Not by default (but configurable)
  c) Never

2. If a mailing list is in the BCC: should a message be delivered to the
list:
  a) Yes - always
  b) No - never
  c) Configurable
  d) Convert it to a CC:


Thanks - I'm trying to improve my simple mailing list system 
(www.listdist.com)

Geoff

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop



[mailop] 2 questions about BCC and mailing lists

2022-01-31 Thread Geoff Mulligan via mailop
1. If a recipient on an email message is both in the To: or Cc: and on 
the mailing list, should the listserver send the message to the recipient:

 a) By default
 b) Not by default (but configurable)
 c) Never

2. If a mailing list is in the BCC: should a message be delivered to the 
list:

 a) Yes - always
 b) No - never
 c) Configurable
 d) Convert it to a CC:


Thanks - I'm trying to improve my simple mailing list system 
(www.listdist.com)


Geoff

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread John Levine via mailop
It appears that Andrew C Aitchison via mailop  said:
>Yes, but I cannot control what lists do with mails I send to them,
>so it would be useful to know what happens to messages that use
>Evan's recommendation then go through a list that doesn't follow 
>your suggestion, but alters the Subject: line.
>Would it create a situation where gmail rejects legitimate list messages
>from me as well as the fakes ?

Yes, this is the well known way that DMARC screws up mailing lists which
are doing exactly what they've been doing for the past three decades.

ARC is supposed to help recipients recognize this case and deal with
it reasonably, but don't hold your breath.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread Andrew C Aitchison via mailop


Evan Burke:

I recommend including the Date and Subject fields twice in your DKIM
signature h= string, and possibly other key fields; that will break
the original signature if a second such header is later added.


Andrew C Aitchison:

What will that do to legitimate messages that pass through
a mailing list that changes the subject line but does not
use DKIM ?


On Mon, 31 Jan 2022, Al Iverson via mailop replied:

In this scenario, my mailing list manager strips the original DKIM
signature and applies its own, as I am now the party responsible for the
message. (I also rewrite the from address.) This has worked fine for me,
but not everyone is a fan of this methodology.


Yes, but I cannot control what lists do with mails I send to them,
so it would be useful to know what happens to messages that use
Evan's recommendation then go through a list that doesn't follow 
your suggestion, but alters the Subject: line.

Would it create a situation where gmail rejects legitimate list messages
from me as well as the fakes ?
As a list user I don't want to throw the baby out with the bath-water.


--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread Al Iverson via mailop
> What will that do to legitimate messages that pass through
> a mailing list that changes the subject line but does not
> use DKIM ?
>

In this scenario, my mailing list manager strips the original DKIM
signature and applies its own, as I am now the party responsible for the
message. (I also rewrite the from address.) This has worked fine for me,
but not everyone is a fan of this methodology.

Regards,
Al Iverson


-- 
*Al Iverson /* Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Anyone from Vade

2022-01-31 Thread Ken Robinson via mailop
Yes, I used that tool and they said they fixed the problem this morning. I
have to test it to make sure it got fixed. They said to wait a few hours.

Ken

On Mon, Jan 31, 2022 at 8:16 AM Mathieu Bourdin 
wrote:

> Hi,
>
>
>
> Have you tried using their new sender tool ?
>
> https://sendertool.vadesecure.com/en/
>
>
>
>
>
> Mathieu Bourdin.
>
> Dolist.
>
>
> *From:* mailop [mailto:mailop-boun...@mailop.org] *On behalf of* Al
> Iverson via mailop
> *Sent:* Sunday, 30 January 2022 18:40
> *To:* Ken Robinson
> *Cc:* mailop
> *Subject:* Re: [mailop] Anyone from Vade
>
>
>
> The person I knew at Vade seems to have left, but the process described
> here should still work:
>
> https://www.spamresource.com/2020/06/what-is-vade-threat-list-how-do-i.html
>
>
>
> Cheers,
>
> Al Iverson
>
>
>
> On Sun, Jan 30, 2022 at 9:23 AM Ken Robinson via mailop 
> wrote:
>
> My IP address has somehow gotten on the Vade Blocklist. It is not on any
> other blocklist as far as I can tell.
>
>
>
> How do I get it off the Vade list?
>
>
>
> My IP address is 172.110.191.18
>
>
>
> Thanks,
>
> Ken Robinson
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
>
>
>
> --
>
> *Al Iverson /* Deliverability blogging at www.spamresource.com
>
> Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
>
> DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread Edgaras | SENDER via mailop
Hi Ángel,

it's Edgar, -as is a suffix in Lithuanian language :)

> I have been looking at your email, but I am confused at how it
> was produced, and so which are the weird bits.

You are right, it was produced like this:
- First an attacker sent a test email from our platform
  (bounces-test770...@sendersrv.com to ysoul8...@gmail.com)
- Then they "forwarded" it to incident-repor...@gmail.com (we removed the
  actual reporter's address for privacy) from 212.83.129.110

> Some interesting bits:
> - Two Date: headers
> - Two different Subject: headers
> - Original Return-Path:  appears twice

It also has 2 ARC-* header sets. I think it may have been forwarded "twice"
to exploit some kind of bug in Gmail's ARC validation mechanism.

> PS: yes universidadebrasil.edu.br has a bad SPF record:

It's even worse than that, in this case Gmail does not check that the rDNS
for IP 212.83.129.110 does not match! rDNS for this IP is
nelson-montoya.painmitigate.com, which does not have an A record.

So in a nutshell, someone exploiting this vulnerability can hijack anyone's
email reputation and send emails without regard for SPF, DKIM or rDNS
mismatch.

Is there someone from Google on this list, who can help? We rotated our
DKIM keys, but have already taken a big hit in domain reputation. The issue
was reported to Google via their Postmaster support form, but I'm not sure
if they have taken or will take any action.



-- Forwarded message --
From: "Ángel" 
To: mailop@mailop.org
Cc:
Bcc:
Date: Mon, 31 Jan 2022 01:43:15 +0100
Subject: Re: [mailop] Gmail does not validate DKIM for forwarded messages?
On 2022-01-30 at 14:09 +0200, Edgaras | SENDER wrote:
> Hello,
>
> We noticed in Google Postmaster Tools a lot of bad reputation IPs
> which do not belong to us, and are actually forbidden from sending
> emails on our  behalf via SPF -all, yet Gmail thinks the messages
> from these IPs were fully authenticated.
>
> After investigating some reports, it looks like a DKIM replay attack,
> where Gmail does not validate the original DKIM signature (which
> includes Message-ID:Reply-To:To: fields), and even ignores SPF
> permerror, if the message contains ARC headers.
>
> Full headers below, any insights or suggestions would be appreciated:


Hello Edgar(as)?

I have been looking at your email, but I am confused at how it was
produced, and so which are the weird bits.

It purports to be a mail from bounces-test770...@sendersrv.com to
ysoul8...@gmail.com, which then was "forwarded" (!) by 212.83.129.110
to incident-repor...@gmail.com with a
MAIL FROM:<921108683ccq405...@universidadebrasil.edu.br> and an EHLO of
lingojam.com


It makes sense that DKIM could be skipped if there is ARC, but then ARC
should be checked!

Some interesting bits:
- Two Date: headers
- Two different Subject: headers
- Original Return-Path:  appears twice

- A couple of headers have two consecutive dots where there should be
one: "212.83.129..110", "mx.google..com",

> Received-SPF: permerror (google.com: permanent error in processing
> during lookup of 921108683ccq405...@universidadebrasil.edu.br:
> host.universidadebrasil.email not found) client-ip=212.83.129..110;
> Authentication-Results: mx.google..com;

Note: the first Subject header wasn't encoding those utf-8 characters?



Best regards


PS: yes universidadebrasil.edu.br has a bad SPF record:
"v=spf1 include:spf.protection.outlook.com
include:universidadebrasil.edu.br ip4:192.99.207.72
include:host.universidadebrasil.email ip4:45.33.9.144
include:mailgrid.com.br -all" but no txt on
host.universidadebrasil.email

Edgar Vaitkevičius, founder / CEO
ed...@sender.net
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Anyone from Vade

2022-01-31 Thread Mathieu Bourdin via mailop
Hi,

Have you tried using their new sender tool ?
https://sendertool.vadesecure.com/en/


Mathieu Bourdin.
Dolist.








From: mailop [mailto:mailop-boun...@mailop.org] On behalf of Al Iverson via 
mailop
Sent: Sunday, 30 January 2022 18:40
To: Ken Robinson
Cc: mailop
Subject: Re: [mailop] Anyone from Vade

The person I knew at Vade seems to have left, but the process described here 
should still work:
https://www.spamresource.com/2020/06/what-is-vade-threat-list-how-do-i.html

Cheers,
Al Iverson

On Sun, Jan 30, 2022 at 9:23 AM Ken Robinson via mailop <mailop@mailop.org> wrote:
My IP address has somehow gotten on the Vade Blocklist. It is not on any other 
blocklist as far as I can tell.

How do I get it off the Vade list?

My IP address is 172.110.191.18

Thanks,
Ken Robinson
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


--
Al Iverson / Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Gmail does not validate DKIM for forwarded messages?

2022-01-31 Thread Andrew C Aitchison via mailop

On Sun, 30 Jan 2022, Evan Burke via mailop wrote:


This is indeed a replay attack. It's quite widespread and appears to be
focused on taking advantage of domain reputation on the DKIM d= domain for
various email platforms. The end recipients appear to be exclusively Gmail,
as far as I've seen, and are delivered using BCC, leaving the To header
intact.

I recommend including the Date and Subject fields twice in your DKIM
signature h= string, and possibly other key fields; that will break the
original signature if a second such header is later added.
https://tools.wordtothewise.com/rfc/6376#section-8.15

e.g., instead of
h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:
Content-Transfer-Encoding:Date;
use
h=Message-ID:Subject:Subject:From:Reply-To:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Date;


What will that do to legitimate messages that pass through
a mailing list that changes the subject line but does not
use DKIM ?

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
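
[Added example, not part of any message in this thread.] The sketch below shows how a verifier selects the header fields named in h= (RFC 6376 section 5.4.2) and why listing Subject and Date twice makes an added header detectable, using the two h= strings quoted above. It only compares the header data covered by h=; the body hash, the DKIM-Signature field itself and the actual signing step are left out, and the sample messages and addresses are constructed.

```python
import hashlib

def relaxed(name, value):
    # Simplified "relaxed" header canonicalization (RFC 6376 section 3.4.2);
    # the constructed sample headers below are not folded.
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def signed_header_data(headers, h_tag):
    """Pick header fields the way a DKIM verifier does (RFC 6376 section 5.4.2).

    headers: (name, value) pairs, top of the message first.
    Each name in h= consumes the lowest unused instance of that field; a name
    with no instance left contributes nothing (the "null string").
    """
    remaining = list(headers)
    picked = []
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                picked.append(relaxed(*remaining.pop(i)))
                break
    return "".join(picked)

def survives(signed_msg, received_msg, h_tag):
    """True if the header data covered by h= is identical in both messages."""
    digest = lambda m: hashlib.sha256(signed_header_data(m, h_tag).encode()).digest()
    return digest(signed_msg) == digest(received_msg)

# The two h= lists quoted in the thread.
H_SINGLE = ("Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:"
            "Content-Transfer-Encoding:Date")
H_OVER = ("Message-ID:Subject:Subject:From:Reply-To:To:MIME-Version:"
          "Content-Type:Content-Transfer-Encoding:Date:Date")

# Constructed sample messages (hypothetical addresses and values).
ORIGINAL = [
    ("Message-ID", "<1@sender.example>"),
    ("Date", "Sun, 30 Jan 2022 10:00:00 +0000"),
    ("Subject", "Test message"),
    ("From", "news@sender.example"),
    ("To", "reader@example.net"),
]
# Constructed case: a second Subject and Date placed above the signed ones.
EXTRA_HEADERS = [("Subject", "Another subject"),
                 ("Date", "Mon, 31 Jan 2022 09:00:00 +0000")] + ORIGINAL
# Constructed case: a list that rewrites the existing Subject in place.
LIST_EDITED = [(n, "[list] " + v if n == "Subject" else v) for n, v in ORIGINAL]

if __name__ == "__main__":
    for label, msg in (("extra headers", EXTRA_HEADERS), ("list edit", LIST_EDITED)):
        print(label, survives(ORIGINAL, msg, H_SINGLE), survives(ORIGINAL, msg, H_OVER))
```

With the single-entry h= the added headers leave the covered data unchanged, while the doubled h= sees them. A Subject rewritten in place changes the covered data under either h= list.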