Re: [mailop] Question for Google -- how am I able to be added to google groups without opting in?

[Brandon Long via mailop]

Yeah, double dashes is not allowed in rfc821 mailboxes unless quoted, I
wondered about that myself.  I guess the current groups impl isn't
enforcing those rules correctly, or maybe expects the mail server to quote
them.

In reality, most mail servers don't interpret addresses that strictly, and
I know we made that mistake early on for gmail too.

I have no idea what the current bounce handling looks like, but at least in
the past I think it would mark a user as potentially bouncing, and then any
message that made it through would unset that potentially bouncing state, so
it could differentiate between "blocking one message", "blocking all
messages" and "user doesn't exist".  So, if you're on another mailing list
that the mail does get through on, your bouncing state doesn't last.

Brandon

On Fri, Jun 17, 2022 at 9:50 AM Shaun via mailop  wrote:

> On Thu, 16 Jun 2022 11:38:00 -0400
> Dan Mahoney via mailop  wrote:
>
> > I'm getting regular spam from google groups.  (This week, it's in
> Arabic).  Since it's google groups, any abuse reports would just be
> devnulled.
> >
> > Sender: -2040---_...@googlegroups.com
> > List-Archive: 
> I've also been subscribed to some of these, e.g.
>
> --_-2030...@googlegroups.com
> --2050-_-org_-...@googlegroups.com
>
> Since Google Groups Return-Path and Sender headers are fashioned after
> the group's name, the envelope sender for messages from these groups
> begins with a hyphen. But the default Postfix configuration doesn't
> permit such a thing, so these have been getting rejected for many
> months:
>
>  In:  EHLO mail-ej1-f63.google.com
>  [...]
>  In:  MAIL
>  FROM:<--
> 2050-_-org_+bncbd6lzjuoxierbkv4rokqmgqer6om...@googlegroups.com>
>  SIZE=68726
>  Out: 501 5.1.7 Bad sender address syntax
>  In:  RCPT TO:
>  Out: 503 5.5.1 Error: need MAIL command
>  In:  DATA
>  Out: 503 5.5.1 Error: need RCPT command
>  In:  QUIT
>  Out: 221 2.0.0 Bye
>
> I think most list managers would have automatically unsubscribed a
> recipient after 50+ consecutive failures, but the Google Groups platform
> is undeterred; it must not recognize this particular pattern as a
> problem.
>
> Shaun
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Question for Google -- how am I able to be added to google groups without opting in?

[Brandon Long via mailop]

On Thu, Jun 16, 2022 at 7:26 PM Dan Mahoney  wrote:

> On Jun 16, 2022, at 3:55 PM, Brandon Long via mailop 
> wrote:
>
> You should get a welcome message when a user direct subscribes you to a
> group that should have an unsubscribe link in it.  The welcome message part
> of the flow that the group manager can set should be added to that message.
>
>
> I have not gotten any welcome messages.  But from what you say, there's no
> opt-in required?  No confirmation link?
>

I just created a new test group and added another of my email addresses to
it during the creation flow via direct add.  There was a captcha during the
flow, and my second address received a welcome message.

The welcome message contains the following:

If you do not wish to be a member of this group you can send an email to
listname+unsubscr...@googlegroups.com or follow this unsubscribe

link.
If you believe this group may contain spam, you can also report the group
for abuse.  For
additional information see our help center
.

If you do not wish to be added to Google Groups in the future you can opt
out here .
The opt-out link is https://groups.google.com/d/optout


>
> There are limits on how many people a group manager can add in this way,
> it's really not an efficient way to spam a lot of people, but there do seem
> to be some low level spammers who spend a lot of resources to spam very few
> people, and our abuse systems play a lot of wack-a-mole with them.
>
>
> There's a limit per-list perhaps, but they create multiple lists, and
> they're not paying people US wages to do this nonsense.
>

Like everything else, there are limits and limits.  There are limits on the
number of groups a gmail user can create, and limits on creating gmail
users, and it's turtles all the way down.  The end result is not zero,
though.


>   I no longer have any access to look at the abuse results for this group
> or owner.   And you can definitely report abuse on particular groups from
> the web ui, and that is useful to us to learn and improve.
>
>
> So any reports must be manual, and distinct from any other reporting
> method I may have.  You can do better.
>

Does any other reporting method you have involve authentication of the
reporter?


> I think that welcome message also has a link to the global settings, but
> it has been years since I've worked on this.  You can set the global
> settings from the web ui:
> https://support.google.com/groups/answer/9792489?hl=en&ref_topic=2458613
> That allows you to prevent group managers from inviting or directly adding
> your email address to groups.
>
>
> You're telling me I have to go create a google account for
> free...@gushi.org (again, only for my work with that project), just to
> stop it from being added to groups?
>

Or blackhole all mail from googlegroups to that account?  What's the point
of using these types of usage specific email accounts if not to be able to
do that?

Brandon
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

[mailop] digilabsvc.com?

[Daniele Nicolodi via mailop]

Hello,

I am getting quite a few spam messages from the domain in the subject, 
all in Italian and all with the same content structure. Does this sender 
have some legit busyness or can I send the bytes coming from them 
directly to the recycle bin?


Thank you.

Cheers,
Dan
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Question for Google -- how am I able to be added to google groups without opting in?

[Dan Mahoney via mailop]

> On Jun 18, 2022, at 12:59 AM, Brandon Long via mailop  
> wrote:
> The opt-out link is https://groups.google.com/d/optout 
> 
This required adding freebsd@ as an alternate address to my profile.  I *hope* 
that does it.

> Does any other reporting method you have involve authentication of the 
> reporter?

Spamcop does, which is part of my normal workflow.  It's not perfect but it's 
the best thing we've got right now.  If you have the power to reach out to 
deputies@ and figure out how you can accept reports from them (since they are 
in standardized formats, easy for you to digest) it would be a huge leap 
forward, even if everything *else* you send to ab...@google.com gets the 
classic autoresponder that currently goes out.

>> I think that welcome message also has a link to the global settings, but it 
>> has been years since I've worked on this.  You can set the global settings 
>> from the web ui: 
>> https://support.google.com/groups/answer/9792489?hl=en&ref_topic=2458613 
>> 
>> That allows you to prevent group managers from inviting or directly adding 
>> your email address to groups.
> 
> You're telling me I have to go create a google account for free...@gushi.org 
>  (again, only for my work with that project), just 
> to stop it from being added to groups?  
> 
> Or blackhole all mail from googlegroups to that account?  What's the point of 
> using these types of usage specific email accounts if not to be able to do 
> that?

Ultimately, the result does tend to look like that, or adding it to a procmail 
rule that causes other bayesian learning to happen, or feeding it to other 
datapoints.  I just wish the possible behavior was something that made the 
originator stop thinking they've found a way to game your system.

I run some fairly popular lists relating to an open source dns server.  I have 
headaches galore every time I can't deliver to you because "someone changed 
something".  There's irony in having my users complain about that at the same 
time as I'm receiving spam from these groups.

-Dan___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Question for Google -- how am I able to be added to google groups without opting in?

[Jaroslaw Rafa via mailop]

People, please stop CC'ing me when you reply to this thread. Reply to list
only, I don't need a second copy of your messages.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft Announces Tenant Trusted ARC Seal

[Jaroslaw Rafa via mailop]

Dnia 17.06.2022 o godz. 21:35:08 Brandon Long via mailop pisze:
> There is a limit to the utility of that thing, however, ie SPF passing doesn't
> mean a message isn't spam,

And the reverse is true as well - SPF failing doesn't mean the message is
spam. Neither does it mean it is fake - just because of aspects discussed in
this thread (forwarding or mailing lists). That was the main goal of SPF -
ensuring that the message isn't fake - and it cannot even fulfill that one
goal properly. Why even use it at all?

Therefore, myself personally don't consider SPF nor DKIM being of any value
*at all* with regard to spam protection. I use them outbound, solely because
Google requires them; otherwise I wouldn't bother to implement them as I
never had any problems with any recipient besides Google due to lack of SPF
or DKIM. I completely ignore them on inbound mail. After passing RBLs and
some manual allow/deny lists, content analysis is *everything* that matters.

Yes, I know content analysis doesn't scale well. And that is the exact
problem of Google - your mail system has become too big to be effectively
manageable. Everything else are just results of this one problem.

A million of small mail operators serving 1000 accounts each will always
perform better than one big operator serving one billion accounts.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft Announces Tenant Trusted ARC Seal

[Noel Butler via mailop]

On 19/06/2022 00:03, Jaroslaw Rafa via mailop wrote:

this thread (forwarding or mailing lists). That was the main goal of 
SPF -
ensuring that the message isn't fake - and it cannot even fulfill that 
one

goal properly. Why even use it at all?


I was a very early (even in testing) user of SPF,  It's rather commical 
reading these FUD sayers about SPF and mailing lists, it has never been 
a problem with mailing lists, not using mailman nor its more common 
predecessor majordomo, and I've never noticed anything wrong with qmail 
users ezmlm.


If you have used some half baked concoction that doesn't conform to 
standards that's not an SPF failure, it's yours. I've enforced and 
published SPF since get go, I did extensive testing and never found ONE 
instance of a list problem.


As for forwarding, SPF is only a problem if you dont follow standards 
and re-write. Nearing two decades of SPF use (forget exactly its been so 
long) never had a mailing problem sending or receiving with SPF and I've 
always published hard fail, rarely forward Email, and it seems our 
customers don't either.


If it was so dooming and earth ending do you really think I'd be using 
it privately, let alone commercially (a couple top 5 national "end user" 
ISPs & one with web hosting)  for all this time, no, I'm not a 
masochist.


--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged 
information, therefore at all times remains confidential and subject to 
copyright protected under international law. You may not disseminate 
this message without the authors express written authority to do so.   
If you are not the intended recipient, please notify the sender then 
delete all copies of this message including attachments immediately. 
Confidentiality, copyright, and legal privilege are not waived or lost 
by reason of the mistaken delivery of this message.___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] digilabsvc.com?

[Al Iverson via mailop]

Data points:
- Supposedly a digital marketing company based in India
- Their website has an SSL issue
- I see no other mentions of them in 20 years of email discussion history
talking about spam or email marketing. Which I guess means they're not
necessarily well known spammers in my universe, but also, they're not
coming up as a known "legitimate" business in any way that I can see.

Verdict? Recycle bin, IMHO.

Cheers,
Al

On Sat, Jun 18, 2022 at 5:23 AM Daniele Nicolodi via mailop <
mailop@mailop.org> wrote:

> Hello,
>
> I am getting quite a few spam messages from the domain in the subject,
> all in Italian and all with the same content structure. Does this sender
> have some legit busyness or can I send the bytes coming from them
> directly to the recycle bin?
>
> Thank you.
>
> Cheers,
> Dan
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>


-- 

Al Iverson / Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft Announces Tenant Trusted ARC Seal

[Dave Crocker via mailop]

On 6/18/2022 3:40 PM, Noel Butler via mailop wrote:
As for forwarding, SPF is only a problem if you dont follow standards 
and re-write



Hi.

You don't indicate what kind of rewriting you mean.  It probably doesn't 
matter, since you seem to feel that mailing lists have to follow some 
relevant standards. that would sustain SPF validation. However I don't 
have a guess at what standards you have in mind.


I also don't understand how SPF validates, when mail is simply relayed 
through an MTA that isn't pre-registered in the SPF DNS record. Are you 
thinking that it is natural and reasonable to pre-register all of the 
MTAs in a path, up to the receiving one that does SPF validation?


Please enlighten us.

d/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop