Re: [mailop] Mailserver software

2024-07-17 Thread John R Levine via mailop

On Wed, 17 Jul 2024, Eric Tykwinski wrote:

My guess would be iCloud Private Relay is turned on...
https://support.apple.com/guide/icloud/icloud-private-relay-mm8010d8daf3/icloud


Interesting thought but the docs appear to say it just does web traffic. 
I'm not inclined to set up an icloud+ account just to find out.


R's,
John


-Original Message-
From: mailop  On Behalf Of John Levine via mailop
Sent: Wednesday, July 17, 2024 12:47 PM
To: mailop@mailop.org
Cc: post...@sfina.com
Subject: Re: [mailop] Mailserver software

It appears that postfix--- via mailop  said:

On 2024-07-16 14:36, Bjoern Franke via mailop wrote:

Which iPhone / Android clients do you mean?


last time I tested Apple Mail, my IMAP server logged requests from
Apple's network.


I just tried Apple Mail on MacOS and an iPad and the IMAP server only saw 
requests from my home network's IP.  I have seen Outlook detour mail through 
headquarters but not Apple Mail.  In view of Apple's privacy claims, it'd be 
rather hard to justify sniffing all your mail.

R's,
John

PS: It is VERY VERY IMPORTANT when replying to this message, you *also* send a 
copy to me directly, because I handle the two copies differently. Everyone 
should, of course, be doing that anyway.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Domains discrimination

2024-07-10 Thread John R Levine via mailop

On Wed, 10 Jul 2024, Raymond Dijkxhoorn wrote:

There is a specific gang using these domains. Can give hundreds as an example 
over the last few months.
They should be super easy to terminate yet nothing is happening…


It's hard to believe there is enough legit use of sa.com to be worth the 
hassle.  It's CentralNIC, they have real domains to sell too.


R's,
John


On 10 Jul 2024, at 23:07, Faisal Misle via mailop wrote:

.sa.com is $200, but Sav is running a promo for $0.99 the first year and 
spammers are going to town!


On 7/10/24 10:51 PM, John Levine via mailop wrote:
It appears that Ralph Seichter via mailop  said:

If somebody tries to send mail from something.xxx or otherthing.auto, for
example, ...

Domains in .auto cost about $2500, and there's only 490 names, so I
would expect the trickle of mail to be quite clean. In .xxx they're
about $100, 7100 names, so that'd be pretty clean, too.
The problem is from the new TLDs that had low prices and absurd
expectations about registration numbers, then panicked and offered bulk
discounts which of course are only of interest to crooks.
I agree that overall, the new TLD program has been a failure and makes
a mockery of ICANN's claim to operate as a public charity in the
interests of the public.
R's,
John

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] drunks and lampposts, Contact Qualtrics

2024-07-05 Thread John R Levine via mailop

On Fri, 5 Jul 2024, Tobias Fiebig wrote:

I think we had that discussion as well today; Something about me
claiming that sending mails looking that much like phishing actually
trains people to not question all the other funny mails coming in; I
think that is why I said 'this is going to my "this is why phishing
works" folder' about the message you are referring to below.


I really think you should look at some of the human factors research 
rather than guessing.  The SOUPS conferences are a good place to start.



By the way, the message you got from Qualtrics that provoked this
issue had a web bug.


Which one do you mean? The likely personally parameterized URI for the
survey, or the likely not so GDPR compliant 1px image sharing the same
parameters going to some "Watermark.php" at the bottom of the mail?


Web bug is the usual name for the 1 pixel thing.

R's,
John


Re: [mailop] Debugging fwd issue meta.com to zoho.com (Help from user under meta.com needed)

2024-06-05 Thread John R Levine via mailop

On Wed, 5 Jun 2024, Tobias Fiebig wrote:

If you're not sending SMTPUTF8 mail, the DKIM signature headers
should be ASCII with no encoding needed. But if you are sending
SMTPUTF8 mail, you can put UTF-8 directly in the header and it
doesn't need any further encoding either.


Yeah, even more odd, the actual data did not contain any UTF-8 anyway.
Meta now also fixed this.


Can you give an example of the signature headers that caused a
problem? They just sound wrong.


See attached. dkimpy/dkimverify failed on the original mail with:


I wouldn't verify that either.  It's just wrong.  You're not allowed to 
MIME encode strings in a DKIM-Signature header.*


Unfortunately there is a lot of badly written mail processing code that 
tries to be helpful by MIME encoding headers without checking whether the 
headers allow it.



My understanding, though, is that encoding _should_ be permissible
here, as it would be needed, e.g., when receiving a message from a
server with SMTPUTF8 which then must be forwarded via a server that
does not support it.


Nope.  You cannot downgrade a SMTPUTF8 message to an ASCII message.  The 
experimental versions of EAI tried to do that and it never worked so they 
took it out of the standards track EAI RFCs.


You can wrap one as a message/global MIME part and send it as an 
attachment, but you can't "translate" the message.


R's,
John

* - I'm pretty sure that if you asked the author of RFC 8616, he'd say the 
same thing.



Re: [mailop] Line too long

2024-05-17 Thread John R Levine via mailop

On Fri, 17 May 2024, Brandon Long wrote:

I don't know anyone who uses BINARYMIME.  Microsoft's MTAs say they do
but I've never tried to see if it works.


We did some testing with it and got some really inconsistent end to end 
responses even from services which advertised it.  The idea of saving 
bytes by not using base64 was appealing.


Back in 2016 I proposed CDAT which is like BDAT but with deflate 
compression (what gzip uses.)  That would shrink base64 to no bigger than 
the original data, but nobody was interested.


https://www.ietf.org/archive/id/draft-levine-smtp-compress-00.txt


And BINARYMIME is incompatible with the line length limit unless your
content happens to have new-lines in the right places or is shorter than
1000 bytes.


Right, the binary data probably isn't text so if it has any \r\n pairs 
it's just an accident.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] (Mis)use of DKIM's length tag and it's impact on DMARC and BIMI

2024-05-17 Thread John R Levine via mailop

On Fri, 17 May 2024, Brandon Long wrote:
I guess the part that's new to me is the apparent widespread (enough) 
use of the l= parameter.  I don't recall ever noticing its use before, 
though can't say it was ever top of mind when looking at various headers 
of messages.


I have to admit I'm surprised too.  I thought everyone knew it was bad.

In my file of DKIM signatures in newsletter/mailing list mail I've gotten 
over the past 15 years, I have about 200,000 signatures of which 6500 have 
l=something.  I divided it in half, and since 2018 there are 98,000 
signatures of which only 500 have l=something.


It's not very common and it's gotten less common, like one message in 
2000, but it does exist.



The example in the post of someone using l=1 really sounds like a
workaround for


I looked, I see a bunch of l=1 in mailings from the libertarians at 
reason.com which makes a perverse kind of sense.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
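
Added example (not code from the thread or from dkimpy): a Python audit of DKIM-Signature header values for the two problems raised in the DKIM threads above, RFC 2047 encoded-words inside the header and use of the l= body length tag. The sample headers and body are constructed, and the body passed in is assumed to be already canonicalized.

```python
import re

# RFC 2047 encoded-word, e.g. =?utf-8?q?...?= ; base64 and tag syntax never
# contain "?", so a match means something MIME-encoded the header.
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")


def parse_tag_list(value):
    """Parse an RFC 6376 tag-list ("v=1; a=rsa-sha256; ...") into a dict."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", value)   # undo header folding
    tags = {}
    for spec in unfolded.split(";"):
        if not spec.strip():
            continue                                   # trailing ";" is allowed
        name, sep, val = spec.partition("=")           # b=/bh= may end in "="
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag-spec: {spec!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", val)           # folding space is not data
    return tags


def audit_dkim_signature(value, canon_body):
    """Return a list of (code, detail) findings for one DKIM-Signature value.

    canon_body is the body after DKIM canonicalization (assumption: the
    caller has already done that step).
    """
    if ENCODED_WORD.search(value):
        # The tag-list is unreadable until decoded, and decoding it is not
        # something a verifier is supposed to do.
        return [("encoded-word", None)]

    findings = []
    tags = parse_tag_list(value)
    if "l" in tags:
        if not re.fullmatch(r"[0-9]{1,76}", tags["l"]):
            findings.append(("l-malformed", tags["l"]))
        else:
            signed = int(tags["l"])
            if signed > len(canon_body):
                findings.append(("l-too-long", signed - len(canon_body)))
            else:
                # Everything after the first `signed` bytes can be changed or
                # appended without breaking the signature.
                findings.append(("l-tag", len(canon_body) - signed))
    return findings


# Constructed sample data (placeholder hashes and signatures, not real ones).
CLEAN = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
         "\th=from:to:subject:date; bh=AAAA;\r\n"
         "\tb=BBBB")
L_ONE = ("v=1; a=rsa-sha256; d=example.com; s=sel1; l=1; "
         "h=from:subject; bh=AAAA; b=BBBB")
ENCODED = ("=?utf-8?q?v=3D1;_a=3Drsa-sha256;_d=3Dexample.com;_s=3Dsel1;?=\r\n"
           " =?utf-8?q?_h=3Dfrom:subject;_bh=3DAAAA;_b=3DBBBB?=")
BODY = b"Hello\r\nthis part could have been added later\r\n"

if __name__ == "__main__":
    for label, header in (("clean", CLEAN), ("l=1", L_ONE), ("encoded", ENCODED)):
        print(label, audit_dkim_signature(header, BODY))
```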


Re: [mailop] What is Yahoo TSS09 ?

2024-05-06 Thread John R Levine via mailop

I am moving my servers to new IP addresses, which is always fun. The
new block is 192.55.226/24 which was allocated in 1989 and has never
been live until this week.

So here's what AOL says to innocuous messages from my users.

553 5.7.2 [TSS09] All messages from 192.55.226.66 will be permanently deferred; 
Retrying will NOT succeed.

I presume it has something to do with it being a hitherto unseen IP range

The volume is quite low, maybe 200 messages a day including from my
mailing lists, and does not look spammy. The highest volume list is
gossip about folk dancing.

Any suggestions?


To answer the obvious questions, it all has DKIM signatures and the SPF is 
updated, so it ain't that.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Are there other comparable services like spamcop.net / spamhaus.org?

2024-04-03 Thread John R Levine via mailop

On Wed, 3 Apr 2024, Laura Atkins wrote:

They do not accept third party samples and never have.


They are now. https://submit.spamhaus.org/


Huh.  Nobody tells me nothin'.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] One click unsubscribe in mailing list messages

2024-02-25 Thread John R Levine via mailop

On Sun, 25 Feb 2024, Ken O'Driscoll wrote:

Outlook has supported list-unsubscribe for at least a year, if not longer.
But, it's an add-on you need to proactively install so...


I'm looking at the list of add-ins and I don't see it.  Maybe it's Windows 
only and I'm on a Mac?


R's,
John


It appears that Hans-Martin Mosner via mailop  said:

Yes. I'm looking at you, thunderbird...

This should be a no-brainer, and it's a shame that the major open source

MUA doesn't seem to support it. There's

probably an add-on to do this, I just can't access the thunderbird add-on

search at the moment, so don't know for sure.

There is but it hasn't been updated to work with recent versions of
T'bird so it installs a button but the button doesn't do anything
useful. Oh well.

Still waiting for Outlook to do this, both the web site and the program.




Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Is forwarding to Gmail basically dead?

2024-02-08 Thread John R Levine via mailop

Frustratingly, some see DKIM as too complicated and they run their own
mail servers and simply won't set it up.  I agree that it's annoying to
do ... but it's become pretty close to necessary these days.


The users with the worst problems were my local town government who were 
getting mail from US government agencies.  There is a mandate that 
agencies MUST do DMARC, so some of them said what's the cheapest easiest 
way to do it, publish an SPF record and DMARC p=reject?  OK, done.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] [E] Re: Spamfolder mini rant (Was: Contact Google Postmaster)

2024-01-30 Thread John R Levine via mailop

That’s not the only option they offer. While they might use POP3 for most
accounts in the ancient “import” flow, they do support adding 3rd party
accounts properly via IMAP via their Gmailify feature.


Oh, OK.  That only works for a handful of large providers.  For my users 
it says too bad, POP only.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] ECDSA DKIM validation?

2023-12-22 Thread John R Levine via mailop

On Thu, 21 Dec 2023, Stuart Henderson wrote:

If you've had to talk someone not very technical through adding a DKIM
RSA key to a poorly implemented web interface from some cheap DNS
provider that doesn't handle long TXT records, you might feel
differently.


I take your point but I can only have limited sympathy for "you have to 
change your correctly working mail system because we don't care enough to 
fix our broken DNS crudware."



There is often a workaround in that case - using 1024 bit keys - but
then there *is* a cryptographic problem.


A 1536 bit key should fit in one string and that's plenty long for the 
foreseeable future.  The largest RSA number known to be factored is 829 
bits, and that's nearly twice the length.  Keep in mind that DKIM keys are 
intended to protect messages for a few weeks, not years, so expensive 
attacks aren't worth it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] ECDSA DKIM validation?

2023-12-21 Thread John R Levine via mailop

On Thu, 21 Dec 2023, Mike Hillyer wrote:

John Said:


I'm sure that Google has code somewhere that can validate ED25519
signatures.  But that does not mean that it would be a good idea for them
to use that code in production today and try to update their reputation
systems to deal with the dual signing that implies.


With the number of messages already arriving with multiple DKIM 
signatures I can't imagine their reputation systems don't already handle 
dual signing just fine. Granted this would be two signatures on the same 
domain, but that seems a small change from handling a signature on 
the From plus one from the ESP and maybe even one for the 
list-unsubscribe domain.


If there's two signatures for the same domain, one is good and one is bad, 
which do you believe?  I know what the spec says, but we have no practical 
experience.


In any event, as I've said at least three times now, RSA keys are fine for 
the foreseeable future so there is no benefit to using ED25519 keys unless 
there is an unexpected key break.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] ECDSA DKIM validation?

2023-12-21 Thread John R Levine via mailop

On Thu 21/Dec/2023 10:37:52 +0100 John Levine via mailop wrote:
Yes, your code should handle them.  No, that doesn't mean you should sign 
with them.


Yup.  The question was why Gmail doesn't /verify/ ed25519 signatures. 
Answering that they do so because it's not necessary to use them doesn't 
sound real.  That way, they are damaging the halo of steady innovators that 
their pushing on authentication might evoke...


Sorry, but I don't understand what you are saying.

I'm sure that Google has code somewhere that can validate ED25519 
signatures.  But that does not mean that it would be a good idea for them 
to use that code in production today and try to update their reputation 
systems to deal with the dual signing that implies.


As I've said several times, unless there is a cryptographic problem with 
RSA, there is no reason to *use* any other kind of signature.


R's,
John


Re: [mailop] dnsbl.spam.fail

2023-12-12 Thread John R Levine via mailop

I also block most mail from Hetzner's network. It's not a vendetta,
it's not extortion, it's purely practical. My time is not unlimited,
the vast majority of the mail from that network is spam and if a tiny
bit of real mail gets lost, so be it. It is not worth my time to make
exceptions in my filtering rules.


If you're the only user on the system, then sure, fine -- your mail, your 
choice, but in my case I have "normal" users, ...


I also have normal users, and if they complain I make their mail work. 
But they've never complained about losing mail from Hetzner.


They complain a lot about losing mail but it very rarely has to do with 
local blocks.  More often it's either that the sender is taking a long 
time to get around to it, or doesn't send at all because their ESP decided 
not to send it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Gmail says "Message bounced due to organizational settings."

2023-09-27 Thread John R Levine via mailop

I'm doing some work for arxiv.org, the preprint server at Cornell university.

Many gmail users have reported that when they try to send mail to
arxiv.org addresses to update their subscriptions, it fails saying
Message Blocked, with the explanation "Message bounced due to
organizational settings."

This affects some but not all mail from Gmail. I am reasonably sure
that Gmail is not trying to deliver this mail before rejecting it.

Any suggestions?


Is this gmail.com  directly or google hosted domains?


I see complaints from gmail.com addresses so I don't think it's just 
hosted domains.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] greylisting, SendGrid is deleting your mail

2023-06-26 Thread John R Levine via mailop

Do you have any idea how many of those would be tripped up by a
Postfix-style banner delay?


Good question. I've been meaning to add a greet pause but haven't yet
gotten around to it.


I got around to it and now do a greet pause before I greylist.  Most of 
the hosts on the Spamhaus BLs are early talkers but that's not a surprise 
and I wouldn't waste effort greylisting them.  Instead I accept the mail, 
reject at the end of data, and put it in the spamtrap to collect 
statistics.


After it runs for a while I'll see what the numbers look like

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.


Re: [mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-09 Thread John R Levine via mailop

If you don't care enough to publish a valid SPF record, why should
we think you care whether we deliver your mail?


The customer in question used an ESP to send marketing emails.
That ESP told him what host to include in his SPF record.

Probably some years later, that ESP changed domain and that include
became invalid.


Quite possibly, but I don't see why that is anyone else's problem.  As I 
said, if you want people to accept your mail, act like you want people to 
accept your mail.  If you don't have the skills to do that, get help from 
someone who does.


If people make reasonable requests for help, that is fine, but don't 
expect people to work around stuff you can and should fix.


R's,
John


Re: [mailop] push and pull, Microsoft Office365 not rejecting emails when instructed so by SPF recored?

2023-05-30 Thread John R Levine via mailop
Not really.  Partly it's that they don't want to send stuff by SMTP where a 
glitch could bounce the statement into some random admin's mailbox or a 
spam scanner might do who knows what with it.  But mostly it's that they 
want to train their users to use a web browser with an SSL connection to 
look at their bank info.


if you want to believe so... as a lawyer who had to argue around those 
timestamps and statements, I am pretty confident that the *main advantage* I 
listed outweighs by a few $-digits all the reasons you list, combined.


It probably differs by country.  I have talked to a lot of people who do 
security for bank computer systems here in the U.S.


I am fairly sure that in the U.S. there is generally no obligation on the 
bank to prove that a customer has seen a statement.  If you move and don't 
give the bank your new address, that's your problem, not the bank's problem.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] push and pull, Microsoft Office365 not rejecting emails when instructed so by SPF recored?

2023-05-30 Thread John R Levine via mailop

On Tue, 30 May 2023, post...@sfina.com wrote:

https://cr.yp.to/im2000.html

You can tell from its name how long ago it was, and from the fact that you
never heard of it before how successful it was.


If I may respectfully encourage you to look at how you receive your online 
banking statements, most likely they are delivered by a system that is 
conceptually pretty much like DJB described it back then. ...


Conceptually, sure, but the notice they send me telling me to look at 
their web site is a lot more than just a link to the server where the 
statement is.


The main advantage for the financial institution is proof on the balance 
of probability of the timestamp and statements that have been delivered 
to the customer.


Not really.  Partly it's that they don't want to send stuff by SMTP where 
a glitch could bounce the statement into some random admin's mailbox or a 
spam scanner might do who knows what with it.  But mostly it's that they 
want to train their users to use a web browser with an SSL connection to 
look at their bank info.



Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] address rewriting, Thoughts on envelope address local-part length limits

2023-05-15 Thread John R Levine via mailop

On Mon, 15 May 2023, Brandon Long wrote:

Yes, VERP and SRS are the two most obvious cases where their design
inherently doesn't work
with the limit (encoding the full email address into the mailbox portion)

You'd need to either get fancy with the domain portion, which has its own
complications (multi-level star DNS?) or use a lookup table.


The wildcard isn't hard, since a DNS wildcard matches any number of 
labels.  (You may be confusing it with wildcard SSL certs which use the 
same syntax but only match a single label.)  One wildcard is plenty for my 
DMARC rewriter to, say, bl...@google.com.dmarc.fail:


;; QUESTION SECTION:
;*.dmarc.fail.  IN  MX

;; ANSWER SECTION:
*.dmarc.fail.   10  IN  MX  20 mx1.dmarc.fail.

Once the mail arrives I need a lookup table to track which domains I'm 
rewriting and which addresses in those domains, to keep from turning into 
an open relay.


I believe that LISTSERV rewrites addresses to a hash of the address which 
fixes the length problem but also needs a lookup table.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
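
Added example, not the rewriter's actual code: a Python illustration of the two points in the message above, DNS wildcard versus certificate wildcard matching, and the lookup table that keeps a *.dmarc.fail style rewriter from relaying for arbitrary addresses. The table contents and the example.com addresses are constructed, and the DNS matcher assumes the zone holds no other names below the wildcard's parent.

```python
SUFFIX = "dmarc.fail"   # rewrite domain taken from the message above


def _labels(name):
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def dns_wildcard_matches(wildcard, qname):
    """DNS wildcard: '*' stands for one OR MORE labels below the parent.

    Simplification (assumption): no other names exist under the parent, so
    the closest-encloser rules never stop the wildcard from applying.
    """
    w, q = _labels(wildcard), _labels(qname)
    if w[0] != "*" or len(w) < 2:
        raise ValueError("expected a name of the form *.parent")
    parent = w[1:]
    return len(q) > len(parent) and q[-len(parent):] == parent


def tls_wildcard_matches(pattern, hostname):
    """Certificate wildcard: '*' stands for exactly ONE leftmost label."""
    p, h = _labels(pattern), _labels(hostname)
    return p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]


def rewrite(address):
    """user@example.com -> user@example.com.dmarc.fail"""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return f"{local}@{domain.lower()}.{SUFFIX}"


def resolve_rcpt(rcpt, table):
    """Map a rewritten recipient back to the real one, or None to reject.

    `table` maps original domain -> set of local parts that were actually
    rewritten. Without this check, anything@any.domain.dmarc.fail would be
    forwarded, which is an open relay.
    """
    local, sep, domain = rcpt.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not domain.endswith("." + SUFFIX):
        return None
    original_domain = domain[: -(len(SUFFIX) + 1)]
    if local not in table.get(original_domain, ()):
        return None
    return f"{local}@{original_domain}"


# Constructed lookup table: only addresses the rewriter has itself produced.
TABLE = {"example.com": {"alice"}}

if __name__ == "__main__":
    name = "example.com.dmarc.fail"
    print("DNS wildcard matches:", dns_wildcard_matches("*.dmarc.fail", name))
    print("TLS wildcard matches:", tls_wildcard_matches("*.dmarc.fail", name))
    for rcpt in ("alice@example.com.dmarc.fail",
                 "bob@example.com.dmarc.fail",
                 "alice@example.net.dmarc.fail"):
        print(rcpt, "->", resolve_rcpt(rcpt, TABLE))
```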


Re: [mailop] SPF behavior on email forwarding

2023-04-15 Thread John R Levine via mailop

In other words, SPF check is not something what helps with SPAM
here, seems that spammers adapted to it...


As far as I know, SPF was never meant as an anti-spam measure.


It was most definitely touted as an anti-spam measure.  Some of us were there.


Absolutely. Spent time listening to Meng Wong talk about it, totally ignoring 
the forwarding problem.


Which was really strange since Meng ran pobox.com, a forwarding service.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Mailing Lists and domains with DMARC reject

2023-03-09 Thread John R Levine via mailop
Would a MUA send a POST to a known domain if it was found on a message 
coming from an unknown, or anyway different domain?


Maybe.  It's quite common for a message to come from some company and the 
links to point back to the ESP.


Isn't it difficult to agree on opaque tokens in that case?


No.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Mailing Lists and domains with DMARC reject

2023-03-09 Thread John R Levine via mailop
Yes, the idea was to prevent malicious unsubs by sending fake spam with 
someone else's one-click unsub.


Would a MUA send a POST to a known domain if it was found on a message coming 
from an unknown, or anyway different domain?


Maybe.  It's quite common for a message to come from some company and the 
links to point back to the ESP.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Mailing Lists and domains with DMARC reject

2023-03-08 Thread John R Levine via mailop
Yeah, RFC4871 was a proposed standard, RFC6376, four years later became an 
Internet standard.  Once there was a level in between...


Seems that 4 years was not enough ;-) Or we understand idea behind that
RFC wrongly...


Keep in mind that DMARC was invented long after SPF and DKIM.  Also that 
the original goal of DMARC was to protect heavily phished domains like 
paypal.com and its authors did not expect anyone to use it on domains that 
send mail to lists.  It was several years later that AOL and Yahoo started 
abusing DMARC to outsource the cost of phishes using address books that 
they let crooks steal.


And why does RFC8058 require that fields such as List-Unsubscribe-Post: 
MUST be signed?


Is it special "One click" case? I was not interested in it yet...


Yes, the idea was to prevent malicious unsubs by sending fake spam with 
someone else's one-click unsub.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] warming up IPs, Microsoft?

2023-03-06 Thread John R Levine via mailop

Huh. We don't have any issues sending email to them from Linode, including

a small number from one of our new IP addresses I've been trying to warm up.


Linode has a bunch of different IP address blocks and I would expect 
recipients to block the ones that send annoying amounts of spam.  That's 
what I do.  So as likely as not, you're just lucky that you don't have 
annoying neighbors.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] warming up IPs, Microsoft?

2023-03-05 Thread John R Levine via mailop
It also occurs to me that you don't need to do your computing and mail on 
the same VM.  Mail is rather lightweight so you could run a mail server at 
Tektonic, and send messages from other places via port 587 submission.


On Sun, 5 Mar 2023, Mark Fletcher wrote:


On Sun, Mar 5, 2023 at 10:20 AM John R Levine  wrote:



I've been happy with a small provider called Tektonic.  If you've never
heard of them, that's a good sign.

Thanks for the recommendation; unfortunately they wouldn't work for us.

Their largest VM is less than half the size we would need for our
databases, also they don't appear to have an API to provision new VMs.

Thanks,
Mark



Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] warming up IPs, Microsoft?

2023-03-05 Thread John R Levine via mailop

Thanks for the recommendation; unfortunately they wouldn't work for us.

Their largest VM is less than half the size we would need for our
databases, also they don't appear to have an API to provision new VMs.


If you need a big VM there's always AWS.  They do a surprisingly good job 
of managing outbound mail.  You get 62K messages/mo for free, then 10c per 
1000 messages sent from a VM.  If you want big databases, you can run them 
in your own VM but it's easier and probably just as cheap to use one of 
their managed ones.


You have to validate each domain you use for sending, which is a modest 
pain, but that's one of the reasons their mail stream is pretty clean.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] warming up IPs, Microsoft?

2023-03-05 Thread John R Levine via mailop

On Sun, 5 Mar 2023, Mark Fletcher wrote:

Best I can tell, in our 9+ years, being hosted by Linode has never been an

issue wrt deliverability, and as a hosting provider, they've been nothing
but responsive and reliable. That said, they were recently bought by
Akamai, and have just raised prices. So I guess I need to start at least
paying attention to other hosting options. Who do you recommend these days?


I've been happy with a small provider called Tektonic.  If you've never 
heard of them, that's a good sign.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Does gmail accept unicode character in From domain? I don't think so

2023-03-03 Thread John R Levine via mailop
It occurs to me that if you only have a handful of addresses with accented 
Latin characters, they are probably typos, not real addresses.


Unless you're sending mail to south or southeast Asia, just get rid of 
them.


On Fri, 3 Mar 2023, Alex Burch wrote:


Thanks everyone. Is there any reason not to just always use punycode for
the domain and keep it pure ascii? Seems safer that way. Are there any
known risks to doing that?

About swaks, there is an open MR to add SMTPUTF8 support:
https://github.com/jetmore

If John Jetmore is here, please merge that sucker!

Thanks,
Alex


--

Alexander Burch
ActiveCampaign / Senior Deliverability Engineer
abu...@activecampaign.com
1 North Dearborn St Suite 500, Chicago IL, 60602








On Thu, Mar 2, 2023 at 6:20 PM John Levine  wrote:


It appears that Alex Burch via mailop  said:


I am using unicode in the From: not the MAIL FROM. Do you have to specify
it SMTPUTF8 in the MAIL FROM to use it in the From header? I don't see
anything about that here:

https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc6531__;!!JIZ-LZtDGnv5HBqN_A!LLHjvWO9Lj3NLPOW2WO4wfuIRc6jsmEppjd-E6-oOHDWAguRDF1IVTyo6F7qheRN7lfhCKHmFEIrsWFs$

See section 3.6 which refers to an "internationalized message" and RFC
6532 which explains what that means. It roughly means you can have
UTF-8 in the headers.


I was under the impression that if the client offered SMTPUTF8 extension
then you could go ahead and use unicode in the headers like From.


You can, but you have to put the SMTPUTF8 parameter on the MAIL FROM to say
it's an internationalized message.

I did a bunch of EAI mail tests for ICANN's UASG and Gmail passed most of
them. If you use the correct envelope and headers, it'll work.

Someone else asserted that nobody handles Unicode domain names, and he is
wrong, although they have to be encoded as A-labels when you do the DNS
lookup, as described in RFCs 5894 and 5895.

R's,
John







Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Does gmail accept unicode character in From domain? I don't think so

2023-03-03 Thread John R Levine via mailop

We are an ESP and we have a lot of customers who send with characters like
ü or á, usually in the local part but occasionally in the domain. I think
if we converted all from addresses to pure ascii punycode, we'd solve our
problems rather than trying to keep them unicode and rely on SMTPUTF8
working.


If an address has ü or á in the local part, it is an EAI address and you 
cannot "convert it to punycode."  Domains have A-label versions but local 
parts do not.



I see Yahoo does not even offer SMTPUTF8


Right, they're behind the curve.  Gmail and Microsoft do and their support 
is pretty good.


Sounds like you should either go to the modest effort to make SMTPUTF8 
sending work, or go through your lists and delete the non-ASCII addresses 
since they'll just bounce or get lost.





Thanks,
Alex


--

Alexander Burch
ActiveCampaign / Senior Deliverability Engineer
abu...@activecampaign.com
1 North Dearborn St Suite 500, Chicago IL, 60602








On Fri, Mar 3, 2023 at 9:32 AM John R Levine  wrote:


Thanks everyone. Is there any reason not to just always use punycode for
the domain and keep it pure ascii? Seems safer that way. Are there any
known risks to doing that?


"Always" in what context?  The whole point of IDNs and EAI is so that
people who don't speak English can use mail addresses they can read.

If you mean in your lists of addresses to send to, sure you can use
A-labels (the ones that contain punycode) and it'll work, although if the
local parts have UTF-8 characters, you still have to do SMTPUTF8 so it's
not much of a shortcut.

Most of the people with EAI addresses are in India, Thailand, and other
parts of south and east Asia.  If you don't do a lot of business there,
you don't need to worry about them.

R's,
John



About swaks, there is an open MR to add SMTPUTF8 support:


https://urldefense.com/v3/__https://github.com/jetmore__;!!JIZ-LZtDGnv5HBqN_A!MykNXx6yo6uaoX3D_3VQ1iI9p1jeUkSw6Rl62hNqBo1YB1pKliY2BMyPv3L5IAND_HKUjZ2XbsMeFi_m$


If John Jetmore is here, please merge that sucker!

Thanks,
Alex


--

Alexander Burch
ActiveCampaign / Senior Deliverability Engineer
abu...@activecampaign.com
1 North Dearborn St Suite 500, Chicago IL, 60602






On Thu, Mar 2, 2023 at 6:20 PM John Levine  wrote:


It appears that Alex Burch via mailop  said:


I am using unicode in the From: not the MAIL FROM. Do you have to specify
it SMTPUTF8 in the MAIL FROM to use it in the From header? I don't see
anything about that here:



https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc6531__;!!JIZ-LZtDGnv5HBqN_A!LLHjvWO9Lj3NLPOW2WO4wfuIRc6jsmEppjd-E6-oOHDWAguRDF1IVTyo6F7qheRN7lfhCKHmFEIrsWFs$


See section 3.6 which refers to an "internationalized message" and RFC
6532 which explains what that means. It roughly means you can have
UTF-8 in the headers.


I was under the impression that if the client offered SMTPUTF8 extension
then you could go ahead and use unicode in the headers like From.


You can, but you have to put the SMTPUTF8 parameter on the MAIL FROM to say
it's an internationalized message.

I did a bunch of EAI mail tests for ICANN's UASG and Gmail passed most of
them. If you use the correct envelope and headers, it'll work.

Someone else asserted that nobody handles Unicode domain names, and he is
wrong, although they have to be encoded as A-labels when you do the DNS
lookup, as described in RFCs 5894 and 5895.

R's,
John







Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
https://urldefense.com/v3/__https://jl.ly__;!!JIZ-LZtDGnv5HBqN_A!MykNXx6yo6uaoX3D_3VQ1iI9p1jeUkSw6Rl62hNqBo1YB1pKliY2BMyPv3L5IAND_HKUjZ2Xbt5FsPoR$





Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

Re: [mailop] Does gmail accept unicode character in From domain? I don't think so

2023-03-03 Thread John R Levine via mailop

Thanks everyone. Is there any reason not to just always use punycode for
the domain and keep it pure ascii? Seems safer that way. Are there any
known risks to doing that?


"Always" in what context?  The whole point of IDNs and EAI is so that 
people who don't speak English can use mail addresses they can read.


If you mean in your lists of addresses to send to, sure you can use 
A-labels (the ones that contain punycode) and it'll work, although if the 
local parts have UTF-8 characters, you still have to do SMTPUTF8 so it's 
not much of a shortcut.


Most of the people with EAI addresses are in India, Thailand, and other 
parts of south and east Asia.  If you don't do a lot of business there, 
you don't need to worry about them.


R's,
John



About swaks, there is an open MR to add SMTPUTF8 support:
https://github.com/jetmore

If John Jetmore is here, please merge that sucker!

Thanks,
Alex


--

Alexander Burch
ActiveCampaign / Senior Deliverability Engineer
abu...@activecampaign.com
1 North Dearborn St Suite 500, Chicago IL, 60602








On Thu, Mar 2, 2023 at 6:20 PM John Levine  wrote:


It appears that Alex Burch via mailop  said:


I am using unicode in the From: not the MAIL FROM. Do you have to specify
it SMTPUTF8 in the MAIL FROM to use it in the From header? I don't see
anything about that here:

https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc6531__;!!JIZ-LZtDGnv5HBqN_A!LLHjvWO9Lj3NLPOW2WO4wfuIRc6jsmEppjd-E6-oOHDWAguRDF1IVTyo6F7qheRN7lfhCKHmFEIrsWFs$

See section 3.6 which refers to an "internationalized message" and RFC
6532 which explains what that means. It roughly means you can have
UTF-8 in the headers.


I was under the impression that if the client offered SMTPUTF8 extension
then you could go ahead and use unicode in the headers like From.


You can, but you have to put the SMTPUTF8 parameter on the MAIL FROM to say
it's an internationalized message.

I did a bunch of EAI mail tests for ICANN's UASG and Gmail passed most of
them. If you use the correct envelope and headers, it'll work.

Someone else asserted that nobody handles Unicode domain names, and he is
wrong, although they have to be encoded as A-labels when you do the DNS
lookup, as described in RFCs 5894 and 5895.

R's,
John







Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
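The rules from this thread as an added Python example (not code from any poster): a domain can be converted to its A-label form, a non-ASCII local part cannot, and any non-ASCII text in the envelope or headers needs the SMTPUTF8 parameter on MAIL FROM. The addresses and function names are constructed for illustration, and Python's built-in `idna` codec implements IDNA 2003 rather than the IDNA 2008 rules of RFCs 5894 and 5895, so treat the conversion as an approximation.

```python
# Added example: classify addresses and build the MAIL FROM line for a
# possibly internationalized message. All names here are hypothetical.


def split_address(addr):
    """Split an addr-spec on its last '@' into (local_part, domain)."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % addr)
    return local, domain


def domain_to_alabel(domain):
    """ASCII (A-label) form of a domain, the form used for DNS lookups."""
    # Built-in codec = IDNA 2003; an assumption standing in for IDNA 2008.
    return domain.encode("idna").decode("ascii")


def to_ascii_if_possible(addr):
    """Return an all-ASCII equivalent of addr, or None when none exists."""
    local, domain = split_address(addr)
    if not local.isascii():
        return None  # local parts have no A-label version
    return local + "@" + domain_to_alabel(domain)


def needs_smtputf8(envelope_addrs, raw_headers):
    """True if any envelope address or the header block has non-ASCII text."""
    return any(not s.isascii() for s in list(envelope_addrs) + [raw_headers])


def mail_from_command(sender, rcpts, raw_headers, ehlo_keywords):
    """Build the MAIL FROM line, refusing if the server cannot take the message."""
    if needs_smtputf8([sender] + list(rcpts), raw_headers):
        if "SMTPUTF8" not in ehlo_keywords:
            raise ValueError("internationalized message, server lacks SMTPUTF8")
        return "MAIL FROM:<%s> SMTPUTF8" % sender
    return "MAIL FROM:<%s>" % sender


if __name__ == "__main__":
    # Constructed addresses: one with a Unicode domain, one EAI local part.
    for addr in ("info@bücher.example", "josé@example.com"):
        print(addr, "->", to_ascii_if_possible(addr))
    # ASCII envelope, but a Unicode domain inside the From: header.
    headers = "From: Alex <alex@bücher.example>\r\nSubject: test\r\n"
    print(mail_from_command("bounce@example.com", ["rcpt@example.net"],
                            headers, {"8BITMIME", "SMTPUTF8"}))
```
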


Re: [mailop] Mail Sending Self-Test Platform

2023-03-01 Thread John R Levine via mailop

Still, i am a bit wondering; Looking at the data flushed in so far (and
already multiple bugs filed against implementations)... there are a lot
of funny milters and often unmaintained software integrated in funny
docker stacks (probably preaching to the choir there, but i have a lot
of grievances with those setups), and generally a lot of awry things
(example.com. IN TXT "v=spf1 include:example.com -all" is, for example,
far more common than i'd have ever believed...).


In the DMARC working group we've had endless arguments about what changes 
will or won't break existing DMARC setups, informed by a lot of opinions 
and very little data.  Actual data would be greatly appreciated.


It's not surprising that there are a lot of broken DMARC and SPF records. 
The question is whether anyone cares.  My impression is that in many cases 
there was a checklist item "DMARC" so someone did the absolute minimum.  A 
p=none policy, a sloppy SPF record, and no DKIM is a strong hint.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
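The self-including SPF record quoted above can be caught offline before it is published. This is an added Python example, not the self-test platform's code: it walks `include:` terms through a constructed table standing in for DNS TXT lookups and reports the first loop it finds. A record that includes its own domain keeps recursing until an RFC 7208 evaluator hits its DNS lookup limit and returns permerror. Macros in include targets are not handled.

```python
import re

# Constructed TXT data standing in for DNS; the first entry is the record
# quoted in the message above.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:example.com -all",
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.good.example -all",
    "_spf.good.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "a.example": "v=spf1 include:b.example ~all",
    "b.example": "v=spf1 include:a.example ~all",
}

INCLUDE_RE = re.compile(r"[+\-~?]?include:(\S+)", re.IGNORECASE)


def spf_includes(record):
    """Return the include: targets of an SPF record, in order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []  # not an SPF record
    targets = []
    for term in terms[1:]:
        match = INCLUDE_RE.fullmatch(term)
        if match:
            targets.append(match.group(1).lower().rstrip("."))
    return targets


def find_include_loop(domain, txt, path=None):
    """Depth-first walk of includes; return the looping path or None."""
    domain = domain.lower().rstrip(".")
    path = (path or []) + [domain]
    for target in spf_includes(txt.get(domain, "")):
        if target in path:
            # Report only the part of the path that forms the cycle.
            return path[path.index(target):] + [target]
        loop = find_include_loop(target, txt, path)
        if loop:
            return loop
    return None


if __name__ == "__main__":
    for name in ("example.com", "good.example", "a.example"):
        loop = find_include_loop(name, SAMPLE_TXT)
        print(name, "->", " -> ".join(loop) if loop else "no include loop")
```
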


Re: [mailop] Mail Sending Self-Test Platform

2023-02-28 Thread John R Levine via mailop

dmarcv1 is a typo in the description (i correctly check for DMARC1,
otherwise this would have shown up earlier);

??

The actual complaint is psd=n; Lemme see if i can make the report more
clear re: where it complained.

Do you maybe have some context on psd=n? I can't find it in 7489.


It's in RFC 9091 and in the DMARC update currently in draft form at the 
IETF.  The intention was always that you could put private clauses in 
DMARC records which get ignored by clients that don't understand them, but 
the ABNF was overly clever.  That's fixed in the new draft too.





With best regards,
Tobias

On Tue, 2023-02-28 at 17:32 -0500, John Levine wrote:

It appears that Tobias Fiebig via mailop  said:

Heho,

after our paper on mail sending configurations some time ago [1], we
now glued that together into a self-service site:

https://email-security-scans.org/

I'd be happy to hear your feedback, especially if things do not work as
expected (then, your test ID and ideally stored emails would be really
helpful,


It's complaining that my DMARC record is invalid because it doesn't
start with "v=DKIMv1".  What?

Test ID ttada96061gfwnvbuthbycansr5h34

R's,
John





Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
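A tolerant reading of a DMARC record, as discussed in this exchange, sketched as an added Python example (not the test platform's code): the version tag must come first and be exactly `DMARC1`, and tags the parser does not know, such as `psd=n`, are ignored rather than treated as errors, which is RFC 7489's rule for unknown tags. The sample records and function names are constructed.

```python
# Added example: tag-list parsing for a DMARC TXT record.
# Tags defined by RFC 7489; anything else is ignored, not rejected.
RFC7489_TAGS = {"v", "p", "sp", "adkim", "aspf", "pct",
                "rua", "ruf", "fo", "rf", "ri"}


def parse_tags(record):
    """Split 'name=value; name=value' into ordered (name, value) pairs."""
    pairs = []
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip():  # skip empty or malformed parts
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_dmarc(record):
    """Return a dict for a usable DMARC record, or None if it is not one."""
    pairs = parse_tags(record)
    # The version tag must be first and must be exactly "DMARC1".
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    known, ignored = {}, {}
    for name, value in pairs[1:]:
        bucket = known if name in RFC7489_TAGS else ignored
        bucket.setdefault(name, value)  # first occurrence wins (a choice made here)
    return {"policy": known.get("p"), "tags": known, "ignored": ignored}


def findings(record):
    """Human-readable notes of the kind a self-test report could show."""
    parsed = parse_dmarc(record)
    if parsed is None:
        return ["not a DMARC record: first tag must be v=DMARC1"]
    notes = []
    for name in parsed["ignored"]:
        notes.append("tag '%s' is not defined in RFC 7489; ignored, "
                     "record still valid" % name)
    if parsed["policy"] is None:
        notes.append("no p= tag")
    elif parsed["policy"].lower() == "none":
        notes.append("p=none: monitoring only, no enforcement")
    return notes


if __name__ == "__main__":
    # Constructed records: one with a newer tag, one with a bad version.
    for rec in ("v=DMARC1; p=reject; psd=n; rua=mailto:dmarc@example.com",
                "v=DMARCv1; p=none",
                "v=DMARC1; p=none"):
        print(rec, "->", findings(rec) or ["ok"])
```
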


Re: [mailop] DMARC Stockholm syndrome, Reject vs spam folders

2022-09-16 Thread John R Levine via mailop

On Fri, 16 Sep 2022, Brandon Long wrote:

For thirty years we all used mailing lists that didn't mess with the
author's name or address, so you could easily reply either to the
authors or the list (and please don't mansplain to me what Reply-To
does.) That stopped working when AOL and Yahoo repurposed DMARC to
outsource the support costs of incoming spam due to their own security



For 30 years, we allowed mailing lists to modify messages and take partial
"ownership" of them (the mailing list gets the bounces), without
modifying who the message was "from".  When digital signatures were
introduced and then linking them to the sender, it made that untenable...
but the reason we added the signature and linkage was because of bad
actors, and the number of "we always did it this way" things that
have fallen to our fight with bad actors has been quite large.


I think you're basically agreeing with me.  When we came up with DKIM we 
deliberately designed it so that the DKIM domain was separate from any 
other identity in the message.  ADSP was supposed to connect the DKIM 
domain to the From: domain but did it so badly and failed in so many cases 
that nobody used it.  So the next round was DMARC, which handled more 
situations than ADSP, and was intended for heavily forged domains like 
paypal.com.


Unsurprisingly, like any retrofit, DMARC handles a lot of cases but fails 
on others, with mailing lists being the most notable example.  (You used 
to be able to do things like forward an article from a newspaper web site 
to a friend and put your own return address on it, which was useful.) The 
response too often is to blame the victim and retroactively redefine 
perfectly normal and legitimate activities as bad, just because the 
security model du jour can't describe them.


I think we both hope that ARC turns out to be an adequate band-aid to 
increase the amount of legitimate mail that DMARC can handle so that the 
most painful failures work again.  But I think send an article is dead 
forever.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] FW: Did Google become stricter about RFC 5322?

2022-07-15 Thread John R Levine via mailop

On Fri, 15 Jul 2022, Michael Ellis wrote:

The body text lines are likely more than 998 characters. They have a feature to 
break long lines but they didn't enable it. The headers lines will all be well 
below 998 characters.


That's probably what's wrong.  5322 says all the lines, not just the 
headers, have to be no more than 1000 octets including the \r\n





Each header is separated by \r\n

Here is an example of the date: Fri, 15 Jul 2022 12:51:19 -0500   I think this 
is correct.

-Original Message-
From: John Levine [mailto:jo...@taugh.com]
Sent: July 15, 2022 1:16 PM
To: mailop@mailop.org
Cc: m...@bacchusbrew.com
Subject: Re: [mailop] FW: Did Google become stricter about RFC 5322?

It appears that Michael Ellis via mailop  said:

Am I missing something as well? Google just rejected a client due to PTR on 
mailop-boun...@mailop.org but it seems fine to me ...



Gmail, 550-5.7.1 this message has been blocked. Please review 550
5.7.1
RFC 5322 specifications for more information.


PTRs aren't RFC 5322


As far as I can tell, the message is compliant.  It doesn't have any of
the obvious problems, at least.  From, To, Message-ID and Date are
supplied.  No duplicate headers.


How long are the text lines?

Is there \r\n at the end of each line in the header and body?

Is the Date: in the correct form?

R's,
John




Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
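The first two questions in this exchange (how long are the lines, and does every line end in \r\n) can be answered mechanically before a message leaves the sending system. This is an added Python example, not code from the thread; the message bytes are constructed and `check_message` is a hypothetical name. RFC 5322 limits each line to 998 octets excluding the CRLF.

```python
MAX_LINE = 998  # octets per line, not counting the trailing CRLF


def check_message(raw):
    """Return a list of (line_number, problem) for a raw message in bytes."""
    problems = []
    pieces = raw.split(b"\n")
    last = len(pieces) - 1
    for index, piece in enumerate(pieces):
        lineno = index + 1
        terminated = index < last  # an LF followed this piece
        if not terminated and piece == b"":
            break  # message ended cleanly on a line terminator
        if terminated and not piece.endswith(b"\r"):
            problems.append((lineno, "bare LF"))
        elif not terminated:
            problems.append((lineno, "no CRLF at end of message"))
        content = piece[:-1] if piece.endswith(b"\r") else piece
        if b"\r" in content:
            problems.append((lineno, "bare CR"))
        if len(content) > MAX_LINE:
            problems.append((lineno, "line is %d octets" % len(content)))
    return problems


# Constructed sample: valid headers, one 1200-octet body line, and one
# body line that ends in LF only.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: rcpt@example.net\r\n"
    b"Date: Fri, 15 Jul 2022 12:51:19 -0500\r\n"
    b"Message-ID: <1@example.com>\r\n"
    b"\r\n"
    + b"x" * 1200 + b"\r\n"
    + b"short line\n"
)

if __name__ == "__main__":
    for lineno, problem in check_message(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```
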


Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List

2022-05-18 Thread John R Levine via mailop

Note that, in spite of DMARC, we still do not have per-user
authentication.

We have at least two flavors in PGP and S/MIME,


When something exists for 30 years and has market penetration that cannot 
even rise to the level of being called 'meager'. /WE/ -- it, the Internet 
community -- does not have that thing.


Hm, your copy of the message appears to have been cut off.  Here's the 
rest which you presumably missed:


 but even though both are technically sound, nobody uses them outside of a
 few specialized communities which suggests that it's not going to happen.

 There is also the difference between "this mail is from
 b...@sludgemail.com" and "this mail is from Bob Smith whose current
 address is b...@sludgemail.com".  The PGP web of trust is supposed to
 validate real names, but even among PGP users few pay attention to WOT.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Spamhaus: Get more details about LISTING (Could a DMARC Report Address point to a spamtrap)?

2022-05-17 Thread John R Levine via mailop

On Tue, 17 May 2022, Tobias Fiebig wrote:
However, judging from the state of DMARC reporting by the bounces 
hitting my report-from (_large_ orgs having non existent mailboxes in 
there etc.), I'd argue that the only thing that prevents ruf/rua that 
are stale for a decade is the age of RFC7489.


They're just reporting what they receive.  It shouldn't be a big surprise 
that spamware makes up addresses, some of which happen to be in your 
domains.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] SMTP line wrapping breaking DKIM signatures when forwarding

2022-04-28 Thread John R Levine via mailop

On Thu, 28 Apr 2022, Dave Crocker wrote:

Actually, for the current discussion, there is only a single issue:

Should an intermediate relay get fussy and modify the substance
of a message?


That is one way to look at it, but as I said in the message you just 
replied to, in this case not a particularly helpful one.


We can also have endless discussions about what "substance" means, e.g., 
just the body, body and some headers, body in ways that doesn't bother 
DKIM?


R's,
John


Re: [mailop] DKIM by the third party

2022-04-21 Thread John R Levine via mailop
My main point is this: ESPs and other 3rd party SMTP services - should be 
aware that using an SPF record that validates against the provider's domain 
in the SMTP envelope-FROM (and not the actual client's domain) - AND ALSO - 
having only one DKIM record which uses the provider's domain in the DKIM 
record (and, again, not the actual client's domain) - so the combination of 
these 2 - is insufficient and substandard for validating the identity of the 
sender, especially in those cases where that service provider routinely 
allows spammers and scammers to abuse their service.


Oh, sure.  If you're doing B2C or B2B mail which isn't going to run into 
the edge cases of individual or discussion list mail, it makes sense to 
publish a strict DMARC policy and add a DKIM signature which matches the 
header From: address.  Leave the envelope address alone so the ESP can do 
the bounce handling.


So my question was simply asking if Amazon had some checks in place to 
prevent this scenario? ...since I saw some examples of them coming close to 
this fiasco.


They do.  See the link in my message.  I wouldn't say their abuse handling 
is fabulous, but considering their scale, it could be a lot worse.


The lowest tiers of AWS are very cheap, so it's not hard to sign up and do 
a few small scale experiments.


R's,
John



Re: [mailop] Fwd: RFC 9228 on Delivered-To Email Header Field

2022-04-14 Thread John R Levine via mailop

On Thu, 14 Apr 2022, Dave Crocker wrote:

Without knowing what mail software your provider is running, there is
no way to tell.


The benefit of an over-the-wire approach to specification writing is that all 
that matters is what goes... over the wire.  One does not need to know the 
'intent' or 'thinking' or who the source is, or whatever about the source of 
the data that goes over the wire.  One merely needs to know what goes over 
the wire, and compare it to what is in the specification.


So, just so I don't misunderstand, you're saying that one can tell what a 
complex piece of software does by examining a single example of its 
output.  That's quite impressive.



Section 4, second bullet

If a receiving system's delivery process applies mappings or
transformations from the address used by the MHS to a local value,
this new value SHOULD also be recorded into a separate Delivered-To:
field when transit and processing using that address successfully
complete. This ensures a detailed record of the sequence of handling
addresses used for the message.


covers that form of string.


It doesn't, we explained why last year, but since I doubt anyone else is 
interested in this p*ing match, I'm really done now.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] not a way to do abuse contacts, What am I supposed to do with abuse complaints on legit mail?

2022-01-17 Thread John R Levine via mailop

On Mon, 17 Jan 2022, Dan Mahoney wrote:

It is quite simple to use RDAP to get the abuse contact email for
anyone who has provided the info to their RIR.  I do it all the time.
The problem is that too many operators don't bother.  If they don't
tell the RIR, they are not likely to spend effort putting extra
stuff in their rDNS.


What do you do when abuse complaints are just observably bounced or blackholed, 
and not accepting email from gma^W that provider isn't an option?


Nothing surprising.  Sometimes you can tell it's a SWIP to a customer so I 
can add the host's contact address.  Sometimes a provider just doesn't 
care but I find in those cases, they rarely send any mail my users are 
likely to want so I just send their mail to the shredder.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


[mailop] Sendgrid spam of the day -- crypto.com phish

2021-12-31 Thread John R Levine via mailop

For full headers see http://spample.iecc.com/eam/23683557

R's,
John
-- Forwarded message --
Date: Fri, 31 Dec 2021 20:36:03
From: Crypto.com 
To: i...@taugh.com
Subject: Case ID 23045 -Important Notice: Update Your Account



Dear Valued Customer,

We need your help resolving an issue with your account Thus, we have 
temporarily limited what you can do with your account until the issue is
resolved.

We understand it may be frustrating not to have full access to your account. We 
want to work with you to get your account back to normal as quickly
as possible.

we just need some more information about your account or latest transactions

Signin




Crypto.‌com
Blog
App
Exchange
Contact us at:

contact‌@crypto.‌com

Copyright © 2021 Crypto.‌com, All Rights Reserved.


Crypto.‌com
U‌nit 15‌06-‌7 1‌5/‌F P‌acific P‌laza, 4‌10-‌41‌8 D‌es Vo‌eux R‌oad W‌est, 
H‌ong K‌ong

If you no longer wish to receive promotional communications from Crypto.‌com, 
please click here.
(you will no longer receive emails from us about updates and exclusive 
privileges/promotions)





Re: [mailop] Privacy research spam apparently from a grad student at Princeton

2021-12-14 Thread John R Levine via mailop

Which domain?  Feel free to encode it out as need be.


It was in my first message:

 From: Privacy Practices 

Registered at Namecheap, mail sent from AWS

R's,
John


On Dec 14, 2021, at 6:49 PM, John Levine via mailop  wrote:

It appears that Simon Arlott via mailop  said:

On 14/12/2021 18:53, John Levine via mailop wrote:

I think this is different and really is a botched survey from a grad student.
Poking around his department's web site, it seems like the sort of stuff he is
interested in.


I heard back from the student.  It's real, he thinks spamming scraped addresses 
is dandy.



[mailop] Privacy research spam apparently from a grad student at Princeton

2021-12-14 Thread John R Levine via mailop
I got a couple of copies of this message to addresses scraped off my 
websites.  It was sent from AWS cloud using a recently registered domain 
so it's likely a phish, but "Ross Teixeira" is a real person, a grad 
student at Princeton.  Needless to say, sending blasts of spam to scraped 
addresses is not going to get useful research results.


Anyone else get this?  If you want to complain, Princeton's IRB which is 
supposed to review every experiment with human subjects is at 
i...@princeton.edu.  Or if you want to ask Mr. Teixeira what the bleep he 
was thinking, he's at rteixe...@princeton.edu.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

-- Forwarded message --
Date: Tue, 14 Dec 2021 03:03:40
From: Privacy Practices 
To: infri...@iecc.com
Subject: Questions About iecc.com Privacy Practices for Princeton University
Research


To Whom It May Concern,

We are researchers at Princeton University conducting a study of how websites 
are implementing the EU and UK General Data Protection Regulation (GDPR) and 
the California Consumer Privacy Act (CCPA). We are
reaching out to you because this email address is provided as a contact on the 
website iecc.com.

Your website may be required to implement one or both of GDPR and CCPA, and we 
would appreciate if you would answer a few brief questions about your privacy 
practices.

1) Does iecc.com implement GDPR or CCPA? If not, could you please explain why? 
If you are uncertain about whether iecc.com is required to implement these laws 
or answer questions like ours, we have included
informative resources at the end of this email.

2) If you implement GDPR or CCPA, do you process data access requests from 
individuals who are not residents of the EU or UK (for GDPR) or who are not 
residents of California (for CCPA)?

3) If you implement GDPR or CCPA, do you process data access requests via 
email, a website, or telephone? If via a website, what is the URL?

4) If you implement GDPR or CCPA, what personal information must a user submit 
for you to verify and process a data access request?

5) If you implement GDPR or CCPA, what personal information do you provide in 
response to a data access request?

Thank you in advance for your answers to these questions. If there is a better 
contact for questions about privacy practices on iecc.com, I kindly ask that 
you forward my request to them.

Sincerely,
Ross Teixeira

--

We offer these resources about GDPR and CCPA for your convenience. Please note 
that we cannot provide legal advice about whether iecc.com is required to 
implement these laws or respond to our questions like
ours about GDPR and CCPA practices.

* Article 3 of the GDPR, which specifies coverage: 
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679=EN#d1e1455-1-1

* European Data Protection Board guidance on GDPR coverage: 
https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en

* California Attorney General guidance on CCPA coverage: 
https://oag.ca.gov/privacy/ccpa#sectiona

* Section 1798.140 of the California Civil Code, which specifies the businesses 
that CCPA covers:
https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.140.=8.4.45=CIV




[mailop] Bonus sendgrid spam of the day

2021-12-11 Thread John R Levine via mailop

Same outfit, same spamtrap address, this time touting our pals at AARP.

So who is https://www.ninesevenpebble.com/ ?

Full spam at http://spample.iecc.com/saa/23681599

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

-- Forwarded message --
Date: Sat, 11 Dec 2021 08:03:28
From: Membership Offer 
Reply-To: no-re...@smartfinancehome.com
To: john...@zeusprod.com
Subject: December Offer from AARP

AARP - Join & Explore the Benefits

https://rdtrk201.com/?E=MFMTckPk18yTGQ7tjbZyueoobSK6wlK5=

This is a Paid Advertisement.

To unsubscribe please click here 
https://www.ninesevenpebble.com/o-fjch-j43-2f665da82da7ba7c9121aac5a0b4c0e0

4376 Forestdale Drive, #4, Park City, UT 84098, United States


[mailop] Sendgrid spam of the day

2021-12-11 Thread John R Levine via mailop
Sent to an address that has never been real but has been getting a lot of 
spam recently, touting insurance via one of those fake review sites that 
collects affiliate fees.


Full copy here: http://spample.iecc.com/sys/23681598

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

-- Forwarded message --
Date: Sat, 11 Dec 2021 11:03:42
From: Liberty Mutual Insurance 
Reply-To: no-re...@smartfinancehome.com
To: john...@zeusprod.com
Subject: Here's how to only pay for what you need.

Spring RateCut

https://www.smartfinancecentral.com/click.php?source=liberty_mutual=liberty_mutual==234578

Can we help you cut your rate?

You could save $947.
 Only pay for what you need with customized insurance from Liberty Mutual.

Get my customized quote 
https://www.smartfinancecentral.com/click.php?source=liberty_mutual=liberty_mutual==234578

or call 1-844-764-0144 
https://www.smartfinancecentral.com/click.php?source=liberty_mutual=liberty_mutual_mi==234578

Savings validated by new customers who switched to Liberty Mutual between 
1/2020-10/2020 and participated in a countrywide survey. Savings may vary. 
Comparison does not apply in MA.

Coverage provided and underwritten by Liberty Mutual Insurance Company or its 
subsidiaries or affiliates, 175 Berkeley Street, Boston, MA 02116 USA. Equal 
Housing Insurer. Learn more about our privacy policy at 
libertymutual.com/privacy 
https://www.libertymutualgroup.com/about-lm/corporate-information/privacy-policy.

©2021 Liberty Mutual Insurance

This email was sent to you on behalf of Liberty Mutual by a third-party 
marketing company. You are receiving email from this third-party marketing 
company because you have previously expressed your interest in receiving 
commercial email through a site or sites associated with them.

This email message contains information regarding products and services offered 
by Liberty Mutual Insurance Company. If you do not wish to receive email 
messages from Liberty Mutual that are advertising or promotional in nature, 
please unsubscribe here https://pages.email-libertymutual.com/tp-unsubscribe.


Re: [mailop] WhatCounts/Costco silliness

2021-10-26 Thread John R Levine via mailop

From memory, I believe ...


Why are you guessing?  The CAN SPAM law and the FTC's CAN SPAM rule are 
easy to find online.



lot of mail programs now recognize List-Unsubscribe and give you an
option in the frame of the message which is easier to recognize


1. But others do not


Well, if you know the recipient is at Gmail, you know they show the unsub 
link, and there are plenty of senders that separate mail per large 
recipient.  Law is not software, you have to show reasonable intent.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] WhatCounts/Costco silliness

2021-10-24 Thread John R Levine via mailop

List-Unsubscribe: 
List-Unsubscribe-Post: List-Unsubscribe=One-Click

I don't know which fools to blame; The client Costco, or their ESP
WhatCounts.  Perhaps both.


Definitely both.


I don't work for or with WhatCounts, but I know who does, so I nudged them.


Considering that every message sent without working unsubscribe is a CAN 
SPAM violation, I'd think some tooling to check that the link at least 
connects to a server would be in order.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] how SSL works, was IMAP and SMTP in the same or separated IPs?

2021-10-16 Thread John R Levine via mailop

On Fri, 15 Oct 2021, Michael wrote:
I prefer to think that the company I pay $$ to for a cert, makes enough 
they don't have to sell our data.  Remember, each lookup against Let's 
Encrypt shares information, that can be resold.


Sorry, but that is simply wrong.  It's not how SSL works.

The whole point of the signature chain from a CA certificate is so that a 
client can check any cert against its local list of signers, without 
any external queries.  In theory a client can use OCSP to ask a signer 
whether a cert has been revoked, in practice nobody does because it's slow 
and revocations are rare.


Let's Encrypt is run by the Internet Security Research Group, a California 
non-profit funded by large gifts from organizations like Cisco, Facebook, 
Akamai, Amazon, EFF, ISOC and the Ford and Gates foundations, and small 
gifts from people like me.  I happen to know a few of their directors and 
technical advisory board members, and I expect you do, too.  FWIW, their 
privacy policy specifically says that they do not sell user information 
including OCSP queries, but it would make no sense for them to do so.


If you want online verification of certs, that's DNSSEC and DANE, but for 
a variety of political and technical reasons, hardly anyone other than 
Comcast uses them for mail.


R's,
John

PS: Looking at the privacy policy for Sectigo, the new name for Comodo, I 
see:


Re-Targeting

Sectigo has relationships with third-party advertising companies and 
permits the operation of a retargeting consumer marketing program. These 
third-party advertisers may place cookies on your computer for the 
collection of pseudonymised consumer information, but they do not collect 
personal information and we do not give them personal information. This 
Privacy Policy does not apply to these third-party advertisers but if you 
would like additional information, please visit Network Advertising 
Initiative at www.networkadvertising.org/managing/opt_out.asp, which also 
allows you to opt-out of such retargeting programs.





[mailop] Gosh I love sendgrid

2021-09-11 Thread John R Levine via mailop

Today's phish, sent directly from sendgrid to my father who has been dead since 
2019.

Relevant Received headers in the unlikely event anyone might want to track it 
down:

Received: from o3.ptr4431.ordersnapp.com (o3.ptr4431.ordersnapp.com 
[167.89.47.140])  by mail1.iecc.com ([64.57.183.56])

  with ESMTPS via TCP (port 20674/25) id 682323596
  tls TLS1_3_ECDHE_RSA_AES_128_GCM_AEAD sni mx1.gurus.org; 11 Sep 2021 18:41:35 
-
Received: by filterdrecv-55446c4d49-sgpf9 with SMTP id 
filterdrecv-55446c4d49-sgpf9-1-613CF85E-32

2021-09-11 18:41:34.618842626 + UTC m=+850909.425078822
Received: from EC2AMAZ-GM5P31T.ec2.internal (unknown)
by geopod-ismtpd-3-0 (SG) with ESMTP id PyG_AmsvSzySaVHEQAwcBQ
for ; Sat, 11 Sep 2021 18:41:34.502 + (UTC)

Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

-- Forwarded message --
Date: Sat, 11 Sep 2021 14:41:34
From: Security Center 
To: xxx
Subject: Account Security Update 11 September, 2021

[DZGVOMC.png]
We recently detected an unusual activity, We are sorry for the inconvience 
caused. Hope you are safe at home   Ꭰеаr chase member,
I'm not the only one here who's not married.We recently detected an unusual 
activity. tay Safe Stay Homeon yoI'm not the only one here who's not
married.ur J.P MorgI'm not the only one here who's not married.an CI'm not the 
only one here who's not married.hase online banking account. UnfortuI'm
not the only one here who's not married.na tely, we had to suspend your online 
bankiI'm not the only one here who's not married.ng in order to ensure
the safety of your account. I'm not the only one here who's not married.This 
suspension is temporary. We require some additional information. I'm not the 
only one here who's not married.We are sorry for the inconvience caused.

Verify now
Sincerely,
ChaI'm not the only one here who's not married.se BanI'm not the only one here 
who's not married.king




Re: [mailop] DMARC: Anyone using pct=n with n !=0 and n !=100?

2021-08-23 Thread John R Levine via mailop

On Mon, 23 Aug 2021, A. Schulze wrote:

On 21.08.2021 at 20:30, John Levine wrote:

It appears that A. Schulze via mailop  said:

We review the reports once per month and investigate findings
Depending on the current situation we plan to increase pct=


If you mean the DMARC aggregate and failure reports, are you aware that the 
pct=N setting does not affect the reports at all?


yes, I mean the daily aggregated reports, we review them at all once a month


I'm confused.  Since the pct doesn't affect the reports, what's the point?
Once you get the number of failures low enough, just set pct=100 and be 
done with it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] m-365 still works like a spammer !

2021-07-24 Thread John R Levine via mailop

On Sat, 24 Jul 2021, Lukas Tribus wrote:

See SPF-aware greylisting:

https://poolp.org/posts/2019-12-01/spf-aware-greylisting-and-filter-greylist/


Interesting idea, might try it sometime, but on my small system fuzzing 
IPs works well enough.  I do have a whitelist but I find I only need to 
add something to it about once a year.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] DMARC Reject

2021-07-19 Thread John R Levine via mailop
Remember that when you publish p=reject, you're saying your mail is very 
UNimportant.  If there's any doubt that a message is really from you, 
don't deliver it, throw it away.  This makes sense if you are Paypal, 
you're phished 24/7/365, and your mail only says "something happened, look 
at your account."  For the rest of us, we'd probably prefer that our mail 
were delivered.



As it stands from what I have seen in the DMARC logs I am not aware of any group 
trying to use our domain names but as a PUD that is a concern I have


When I look at your mail I see that it has a DKIM signature from 
gcpud.onmicrosoft.com, not gcpud.org, so your DMARC authentication is SPF 
only.


If you're sending paperless electric bills from gcpud.org to people who 
use a forwarding address, e.g., from their university or a professional 
association, SPF can't handle the forward so with p=quarantine they will 
have to fish their bills out of the spam folder every month.  With 
p=reject they won't get the bills at all.  That doesn't seem like 
excellent customer service.



I could just leave it at p= quarantine and wait to see if I actually see if 
things pop off on the two domains we use


Since you're not seeing any attacks, I would set it back to p=none until 
you can get aligned DKIM signatures.


R's,
John


-Original Message-
From: John Levine 
Sent: Monday, July 19, 2021 6:43 PM
To: mailop@mailop.org
Cc: Samual Carman 
Subject: Re: [mailop] DMARC Reject

It appears that Samual Carman via mailop  said:

I am considering rolling out a p=Reject policy at my company and before I did 
that I wanted to see where we are at as industry.


Different operators publish different policies.  In the IETF group where we are 
working on a DMARC revision, we're finding that the practical difference 
between p=quarantine and p=reject is insignificant.

Have you been collecting DMARC reports?  Are you confident that you know the 
paths your mail takes?
On the one hand, do you actually see people maliciously forging your domain, 
and on the other hand are you willing to screw up the mail of people who 
participate in lists like this one?
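
The forwarding argument in the reply above, worked through as an added example (not code from the thread). It uses the two domains named in the message; the envelope sender `gcpud.org`, the two-label organizational-domain shortcut and the assumption that a forwarder leaves the envelope sender unchanged are this example's own.

```python
from dataclasses import dataclass

POLICY_ACTION = {"none": "deliver", "quarantine": "spam folder", "reject": "rejected"}


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain):
    """Relaxed alignment: both names share an organizational domain."""
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str   # domain in the From: header
    mail_from: str     # envelope sender domain that SPF checked
    spf: str           # SPF result at the receiving server
    dkim_d: str        # d= domain of the DKIM signature
    dkim: str          # DKIM verification result


def dmarc_result(msg):
    """DMARC passes when SPF or DKIM passes with an aligned domain."""
    spf_ok = msg.spf == "pass" and aligned(msg.mail_from, msg.header_from)
    dkim_ok = msg.dkim == "pass" and aligned(msg.dkim_d, msg.header_from)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def disposition(msg, policy):
    """What the domain's published policy asks the receiver to do."""
    return "deliver" if dmarc_result(msg) == "pass" else POLICY_ACTION[policy]


def bill(forwarded, dkim_d):
    # A forwarder relays from its own IP with the envelope sender unchanged
    # (assumption), so SPF fails there; the DKIM signature still verifies.
    spf = "fail" if forwarded else "pass"
    return Message("gcpud.org", "gcpud.org", spf, dkim_d, "pass")


def scenario_table():
    """Rows: (DKIM d=, forwarded?, DMARC, under p=quarantine, under p=reject)."""
    rows = []
    for dkim_d in ("gcpud.onmicrosoft.com", "gcpud.org"):
        for forwarded in (False, True):
            msg = bill(forwarded, dkim_d)
            rows.append((dkim_d, forwarded, dmarc_result(msg),
                         disposition(msg, "quarantine"),
                         disposition(msg, "reject")))
    return rows


if __name__ == "__main__":
    for row in scenario_table():
        print(row)
```
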



Re: [mailop] So how do you actually manage to send mails to outlook/hotmail?

2021-07-11 Thread John R Levine via mailop

On Mon, 12 Jul 2021, Marcus Hoffmann wrote:

(Others at Hetzner seem to do fine. I really do not get the whole rating 
IP neighborhoods thing, but let's not get into that again. I can't change it anyway.)


I can only speak for myself, but I have all of Hetzner's IPs routed into 
the spam trap, and I poke holes on the rare occasion that one of my users 
reports missing mail they care about.  I suppose that if you send enough 
mail that the recipients notice they are missing, you can get exceptions 
added.  Seems like a lot of work.



Netcup isn't fabulous, but it's better than Hetzner.


So, what would be even better then? (Netcup was just the next best available 
option here in DE. And well, the cheapest.)


Someone suggested routing emails to MS and google domains through Amazon SES. 
Would that actually make things better?


It might, Amazon does some fairly sophisticated filtering.  But if your 
mail from Netcup works, you might as well stick with that.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Greylisting never passing on retry

2021-04-21 Thread John R Levine via mailop

On Wed, 21 Apr 2021, Peter Nicolai Mathias Hansteen wrote:

SMTP was defined in the late 1970s and we didn't invent greylisting
until about 2003. I don't think you can blame them for not being
clairvoyant.


No clairvoyance was required for taking account of greylisting in the 2008 
update that the article was about, but you’re probably right in a largish chunk 
of cases about this bit:


That update quite deliberately did *not* make changes that were 
incompatible with decades of existing practice.  Forcing large mail farms 
to send retries from the same IP would be a significant and painful change 
which means that in practice they would have ignored it.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] SPF prevents enabling IPv4+IPv6?

2021-03-02 Thread John R Levine via mailop

On Tue, 2 Mar 2021, Otto J. Makela wrote:

Unfortunately, RFC 7208 section 4.6.4 DNS Lookup limits also states:

  As described at the end of Section 11.1, there may be cases where it
  is useful to limit the number of "terms" for which DNS queries return
  either a positive answer (RCODE 0) with an answer count of 0, or a
  "Name Error" (RCODE 3) answer.  These are sometimes collectively
  referred to as "void lookups".  SPF implementations SHOULD limit
  "void lookups" to two.  An implementation MAY choose to make such a
  limit configurable.  In this case, a default of two is RECOMMENDED.

I read this as meaning most implementations will let you only have
two NOERRORs, and then it's game over. As I said, I doubt SPF was
intended to cause this side effect.


Hm, missed that, it does seem wrong.

On the other hand, if you're going to support IPv6, it seems to me that 
if you put host names in your SPF record, those names should have both A 
and AAAA records.  As other people have pointed out, using the IP 
addresses is often a better idea anyway.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
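
The void-lookup limit quoted above and the two remedies in the reply, as an added example (not code from the thread). It is a deliberately narrow SPF evaluator covering only `a:`, `ip4:`, `ip6:` and `all`, run against a constructed in-memory zone; the host names, addresses and records are made up for illustration.

```python
import ipaddress

VOID_LIMIT = 2  # default recommended by RFC 7208 section 4.6.4
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: three outbound hosts that only have A records.
ZONE_V4_ONLY = {
    ("mx1.example.net", "A"): ["192.0.2.11"],
    ("mx2.example.net", "A"): ["192.0.2.12"],
    ("mx3.example.net", "A"): ["192.0.2.13"],
}
# The same hosts once AAAA records are published next to the A records.
ZONE_DUAL = {
    **ZONE_V4_ONLY,
    ("mx1.example.net", "AAAA"): ["2001:db8:1::11"],
    ("mx2.example.net", "AAAA"): ["2001:db8:1::12"],
    ("mx3.example.net", "AAAA"): ["2001:db8:1::13"],
}

RECORD_NAMES = "v=spf1 a:mx1.example.net a:mx2.example.net a:mx3.example.net -all"
RECORD_IPS = "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:1::/64 -all"


def check_host(client_ip, record, zone):
    """Evaluate `record` for `client_ip`; return (result, void_lookups).

    `zone` maps (name, rtype) to a list of addresses. A missing or empty
    entry stands for NXDOMAIN or NOERROR with zero answers: a void lookup.
    """
    ip = ipaddress.ip_address(client_ip)
    # An "a" mechanism queries A for IPv4 clients and AAAA for IPv6 clients.
    rtype = "AAAA" if ip.version == 6 else "A"
    voids = 0
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        elif name == "a" and arg:
            answers = zone.get((arg.lower(), rtype), [])
            if not answers:
                voids += 1
                if voids > VOID_LIMIT:
                    return "permerror", voids
            matched = any(ip == ipaddress.ip_address(a) for a in answers)
        else:
            raise ValueError(f"mechanism not covered by this example: {term}")
        if matched:
            return QUALIFIER[qualifier], voids
    return "neutral", voids


if __name__ == "__main__":
    cases = [
        ("192.0.2.12", RECORD_NAMES, ZONE_V4_ONLY),      # IPv4 sending, as before
        ("2001:db8:1::13", RECORD_NAMES, ZONE_V4_ONLY),  # IPv6 enabled, no AAAA
        ("2001:db8:1::13", RECORD_NAMES, ZONE_DUAL),     # AAAA records added
        ("2001:db8:1::13", RECORD_IPS, {}),              # addresses instead of names
    ]
    for ip, record, zone in cases:
        print(ip, record, "->", check_host(ip, record, zone))
```
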


Re: [mailop] Spamhaus Public Mirror Error Return Code Update

2021-02-16 Thread John R Levine via mailop

On Tue, 16 Feb 2021, Alessandro Vesely wrote:

rcode[*], such as FORMERR/
REFUSED, possibly followed by a more precise extended error code[†].


Except that REFUSED means something else,


When Spamhaus sends REFUSED, it means you're trying to query a server that 
only paying customers can use, but you didn't provide a customer password.


Is it that requiring people to install a DNSBL-specific plugin earns 
Spamhaus something?


If you see any of these codes, your setup is broken.


What I see is something like this:

Feb 16 09:30:44 north courieresmtpd: 
error,relay=193.188.30.85,port=50761,from=,to=: 
550 Rejected - see http://www.spamhaus.org/query/bl?ip=193.188.30.85


I don't see the actual code.


The hint will be that every single message appears to be blacklisted.

Having been through this a few times with a tiny BL that I run, no matter 
what you return a lot of clueless people will keep hammering on you year 
after year.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] What's the point of secondary MX servers?

2020-12-17 Thread John R Levine via mailop
Unfortunately, many sending clients (newsletters, announcements, etc.) 
do not retry if the initial delivery fails.


That's impressively broken.  Do you have specific examples?

Back when I was tuning my greylister I found some rather strange retries, 
but I don't recall many senders that didn't retry and didn't look like 
spambots.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] What's the point of secondary MX servers?

2020-12-17 Thread John R Levine via mailop

I use minger to validate secondary mx with the primary for account validity, is 
that not common then?


If the primary is up, why would anyone be sending mail to the secondary?

R's,
John



Sent from my iPad


On 17 Dec 2020, at 21:28, John Levine via mailop  wrote:

As we all know, MX records have a priority number, and mail senders
are supposed to try the highest priority/lowest number servers first,
then fall back to the lower priority.

I understand why secondary MX made sense in the 1980s, when the net
was flakier, there was a lot of dialup, and there were hosts that only
connected for a few hours or even a few minutes a day.

But now, in 2020, is there a point to secondary servers? Mail servers
are online all the time, and if they fail for a few minutes or hours,
the client servers will queue and retry when they come back.

Secondary servers are a famous source of spam leaks, since they
generally don't know the set of valid mailboxes and often don't keep
their filtering in sync?  What purpose do they serve now?

R's,
John

PS: I understand the point of multiple MX with the same priority for
load balancing.  The question is what's the point of a high priority
server that's always up, and a lower priority server that's, I dunno,
probably always up, too.




Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] Google and Spam detection

2020-07-25 Thread John R Levine via mailop

Gmail has repeatedly said that they do not accept unauthenticated mail on IPv6.


And with very good reason. Consider that you can very easily have a dedicated 
IP address for every email message you will ever send :-)


Of course.  Doesn't everyone do that?

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Rolling DKIM Key Disclosure

2020-07-11 Thread John R Levine via mailop

"Sorry, I think what you're looking for isn't useful, you're misinformed" isn't 
exactly a useful response when someone,
especially a customer, asks for something, sadly.


So what do you say when they demand 100% inbox placement and the ability 
to remotely delete mail they've already sent?


Customers ask for silly things all the time.  We say no.

R's,
John



On 7/11/20 3:02 PM, John Levine wrote:

In article <4ac6b77b-375b-4cc0-b2f5-84f769683...@as397444.net> you write:

More like “customer sees that DKIM is used to authenticate DNC leaks, decides 
that DKIM is a
terrible idea for a political entity to have on, let alone any random business”.


Sounds like a customer deep into cypherpunk silliness.

For one thing, while it was kind of cute that we could still check the
DKIM signatures on old DNC mail (I did) that's only because Gmail
never rotates their keys. The signing key was still in the DNS.
Monthly key rotation like I do should be plenty to avoid that unless
messages are leaking in close to real time, in which case DKIM is the
least of your problems.

The other is that nobody I know found the DKIM validation to be more
than a curiosity. People believed the messages were real because they
knew who used the account and they were otherwise plausible. There was
no cryptographic signature on the Pentagon papers in 1971 but that
doesn't seem to have been any impediment to people taking them
seriously.


Re: [mailop] Rolling DKIM Key Disclosure

2020-07-11 Thread John R Levine via mailop

Hmm? SSL/TLS has never signed the content of a website. It only authenticates 
temporary symmetric encryption keys which
are used to encrypt (not sign) the contents.


Aw, come on.  Web servers send a certificate at the beginning of the 
transaction.  If I cared, it would take about 10 seconds to do wgets and 
save the certificate.


Technically, you're right that the cert doesn't sign the contents, but 
this is a distinction only someone deep into cypherpunk silliness cares 
about.


R's,
John


On 7/11/20 2:50 PM, John Levine wrote:

In article <22b8aa44-cab8-4467-a18b-ee463997c...@as397444.net> you write:

As for use-case, I don’t find it strange that folks may not want to 
cryptographically sign all
their mail without any option to turn that off.


They put up with it on their web sites.

This still impresses me as a customer not worth the hassle.


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread John R Levine via mailop

In article <947f2235-ae10-47b5-90cd-f096d5648...@wordtothewise.com> you write:


Why is Google applying a strict reject when the policy is p=none?


It is my understanding that Google requires all IPv6 mail to be SPF or
DKIM authenticated with or without DMARC.

The "aspf=s" is probably the reason since the mail servers have names
in three Gaullish subdomains of imp.ch and I doubt those domains are
on the From: line of mail.

Beyond that I'm also wondering if the /32 in the SPF record is too big
and smells too close to +all.  The MTAs are all in the same /64 so put
that in the SPF record.





Re: [mailop] what is spam was Re: [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-27 Thread John R Levine via mailop

On Fri, 27 Mar 2020, Kevin A. McGrail wrote:

And I take the approach that there is implicit consent in
transactions.  For example, you buy something from XYZ big box store's
website.  There is a 100% implicit consent that you can receive emails
about that order such as a receipt and shipping status.


Sure, but even there it rapidly gets grey.  When they send you a note 
saying "you ordered PRODUCT three days ago, please review it for our other 
customers"?  Or if you ignore it and they send you three more?


There's also a lot of fuzz about what's consent.  How about a prechecked 
box saying "send me valuable offers from our treasured marketing 
partners?"  Feel free to imagine how visible or not the checkbox might be.


That's where the rule comes in about sending mail people want.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-26 Thread John R Levine via mailop

Messages of all type but not a single feedback loop complaint.  These
are definitely FPs as I disagree with your statement that a notice about
COVID-19 from someone who signed up to a list would be false positives.

?? These are confirmed, opt-in customer / community lists.  Things like
Fire Department staff and Knights of Columbus member lists.


Oh, OK.  If the mail has a clear relation to what the users signed up for, 
you're right, it's FP's


As I'm sure you're aware, we've seen way too much spam from people who 
imagine that COVID is an excuse to reanimate zombie lists.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


Re: [mailop] [EXTERNAL] Strange MIME headers from Microsoft

2020-03-06 Thread John R Levine via mailop

Yeah, looking for someone to have a peek at that.
Rather Strange, to say the least.


I looked at the logs, there's quite a few, all seem from outlook hosted 
accounts.



-Original Message-
From: mailop  On Behalf Of John Levine via mailop
Sent: Friday, March 6, 2020 9:35 AM
To: mailop@mailop.org
Subject: [EXTERNAL] [mailop] Strange MIME headers from Microsoft



Take a look at this archived message sent from an Outlook hosted user:



https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Flast-call%2FxTEWTOyy4HOX-wyvFVaOicn2P-I%2F%23data=02%7C01%7Cmichael.wise%40microsoft.com%7Cff4f318df5b24e654fb008d7c1f52e92%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637191131102826023sdata=%2Br4mkYri0davTs5Z3J4HCvcuGWtydtlexGxI8FykX%2Bs%3Dreserved=0



The Message-ID, ARC-Seal and some private headers are MIME encoded, like this:



Message-ID: =?utf-8?q?=3CMWHPR1301MB209609A6C565A653FD477AA585E30=40MWHPR130?= 
=?utf-8?q?1MB2096=2Enamprd13=2Eprod=2Eoutlook=2Ecom=3E?=



That is completely invalid under the mail standards (I checked with the guys 
who wrote them) and oddly pointless, since if you decode the MIME glop, it's an 
ordinary ASCII ID:



Message-ID: 
mailto:mwhpr1301mb209609a6c565a653fd477aa585...@mwhpr1301mb2096.namprd13.prod.outlook.com>>



I only see this in messages from outlook.com so I'm pretty sure they're doing 
it, not some intermediate system.  Anyone there we can get to look at it and 
fix it?



R's,

John






Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
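
The check described in the message above, as an added example (not code from the thread): it unfolds the quoted Message-ID, flags RFC 2047 encoded-words in structured fields where they are not allowed, and decodes them to show the plain ASCII ID underneath. The list of structured fields and the Subject and In-Reply-To sample lines are this example's own.

```python
import re
from email.header import decode_header

# Fields with structured syntax (msg-id, tag=value lists), where RFC 2047
# encoded-words are not permitted. This set is chosen for the example.
STRUCTURED = {"message-id", "in-reply-to", "references", "arc-seal",
              "arc-message-signature", "dkim-signature"}
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")
# Loose shape test for a msg-id, not the full RFC 5322 grammar.
MSG_ID = re.compile(r"<[^<>@\s]+@[^<>@\s]+>")

# First header: as quoted in the message above, folded over two lines.
# The Subject and In-Reply-To lines are constructed for contrast.
SAMPLE = (
    "Message-ID: =?utf-8?q?=3CMWHPR1301MB209609A6C565A653FD477AA585E30=40MWHPR130?=\r\n"
    " =?utf-8?q?1MB2096=2Enamprd13=2Eprod=2Eoutlook=2Ecom=3E?=\r\n"
    "Subject: =?utf-8?q?caf=C3=A9_menu?=\r\n"
    "In-Reply-To: <constructed-1@mail.example>\r\n"
)


def decode_words(value):
    """Decode every encoded-word in a header value to text."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def audit_headers(raw):
    """Return a finding for each structured field that carries encoded-words."""
    # Unfold: drop a line break that is followed by whitespace.
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", raw)
    findings = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in STRUCTURED:
            continue  # unstructured fields such as Subject may use encoded-words
        value = value.strip()
        if not ENCODED_WORD.search(value):
            continue
        decoded = decode_words(value)
        findings.append({
            "field": name.strip(),
            "decoded": decoded,
            # True when the encoding hid nothing but plain ASCII
            "needless": decoded.isascii(),
            "msg_id_shape": bool(MSG_ID.fullmatch(decoded)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_headers(SAMPLE):
        print(f"{f['field']}: encoded-words in a structured field -> {f['decoded']}")
```
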



Re: [mailop] [FEEDBACK] whose address, was Approach to dealing with List Washing services, industry feedback..

2020-01-23 Thread John R Levine via mailop

message (this time to the correct address), it will end up in the
recipient's spam folder, without them knowing why.
Don't do it to them. Just delete those messages, don't put them to spam.


I disagree. If the sender wants eyeballs to see their emails, they need
some incentive to put in place the systems that'll validate the correct
recipients. Like double-opt-in. Especially before persistent and repeat
use of an address where you don't actually know the recipient wants your
mail.


In my experience the wrong-John mail consists of a great deal of 
individual and transaction mail and very little ordinary bulky stuff. 
These days most legit mailers have working unsubs so if someone signs me 
up, or more likely a store from which they've bought something assumes I 
want endless ads for stuff sort of like what I didn't buy, one click on 
the unsub button makes it stop.


Not so for wedding invitations, tax notices, and so forth.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] BIMI

2019-12-10 Thread John R Levine via mailop

On Tue, 10 Dec 2019, Brandon Long wrote:
I guess it depends on how small.  It's also that it's kind of self 
limiting, in the sense that if it's expensive enough that only few do 
it, then it doesn't have the same perceived bad effects like it would if 
99% of mail had it.


I think it could be a long tail thing -- if all the businesses $100M or 
bigger do BIMI, that's a large fraction of the mail but a small fraction 
of the number of businesses.


The overall request for it probably has to do with the perception that 
email is competing these days with other messaging products which are 
almost entirely proprietary.  If I'm contacted by a vendor on 
FB/Twitter/Messenger/Instagram/whatever, it will be branded... and email 
looks outdated.


I sadly realize that I am the last person in the world using Alpine.




Re: [mailop] Gmail marking email from me as spam

2019-10-11 Thread John R Levine via mailop

Are they still fundamentally constrained by their choice of network
provider, despite complying with every possible security and delivery
behaviour to warrant and verify the content and sender of every email?


Yes.  Remember, nobody else cares as much about the mail you send as you do.


Has the prevailing method of deciding worthiness now become permanently
biased towards the 'prior reputation' factor?


Yes.  See above.


If so, would an operator ever be able to build the kind of reputation to
have reliable delivery to the big public services, without resorting to
using third party delivery providers? To me that feels like an expensive
cop-out and is assisting the creation of a de facto oligopoly (never mind
all the arguments about a two-tier email ecosystem, net neutrality etc).


Find a provider that keeps its spamming customers under control.  It's not 
hard, they do exist, but you're not likely to find them selling self-serve 
VPS for $2/mo.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Gmail marking email from me as spam

2019-10-10 Thread John R Levine via mailop

It's a basic mistake to operate on whole netblocks and not
individual senders.


i somewhat disagree


There are definitely networks that are so dirty that it's not worth 
accepting their mail.  OVH hovers on the bad side of that line.


If I were more interested in getting my mail to work than in lecturing 
strangers on how to run their networks, and for some reason I still wanted 
to keep my server at OVH (they're certainly cheap) I would reconfigure my 
outgoing mail to use OVH's smarthosts which have a somewhat better rep 
than their cruddy hosting blocks.


And, of course, I would get a real domain name rather than a free one.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Gmail marking email from me as spam

2019-10-09 Thread John R Levine via mailop

Just because you should by default accept mail from everyone
*unless* the sender proved to be nasty/harmful/malicious etc.?


what if they look quite plausibly harmful?


Right.  I didn't get the message you were responding to, so I looked in 
the logs and see the IP is in the middle of a block at OVH that gushes 
spam so it went straight to the spam trap.  The logs say that it's the 
only message of the last several hundred from that block that arguably 
wasn't spam, so that's a pretty low error rate.



Well, Gmail is basically "free stuff" as well. Yahoo is "free
stuff". In my country, Onet, WP and Interia are big free e-mail
providers as well. Should nobody accept mail from them just because
they are free?


They manage to keep the ratio of good mail to junk acceptable.  As others 
have pointed out, whether they're "free" is open to debate.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Anyone on this List with Access to Amazon SES Maillogs?

2019-05-17 Thread John R Levine via mailop

Hi, this is very odd, could you send a traceroute to those IPv6
destinations? I can confirm the servers do NOT refuse IPv6 connections.
I suppose there is a transit problem from certain ISP.


No, you're refusing the connections.  When I connect via an IPv6 tunnel 
from HE you refuse the connection, when I connect from a VPS somewhere 
else, you accept it.  Traceroutes show it's going to you, not anywhere 
else.


Contrary to rumor, there are plenty of real people using HE tunnels. 
You're probably blocking SES, too.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
