Re: [uknof] Strange DKIM Failures via UKNOF
--- Begin Message ---
Hi Giorgio,

On Wed, Dec 27, 2023 at 09:01:32PM +0100, Giorgio Bonfiglio via uknof wrote:
> It’s in the interest of an ML operator to ensure subscribers do
> get emails - no?

I personally think so, yes, but there is no RFC that says an Internet mailing list must support or preserve DKIM and not every mailing list operator has thought about it, or if they have, not all agree.

If you want to say that it's your opinion that mailing lists need to preserve DKIM, then that's fine and I agree with you - mailing lists I operate do.

If you want to say that running a mailing list that invalidates DKIM signatures will negatively impact deliverability, again I would agree with you.

I can't speak for the uknof list operators as to why they either didn't think about it or don't wish to bother with it. I'm just saying that it's a fact that not everyone agrees with DKIM; not everyone has spent time on it. Even though it does unavoidably impact deliverability, these days.

I think we pretty much agree that it would be a good idea not to invalidate DKIM signatures. I think the only point where we differ is that you came at this from the point of view that preserving DKIM is a requirement for running a mailing list. Whereas I am more like, "well, it impacts deliverability, so…" There is not much to separate these views.

> Do you disagree with the statement that a server processing a
> DKIM-signed email in ways which break the DKIM signature and still
> not taking action towards it is an (implicit) breach of the RFC?

Which RFC? The DKIM RFC, RFC6376 tells us what would and wouldn't invalidate a DKIM signature, but there is no authority external to that RFC that tells anyone to care about RFC 6376. Except, I suppose, for the de facto authority of the major mailbox providers who will more often make such mails disappear.

But as mentioned it is unclear what form if any this mailing list will continue to exist in and until that is decided it doesn't seem likely that anyone is going to be changing any list settings.

mailop might be a better venue to talk more about whether Internet mailing lists in general are required to support DKIM.

https://www.mailop.org/

Though I think the view will still mostly only go as far as "invalidating DKIM will negatively affect deliverability, so if you care about that…"

Thanks,
Andy
--- End Message ---
Re: [uknof] Strange DKIM Failures via UKNOF
--- Begin Message ---
Hi Giorgio,

On Wed, Dec 27, 2023 at 10:51:51AM +0100, Giorgio Bonfiglio via uknof wrote:
> this stuff became RFC and not recently… Shouldn’t a well respected
> tech list be configured in a way which doesn’t break validation?

How DKIM works is in an RFC, but how to operationally use it isn't, so much. It's not universally agreed that mailing list operators SHOULD (or MUST) NOT change the subject lines as the emails go through. Not every mailing list operator believes that, and there is no standard to tell them they are right/wrong.

On top of that, this has gone through different fashions as time went on:

First¹ wave: we don't stick tags in the subject or change the Reply-To; we are all adults here with competent MUAs and we can all filter email based on headers.

Second wave: Not everyone has access to good MUAs so we'll add subject tags to make it easier for people to filter either by software or brain alone. And we'll set a Reply-To because we want all discussion to go back onto the list.

Third wave: If you change the subject of an email you'll break DKIM, so either do it and also change From address to be the list, take responsibility and DKIM sign as the mailing list; or don't change anything and let DKIM remain intact.

I have no idea if uknof ended up the way it is through luck, habit or design, but there is no RFC comment on what should be done, only what should happen in each case. So you're asking on the basis of it being obvious to you, but it's not obvious. Nevertheless it's a decision to make for mailing lists in the DKIM and DMARC era.

Personally I'd replace mailing lists with Discourse and the problem is gone.

Thanks,
Andy

¹ I appreciate that some readers may now be shouting, "first wave? FIRST!? I was participating in technical group discussions over UUCP" at their screen. But you know what I mean.
--- End Message ---
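Added example, not part of the message above or of any mailing list software: a simplified model of the header side of DKIM verification, showing which of the list behaviours described in the three "waves" change the data a signature covers. The header values, addresses and function names are constructed for illustration, and the model stops at the hash (no DKIM-Signature field, no public-key check).

```python
import hashlib
import re

def relaxed_header(name, value):
    """'relaxed' header canonicalization, RFC 6376 section 3.4.2."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def signed_digest(headers, h_tag):
    """SHA-256 of the canonicalized header fields named in the h= tag.

    Simplified: a real verifier also appends the DKIM-Signature field itself
    (with b= emptied) and checks the result against the key published in DNS.
    """
    pool = list(headers)
    data = ""
    for wanted in h_tag.split(":"):
        # Fields are taken from the bottom of the header block upwards. A name
        # with no field left contributes nothing, which is how a signer covers
        # the absence of a header such as Reply-To.
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == wanted.strip().lower():
                data += relaxed_header(*pool.pop(i))
                break
    return hashlib.sha256(data.encode()).hexdigest()

def signature_survives(original, relayed, h_tag):
    """True if the list's changes leave the signed header data identical."""
    return signed_digest(original, h_tag) == signed_digest(relayed, h_tag)

# Constructed sample headers (placeholder addresses), as (name, value) pairs.
ORIGINAL = [
    ("From", "Alice Author <alice@author.example>"),
    ("To", "list@lists.example"),
    ("Subject", "Strange DKIM failures"),
]
# List that only adds its own header and refolds the subject line.
UNTOUCHED = [("List-Id", "<list.lists.example>")] + ORIGINAL[:2] + [
    ("Subject", "Strange  DKIM\r\n failures"),
]
# List that prepends a subject tag.
TAGGED = ORIGINAL[:2] + [("Subject", "[list] Strange DKIM failures")]
# List that only sets a Reply-To pointing back at the list.
REPLY_TO_SET = ORIGINAL + [("Reply-To", "list@lists.example")]

if __name__ == "__main__":
    for label, relayed, h in [
        ("added List-Id, refolded subject", UNTOUCHED, "from:to:subject"),
        ("subject tag", TAGGED, "from:to:subject"),
        ("Reply-To set, not in h=", REPLY_TO_SET, "from:to:subject"),
        ("Reply-To set, listed in h=", REPLY_TO_SET, "from:to:subject:reply-to"),
    ]:
        print(f"{label}: survives={signature_survives(ORIGINAL, relayed, h)}")
```

Body changes such as an appended list footer are checked separately through the body hash and are outside this model.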
Re: [uknof] Strange DKIM Failures via UKNOF
--- Begin Message ---
Hello,

On Wed, Dec 27, 2023 at 09:59:15AM +, James Bensley via uknof wrote:
> I'm also getting mangled emails from UKNOF.

What do you mean by mangled?

If you mean that your mails, as distributed by uknof, come as an email From: the list with your original email as an attachment inside, then I'd say that is almost certainly through the DMARC mitigation settings of the list reacting to your domain's DMARC setting. It doesn't happen with every email so I don't think it's set to happen unconditionally.

Your DMARC policy for bensley.me is "quarantine", so I think that is causing the DMARC mitigation of "wrap_message":

https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html

> If anyone knows which mailman setting needs tweaking, I'd love to
> know. We could then ask the hosting provider to tweak said
> setting.

I don't think the list would want to turn off DMARC mitigations since then people's emails would start being rejected for failing DMARC.

Is it the wrapping of your mail as an attachment inside a mail from the list that you particularly do not like? If so then the other option would be to just change the from address (and not attach original email), but that loses some information from your original email.

You could stop using DMARC yourself.

Thanks,
Andy
--- End Message ---
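Added example, not part of the message above and not Mailman's own code: a simplified model of conditional DMARC mitigation, showing what the "wrap_message" and "munge_from" actions named in the linked Mailman 3 documentation do to a post whose author domain publishes p=quarantine. The DMARC record, addresses and function names are constructed placeholders, and the policy is passed in rather than looked up in DNS.

```python
import email
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record ('none' if missing or not DMARC)."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "none") if tags.get("v") == "dmarc1" else "none"

def mitigate(msg, author_policy, action, list_addr):
    """Apply 'no_mitigation', 'munge_from' or 'wrap_message' to a list post.

    Mitigation is conditional: it only triggers for author domains whose
    DMARC policy is quarantine or reject.
    """
    if action == "no_mitigation" or author_policy not in ("quarantine", "reject"):
        return msg                      # author's From: is left untouched
    name, addr = parseaddr(msg["From"])
    list_from = formataddr((f"{name or addr} via list", list_addr))
    if action == "munge_from":
        out = email.message_from_bytes(msg.as_bytes(), policy=msg.policy)
        del out["From"]
        out["From"] = list_from         # From: now belongs to the list's domain
        if out["Reply-To"] is None:
            out["Reply-To"] = addr      # author survives only as a reply address
        return out
    if action != "wrap_message":
        raise ValueError(f"unknown action: {action}")
    outer = EmailMessage()
    outer["From"] = list_from
    outer["Subject"] = str(msg["Subject"])
    outer.set_content("Original message attached.")
    outer.add_attachment(msg)           # original becomes a message/rfc822 part
    return outer

def build_sample():
    """Constructed sample post; every address is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Alice Author <alice@author.example>"
    msg["To"] = "list@lists.example"
    msg["Subject"] = "Strange DKIM failures"
    msg.set_content("Hello list")
    return msg

if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; rua=mailto:reports@author.example"  # constructed
    policy = dmarc_policy(record)
    for action in ("no_mitigation", "munge_from", "wrap_message"):
        result = mitigate(build_sample(), policy, action, "list@lists.example")
        print(action, "->", result["From"], "|", result.get_content_type())
```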
Re: [uknof] Extortion?
Hello,

On Tue, Feb 04, 2020 at 06:57:03PM +, Aled Morris wrote:
> Has anyone else had this recently? accompanied with a massive and
> sustained DDoS? and can you recommend a law enforcement agency who will
> take it seriously? (unlike local plod)

I had one of these last year for about £6k in bitcoin.

Have you actually been attacked? Although some of these have been genuine threats most of them are empty. Mine stated a date that the attack would start on, so I did some basic preparation in case it actually happened, but it didn't.

ActionFraud were not interested since it was for less than £10k. Reported it to the police just to get a crime number just in case, but it must have been a slow day in Hounslow because they sent a copper around within 20 minutes to ask me all about it in quite a lot of detail and then ultimately say, "this is beyond us, just leave it with ActionFraud" as expected.

That bitcoin address doesn't seem to have received any payments yet, but of course if they are serious and not idiots they will have given you a unique one. Hopefully you won't end up paying (hey, I've heard of techies being overruled by management on this sort of thing) but if you are forced to then maybe ask for a new payment address as now all of uknof can tell whether you paid. :)

https://www.blockchain.com/btc/address/14XUpNzEPYWVhsXmG3A15wC5Ffirxuk7dB

Cheers,
Andy
Re: [uknof] Anyone at plymouth.ac.uk or csirt.ja.net can look into this?
Hi Rob,

On Tue, Dec 17, 2019 at 11:29:13AM +, Rob Evans wrote:
> >Over the last year I've sent multiple abuse reports to
> >ab...@plymouth.ac.uk and not even received an auto-reply. A couple
> >of weeks ago upon receiving another mail I sent an abuse report to
> >i...@csirt.ja.net and have again heard nothing.
>
> That surprises me. There are definitely CSIRT folk on this list, but I'll
> forward internally as well (though their approach will just be to Plymouth).

Thanks, someone from csirt.ja.net did just follow up to my report from 4 December.

Cheers,
Andy
[uknof] Anyone at plymouth.ac.uk or csirt.ja.net can look into this?
Hi,

There's a recruitment company called Tank Recruitment (http://tankrec.com) who over the last year or so have continually been sending us unsolicited recruitment leads. I'm aware I can't call it spam since it's B2B, but there's 2 issues:

* They send them to addresses they have harvested out of the RIPE Database
* They send them from an IP address belonging to plymouth.ac.uk [141.163.218.163]

Also their "unsubscribe" option requires you to email them and ask them to stop sending.

Over the last year I've sent multiple abuse reports to ab...@plymouth.ac.uk and not even received an auto-reply. A couple of weeks ago upon receiving another mail I sent an abuse report to i...@csirt.ja.net and have again heard nothing.

If there's anyone at plymouth.ac.uk or csirt.ja.net reading this who is able to re-educate this company or at least stop it happening from your network, please do get in touch off-list and I'll send you samples of their output.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 2019-06-05T06:41:07Z - Ref
Hi Peter,

That's correct, in this case the host was a proxy frontend to some public services and is locked down to only be able to talk to its backends, no http/s out, no DNS except to internal resolvers.

Basically I looked into it as much as I could justify, and to be honest the only reason why I queried it with IP-Echelon was to see what the scope for error was there, due to me not finding anything, only to be discouraged by multiple auto form replies. I'm not going to re-image the host on the strength of that.

The way I understand these torrent notifications to work is that companies like IP-Echelon join the tracker and passively get a list of every IP address seen to be participating. The thing is, I also understand that some trackers inject a certain percentage of completely random IPs in order to frustrate companies like IP-Echelon…

Cheers,
Andy

On Fri, Jun 07, 2019 at 02:37:09PM +, Peter Knapp wrote:
> So does the host have no HTTP/HTTPS access, or name server lookups etc?
>
> BT will use all those ports these days.
>
> Peter
>
>
> -Original Message-
> From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of Andy Smith
> Sent: 07 June 2019 15:28
> To: uknof@lists.uknof.org.uk
> Subject: Re: [uknof] Notice of Claimed Infringement from A.B.C.D at
> 2019-06-05T06:41:07Z - Ref
>
> Hi Peter,
>
> Just iptables on the host, it's just that this particular host has a
> restrictive firewall on both input and output and given the ports
> and IPs listed in the report it should not have been possible for
> that activity to happen.
>
> Of course, if it had been compromised then maybe the firewall got
> altered and then put back again afterwards but this all gets a bit
> far-fetched for the sake of downloading a movie by BitTorrent.
>
> Like I say, I looked into it and couldn't find any indication that
> it had actually happened, and the reporting company was completely
> impossible to communicate with.
>
> Cheers,
> Andy
>
> On Fri, Jun 07, 2019 at 02:07:50PM +, Peter Knapp wrote:
> > Love to know what firewall you're using that guarantees you can't get any
> > form of BT through it please?
> >
> > Pete
> >
> >
> > -Original Message-
> > From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of Andy
> > Smith
> > Sent: 07 June 2019 15:04
> > To: uknof@lists.uknof.org.uk
> > Subject: Re: [uknof] Notice of Claimed Infringement from A.B.C.D at
> > 2019-06-05T06:41:07Z - Ref
> >
> > Hello,
> >
> > On Fri, Jun 07, 2019 at 05:38:10PM +0400, Stephen Wilcox wrote:
> > > On Fri, 7 Jun 2019 at 17:25, Andy Smith wrote:
> > > > However, one day they sent one that implicated one of our
> > > > infrastructure hosts and I could not see any way in which that could
> > > > be torrenting, so I asked for more information. Every form of
> > > > contact I made resulted in an auto response suggesting that if I am
> > > > confused I should ask my network admin about it.
> > >
> > > So you're saying people who work at infrastructure companies - ISPs, DCs
> > > etc, they don't do torrents and the like, and they would not do so with
> > > on-premise equipment.
> >
> > No, I'm saying that unlike customer services in this specific case I
> > had full access to it and was able to audit it to the best of my
> > ability and found no such activity. BitTorrent wouldn't even have
> > been able to get through its firewall.
> >
> > Cheers,
> > Andy
> >
> > --
> > https://bitfolk.com/ -- No-nonsense VPS hosting
Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 2019-06-05T06:41:07Z - Ref
Hi Peter,

Just iptables on the host, it's just that this particular host has a restrictive firewall on both input and output and given the ports and IPs listed in the report it should not have been possible for that activity to happen.

Of course, if it had been compromised then maybe the firewall got altered and then put back again afterwards but this all gets a bit far-fetched for the sake of downloading a movie by BitTorrent.

Like I say, I looked into it and couldn't find any indication that it had actually happened, and the reporting company was completely impossible to communicate with.

Cheers,
Andy

On Fri, Jun 07, 2019 at 02:07:50PM +, Peter Knapp wrote:
> Love to know what firewall you're using that guarantees you can't get any
> form of BT through it please?
>
> Pete
>
>
> -Original Message-
> From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of Andy Smith
> Sent: 07 June 2019 15:04
> To: uknof@lists.uknof.org.uk
> Subject: Re: [uknof] Notice of Claimed Infringement from A.B.C.D at
> 2019-06-05T06:41:07Z - Ref
>
> Hello,
>
> On Fri, Jun 07, 2019 at 05:38:10PM +0400, Stephen Wilcox wrote:
> > On Fri, 7 Jun 2019 at 17:25, Andy Smith wrote:
> > > However, one day they sent one that implicated one of our
> > > infrastructure hosts and I could not see any way in which that could
> > > be torrenting, so I asked for more information. Every form of
> > > contact I made resulted in an auto response suggesting that if I am
> > > confused I should ask my network admin about it.
> >
> > So you're saying people who work at infrastructure companies - ISPs, DCs
> > etc, they don't do torrents and the like, and they would not do so with
> > on-premise equipment.
>
> No, I'm saying that unlike customer services in this specific case I
> had full access to it and was able to audit it to the best of my
> ability and found no such activity. BitTorrent wouldn't even have
> been able to get through its firewall.
>
> Cheers,
> Andy
>
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting
Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 2019-06-05T06:41:07Z - Ref
Hello,

On Fri, Jun 07, 2019 at 05:38:10PM +0400, Stephen Wilcox wrote:
> On Fri, 7 Jun 2019 at 17:25, Andy Smith wrote:
> > However, one day they sent one that implicated one of our
> > infrastructure hosts and I could not see any way in which that could
> > be torrenting, so I asked for more information. Every form of
> > contact I made resulted in an auto response suggesting that if I am
> > confused I should ask my network admin about it.
>
> So you're saying people who work at infrastructure companies - ISPs, DCs
> etc, they don't do torrents and the like, and they would not do so with
> on-premise equipment.

No, I'm saying that unlike customer services in this specific case I had full access to it and was able to audit it to the best of my ability and found no such activity. BitTorrent wouldn't even have been able to get through its firewall.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 2019-06-05T06:41:07Z - Ref
Hi John,

On Fri, Jun 07, 2019 at 01:08:49PM +, John Bourke wrote:
> We got a "Notice of Claimed Infringement" for a torrent download of copyright
> material by one of the reseller's customers. We can identify the end
> customer from logs.
>
> What is best practice when dealing with these complaints ?

We used to pass these on to the customer for the customer to take whatever action they think best.

However, one day they sent one that implicated one of our infrastructure hosts and I could not see any way in which that could be torrenting, so I asked for more information. Every form of contact I made resulted in an auto response suggesting that if I am confused I should ask my network admin about it.

After that, since the reports are provably inaccurate to some degree and there is no way to work with the reporters, we started to send them to /dev/null.

> Is there a risk that our public NAT addresses will be blacklisted ?

Unlikely. These companies do not operate any service; they are contracted to the media rights owners to go out and hunt possible infringers and intimidate them into stopping. No doubt they keep records of everything they have found and might one day take some en masse action to gather the contact details of the subscribers but it seems unlikely that they are going to feed all the IPs into some sort of blacklist for a future streaming service or similar.

> Should we enforce an Acceptable Use Policy ?

If you want to investigate this third party's allegation that your customer was torrenting something they shouldn't be torrenting, and then take action compatible with your AUP, that would be your decision.

As I say, we drew the line at passing the notice on to the customer, and then after discovering that the reports could be wrong and there was no way to query them, we started binning them with no action.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: [uknof] Investigatory Powers Act
Hi Neil,

On Sat, Jan 14, 2017 at 09:43:52PM +, Neil J. McRae wrote:
> Contract law is typically always trumped by statute…

Yes, absolutely agreed. I forgot to mention that I did seek specific advice on that in late 2010 with relation to the Counter Terrorism Act and it is very clear that if you agree that not updating a canary is a disclosure then Section 19 (1) of that act trumps any contractual clause you could construct:

http://www.legislation.gov.uk/ukpga/2008/28/section/19

I haven't sought advice on same for IP Bill but I would be surprised if it isn't similar.

Cheers,
Andy
Re: [uknof] Investigatory Powers Act
Hello,

On Sat, Jan 14, 2017 at 08:10:28PM +, Mike Jones wrote:
> If I was a lawyer I could probably word it in a way that forced you to
> issue a press release saying that you were shutting down your canary
> due to it being a pointless waste of resources with no legal validity.

I'm not any sort of lawyer but if I was the government's lawyer then I would do what the government typically does in the face of such antics which is to just unhelpfully reiterate the law to people, so that they have no idea what will happen without getting expensive legal advice and/or just going for it. Expecting them to do something useful like actually tell you what to do seems wildly optimistic, even if the "what to do" would be something unpalatable.

I have been asked several times by customers to implement a warrant canary but have only gone so far as to discuss it informally with a barrister who was helping me with something else at the time (late 2010, so at the time more to do with Security Service Act, Counter Terrorism Act and Regulation of Investigatory Powers Act, but broadly just about secret warrants).

The key thing that warrant canaries seem to rely on is that the government can't force you to make a false statement (by making you continue to update your canary even after receiving a warrant that should stop you).

However, I suggested that the government would not force you to lie, they would just reiterate your obligations under the law and leave you to respond in whatever way you saw fit. Which may be to lie and continue updating your canary if your legal advice was that that was the safest thing to do, but that would be your choice, not something the government ever brought up. Or you could take a stand and hope that your actions wouldn't get you prosecuted. Point being that if you were prosecuted you might find it hard to rely on, "you can't force me to make a false statement" as a defence.

The barrister agreed that was a plausible turn of events but of course to provide more comprehensive advice they'd want paying to put the time in to research it. That was enough for me to conclude that it wasn't something I'd want to start doing in case I found myself in the position of having to choose between lying, voluntarily just shutting up shop immediately, or going to prison.

Since then I have heard people (non-lawyers) in the industry speak of more elaborate wheezes like putting the update of the canary into the contract so not updating it would be a breach of contract, which you would argue that you can't be forced to do. But it all just seems like puffery and marketing until someone gets some proper advice that they can share, and then maybe still not until it gets tested in court. And I can't afford that.

Cheers,
Andy
Re: [uknof] Jon Boyer or Jon Blank - ipv4hosting.com
Hello,

On Mon, Sep 19, 2016 at 11:08:07PM +0200, Marek Isalski wrote:
>
> On 19 Sep 2016, at 22:57, Gavin Henry wrote:
> > Anybody else had 3 emails from them today?
>
> Their "pitch" for leasing them address space suggests that we would be able
> to block port 25 outbound if their customer announced that leased address
> space. And then in the next paragraph, "oh and to preserve your IPv4 blocks'
> reputation, we'll make sure they filter port 25 on their routers".

I've today received this exact email from Jon Blank of ipv4salvation.com, sent to RIPE DB contacts via SendGrid. SendGrid responded to an abuse report within about 10 minutes saying they had suspended the account, though I imagine it will be no problem for "Jon Blank" to sign up again of course.

Cheers,
Andy