Re: [uknof] Strange DKIM Failures via UKNOF

2023-12-27 Thread Andy Smith via uknof
--- Begin Message ---
Hi Giorgio,

On Wed, Dec 27, 2023 at 09:01:32PM +0100, Giorgio Bonfiglio via uknof wrote:
> It’s in the interest of an ML operator to ensure subscribers do
> get emails - no?

I personally think so, yes, but there is no RFC that says an
Internet mailing list must support or preserve DKIM and not every
mailing list operator has thought about it, or if they have, not all
agree.

If you want to say that it's your opinion that mailing lists need to
preserve DKIM, then that's fine and I agree with you - mailing lists
I operate do.

If you want to say that running a mailing list that invalidates DKIM
signatures will negatively impact deliverability, again I would
agree with you.

I can't speak for the uknof list operators as to why they either
didn't think about it or don't wish to bother with it. I'm just
saying that it's a fact that not everyone agrees with DKIM; not
everyone has spent time on it. Even though it does unavoidably
impact deliverability, these days.

I think we pretty much agree that it would be a good idea not to
invalidate DKIM signatures. I think the only point where we differ
is that you came at this from the point of view that preserving DKIM
is a requirement for running a mailing list. Whereas I am more like,
"well, it impacts deliverability, so…" There is not much to separate
these views. 

> Do you disagree with the statement that a server processing a
> DKIM-signed email in ways which break the DKIM signature and still
> not taking action towards it is an (implicit) breach of the RFC?

Which RFC?

The DKIM RFC, RFC 6376, tells us what would and wouldn't invalidate a
DKIM signature, but there is no authority external to that RFC that
tells anyone to care about RFC 6376.

Except, I suppose, for the de facto authority of the major mailbox
providers who will more often make such mails disappear.

But as mentioned it is unclear what form if any this mailing list
will continue to exist in and until that is decided it doesn't seem
likely that anyone is going to be changing any list settings.

mailop might be a better venue to talk more about whether Internet
mailing lists in general are required to support DKIM.

https://www.mailop.org/

Though I think the view will still mostly only go as far as
"invalidating DKIM will negatively affect deliverability, so if you
care about that…"

Thanks,
Andy

--- End Message ---


Re: [uknof] Strange DKIM Failures via UKNOF

2023-12-27 Thread Andy Smith via uknof
--- Begin Message ---
Hi Giorgio,

On Wed, Dec 27, 2023 at 10:51:51AM +0100, Giorgio Bonfiglio via uknof wrote:
> this stuff became RFC and not recently… Shouldn’t a well respected
> tech list be configured in a way which doesn’t break validation?

How DKIM works is in an RFC, but how to operationally use it isn't,
so much. It's not universally agreed that mailing list operators
SHOULD (or MUST) NOT change the subject lines as the emails go
through. Not every mailing list operator believes that, and there is
no standard to tell them they are right/wrong.

On top of that, this has gone through different fashions as time
went on:

First¹ wave: we don't stick tags in the subject or change the
Reply-To; we are all adults here with competent MUAs and we can all
filter email based on headers.

Second wave: Not everyone has access to good MUAs so we'll add
subject tags to make it easier for people to filter either by
software or brain alone. And we'll set a Reply-To because we want
all discussion to go back onto the list.

Third wave: If you change the subject of an email you'll break DKIM,
so either do it and also change From address to be the list, take
responsibility and DKIM sign as the mailing list; or don't change
anything and let DKIM remain intact.

I have no idea if uknof ended up the way it is through luck, habit
or design, but there is no RFC comment on what should be done, only
what should happen in each case.

So you're asking on the basis of it being obvious to you, but it's
not obvious. Nevertheless it's a decision to make for mailing lists
in the DKIM and DMARC era.

Personally I'd replace mailing lists with Discourse and the problem
is gone.

Thanks,
Andy

¹ I appreciate that some readers may now be shouting, "first wave?
  FIRST!? I was participating in technical group discussions over
  UUCP" at their screen. But you know what I mean. 

--- End Message ---
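Both the RFC 6376 remark in the reply above and the "third wave" description in this message come down to what a DKIM verifier actually recomputes: a hash over a chosen set of header fields and a hash over the body, each after canonicalization. The following is an added example and not code from the thread or from any list software. The message is constructed, the RSA/Ed25519 signature is replaced by an HMAC under the stand-in DEMO_KEY so it runs with the standard library only, and the list address, tag and footer are invented; the canonicalization and hash-input rules follow RFC 6376 sections 3.4, 3.7 and 5.4.2.

```python
"""Which DKIM check a list breaks: a Subject tag changes the signed header
input (b= fails), a footer changes the body hash (bh= fails), while
whitespace-only changes survive 'relaxed' header canonicalization.
Added example; the HMAC under DEMO_KEY stands in for the real signature."""
import base64
import hashlib
import hmac
import re

SIGNED_HEADERS = ["from", "to", "subject", "date", "message-id"]  # the h= tag
DEMO_KEY = b"constructed-demo-key"   # stand-in for the selector's private key

# Constructed post, as it leaves the author's signing MTA.
ORIGINAL = (
    "From: alice@example.org\n"
    "To: uknof@lists.example\n"
    "Subject: Strange DKIM failures\n"
    "Date: Wed, 27 Dec 2023 10:00:00 +0000\n"
    "Message-ID: <constructed-1@example.org>\n"
    "\n"
    "Hello list,\n"
    "\n"
    "is anyone else seeing this?\n"
)


def split_message(raw):
    """Return (header fields, body); folded continuation lines are joined
    back onto their field so canonicalization sees whole fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\r\n" + line
        else:
            fields.append(line)
    return fields, body


def relaxed_header(field):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    name, _, value = field.partition(":")
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse and trim WSP
    return f"{name.strip().lower()}:{value}\r\n"


def simple_body(body):
    """RFC 6376 section 3.4.3 'simple' body canonicalization: CRLF line
    ends, trailing empty lines dropped, exactly one CRLF at the end."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(simple_body(body)).digest()).decode()


def header_hash_input(fields, h_tag):
    """Canonicalized fields in h= order, taking the last instance of each
    name (section 5.4.2); a listed name that is absent contributes nothing."""
    out = []
    for name in h_tag:
        matches = [f for f in fields if f.partition(":")[0].strip().lower() == name]
        if matches:
            out.append(relaxed_header(matches[-1]))
    return "".join(out).encode()


def sign(raw):
    """Produce the tags a DKIM-Signature field would carry. bh= is covered
    by the signature because it sits inside the signed DKIM-Signature field."""
    fields, body = split_message(raw)
    bh = body_hash(body)
    mac = hmac.new(DEMO_KEY, header_hash_input(fields, SIGNED_HEADERS) + bh.encode(), "sha256")
    return {"h": SIGNED_HEADERS, "bh": bh, "b": mac.hexdigest()}


def verify(raw, sig):
    """Recompute both hashes and report which one fails, as a verifier does."""
    fields, body = split_message(raw)
    bh_ok = hmac.compare_digest(body_hash(body), sig["bh"])
    mac = hmac.new(DEMO_KEY, header_hash_input(fields, sig["h"]) + sig["bh"].encode(), "sha256")
    b_ok = hmac.compare_digest(mac.hexdigest(), sig["b"])
    return {"body_hash_ok": bh_ok, "header_sig_ok": b_ok, "pass": bh_ok and b_ok}


def list_rewrite(raw, tag="[uknof] ", footer="-- \nlist info: https://lists.example/info\n"):
    """What a 'second wave' list does: prefix the Subject and append a footer."""
    fields, body = split_message(raw)
    rewritten = []
    for field in fields:
        name, _, value = field.partition(":")
        if name.strip().lower() == "subject":
            field = f"Subject: {tag}{value.strip()}"
        rewritten.append(field)
    return "\n".join(rewritten) + "\n\n" + body + footer


if __name__ == "__main__":
    sig = sign(ORIGINAL)
    for label, msg in [("untouched", ORIGINAL),
                       ("subject tag only", list_rewrite(ORIGINAL, footer="")),
                       ("footer only", list_rewrite(ORIGINAL, tag="")),
                       ("tag and footer", list_rewrite(ORIGINAL))]:
        print(f"{label:18} {verify(msg, sig)}")
```

The two failure modes are independent: a list that only tags the Subject leaves bh= valid and breaks b=, a list that only appends a footer does the reverse, and a verifier reports them separately. Re-signing as the list (the "third wave" option) works because the list computes fresh values over the message it actually sends, which is also why that option has to come with a From rewrite: the new signature's d= must align with the From domain for DMARC.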


Re: [uknof] Strange DKIM Failures via UKNOF

2023-12-27 Thread Andy Smith via uknof
--- Begin Message ---
Hello,

On Wed, Dec 27, 2023 at 09:59:15AM +, James Bensley via uknof wrote:
> I'm also getting mangled emails from UKNOF.

What do you mean by mangled? If you mean that your mails, as
distributed by uknof, come as an email From: the list with your
original email as an attachment inside, then I'd say that is almost
certainly through the DMARC mitigation settings of the list reacting
to your domain's DMARC setting.

It doesn't happen with every email so I don't think it's set to
happen unconditionally. Your DMARC policy for bensley.me is
"quarantine", so I think that is causing the DMARC mitigation of
"wrap_message":


https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html

> If anyone knows which mailman setting needs tweaking, I'd love to
> know. We could then ask the hosting provider to tweak said
> setting.

I don't think the list would want to turn off DMARC mitigations
since then people's emails would start being rejected for failing
DMARC.

Is it the wrapping of your mail as an attachment inside a mail from
the list that you particularly do not like? If so then the other
option would be to just change the from address (and not attach
original email), but that loses some information from your original
email.

You could stop using DMARC yourself. 

Thanks,
Andy

--- End Message ---
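The mechanism described in this message, as an added example that is not Mailman's own code: the list looks up the DMARC policy of the poster's From domain and only rewrites the post when that policy is quarantine or reject, which is why some posters see their mail wrapped and others do not. DNS is replaced by the constructed FAKE_DNS table (the bensley.me entry mirrors the p=quarantine stated above; the other records are invented), the organizational-domain step is simplified to the last two labels where real code consults the Public Suffix List, and the munge_from and wrap_message outputs approximate Mailman's header layout rather than reproducing it. The list address and option names are assumptions.

```python
"""Why the list mangles some posts and not others: mitigate only when the
poster's From-domain DMARC policy is quarantine or reject (the
dmarc_mitigate_unconditionally=False case), then apply the configured
dmarc_mitigate_action. Added example; FAKE_DNS stands in for real DNS."""
import email
import email.policy
import email.utils
from email.message import EmailMessage

LIST_NAME = "uknof"
LIST_ADDR = "uknof@lists.example"       # constructed list posting address
VALID_P = ("none", "quarantine", "reject")

# Constructed _dmarc TXT records; bensley.me mirrors what the thread says.
FAKE_DNS = {
    "_dmarc.bensley.me": "v=DMARC1; p=quarantine",
    "_dmarc.example.org": "v=DMARC1; p=none; sp=reject",
    "_dmarc.strict.example": "v=DMARC1;p=reject;adkim=s;aspf=s",
    "_dmarc.broken.example": "p=reject; v=DMARC1",   # v= must come first: invalid
}


def parse_dmarc(txt):
    """Parse a DMARC record (RFC 7489 section 6.3). Returns None when the
    record is not valid DMARC, which receivers treat as 'no policy'."""
    items = [i.strip() for i in txt.split(";") if i.strip()]
    if not items or items[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for item in items:
        k, sep, v = item.partition("=")
        if not sep:
            return None
        tags[k.strip().lower()] = v.strip()
    return tags if tags.get("p") in VALID_P else None


def org_domain(domain):
    """Simplification for this example: the last two labels."""
    return ".".join(domain.split(".")[-2:])


def effective_policy(domain, dns=FAKE_DNS):
    """RFC 7489 section 6.6.3 policy discovery, simplified: the exact
    _dmarc.<domain> record wins; otherwise the organizational domain's
    record applies, with a valid sp= overriding p= for subdomains."""
    domain = domain.lower()
    rec = parse_dmarc(dns.get(f"_dmarc.{domain}", ""))
    if rec:
        return rec["p"]
    org = org_domain(domain)
    rec = parse_dmarc(dns.get(f"_dmarc.{org}", "")) if org != domain else None
    if not rec:
        return "none"        # no valid record: nothing for the list to react to
    sp = rec.get("sp")
    return sp if sp in VALID_P else rec["p"]


def choose_action(from_domain, configured="wrap_message", unconditionally=False):
    """Mailman-style decision from dmarc_mitigate_action and
    dmarc_mitigate_unconditionally."""
    if unconditionally or effective_policy(from_domain) in ("quarantine", "reject"):
        return configured
    return "no_mitigation"


def apply_mitigation(raw, configured="wrap_message"):
    """Return (action, message) for a post as the list would redistribute it."""
    original = email.message_from_string(raw, policy=email.policy.default)
    original_from = str(original["From"])
    name, addr = email.utils.parseaddr(original_from)
    domain = addr.rpartition("@")[2]
    action = choose_action(domain, configured)
    list_from = f"{name or addr} via {LIST_NAME} <{LIST_ADDR}>"
    if action == "munge_from":
        msg = original
        del msg["From"]
        msg["From"] = list_from          # the list now takes DKIM/DMARC responsibility
        reply_to = [original_from] + ([str(msg["Reply-To"])] if msg["Reply-To"] else [])
        del msg["Reply-To"]
        msg["Reply-To"] = ", ".join(reply_to)   # replies still reach the author
        return action, msg
    if action == "wrap_message":
        msg = EmailMessage(policy=email.policy.default)
        msg["From"] = list_from
        msg["To"] = str(original["To"])
        msg["Subject"] = str(original["Subject"])
        msg["Reply-To"] = original_from
        msg.set_content(f"Message from {original_from} wrapped: {domain} publishes "
                        f"DMARC p={effective_policy(domain)}.\n")
        msg.add_attachment(original)     # original post, signature intact, as message/rfc822
        return action, msg
    return action, original


def constructed_post(from_header):
    """A constructed list post (headers only, no real DKIM signature)."""
    return (f"From: {from_header}\nTo: {LIST_ADDR}\nSubject: Strange DKIM failures\n"
            f"Message-ID: <constructed-1@example.invalid>\n\nI'm also getting mangled emails.\n")


if __name__ == "__main__":
    for sender in ("James <james@bensley.me>", "alice@example.org",
                   "bob@sub.example.org", "carol@broken.example"):
        action, msg = apply_mitigation(constructed_post(sender))
        print(f"{sender:28} -> {action:14} From: {msg['From']}")
```

The wrap keeps the original message intact inside the message/rfc822 part, so its DKIM signature still verifies there; the munge variant keeps the headers readable but, as the message above says, loses the original From and signature. Either way the outer From is the list's, so the outer DMARC check is made against the list's domain rather than the poster's.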


Re: [uknof] Extortion?

2020-02-04 Thread Andy Smith
Hello,

On Tue, Feb 04, 2020 at 06:57:03PM +, Aled Morris wrote:
> Has anyone else had this recently?  accompanied with a massive and
> sustained DDoS?  and can you recommend a law enforcement agency who will
> take it seriously? (unlike local plod)

I had one of these last year for about £6k in bitcoin.

Have you actually been attacked? Although some of these have been
genuine threats most of them are empty. Mine stated a date that the
attack would start on, so I did some basic preparation in case it
actually happened, but it didn't.

ActionFraud were not interested since it was for less than £10k.

Reported it to the police just to get a crime number just in case,
but it must have been a slow day in Hounslow because they sent a
copper around within 20 minutes to ask me all about it in quite a
lot of detail and then ultimately say, "this is beyond us, just
leave it with ActionFraud" as expected.

That bitcoin address doesn't seem to have received any payments yet,
but of course if they are serious and not idiots they will have
given you a unique one. Hopefully you won't end up paying (hey, I've
heard of techies being overruled by management on this sort of
thing) but if you are forced to then maybe ask for a new payment
address as now all of uknof can tell whether you paid. :)

https://www.blockchain.com/btc/address/14XUpNzEPYWVhsXmG3A15wC5Ffirxuk7dB

Cheers,
Andy



Re: [uknof] Anyone at plymouth.ac.uk or csirt.ja.net can look into this?

2019-12-17 Thread Andy Smith
Hi Rob,

On Tue, Dec 17, 2019 at 11:29:13AM +, Rob Evans wrote:
> >Over the last year I've sent multiple abuse reports to
> >ab...@plymouth.ac.uk and not even received an auto-reply. A couple
> >of weeks ago upon receiving another mail I sent an abuse report to
> >i...@csirt.ja.net and have again heard nothing.
> 
> That surprises me.  There are definitely CSIRT folk on this list, but I'll
> forward internally as well (though their approach will just be to Plymouth).

Thanks, someone from csirt.ja.net did just follow up to my report
from 4 December.

Cheers,
Andy



[uknof] Anyone at plymouth.ac.uk or csirt.ja.net can look into this?

2019-12-17 Thread Andy Smith
Hi,

There's a recruitment company called Tank Recruitment
(http://tankrec.com) who over the last year or so have continually
been sending us unsolicited recruitment leads. I'm aware I can't
call it spam since it's B2B, but there's 2 issues:

* They send them to addresses they have harvested out of the RIPE
  Database

* They send them from an IP address belonging to plymouth.ac.uk
  [141.163.218.163]

Also their "unsubscribe" option requires you to email them and ask
them to stop sending.

Over the last year I've sent multiple abuse reports to
ab...@plymouth.ac.uk and not even received an auto-reply. A couple
of weeks ago upon receiving another mail I sent an abuse report to
i...@csirt.ja.net and have again heard nothing.

If there's anyone at plymouth.ac.uk or csirt.ja.net reading this who
is able to re-educate this company or at least stop it happening
from your network, please do get in touch off-list and I'll send you
samples of their output.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 2019-06-05T06:41:07Z - Ref

2019-06-07 Thread Andy Smith
Hi Peter,

That's correct, in this case the host was a proxy frontend to some
public services and is locked down to only be able to talk to its
backends, no http/s out, no DNS except to internal resolvers.

Basically I looked into it as much as I could justify, and to be
honest the only reason why I queried it with IP-Echelon was to see
what the scope for error was there, due to me not finding anything,
only to be discouraged by multiple auto form replies. I'm not going
to re-image the host on the strength of that.

The way I understand these torrent notifications to work is that
companies like IP-Echelon join the tracker and passively get a list
of every IP address seen to be participating. The thing is, I also
understand that some trackers inject a certain percentage of
completely random IPs in order to frustrate companies like
IP-Echelon…

Cheers,
Andy

On Fri, Jun 07, 2019 at 02:37:09PM +, Peter Knapp wrote:
> So does the host have no HTTP/HTTPS access, or name server lookups etc?
> 
> BT will use all those ports these days.
> 
> Peter
> 
> 
> -Original Message-
> From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of Andy Smith
> Sent: 07 June 2019 15:28
> To: uknof@lists.uknof.org.uk
> Subject: Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 
> 2019-06-05T06:41:07Z - Ref
> 
> Hi Peter,
> 
> Just iptables on the host, it's just that this particular host has a
> restrictive firewall on both input and output and given the ports
> and IPs listed in the report it should not have been possible for
> that activity to happen.
> 
> Of course, if it had been compromised then maybe the firewall got
> altered and then put back again afterwards but this all gets a bit
> far-fetched for the sake of downloading a movie by BitTorrent.
> 
> Like I say, I looked into it and couldn't find any indication that
> it had actually happened, and the reporting company was completely
> impossible to communicate with.
> 
> Cheers,
> Andy
> 
> On Fri, Jun 07, 2019 at 02:07:50PM +, Peter Knapp wrote:
> > Love to know what firewall you're using that guarantees you can't get any 
> > form of BT through it please?
> > 
> > Pete
> > 
> > 
> > -Original Message-
> > From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of Andy 
> > Smith
> > Sent: 07 June 2019 15:04
> > To: uknof@lists.uknof.org.uk
> > Subject: Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 
> > 2019-06-05T06:41:07Z - Ref
> > 
> > Hello,
> > 
> > On Fri, Jun 07, 2019 at 05:38:10PM +0400, Stephen Wilcox wrote:
> > > On Fri, 7 Jun 2019 at 17:25, Andy Smith  wrote:
> > > > However, one day they sent one that implicated one of our
> > > > infrastructure hosts and I could not see any way in which that could
> > > > be torrenting, so I asked for more information. Every form of
> > > > contact I made resulted in an auto response suggesting that if I am
> > > > confused I should ask my network admin about it.
> > > 
> > > So you're saying people who work at infrastructure companies - ISPs, DCs
> > > etc, they don't do torrents and the like, and they would not do so with
> > > on-premise equipment.
> > 
> > No, I'm saying that unlike customer services in this specific case I
> > had full access to it and was able to audit it to the best of my
> > ability and found no such activity. BitTorrent wouldn't even have
> > been able to get through its firewall.
> > 
> > Cheers,
> > Andy
> > 
> > -- 
> > https://bitfolk.com/ -- No-nonsense VPS hosting



Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 2019-06-05T06:41:07Z - Ref

2019-06-07 Thread Andy Smith
Hi Peter,

Just iptables on the host, it's just that this particular host has a
restrictive firewall on both input and output and given the ports
and IPs listed in the report it should not have been possible for
that activity to happen.

Of course, if it had been compromised then maybe the firewall got
altered and then put back again afterwards but this all gets a bit
far-fetched for the sake of downloading a movie by BitTorrent.

Like I say, I looked into it and couldn't find any indication that
it had actually happened, and the reporting company was completely
impossible to communicate with.

Cheers,
Andy

On Fri, Jun 07, 2019 at 02:07:50PM +, Peter Knapp wrote:
> Love to know what firewall you're using that guarantees you can't get any 
> form of BT through it please?
> 
> Pete
> 
> 
> -Original Message-
> From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of Andy Smith
> Sent: 07 June 2019 15:04
> To: uknof@lists.uknof.org.uk
> Subject: Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 
> 2019-06-05T06:41:07Z - Ref
> 
> Hello,
> 
> On Fri, Jun 07, 2019 at 05:38:10PM +0400, Stephen Wilcox wrote:
> > On Fri, 7 Jun 2019 at 17:25, Andy Smith  wrote:
> > > However, one day they sent one that implicated one of our
> > > infrastructure hosts and I could not see any way in which that could
> > > be torrenting, so I asked for more information. Every form of
> > > contact I made resulted in an auto response suggesting that if I am
> > > confused I should ask my network admin about it.
> > 
> > So you're saying people who work at infrastructure companies - ISPs, DCs
> > etc, they don't do torrents and the like, and they would not do so with
> > on-premise equipment.
> 
> No, I'm saying that unlike customer services in this specific case I
> had full access to it and was able to audit it to the best of my
> ability and found no such activity. BitTorrent wouldn't even have
> been able to get through its firewall.
> 
> Cheers,
> Andy
> 
> -- 
> https://bitfolk.com/ -- No-nonsense VPS hosting



Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 2019-06-05T06:41:07Z - Ref

2019-06-07 Thread Andy Smith
Hello,

On Fri, Jun 07, 2019 at 05:38:10PM +0400, Stephen Wilcox wrote:
> On Fri, 7 Jun 2019 at 17:25, Andy Smith  wrote:
> > However, one day they sent one that implicated one of our
> > infrastructure hosts and I could not see any way in which that could
> > be torrenting, so I asked for more information. Every form of
> > contact I made resulted in an auto response suggesting that if I am
> > confused I should ask my network admin about it.
> 
> So you're saying people who work at infrastructure companies - ISPs, DCs
> etc, they don't do torrents and the like, and they would not do so with
> on-premise equipment.

No, I'm saying that unlike customer services in this specific case I
had full access to it and was able to audit it to the best of my
ability and found no such activity. BitTorrent wouldn't even have
been able to get through its firewall.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: [uknof] Notice of Claimed Infringement from A.B.C.D at 2019-06-05T06:41:07Z - Ref

2019-06-07 Thread Andy Smith
Hi John,

On Fri, Jun 07, 2019 at 01:08:49PM +, John Bourke wrote:
> We got a "Notice of Claimed Infringement" for a torrent download of copyright 
> material by one of the reseller's customers.  We can identify the end 
> customer from logs.
> 
> What is best practice when dealing with these complaints ?

We used to pass these on to the customer for the customer to take
whatever action they think best.

However, one day they sent one that implicated one of our
infrastructure hosts and I could not see any way in which that could
be torrenting, so I asked for more information. Every form of
contact I made resulted in an auto response suggesting that if I am
confused I should ask my network admin about it.

After that, since the reports are provably inaccurate to some degree
and there is no way to work with the reporters, we started to send
them to /dev/null.

> Is there a risk that our public NAT addresses will be blacklisted ?

Unlikely. These companies do not operate any service; they are
contracted to the media rights owners to go out and hunt possible
infringers and intimidate them into stopping.

No doubt they keep records of everything they have found and might
one day take some en masse action to gather the contact details of
the subscribers but it seems unlikely that they are going to feed
all the IPs into some sort of blacklist for a future streaming
service or similar.

> Should we enforce an Acceptable Use Policy ?

If you want to investigate this third party's allegation that your
customer was torrenting something they shouldn't be torrenting, and
then take action compatible with your AUP, that would be your
decision.

As I say, we drew the line at passing the notice on to the customer,
and then after discovering that the reports could be wrong and there
was no way to query them, we started binning them with no action.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: [uknof] Investigatory Powers Act

2017-01-14 Thread Andy Smith
Hi Neil,

On Sat, Jan 14, 2017 at 09:43:52PM +, Neil J. McRae wrote:
> Contract law is typically always trumped by statute…

Yes, absolutely agreed. I forgot to mention that I did seek specific
advice on that in late 2010 with relation to the Counter Terrorism
Act and it is very clear that if you agree that not updating a
canary is a disclosure then Section 19 (1) of that act trumps any
contractual clause you could construct:

http://www.legislation.gov.uk/ukpga/2008/28/section/19

I haven't sought advice on same for IP Bill but I would be surprised
if it isn't similar.

Cheers,
Andy



Re: [uknof] Investigatory Powers Act

2017-01-14 Thread Andy Smith
Hello,

On Sat, Jan 14, 2017 at 08:10:28PM +, Mike Jones wrote:
> If I was a lawyer I could probably word it in a way that forced you to
> issue a press release saying that you were shutting down your canary
> due to it being a pointless waste of resources with no legal validity.

I'm not any sort of lawyer but if I was the government's lawyer then
I would do what the government typically does in the face of such
antics which is to just unhelpfully reiterate the law to people, so
that they have no idea what will happen without getting expensive
legal advice and/or just going for it. Expecting them to do
something useful like actually tell you what to do seems wildly
optimistic, even if the "what to do" would be something unpalatable.

I have been asked several times by customers to implement a warrant
canary but have only gone so far as to discuss it informally with a
barrister who was helping me with something else at the time (late
2010, so at the time more to do with Security Service Act, Counter
Terrorism Act and Regulation of Investigatory Powers Act, but
broadly just about secret warrants).

The key thing that warrant canaries seem to rely on is that the
government can't force you to make a false statement (by making you
continue to update your canary even after receiving a warrant that
should stop you).

However, I suggested that the government would not force you to lie,
they would just reiterate your obligations under the law and leave
you to respond in whatever way you saw fit. Which may be to lie and
continue updating your canary if your legal advice was that that was
the safest thing to do, but that would be your choice, not something
the government ever brought up.

Or you could take a stand and hope that your actions wouldn't get
you prosecuted. Point being that if you were prosecuted you might
find it hard to rely on, "you can't force me to make a false
statement" as a defence.

The barrister agreed that was a plausible turn of events but of
course to provide more comprehensive advice they'd want paying to
put the time in to research it. That was enough for me to conclude
that it wasn't something I'd want to start doing in case I found
myself in the position of having to choose between lying,
voluntarily just shutting up shop immediately, or going to prison.

Since then I have heard people (non-lawyers) in the industry speak
of more elaborate wheezes like putting the update of the canary into
the contract so not updating it would be a breach of contract, which
you would argue that you can't be forced to do. But it all just
seems like puffery and marketing until someone gets some proper
advice that they can share, and then maybe still not until it gets
tested in court.

And I can't afford that.

Cheers,
Andy



Re: [uknof] Jon Boyer or Jon Blank - ipv4hosting.com

2016-09-19 Thread Andy Smith
Hello,

On Mon, Sep 19, 2016 at 11:08:07PM +0200, Marek Isalski wrote:
> > On 19 Sep 2016, at 22:57, Gavin Henry  wrote:
> > Anybody else had 3 emails from them today?
> 
> Their "pitch" for leasing them address space suggests that we would be able 
> to block port 25 outbound if their customer announced that leased address 
> space.  And then in the next paragraph, "oh and to preserve your IPv4 blocks' 
> reputation, we'll make sure they filter port 25 on their routers".

I've today received this exact email from Jon Blank of
ipv4salvation.com, sent to RIPE DB contacts via SendGrid. SendGrid
responded to an abuse report within about 10 minutes saying they had
suspended the account, though I imagine it will be no problem for
"Jon Blank" to sign up again of course.

Cheers,
Andy