Reply to:

2009-08-01 Thread twofers
So what makes a spammer want to use a valid email address as a return or 
reply-to address to catch all the undeliverable, failure and bounced email that 
occurs when sending UBE spam.
 
Is there some legitimacy with spam detection on an email that contains a valid 
reply-to email address?
 
To me, spam is one thing, but loading a mailbox with literally several 
thousands of bounced emails is abusive. I'm lucky as I have the option to click 
one button and remove them all on the server, but for a user to have to delete 
individually or as a group after downloading them all is just wrong.
 
Any ideas on preventing or minimizing this type of spam?
 
Thanks.
 
Wes


  

Re: Reply to:

2009-08-01 Thread mouss
twofers wrote:
> So what makes a spammer want to use a valid email address as a return or
> reply-to address to catch all the undeliverable, failure and bounced
> email that occurs when sending UBE spam.
>  

this is to beat those who use "sender verification"/sender
callout/(whatever you name it).

> Is there some legitimacy with spam detection on an email that contains a
> valid reply-to email address?
>  
> To me, spam is one thing, but loading a mailbox with literally several
> thousands of bounced emails is abusive. I'm lucky as I have the option
> to click one button and remove them all on the server, but for a user to
> have to delete individually or as a group after downloading them all is
> just wrong.
>  
> Any ideas on preventing or minimizing this type of spam?
>  

you mean the stupid bounces?
well, the solution is to have sites fix their broken setup and not
return a bounce if the recipient doesn't exist (they should validate
recipients at smtp time) nor if the message is detected as undesired
(spam, malware, whatever).

until then, the only thing you can do is limit the impact. SA has
vbounce.pm. depending on your MTA, you can also block some of the
outscatter at smtp time. google for "backscatter".



Re: Reply to:

2009-08-01 Thread LuKreme

On 1-Aug-2009, at 06:14, twofers wrote:

> Any ideas on preventing or minimizing this type of spam?


Yep, I reduced the number of emails being processed on my mail server  
by about 40% by enabling a backscatter RBL.


postfix/main.cf:
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    check_sender_access hash:$config_directory/backscatter
    permit

postfix/backscatter:
<> reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org


--
Rincewind had always been happy to think of himself as a racist.
The One Hundred Meters, the Mile, the Marathon -- he'd run them
all.



When Reply = To

2006-01-28 Thread karlp
In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm not
expert enough, nor smart enough to understand the cryptic nature of PHP
(cryptic to me, at least) and the SA rules.

When an email is spoofed as being from me and to me, the score is -100 (+-
the other rules caught) as being in the whitelist. I have a database of
email users of about 4000 and wrote a script that goes through them on
command and builds my whitelist.

I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7

-- 
karl
 _/  _/  _/  _/_/_/      __o
_/ _/   _/  _/_/   _-\<._
   _/_/_/  _/_/_/ (_)/ (_)
  _/ _/   _/  _/   ..
 _/   _/ arl _/_/_/  _/ earson[EMAIL PROTECTED]
---
Senior Consulting Sys/DB Analyst
http://consulting.ourldsfamily.com
---
 My Thoughts on Terrorism In America:
 http://www.ourldsfamily.com/wtc.shtml
---
 A right is not what someone gives you; it's what no one can take from
you. -Ramsey Clark
---




Re: When Reply = To

2006-01-28 Thread jdow

From: <[EMAIL PROTECTED]>


> In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm not
> expert enough, nor smart enough to understand the cryptic nature of PHP
> (cryptic to me, at least) and the SA rules.
>
> When an email is spoofed as being from me and to me, the score is -100 (+-
> the other rules caught) as being in the whitelist. I have a database of
> email users of about 4000 and wrote a script that goes through them on
> command and builds my whitelist.
>
> I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7


1) It's whitelist_from_rcvd you want.
2) It should not be necessary to whitelist your own site. If it is then
  investigate what aspects of your email load are causing the hits. Then
  take the proper remedial action.

{^_^}



Re: When Reply = To

2006-01-29 Thread karlp

On Sun, January 29, 2006 12:50 am, jdow said:
> From: <[EMAIL PROTECTED]>
>
>> In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm
>> not
>> expert enough, nor smart enough to understand the cryptic nature of PHP
>> (cryptic to me, at least) and the SA rules.
>>
>> When an email is spoofed as being from me and to me, the score is -100
>> (+-
>> the other rules caught) as being in the whitelist. I have a database of
>> email users of about 4000 and wrote a script that goes through them on
>> command and builds my whitelist.
>>
>> I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7
>
> 1) It's whitelist_from_rcvd you want.
> 2) It should not be necessary to whitelist your own site. If it is then
>    investigate what aspects of your email load are causing the hits. Then
>    take the proper remedial action.

Okay, I've looked at whitelist_from_rcvd and added for email addresses on
my site. The format I'm using is:

whitelist_from_rcvd  [EMAIL PROTECTED]  mydomain.com

I'll watch and see if anymore of these fail to get tagged as spam.

I'm confused on how to take proper remedial action because I'm not sure
what to look for on item #2 above. Please point me in the right direction
and I'll get the rest of the work myself.


Thanks for your help.

Karl

>
> {^_^}
>





Re: When Reply = To

2006-01-29 Thread jdow

From: <[EMAIL PROTECTED]>


> On Sun, January 29, 2006 12:50 am, jdow said:
>
>> From: <[EMAIL PROTECTED]>
>>
>>> In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm
>>> not
>>> expert enough, nor smart enough to understand the cryptic nature of PHP
>>> (cryptic to me, at least) and the SA rules.
>>>
>>> When an email is spoofed as being from me and to me, the score is -100
>>> (+-
>>> the other rules caught) as being in the whitelist. I have a database of
>>> email users of about 4000 and wrote a script that goes through them on
>>> command and builds my whitelist.
>>>
>>> I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7
>>
>> 1) It's whitelist_from_rcvd you want.
>> 2) It should not be necessary to whitelist your own site. If it is then
>>    investigate what aspects of your email load are causing the hits. Then
>>    take the proper remedial action.
>
> Okay, I've looked at whitelist_from_rcvd and added for email addresses on
> my site. The format I'm using is:
>
> whitelist_from_rcvd  [EMAIL PROTECTED]  mydomain.com
>
> I'll watch and see if anymore of these fail to get tagged as spam.
>
> I'm confused on how to take proper remedial action because I'm not sure
> what to look for on item #2 above. Please point me in the right direction
> and I'll get the rest of the work myself.


Do you see ALL_TRUSTED in all or most of the email received? If so your
trust path is toast and many of the header consistency checks won't work
right. As far as other issues, my brain's not functioning well at the
moment. Migraines do that to me. But I do note that it's fairly obvious
when an email has forged an Earthlink address. So perhaps catching it
here is easier than for you. I do not have anything at Earthlink whitelisted
at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
is an effective whitelist, anyway. I don't mind that most of the Earthlink
sales offers and such get clobbered by the spam filtering. {^_-}

{^_^}



Re: When Reply = To

2006-01-29 Thread karlp

On Sun, January 29, 2006 4:42 pm, jdow said:
> From: <[EMAIL PROTECTED]>
>>
>> On Sun, January 29, 2006 12:50 am, jdow said:
>>> From: <[EMAIL PROTECTED]>
>>>
>>>> In my setup (SA 3.1.0) I've done some tweaking here and there, but I'm
>>>> not
>>>> expert enough, nor smart enough to understand the cryptic nature of
>>>> PHP
>>>> (cryptic to me, at least) and the SA rules.
>>>>
>>>> When an email is spoofed as being from me and to me, the score is -100
>>>> (+-
>>>> the other rules caught) as being in the whitelist. I have a database
>>>> of
>>>> email users of about 4000 and wrote a script that goes through them on
>>>> command and builds my whitelist.
>>>>
>>>> I'm on Redhat v8.0, PHP v4.2.2-8.0.5, sendmail v8.12.5-7
>>>
>>> 1) It's whitelist_from_rcvd you want.
>>> 2) It should not be necessary to whitelist your own site. If it is
>>> then
>>>    investigate what aspects of your email load are causing the hits.
>>> Then
>>>    take the proper remedial action.
>>
>> Okay, I've looked at whitelist_from_rcvd and added for email addresses
>> on
>> my site. The format I'm using is:
>>
>> whitelist_from_rcvd  [EMAIL PROTECTED]  mydomain.com
>>
>> I'll watch and see if anymore of these fail to get tagged as spam.
>>
>> I'm confused on how to take proper remedial action because I'm not sure
>> what to look for on item #2 above. Please point me in the right
>> direction
>> and I'll get the rest of the work myself.
>
> Do you see ALL_TRUSTED in all or most of the email received? If so your
> trust path is toast and many of the header consistency checks won't work
> right. As far as other issues, my brain's not functioning well at the
> moment. Migraines do that to me. But I do note that it's fairly obvious
> when an email has forged an Earthlink address. So perhaps catching it
> here is easier than for you. I do not have anything at Earthlink
> whitelisted
> at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
> is an effective whitelist, anyway. I don't mind that most of the Earthlink
> sales offers and such get clobbered by the spam filtering. {^_-}

There aren't ever any ALL_TRUSTED entries in my headers. I've been very
careful to tune that as accurately as I can. I'm behind a dual-homed Linux
firewall which is behind a NATted Cisco gateway router, so it was a
trial-and-error process. I still am not completely confident it's right.

Currently I have:

clear_trusted_networks
internal_networks   127/8 10/8 172.20.20/24
trusted_networks    172.20.20.2 10.0.0.1 127.0.0.1 My.Pub.lic.IP
dns_available   test: mydomain.com

Karl

>
> {^_^}
>







Re: When Reply = To

2006-01-29 Thread jdow

From: <[EMAIL PROTECTED]>


> On Sun, January 29, 2006 4:42 pm, jdow said:

...

>> Do you see ALL_TRUSTED in all or most of the email received? If so your
>> trust path is toast and many of the header consistency checks won't work
>> right. As far as other issues, my brain's not functioning well at the
>> moment. Migraines do that to me. But I do note that it's fairly obvious
>> when an email has forged an Earthlink address. So perhaps catching it
>> here is easier than for you. I do not have anything at Earthlink
>> whitelisted
>> at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
>> is an effective whitelist, anyway. I don't mind that most of the Earthlink
>> sales offers and such get clobbered by the spam filtering. {^_-}
>
> There aren't ever any ALL_TRUSTED entries in my headers. I've been very
> careful to tune that as accurately as I can. I'm behind a dual-homed Linux
> firewall which is behind a NATted Cisco gateway router, so it was a
> trial-and-error process. I still am not completely confident it's right.
>
> Currently I have:
>
> clear_trusted_networks
> internal_networks   127/8 10/8 172.20.20/24
> trusted_networks    172.20.20.2 10.0.0.1 127.0.0.1 My.Pub.lic.IP
> dns_available   test: mydomain.com


OK, do you in fact see messages from your own domain triggering as spam?
If so check the rules that triggered. Maybe they are not well suited for
the demands of your particular domain. You may need to override some scores
or remove some rule sets. Or if somebody internally is spamming then it
might be wise to turn them off. I treat whitelist and its kith and kin as
an admission that a site may be spammy in nature but it is spam I want
and have asked for. I work hard not to need it. Although there are some
commercial theatrical and financial sites I do want that do trigger the
standard rule sets, sometimes humorously well. So I whitelist them for
awhile until their format bugs me too much and then they drift back to
spam status. But if anti-spam rules are very regularly rating messages
from your site as spam it might be a good idea to check on what those
messages look like rather than wallpapering over them. (The SARE rule
set 70_sare-whitelist.cf is a good place to find suitable formats for
the whitelist_from_rcvd rule. Some sites you want to accept wild card
user names while other sites you want to be more restrictive about.
The whitelist_from_rcvd requires that the email not only claim the
correct sender address format but also that it originates from the
correct domain for that address.

{^_^}
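
The difference jdow describes between whitelist_from and whitelist_from_rcvd, as an added example (not code from the thread or from SpamAssassin): a simplified Python model of both checks, run against a constructed message that forges a local sender. The addresses, relay lists and the 203.0.113.10 stand-in for the public IP are constructed; the trust-path walk is a simplification of what SpamAssassin does with Received headers.

```python
import ipaddress
import re

# Constructed stand-ins for the redacted values in the thread.
TRUSTED = ["127.0.0.0/8", "10.0.0.1", "172.20.20.2", "203.0.113.10"]
WHITELIST_FROM = ["*@mydomain.example"]
WHITELIST_FROM_RCVD = [("*@mydomain.example", "mydomain.example")]

# Relays are (ip, rdns) pairs read from Received headers, newest first.
SPOOFED = [("172.20.20.2", "fw.mydomain.example"),
           ("198.51.100.77", "dsl-77.isp.example")]
GENUINE = [("172.20.20.2", "fw.mydomain.example"),
           ("192.0.2.25", "mail.mydomain.example")]
INTERNAL_ONLY = [("172.20.20.2", "fw.mydomain.example")]


def glob_match(glob, address):
    """Match an address against a glob where only * and ? are wildcards."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in glob)
    return re.fullmatch("".join(parts), address, re.IGNORECASE) is not None


def handover_relay(relays, trusted):
    """Return the first relay outside the trusted networks.

    None means every hop was trusted, which is the situation the
    ALL_TRUSTED rule reports.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip, rdns in relays:
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            return ip, rdns
    return None


def rdns_in_domain(rdns, domain):
    """True if rdns is the domain itself or a host below it."""
    rdns, domain = rdns.lower().rstrip("."), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_from(entries, sender):
    """Address-only check: anyone who forges the sender passes."""
    return any(glob_match(g, sender) for g in entries)


def whitelist_from_rcvd(entries, sender, relays, trusted):
    """Address check plus rDNS of the relay that handed the mail over."""
    relay = handover_relay(relays, trusted)
    if relay is None:
        # Model choice: with no external relay there is nothing to compare.
        return False
    return any(glob_match(g, sender) and rdns_in_domain(relay[1], d)
               for g, d in entries)


if __name__ == "__main__":
    sender = "karl@mydomain.example"
    for label, relays in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label,
              "whitelist_from:", whitelist_from(WHITELIST_FROM, sender),
              "whitelist_from_rcvd:",
              whitelist_from_rcvd(WHITELIST_FROM_RCVD, sender, relays, TRUSTED))
```

A wrong trusted_networks setting changes which relay handover_relay() picks, which is why the trust path has to be right before the rDNS comparison means anything.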



Re: When Reply = To

2006-02-01 Thread karlp

On Sun, January 29, 2006 9:09 pm, jdow said:
> From: <[EMAIL PROTECTED]>
>>
>> On Sun, January 29, 2006 4:42 pm, jdow said:
> ...
>>> Do you see ALL_TRUSTED in all or most of the email received? If so your
>>> trust path is toast and many of the header consistency checks won't
>>> work
>>> right. As far as other issues, my brain's not functioning well at the
>>> moment. Migraines do that to me. But I do note that it's fairly
>>> obvious
>>> when an email has forged an Earthlink address. So perhaps catching it
>>> here is easier than for you. I do not have anything at Earthlink
>>> whitelisted
>>> at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
>>> is an effective whitelist, anyway. I don't mind that most of the
>>> Earthlink
>>> sales offers and such get clobbered by the spam filtering. {^_-}
>>
>> There aren't ever any ALL_TRUSTED entries in my headers. I've been very
>> careful to tune that as accurately as I can. I'm behind a dual-homed
>> Linux
>> firewall which is behind a NATted Cisco gateway router, so it was a
>> trial-and-error process. I still am not completely confident it's right.
>>
>> Currently I have:
>>
>> clear_trusted_networks
>> internal_networks   127/8 10/8 172.20.20/24
>> trusted_networks    172.20.20.2 10.0.0.1 127.0.0.1 My.Pub.lic.IP
>> dns_available   test: mydomain.com
>
> OK, do you in fact see messages from your own domain triggering as spam?
> If so check the rules that triggered. Maybe they are not well suited for
> the demands of your particular domain. You may need to override some
> scores
> or remove some rule sets. Or if somebody internally is spamming then it
> might be wise to turn them off. I treat whitelist and its kith and kin as
> an admission that a site may be spammy in nature but it is spam I want
> and have asked for. I work hard not to need it. Although there are some
> commercial theatrical and financial sites I do want that do trigger the
> standard rule sets, sometimes humorously well. So I whitelist them for
> awhile until their format bugs me too much and then they drift back to
> spam status. But if anti-spam rules are very regularly rating messages
> from your site as spam it might be a good idea to check on what those
> messages look like rather than wallpapering over them. (The SARE rule
> set 70_sare-whitelist.cf is a good place to find suitable formats for
> the whitelist_from_rcvd rule. Some sites you want to accept wild card
> user names while other sites you want to be more restrictive about.
> The whitelist_from_rcvd requires that the email not only claim the
> correct sender address format but also that it originates from the
> correct domain for that address.

Nope, never spam from inside the network. I've never had that problem with
my users. I guess I'm lucky that way. There's no way (currently) to use my
hosts as open relays either.

It seems things have calmed down now with the use of the
whitelist_from_rcvd inclusion.

Thanks for that help.

Karl


>
> {^_^}
>





Re: When Reply = To

2006-02-01 Thread jdow

From: <[EMAIL PROTECTED]>

> On Sun, January 29, 2006 9:09 pm, jdow said:
>
>> From: <[EMAIL PROTECTED]>
>>
>>> On Sun, January 29, 2006 4:42 pm, jdow said:
>>
>> ...
>>
>>>> Do you see ALL_TRUSTED in all or most of the email received? If so your
>>>> trust path is toast and many of the header consistency checks won't
>>>> work
>>>> right. As far as other issues, my brain's not functioning well at the
>>>> moment. Migraines do that to me. But I do note that it's fairly
>>>> obvious
>>>> when an email has forged an Earthlink address. So perhaps catching it
>>>> here is easier than for you. I do not have anything at Earthlink
>>>> whitelisted
>>>> at all. But then, the ALL_TRUSTED which honest Earthlink.net email gets
>>>> is an effective whitelist, anyway. I don't mind that most of the
>>>> Earthlink
>>>> sales offers and such get clobbered by the spam filtering. {^_-}
>>>
>>> There aren't ever any ALL_TRUSTED entries in my headers. I've been very
>>> careful to tune that as accurately as I can. I'm behind a dual-homed
>>> Linux
>>> firewall which is behind a NATted Cisco gateway router, so it was a
>>> trial-and-error process. I still am not completely confident it's right.
>>>
>>> Currently I have:
>>>
>>> clear_trusted_networks
>>> internal_networks   127/8 10/8 172.20.20/24
>>> trusted_networks    172.20.20.2 10.0.0.1 127.0.0.1 My.Pub.lic.IP
>>> dns_available   test: mydomain.com
>>
>> OK, do you in fact see messages from your own domain triggering as spam?
>> If so check the rules that triggered. Maybe they are not well suited for
>> the demands of your particular domain. You may need to override some
>> scores
>> or remove some rule sets. Or if somebody internally is spamming then it
>> might be wise to turn them off. I treat whitelist and its kith and kin as
>> an admission that a site may be spammy in nature but it is spam I want
>> and have asked for. I work hard not to need it. Although there are some
>> commercial theatrical and financial sites I do want that do trigger the
>> standard rule sets, sometimes humorously well. So I whitelist them for
>> awhile until their format bugs me too much and then they drift back to
>> spam status. But if anti-spam rules are very regularly rating messages
>> from your site as spam it might be a good idea to check on what those
>> messages look like rather than wallpapering over them. (The SARE rule
>> set 70_sare-whitelist.cf is a good place to find suitable formats for
>> the whitelist_from_rcvd rule. Some sites you want to accept wild card
>> user names while other sites you want to be more restrictive about.
>> The whitelist_from_rcvd requires that the email not only claim the
>> correct sender address format but also that it originates from the
>> correct domain for that address.
>
> Nope, never spam from inside the network. I've never had that problem with
> my users. I guess I'm lucky that way. There's no way (currently) to use my
> hosts as open relays either.
>
> It seems things have calmed down now with the use of the
> whitelist_from_rcvd inclusion.


I'm glad it worked and that there was no more serious problem lurking
behind the symptoms.

{^_-}



Blacklist for reply-to?

2018-02-18 Thread Kenneth Porter

Is there a blacklist for domains in the reply-to header?

I've noticed a lot of spam with no URL and mutating From but the reply-to 
domain is always aliyun dot com. I want to add a site-wide blacklist for 
that.


comparing From and Reply-To:

2010-11-02 Thread Lawrence @ Rogers
As a sort of follow up to my last message, I was wondering how 
complicated it is to write a rule that would compare the From: and 
Reply-To: headers, and set it to 0.001 or make it a meta rule that could 
be used in conjunction with others?


Would this plugin suffice?

http://wiki.apache.org/spamassassin/FromNotReplyTo

Regards,
Lawrence


Re: Blacklist for reply-to?

2018-02-18 Thread Rob McEwen

On 2/18/2018 3:06 PM, Kenneth Porter wrote:

> Is there a blacklist for domains in the reply-to header?
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.



http://msbl.org

(I'm not associated with this. Also, it is very high quality and 
well-run! It should at least make a noticeable improvement, even if it 
doesn't catch all of them.)


--
Rob McEwen
https://www.invaluement.com
 



Re: Blacklist for reply-to?

2018-02-18 Thread Rupert Gallagher
It is not spam. You get it if you have an account with alibaba. Just configure 
it.

Sent from ProtonMail Mobile

On Sun, Feb 18, 2018 at 21:06, Kenneth Porter  wrote:

> Is there a blacklist for domains in the reply-to header? I've noticed a lot 
> of spam with no URL and mutating From but the reply-to domain is always 
> aliyun dot com. I want to add a site-wide blacklist for that.

Re: Blacklist for reply-to?

2018-02-18 Thread Kenneth Porter
--On Sunday, February 18, 2018 4:21 PM -0500 Rupert Gallagher 
 wrote:



> It is not spam. You get it if you have an account with alibaba. Just
> configure it.


These emails are addressed to many of my web-page-only addresses that I've 
never used to sign up for anything. They're clearly unsolicited. 


Re: Blacklist for reply-to?

2018-02-18 Thread Benny Pedersen

Kenneth Porter wrote on 2018-02-18 22:39:

> These emails are addressed to many of my web-page-only addresses that
> I've never used to sign up for anything. They're clearly unsolicited.


blacklist_to *@spamtrap.example.org in replyto

force bayes learn on user in blacklist

maybe use blacklist_from as well, i can't remember if one or both is
needed


Re: Blacklist for reply-to?

2018-02-18 Thread Rupert Gallagher
Question time! You receive spam with a reply-to your own address. What do you 
do?

A: you blacklist your own address
B: you ask around to do A for you
C: you ask for advice

Sent from ProtonMail Mobile

On Sun, Feb 18, 2018 at 22:39, Kenneth Porter  wrote:

> --On Sunday, February 18, 2018 4:21 PM -0500 Rupert Gallagher wrote:
>
>> It is not spam. You get it if you have an account with alibaba. Just
>> configure it.
>
> These emails are addressed to many of my web-page-only addresses that
> I've never used to sign up for anything. They're clearly unsolicited.

Re: Blacklist for reply-to?

2018-02-18 Thread Antony Stone
On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:

> Question time! You receive spam with a reply-to your own address. What do
> you do?

I take it that this is now a rather different question than the one you 
originally asked in this thread, where the reply-to address was clearly not 
your own?

> A: you blacklist your own address

Is there any reason why inbound mail should have your own address (and, by the 
way, do you mean address, or domain?) as the reply-to?

For some people yes, for others, no.  Your experience may not be standard.

> B: you ask around to do A for you

I'm not sure what that means.

> C: you ask for advice

Good idea; let's see what other replies you get.


Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

       Please reply to the list;
 please *don't* CC me.


Re: Blacklist for reply-to?

2018-02-18 Thread Benny Pedersen

Antony Stone wrote on 2018-02-19 02:09:

>> C: you ask for advice
>
> Good idea; let's see what other replies you get.


i hate mondays :=)


Re: Blacklist for reply-to?

2018-02-18 Thread Rupert Gallagher
You need coffee...

Sent from ProtonMail Mobile

On Mon, Feb 19, 2018 at 02:09, Antony Stone 
 wrote:

> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>
>> Question time! You receive spam with a reply-to your own address. What do
>> you do?
>
> I take it that this is now a rather different question than the one you
> originally asked in this thread, where the reply-to address was clearly not
> your own?
>
>> A: you blacklist your own address
>
> Is there any reason why inbound mail should have your own address (and, by
> the way, do you mean address, or domain?) as the reply-to?
>
> For some people yes, for others, no. Your experience may not be standard.
>
>> B: you ask around to do A for you
>
> I'm not sure what that means.
>
>> C: you ask for advice
>
> Good idea; let's see what other replies you get.
>
> Antony.
>
> --
> "I estimate there's a world market for about five computers."
>
> - Thomas J Watson, Chairman of IBM
>
> Please reply to the list;
> please *don't* CC me.

Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter

On 2/18/2018 5:09 PM, Antony Stone wrote:

> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>
>> Question time! You receive spam with a reply-to your own address. What do
>> you do?
>
> I take it that this is now a rather different question than the one you
> originally asked in this thread, where the reply-to address was clearly not
> your own?

I have no clue what Rupert is on about. I just want something like 
blacklist_from that uses the reply-to header. I thought it was a simple 
technical question about how the config file directives map onto the 
actual headers. I'm not asking for site policy.




Re: Blacklist for reply-to?

2018-02-19 Thread Daniele Duca

On 19/02/2018 10:00, Kenneth Porter wrote:

> I have no clue what Rupert is on about. I just want something like
> blacklist_from that uses the reply-to header. I thought it was a
> simple technical question about how the config file directives map
> onto the actual headers. I'm not asking for site policy.



Maybe something like this?

header REPLYTO_KILLER reply-to =~ /@domain\.that\.you\.want\.blacklisted/
score  REPLYTO_KILLER 1000
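
An added sketch (not from any poster, and not SpamAssassin code) of the check asked for in this thread and in the earlier "comparing From and Reply-To:" question: it extracts the Reply-To domain, tests it against a site block list with exact-or-subdomain matching, and reports whether Reply-To and From domains differ. It also runs an unanchored pattern of the same shape as the rule above, to show where that shape over- and under-matches. The domain blocked.example and all sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

BLOCKED_DOMAINS = {"blocked.example"}          # constructed placeholder
# Same shape as an unanchored header regex: "@" followed by the domain.
NAIVE = re.compile(r"@blocked\.example", re.IGNORECASE)


def make(frm, reply_to=None):
    """Build a minimal constructed message as raw text."""
    lines = ["From: " + frm, "To: info@recipient.example",
             "Subject: image editing"]
    if reply_to:
        lines.append("Reply-To: " + reply_to)
    return "\n".join(lines) + "\n\nbody\n"


SPAM_DIRECT = make('"Photo Team" <a1@freemail.example>',
                   "sales@blocked.example")
SPAM_SUBDOMAIN = make("x9@other.example", "<orders@mail.blocked.example>")
HAM_LOOKALIKE = make("Bob <bob@blocked.example.partner.example>",
                     "bob@blocked.example.partner.example")
NO_REPLYTO = make("alice@friend.example")


def header_domains(msg, name):
    """Return the lower-cased domains of every address in a header."""
    domains = set()
    for _, addr in getaddresses(msg.get_all(name, [])):
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def is_listed(domain, blocked):
    """Exact match or a subdomain of a listed domain, nothing looser."""
    return any(domain == b or domain.endswith("." + b) for b in blocked)


def evaluate(raw):
    """Return the three findings for one raw message."""
    msg = message_from_string(raw)
    reply_to = header_domains(msg, "Reply-To")
    sender = header_domains(msg, "From")
    return {
        "replyto_listed": any(is_listed(d, BLOCKED_DOMAINS) for d in reply_to),
        "replyto_differs": bool(reply_to) and reply_to.isdisjoint(sender),
        "naive_regex_hit": any(NAIVE.search(v) is not None
                               for v in msg.get_all("Reply-To", [])),
    }


if __name__ == "__main__":
    for label, raw in (("direct", SPAM_DIRECT), ("subdomain", SPAM_SUBDOMAIN),
                       ("lookalike", HAM_LOOKALIKE), ("none", NO_REPLYTO)):
        print(label, evaluate(raw))
```

The unanchored pattern misses the subdomain sample and hits the lookalike one; anchoring the end of the domain and allowing optional leading labels closes both gaps.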



Re: Blacklist for reply-to?

2018-02-19 Thread Kevin A. McGrail

On 2/18/2018 3:06 PM, Kenneth Porter wrote:

> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.


To my knowledge it doesn't exist.  I documented it as an idea for GSOC 
at https://issues.apache.org/jira/browse/COMDEV-263



Regards,
KAM



Re: Blacklist for reply-to?

2018-02-19 Thread Paul Stead
I have a BZ raised for reply-to blacklist checking:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354

On 19/02/2018, 15:05, "Kevin A. McGrail"  wrote:

On 2/18/2018 3:06 PM, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.

To my knowledge it doesn't exist.  I documented it as an idea for GSOC
at https://issues.apache.org/jira/browse/COMDEV-263


Regards,
KAM



--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Winner of 'Services Company of the Year' at the UK IT Industry Awards

This message is private and confidential. If you have received this message in 
error, please notify us and remove it from your system.

Zen Internet Limited may monitor email traffic data to manage billing, to 
handle customer enquiries and for the prevention and detection of fraud. We may 
also monitor the content of emails sent to and/or from Zen Internet Limited for 
the purposes of security, staff training and to monitor quality of service.

Zen Internet Limited is registered in England and Wales, Sandbrook Park, 
Sandbrook Way, Rochdale, OL11 1RY Company No. 03101568 VAT Reg No. 686 0495 01


Re: Blacklist for reply-to?

2018-02-19 Thread Rupert Gallagher
I wanted you to see your proposed solution from a different point of view, and 
I thought the quiz was spot on. As a number of you fell into the trap head 
first, I am now horrified. Whatever you do, just do not ask others to blacklist 
Alibaba, and do not blacklist yourself.

Sent from ProtonMail Mobile

On Mon, Feb 19, 2018 at 10:00, Kenneth Porter  wrote:

> On 2/18/2018 5:09 PM, Antony Stone wrote:
>
>> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>>
>>> Question time! You receive spam with a reply-to your own address. What do
>>> you do?
>>
>> I take it that this is now a rather different question than the one you
>> originally asked in this thread, where the reply-to address was clearly not
>> your own?
>
> I have no clue what Rupert is on about. I just want something like 
> blacklist_from that uses the reply-to header. I thought it was a simple 
> technical question about how the config file directives map onto the actual 
> headers. I'm not asking for site policy.

Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Rupert Gallagher wrote:


> Whatever you do, just do not ask others to blacklist Alibaba


Are those getting hits on SPOOFED_FREEM_REPTO_CHN?

Perhaps just bump the score for that locally?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...much of our country's counterterrorism security spending is not
  designed to protect us from the terrorists, but instead to protect
  our public officials from criticism when another attack occurs.
-- Bruce Schneier
---
 3 days until George Washington's 286th Birthday


Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter

On 2/19/2018 12:20 PM, John Hardin wrote:
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?


No, not seeing that one. After enough training I eventually see it land 
in Bayes. The RBLs are starting to flag it.


X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
    FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1

The subject and body are offering "image editing". The From is forged. 
But the Reply-to is consistent.




Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Kenneth Porter wrote:


> On 2/19/2018 12:20 PM, John Hardin wrote:
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> No, not seeing that one. After enough training I eventually see it land in
> Bayes. The RBLs are starting to flag it.
>
> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
>     FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>
> The subject and body are offering "image editing".


I get *tons* of those.

I'm wondering whether the freemail list is a bit stale, I'm seeing from 
addresses in .jp domains that look like they might be freemail...


jmail.co.jp
ezweb.ne.jp

Are these freemail?

o2online.de
wanadoo.fr


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People think they're trading chaos for order [by ceding more and
  more power to the Government], but they're just trading normal
  human evil for the really dangerous organized kind of evil, the
  kind that simply does not give a shit. Only bureaucrats can give
  you true evil. -- Larry Correia
---
 3 days until George Washington's 286th Birthday

Re: Blacklist for reply-to?

2018-02-19 Thread David Jones

On 02/19/2018 03:19 PM, John Hardin wrote:

> On Mon, 19 Feb 2018, Kenneth Porter wrote:
>
>> On 2/19/2018 12:20 PM, John Hardin wrote:
>>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> No, not seeing that one. After enough training I eventually see it
>> land in Bayes. The RBLs are starting to flag it.
>>
>> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
>>     FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>>
>> The subject and body are offering "image editing".
>
> I get *tons* of those.
>
> I'm wondering whether the freemail list is a bit stale, I'm seeing from
> addresses in .jp domains that look like they might be freemail...
>
>  jmail.co.jp
>  ezweb.ne.jp
>
> Are these freemail?
>
>  o2online.de
>  wanadoo.fr




The "freemail" domains also include domains that are commonly abused 
according to 20_freemail_domains.cf.  Anyone wanting to get some domains 
added should open up a SpamAssassin Bugzilla:


https://bz.apache.org/SpamAssassin

I have added a few domains over the past few months but my mail flow 
isn't going to see many of the problem domains outside of the US like 
those listed above.


--
David Jones


Re: Blacklist for reply-to?

2018-02-19 Thread Benny Pedersen

On 2018-02-19 22:35, David Jones wrote:

> https://bz.apache.org/SpamAssassin
>
> I have added a few domains over the past few months but my mail flow
> isn't going to see many of the problem domains outside of the US like
> those listed above.


https://www.google.dk/search?q=github+freemail

seems all is freemail ?

would adding more freemail domains give a better detection of spam ?


Re: Blacklist for reply-to?

2018-02-19 Thread @lbutlr
On 2018-02-19 (09:57 MST), Paul Stead  wrote:
> 
> This message is private and confidential. If you have received this message 
> in error, please notify us and remove it from your system.
> 
> Zen Internet Limited may monitor email traffic data to manage billing, to 
> handle customer enquiries and for the prevention and detection of fraud. We 
> may also monitor the content of emails sent to and/or from Zen Internet 
> Limited for the purposes of security, staff training and to monitor quality 
> of service.

I reject your terms.

-- 
Rid yourself of doubt -- or should you? -George Carlin



Re: Blacklist for reply-to?

2018-02-19 Thread Alex
Hi,

On Mon, Feb 19, 2018 at 3:20 PM, John Hardin  wrote:
> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>
>> Whatever you do, just do not ask others to blacklist Alibaba
>
>
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> Perhaps just bump the score for that locally?

KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
that rule for me. Perhaps he doesn't know the rule was removed or
otherwise handled?
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561

Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test
SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero
score

Is there anything further that needs to be done wrt this rule, or does
it now just work as expected?

He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER also being
affected by FORGED_YAHOO_RCVD.


Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Alex wrote:

> Hi,
>
> On Mon, Feb 19, 2018 at 3:20 PM, John Hardin wrote:
>> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>>
>>> Whatever you do, just do not ask others to blacklist Alibaba
>>
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> Perhaps just bump the score for that locally?
>
> KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
> that rule for me. Perhaps he doesn't know the rule was removed or
> otherwise handled?
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561
>
> Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test
> SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero
> score
>
> Is there anything further that needs to be done wrt this rule, or does
> it now just work as expected?
>
> He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER also being
> affected by FORGED_YAHOO_RCVD.


Kevin, can that be set to advisory rather than completely killed?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 63 more days working to pay your (average) annual US tax bill
 before you're finally working for yourself.


Re: Blacklist for reply-to?

2018-02-20 Thread Daniele Duca

On 18/02/2018 21:06, Kenneth Porter wrote:

> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.

If you are willing to write a little SA plugin and possibly maintain your
own dnsbl you can use something like this:


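use Email::Address;
use Domain::PublicSuffix;
use Data::Validate::Domain qw(is_domain);  # assumed source of is_domain()

sub check_email_headers {
  my ($self, $msg) = @_;
  my %headers;
  # Collect the address part of each header to inspect (only Reply-To here)
  if (defined($msg->get( 'Reply-To:addr' ))) {
    $headers{"Reply-To"} = $msg->get( 'Reply-To:addr' );
  }
  foreach my $header ( keys %headers) {
    my @addresses = Email::Address->parse($headers{$header});
    for my $address (@addresses) {
      # Skip anything whose host part is not a syntactically valid domain
      if (is_domain($address->host)) {
        my $parser = Domain::PublicSuffix->new();

        # domain is in $parser->get_root_domain($address->host) , you
        # can now look it up on your own dnsbl, Spamhaus DBL etc..

      }
    }
  }
  return 0;
}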

I personally also check the domain in the body From, useful for example
to catch legit abused accounts that have the return-path set as the
abused account but the body From set differently.


Also, the "image editing" spam is almost all caught by the MSBL 
(https://msbl.org/) , take a look at that bl and their plugin for more 
inspiration


Daniele Duca
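
The lookup step that the plugin sketch in the post above leaves as a comment, written out as a stand-alone Python example (added here; not code from the thread or from SpamAssassin). The zone name, the resolver stub, the sample message and the three-entry suffix set are constructed; a real deployment would load the full Public Suffix List and point at its own DNSBL zone.

```python
"""Added example: check the registered domain of each Reply-To address against a DNSBL."""
import ipaddress
import socket
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for the Public Suffix List (assumption: production code
# loads the full list, which is what Domain::PublicSuffix does in Perl).
MULTI_LABEL_SUFFIXES = {"co.jp", "ne.jp", "co.uk"}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers inside 127.255.255.0/24 signal a query error, not a listing.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def registered_domain(host):
    """Reduce mx1.jmail.co.jp to jmail.co.jp; None if there is no such domain."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < keep or not all(labels):
        return None
    return ".".join(labels[-keep:])


def reply_to_domains(raw):
    """Registered domains of every Reply-To address, in header order."""
    msg = message_from_string(raw)
    found = []
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if "@" not in addr:
            continue
        dom = registered_domain(addr.rsplit("@", 1)[1])
        if dom and dom not in found:
            found.append(dom)
    return found


def dnsbl_status(domain, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'clean' or 'error' for <domain>.<zone>."""
    try:
        answer = ipaddress.ip_address(resolve(f"{domain}.{zone}"))
    except socket.gaierror as exc:
        no_record = {socket.EAI_NONAME,
                     getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        # No record means not listed; timeouts and the like are not a verdict.
        return "clean" if exc.errno in no_record else "error"
    except (OSError, ValueError):
        return "error"
    if answer in ERROR_NET or answer not in LISTED_NET:
        return "error"
    return "listed"


def check_reply_to(raw, zone, resolve=socket.gethostbyname):
    """Map each Reply-To registered domain to its DNSBL status."""
    return {dom: dnsbl_status(dom, zone, resolve)
            for dom in reply_to_domains(raw)}


# --- constructed test data: a local zone holding the site-wide entry asked for
ZONE = "replyto.dnsbl.invalid"
FAKE_ZONE = {
    "aliyun.com." + ZONE: "127.0.0.2",         # local listing
    "jmail.co.jp." + ZONE: "127.255.255.254",  # error code, must not score
}


def fake_resolve(name):
    """Offline resolver stub standing in for socket.gethostbyname."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


SAMPLE = (
    "From: Photo Studio <a1b2@mailer.example>\n"
    "Reply-To: sales <editing@aliyun.com>, backup <x@mx1.jmail.co.jp>,"
    " <y@wanadoo.fr>\n"
    "Subject: constructed sample\n"
    "\n"
    "image editing offer\n"
)

if __name__ == "__main__":
    for dom, status in check_reply_to(SAMPLE, ZONE, fake_resolve).items():
        print(f"{dom}: {status}")
```

Treating an error answer as a listing would score every message whenever the resolver is refused by the list operator, which is why the three outcomes are kept apart.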


Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
Do you have the legal right to do so?

On Tue, Feb 20, 2018 at 00:23, @lbutlr  wrote:

> On 2018-02-19 (09:57 MST), Paul Stead wrote:
> > ...
>
> I reject your terms.

Re: Blacklist for reply-to?

2018-02-20 Thread Kevin A. McGrail

On 2/19/2018 7:15 PM, John Hardin wrote:

> Kevin, can that be set to advisory rather than completely killed?


Agreed.  I'll comment out the setting of the score to zero in 
nonKAMrules.cf.




Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
The matter is controversial. Lists have own defaults, who often abuse their 
original aim of mere forwarding, especially when they redistribute from a 
long-term archive.  On the other hand, people have own default banners for all 
outgoing correspondence, some with explicit reference to the applicable law and 
company policy. Sparks happen when they meet. A list's standpoint may be: if 
you do not want to be archived, then do not post. A person's standpoint may be 
that a mailing list standing as official publication is ludicrous, while 
individuals have a well established human right to freedom of speech. There are 
so many twists here that only a seasoned lawyer may tell right from wrong.

Sent from ProtonMail Mobile

On Tue, Feb 20, 2018 at 14:55, Reindl Harald  wrote:

> On 20.02.2018 at 14:02, Rupert Gallagher wrote:
> > Do you have the legal right to do so?
>
> does the fool with the disclaimer have any legal right to define whatever
> terms when sending to a public mailing-list?
>
> > On Tue, Feb 20, 2018 at 00:23, @lbutlr wrote:
> >> On 2018-02-19 (09:57 MST), Paul Stead wrote:
> >> > ...
> >> I reject your terms

Re: Blacklist for reply-to?

2018-02-20 Thread @lbutlr
On 2018-02-20 (06:02 MST), Rupert Gallagher  wrote:
> 
> Do you have the legal right to do so?

Absolutely.

No one gets to inflict a contract on me. Especially not an entirely stupid 
nonsense thing that like that piece of crap that has no legal weight whatsoever.

-- 
We are born naked, wet and hungry; then it's all downhill.



Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
Beware that companies use a legal note in their signature as advised by their 
lawyers, and many individuals do the same, to inform the reader about laws that 
apply regardless of where or when you are reading their note.

A mail from Europe is subject to data protection. It does not matter if you 
disagree.

R

On Wed, Feb 21, 2018 at 00:01, Reindl Harald  wrote:

> bullshit any disclaimer at the end of the message you already read is useless
> to start with - and send a message to the public with a disclaimer you can
> only read after the other content you already have read is nothing but
> idiotic as well as using accounts which add such disclaimers for mailing
> lists period
>
> On 20.02.2018 at 22:37, Rupert Gallagher wrote:
> > The matter is controversial. Lists have own defaults, who often
> > abuse their original aim of mere forwarding, especially when they
> > redistribute from a long-term archive.  On the other hand, people have
> > own default banners for all outgoing correspondence, some with explicit
> > reference to the applicable law and company policy. Sparks happen when
> > they meet. A list's standpoint may be: if you do not want to be
> > archived, then do not post. A person's standpoint may be
> > that a mailing list standing as official publication is ludicrous,
> > while individuals have a well established human right to freedom of
> > speech. There are so many twists here that only a seasoned lawyer may
> > tell right from wrong.
> >
> > On Tue, Feb 20, 2018 at 14:55, Reindl Harald wrote:
> >> On 20.02.2018 at 14:02, Rupert Gallagher wrote:
> >> > Do you have the legal right to do so?
> >> does the fool with the disclaimer have any legal right to define
> >> whatever terms when sending to a public mailing-list?
> >> > On Tue, Feb 20, 2018 at 00:23, @lbutlr wrote:
> >> >> On 2018-02-19 (09:57 MST), Paul Stead wrote:
> >> >> > ...
> >> >> I reject your terms

Re: Blacklist for reply-to?

2018-02-20 Thread Rupert Gallagher
You are wrong.

Sent from ProtonMail Mobile

On Wed, Feb 21, 2018 at 00:07, @lbutlr  wrote:

> On 2018-02-20 (06:02 MST), Rupert Gallagher wrote:
> > Do you have the legal right to do so?
>
> Absolutely.
>
> No one gets to inflict a contract on me. Especially not an entirely stupid
> nonsense thing that like that piece of crap that has no legal weight
> whatsoever.
>
> --
> We are born naked, wet and hungry; then it's all downhill.

Re: Blacklist for reply-to?

2018-02-21 Thread @lbutlr
On 2018-02-21 (00:20 MST), Rupert Gallagher  wrote:
> 
> Beware that companies use a legal note in their signature as advised by their 
> lawyers, and many individuals do the same, to inform the reader about laws 
> that apply regardless of where or when you are reading their note.

Mostly they lie about what their claimed rights are.

> A mail from Europe is subject to data protection. It does not matter if you 
> disagree.

It does. I am not subject to European laws on data protection.

-- 
"There's sex and death and human grime in monochrome for one thin dime
and at least the trains all run on time but they don't go anywhere."



[OT] Reply All vs. Reply-To

2008-10-20 Thread John Hardin

On Sun, 19 Oct 2008, Michelle Konzack wrote:

> On 2008-10-16 17:07:26, Benny Pedersen wrote:
>>
>> On Thu, October 16, 2008 11:16, Justin Mason wrote:
>>> +1.  This is not a useful topic for this forum.  Please drop it.
>>
>> drop sending cc when you also post on maillist
>
> FullACK!


Michelle, Benny, et al., why do you seek to shift your burden onto the 
rest of us?


When I hit "reply" on a message from the SA list, the only recipient is 
the original sender. The list is configured this way and the SA list 
admins may have reasons for doing so. The list admin contact address is 
the place to lodge a complaint about this behavior.


If I want the rest of the list to also see the reply - which is the most 
common case - I have to either manually add the list address to the 
message recipients, or hit "reply all" instead. For me the latter is 
simpler, and has become habit. I'm sure many if not most others are the 
same way.


Avoiding also directly CCing the original sender (i.e. you) first requires 
that I remember that someone on the current thread doesn't want a direct 
copy, and then requires I break my train of thought in composing the reply 
to go edit the recipient list before hitting "send". I apologize most 
abjectly, but I often fail to do both. Again, I'm sure many if not most 
others are the same way.


There is another solution that does not require you depend on the memory 
and courtesy of the other list members: before posting a message to the SA 
list, set your Reply-To: header to the SA list address. That way any 
well-behaved mail client when told to "reply all" will not directly send 
you a copy. This has been discussed at length before.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Mine eyes have seen the horror of the voting of the horde;
  They've looted the fromagerie where guv'ment cheese is stored;
  If war's not won before the break they grow so quickly bored;
  Their vote counts as much as yours.  -- Tam
---
 15 days until the Presidential Election


Re: comparing From and Reply-To:

2010-11-02 Thread Chris Conn

On 2010-11-02 17:01, Lawrence @ Rogers wrote:

> As a sort of follow up to my last message, I was wondering how
> complicated it is to write a rule that would compare the From: and
> Reply-To: headers, and set it to 0.001 or make it a meta rule that could
> be used in conjunction with others?
>
> Would this plugin suffice?
>
> http://wiki.apache.org/spamassassin/FromNotReplyTo
>
> Regards,
> Lawrence

I use this plugin for precisely that.  We have modified the plugin to 
match particular addresses in order to score highly for phishing and 
whatnot.


Chris



Re: comparing From and Reply-To:

2010-11-02 Thread Lawrence @ Rogers

On 02/11/2010 6:43 PM, Chris Conn wrote:

> On 2010-11-02 17:01, Lawrence @ Rogers wrote:
>
>> As a sort of follow up to my last message, I was wondering how
>> complicated it is to write a rule that would compare the From: and
>> Reply-To: headers, and set it to 0.001 or make it a meta rule that could
>> be used in conjunction with others?
>>
>> Would this plugin suffice?
>>
>> http://wiki.apache.org/spamassassin/FromNotReplyTo
>>
>> Regards,
>> Lawrence
>
> I use this plugin for precisely that.  We have modified the plugin to
> match particular addresses in order to score highly for phishing and
> whatnot.
>
> Chris


I've gotten it working here and it seems to do exactly what I want. 
Compare the 2 e-mail addresses only, and ignore the extra crap like the 
name and such.


I've set it to score 0.001 and used it as part of a few meta rules to 
help out with some spam.


Re: comparing From and Reply-To:

2010-11-03 Thread Bernd Petrovitsch
On Tue, 2010-11-02 at 18:31 -0230, Lawrence @ Rogers wrote: 
> As a sort of follow up to my last message, I was wondering how 
> complicated it is to write a rule that would compare the From: and 
> Reply-To: headers, and set it to 0.001 or make it a meta rule that could 
> be used in conjunction with others?
> 
> Would this plugin suffice?
> 
> http://wiki.apache.org/spamassassin/FromNotReplyTo

It's the only purpose of the Reply-To header to be different from To: -
otherwise it can be omitted anyways.
What did I miss?

Bernd
-- 
Bernd Petrovitsch  Email : be...@petrovitsch.priv.at
 LUGA : http://www.luga.at



Re: comparing From and Reply-To:

2010-11-03 Thread hamann . w
Bernd Petrovitsch wrote:
> It's the only purpose of the Reply-To header to be different from To: -
> otherwise it can be omitted anyways.
> What did I miss?

Hi Bernd, although I have seen scenarios using the feature, they never involved
both addresses as free mail accounts.
So a meta combined with freemail rules would do a great job

Wolfgang


Re: comparing From and Reply-To:

2010-11-03 Thread Jason Bertoch

On 2010/11/03 8:05 AM, haman...@t-online.de wrote:

> Bernd Petrovitsch wrote:
>> It's the only purpose of the Reply-To header to be different from To: -
>> otherwise it can be omitted anyways.
>> What did I miss?
>
> Hi Bernd, although I have seen scenarios using the feature, they never involved
> both addresses as free mail accounts.
> So a meta combined with freemail rules would do a great job



I think his point was more along the lines of skipping the test for 
difference, and just test for presence of Reply-To, because they are 
unlikely to ever be the same.


--
/Jason





Re: comparing From and Reply-To:

2010-11-05 Thread Matus UHLAR - fantomas
> On Tue, 2010-11-02 at 18:31 -0230, Lawrence @ Rogers wrote: 
> > As a sort of follow up to my last message, I was wondering how 
> > complicated it is to write a rule that would compare the From: and 
> > Reply-To: headers, and set it to 0.001 or make it a meta rule that could 
> > be used in conjunction with others?
> > 
> > Would this plugin suffice?
> > 
> > http://wiki.apache.org/spamassassin/FromNotReplyTo

On 03.11.10 10:13, Bernd Petrovitsch wrote:
> It's the only purpose of the Reply-To header to be different from To: -
> otherwise it can be omitted anyways.

100% correct

> What did I miss?

The fact is that many spams (and phishes) we receive contain Reply-To
directed at different (mostly freemail) addresses. 

So, it can be useful to use it in metas...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


[Offtopic] List From and Reply-To

2018-05-30 Thread Palvelin Postmaster
Why does this list apparently use the original From header of the poster’s 
message and doesn't set a Reply-To header at all?

Hitting reply sends the response to poster directly and DMARC failures occur 
when posting to list. Not very elegant.

Re: List From and Reply-To

2018-05-30 Thread Ian Zimmerman
On 2018-05-30 15:49, Palvelin Postmaster wrote:

> Why does this list apparently use the original From header of the
> poster’s message and doesn't set a Reply-To header at all?

Because that is the only right way.

A list manager has no business modifying the contents of posted
messages.  It should be satisfied with the humble role of forwarding
them to subscribers (simplifying, but only slightly so).

If you want to reply to the list, use the appropriate UI in your
client.  For example, in mutt I hit 'L' to send this post.

Hope this helps :-P

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.


Fwd: List From and Reply-To

2018-05-31 Thread Palvelin Postmaster

> Begin forwarded message:
> 
> From: Ian Zimmerman 
> Subject: Re: List From and Reply-To
> Date: 31 May 2018 at 8:24:11 EEST
> To: users@spamassassin.apache.org
> Reply-To: users@spamassassin.apache.org
> 
> On 2018-05-30 15:49, Palvelin Postmaster wrote:
> 
>> Why does this list apparently use the original From header of the
>> poster’s message and doesn't set a Reply-To header at all?
> 
> Because that is the only right way.
> 
> A list manager has no business modifying the contents of posted
> messages.  It should be satisfied with the humble role of forwarding
> them to subscribers (simplifying, but only slightly so).
> 
> If you want to reply to the list, use the appropriate UI in your
> client.  For example, in mutt I hit 'L' to send this post.


Are you and Bill Cole doing something different from other list members because 
your emails appear to have a Reply-To header?


--
Palvelin.fi Hostmaster
postmas...@palvelin.fi


Re: List From and Reply-To

2018-05-31 Thread Palvelin Postmaster



> On 31 May 2018, at 16:46, Reindl Harald  wrote:
> 
> On 31.05.2018 at 12:16, Palvelin Postmaster wrote:
>>> Begin forwarded message:
>>> 
>>> From: Ian Zimmerman <i...@very.loosely.org>
>>> Subject: Re: List From and Reply-To
>>> Date: 31 May 2018 at 8:24:11 EEST
>>> To: users@spamassassin.apache.org
>>> Reply-To: users@spamassassin.apache.org
>>> 
>>> On 2018-05-30 15:49, Palvelin Postmaster wrote:
>>> 
>>>> Why does this list apparently use the original From header of the
>>>> poster’s message and doesn't set a Reply-To header at all?
>>> 
>>> Because that is the only right way.
>>> 
>>> A list manager has no business modifying the contents of posted
>>> messages.  It should be satisfied with the humble role of forwarding
>>> them to subscribers (simplifying, but only slightly so).
>>> 
>>> If you want to reply to the list, use the appropriate UI in your
>>> client.  For example, in mutt I hit 'L' to send this post.
>> 
>> Are you and Bill Cole doing something different from other list members
>> because your emails appear to have a Reply-To header?
> 
> IT IS THE DECISION OF THE SENDER TO ADD A REPLY-TO-HEADER
> 
> hence your wish that the list-server should mangle mails is a broken idea

No need to shout. That point was already loud and clear from earlier posts. I 
was merely curious as to why some have a header and some don’t.

My vote goes to enabling most popular mail clients to reply to the list 
(instead of the poster) with a simple reply. I subscribe to many which do. UX 
ftw! Evidence seems to point out I’m alone with my opinion in this list and I 
can certainly live with that. :)


--
Palvelin.fi Hostmaster
postmas...@palvelin.fi



Re: List From and Reply-To

2018-05-31 Thread Ian Zimmerman
On 2018-05-31 12:25, Antony Stone wrote:

> Anyone is free to set a Reply-To header in the emails they send.  This
> will be preserved by the list server.
> 
> I believe both Ian and Bill are doing this, yes.

Correct.  But Reply-To doesn't mean "follow up with list posts to this
address"; it means "I don't want private replies on this list, ever".
The relevant header for normal list follow-ups is List-Post.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.


Re: List From and Reply-To

2018-05-31 Thread Rupert Gallagher
Beware of the GDPR. If a current or former subscriber wants their address 
deleted, you are in hell. The mailing-list server can cleanup before itself 
with a reply-to the list only, and obfuscating the addresses, and deleting 
people's own banners and signatures.

Sent from ProtonMail Mobile

On Thu, May 31, 2018 at 17:23, Ian Zimmerman  wrote:

> On 2018-05-31 12:25, Antony Stone wrote:
> > Anyone is free to set a Reply-To header in the emails they send. This
> > will be preserved by the list server.
> >
> > I believe both Ian and Bill are doing this, yes.
>
> Correct. But Reply-To doesn't mean "follow up with list posts to this
> address"; it means "I don't want private replies on this list, ever".
> The relevant header for normal list follow-ups is List-Post.
>
> --
> Please don't Cc: me privately on mailing lists and Usenet,
> if you also post the followup to the list or newsgroup.
> To reply privately _only_ on Usenet and on broken lists
> which rewrite From, fetch the TXT record for no-use.mooo.com.

Re: List From and Reply-To

2018-05-31 Thread Antony Stone
On Thursday 31 May 2018 at 17:35:11, Rupert Gallagher wrote:

> Beware of the GDPR. If a current or former subscriber wants their address
> deleted, you are in hell. The mailing-list server can cleanup before
> itself with a reply-to the list only, and obfuscating the addresses, and
> deleting people's own banners and signatures.

In my opinion this is just one example of why parts of the GDPR are ridiculous 
and were clearly not thought through before coming into legislation.

PS: I notice you choose to take the opposite approach with your own Reply-To 
header, deliberately making it more difficult for people to reply to the list :)


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it means it doesn't work.

       Please reply to the list;
 please *don't* CC me.


Re: List From and Reply-To

2018-05-31 Thread John Hardin

On Thu, 31 May 2018, Antony Stone wrote:

> On Thursday 31 May 2018 at 17:35:11, Rupert Gallagher wrote:
>
>> Beware of the GDPR. If a current or former subscriber wants their address
>> deleted, you are in hell. The mailing-list server can cleanup before
>> itself with a reply-to the list only, and obfuscating the addresses, and
>> deleting people's own banners and signatures.
>
> In my opinion this is just one example of why parts of the GDPR are ridiculous
> and were clearly not thought through before coming into legislation.


Engaging in wishful thinking while drafting laws is an all-too-common 
failing.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 6 days until the 74th anniversary of D-Day


Re: List From and Reply-To

2018-05-31 Thread Rupert Gallagher
On Thu, May 31, 2018 at 17:39, Antony Stone 
 wrote:

>PS: I notice you choose to take the opposite approach with your own Reply-To 
>header, deliberately making it more difficult for people to reply to the list 
>:)

I just use the official ios client, where such regulations are not possible. 
This is an example of default client settings that may put you in trouble, and 
the usefulness of server-side enforced policy. Servers can automatically do 
things to keep both owners and clients on the safe side of the law. We shall 
not make the mistake of ignoring the GDPR:  many sites are going down as we 
speak.

Re: List From and Reply-To

2018-05-31 Thread @lbutlr
On 30 May 2018, at 08:25, Bill Cole  
wrote:
> I can't speak to it as a MUA for mailing lists.

It is, as it always has been and by design, a very bad mail client for mailing 
lists.

(I use Apple Mail. But I use procmail to fix some of its stupidity, which is 
why this message goes to the list by default)

-- 
TYPOS AR EHT FAULT OF GIN



Re: List From and Reply-To

2018-06-01 Thread Matus UHLAR - fantomas

> On Thu, May 31, 2018 at 17:39, Antony Stone wrote:
>> PS: I notice you choose to take the opposite approach with your own
>> Reply-To header, deliberately making it more difficult for people to
>> reply to the list :)

On 31.05.18 17:00, Rupert Gallagher wrote:
> I just use the official ios client, where such regulations are not
> possible.

what has Reply-To: in common with regulations?

> This is an example of default client settings that may put you
> in trouble, and the usefulness of server-side enforced policy.

I see different problem with proposed approach:

Removing or changing Reply-To (or other DKIM-signed header) requires
removing DKIM signature.  That may require changing From: address (if DKIM
policy indicates sender signing all mail), which means that your mail is
taken, modified and re-sent, "signed" as someone else.

If we take your mail as your artwork, this could get us in trouble :-)

> Servers can automatically do things to keep both owners and clients on
> the safe side of the law.  We shall not make the mistake of ignoring the
> GDPR: many sites are going down as we speak.

I agree that GDPR apparently needs some polishing (or lawyer recommendation)
but I don't like doing it this way
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: List From and Reply-To

2018-06-01 Thread @lbutlr
On 30 May 2018, at 15:34, Luis E. Muñoz  wrote:
> To further the point, one of the mailboxes I manage on this box has 95K+ 
> messages. Apple Mail would choke to dead on this one.

Not at all. I have folders in mail.app with more than twice that number of 
messages.

-- 
"Two years from now, spam will be solved," -- Bill Gates, January, 2004



Re: List From and Reply-To

2018-06-01 Thread Rupert Gallagher
I lost track of your reasoning. Let us start again. From the standpoint of the 
GDPR, there is you, me, and someone in between who is responsible for our 
personal data. In fact, if you send to users@spamassassin.apache.org, I receive 
a copy of it *because* apache.org used our addresses. Ok we both subscribed to 
the list, but the GDPR gives us the right to be forgotten, for example. Now 
suppose you unsubscribe. You find out that your e-mails are archived on various 
sites other than SA. You send an e-mail to SA's or Apache's postmaster exerting 
your rights and demanding your shit to be deleted. According to the GDPR, 
Apache *must* comply *and* it must forward the demand to all of the third party 
archives. And it must do so quietly, that is, not publishing your demand on the 
internet. A lawyer's matter? Well, the law is on the table, and one must execute 
it. Now, what I said is, to prevent this mess, the mailing list could clean up 
before itself by simply (relatively) obfuscating the addresses and removing any 
banner signature that hold personal data (full address and such). Am I making 
sense now?

Re: List From and Reply-To

2018-06-01 Thread Anthony Cartmell
> Ok we both subscribed to the list, but
> the GDPR gives us the right to be forgotten, for example. Now suppose
> you unsubscribe. You find out that your e-mails are archived on various
> sites other than SA. You send an e-mail to SA's or Apache's postmaster
> exerting your rights and demanding your shit to be deleted. According to
> the GDPR, Apache *must* comply *and* it must forward the demand to all
> of the third party archives.

Nope. The right to be forgotten does not supersede every other interest,
and there are situations where personal data does *not* need to be deleted:

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/dealing-citizens/do-we-always-have-delete-personal-data-if-person-asks_en

Anthony
-- 
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex,
BN11 1QR


Re: List From and Reply-To

2018-06-01 Thread Rupert Gallagher
In the example at hand, the article you linked to does not grant to Apache the 
right to oppose to your right to oblivion.

Sent from ProtonMail Mobile

On Fri, Jun 1, 2018 at 14:45, Anthony Cartmell  wrote:

> > Ok we both subscribed to the list, but
> > the GDPR gives us the right to be forgotten, for example. Now suppose
> > you unsubscribe. You find out that your e-mails are archived on various
> > sites other than SA. You send an e-mail to SA's or Apache's postmaster
> > exerting your rights and demanding your shit to be deleted. According to
> > the GDPR, Apache *must* comply *and* it must forward the demand to all
> > of the third party archives.
>
> Nope. The right to be forgotten does not supersede every other interest,
> and there are situations where personal data does *not* need to be deleted:
>
> https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/dealing-citizens/do-we-always-have-delete-personal-data-if-person-asks_en
>
> Anthony
> --
> www.fonant.com - Quality web sites
> Tel. 01903 867 810
> Fonant Ltd is registered in England and Wales, company No. 7006596
> Registered office: Amelia House, Crescent Road, Worthing, West Sussex,
> BN11 1QR

Re: List From and Reply-To

2018-06-01 Thread Luis E. Muñoz

On 1 Jun 2018, at 5:12, @lbutlr wrote:

> On 30 May 2018, at 15:34, Luis E. Muñoz wrote:
>> To further the point, one of the mailboxes I manage on this box has
>> 95K+ messages. Apple Mail would choke to dead on this one.
>
> Not at all. I have folders in mail.app with more than twice that
> number of messages.

Perhaps you were lucky. Those "chokes" were my main reason to move to 
MailMate. YMWV I suppose.


Best regards

-lem


Catch subtly-different Reply-To domain

2021-02-19 Thread Dominic Raferd
Is there a rule to catch cases where the domain of the Reply-To header 
is a subtle variant on that in the To header. Take this (real) example 
from a phishing email sent yesterday:


From: "Karen Howard" 
Reply-To: "Karen Howard" 

I realise that other elements of the address can be different without 
being a reliable spam indicator but I think that interfacefm.com -> 
intrefacefm.com are so similar and yet different that they should be 
worth a few points. But I can't think how to write such a rule myself.
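
One way to score the near-miss described in the post above, as an added example (not code from the thread or from SpamAssassin): it compares the From and Reply-To domains with an edit distance that counts a swap of two adjacent letters as a single edit. The archive stripped the addresses from the post, so the mailbox local parts in the sample are constructed, and treating interfacefm.com as the From domain is an assumption.

```python
"""Added example: flag a Reply-To domain that is a near-miss of the From domain."""
from email import message_from_string
from email.utils import getaddresses


def osa_distance(a, b):
    """Optimal string alignment distance: an insert, delete, substitute or
    swap of two adjacent characters each costs 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # delete
                          d[i][j - 1] + 1,         # insert
                          d[i - 1][j - 1] + cost)  # substitute
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[rows - 1][cols - 1]


def header_domains(msg, name):
    """Lower-cased domains of every address found in the named header."""
    domains = set()
    for _display, addr in getaddresses(msg.get_all(name, [])):
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def lookalike_reply_to(raw_message, max_distance=2):
    """Return (from_domain, reply_to_domain, distance) for every pair that
    differs, but by no more than max_distance edits."""
    msg = message_from_string(raw_message)
    hits = []
    for from_dom in header_domains(msg, "From"):
        for reply_dom in header_domains(msg, "Reply-To"):
            dist = osa_distance(from_dom, reply_dom)
            if 0 < dist <= max_distance:
                hits.append((from_dom, reply_dom, dist))
    return sorted(hits)


# Constructed sample: only the two domains come from the post.
SAMPLE = (
    'From: "Karen Howard" <karen.howard@interfacefm.com>\n'
    'Reply-To: "Karen Howard" <karen.howard@intrefacefm.com>\n'
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for from_dom, reply_dom, dist in lookalike_reply_to(SAMPLE):
        print(f"Reply-To domain {reply_dom} is {dist} edit(s) from {from_dom}")
```

Very short domains sit within one or two edits of many unrelated names, so a result like this is better used as a few points of score than as a reject condition.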




sa-learn with modified reply-to address

2006-10-12 Thread bruno . delladucata

Hello All

I would change or add the reply-to address
to "[EMAIL PROTECTED]" of each message before learning.
This to prevent failures or mistakes
while sending messages to the sa-host.

Can someone tell me if this method is
suitable for the bayes database?

Thanks in advance
Bruno

Re: [OT] Reply All vs. Reply-To

2008-10-20 Thread Rubin Bennett
On Mon, 2008-10-20 at 09:53 -0700, John Hardin wrote:
> On Sun, 19 Oct 2008, Michelle Konzack wrote:
> 
> > On 2008-10-16 17:07:26, Benny Pedersen wrote:
> >>
> >> On Thu, October 16, 2008 11:16, Justin Mason wrote:
> >>> +1.  This is not a useful topic for this forum.  Please drop it.
> >>
> >> drop sending cc when you also post on maillist
> >
> > FullACK!
> 
> Michelle, Benny, et. al., why do you seek to shift your burden onto the 
> rest of us?

And for the love of all that is good, could we please stop rehashing
this subject over and over and over again?  For those of you who don't
like it when folks forget to override "Reply All", we hear you.  The
list admins have understandably not reconfigured the list to please you.

Accept this and move on, or by all means unsubscribe so we don't have to
read your rants and whining anymore.

This is supposed to be the SpamAssassin Users mailing list, not the "why
I don't like it when people Reply All to me".

Rubin
-- 
Rubin Bennett
rbTechnologies, LLC
80 Carleton Boulevard
East Montpelier VT 05651

http://thatitguy.com
(802)223-4448

Think for yourselves and let others enjoy the privilege to do so, too.
~Voltaire



Re: [OT] Reply All vs. Reply-To

2008-10-20 Thread Bernd Petrovitsch
On Mon, 2008-10-20 at 09:53 -0700, John Hardin wrote:
> On Sun, 19 Oct 2008, Michelle Konzack wrote:
> 
> > On 2008-10-16 17:07:26, Benny Pedersen wrote:
> >>
> >> On Thu, October 16, 2008 11:16, Justin Mason wrote:
> >>> +1.  This is not a useful topic for this forum.  Please drop it.
> >>
> >> drop sending cc when you also post on maillist
> >
> > FullACK!

+1.

> Michelle, Benny, et. al., why do you seek to shift your burden onto the 
> rest of us?

Because *you* send your mails that way out.

[]
> If I want the rest of the list to also see the reply - which is the most 
> common case - I have to either manually add the list address to the 
> message recipients, or hit "reply all" instead. For me the latter is 
> simpler, and has become habit. I'm sure many if not most others are the 
> same way.

You could use a (sane) MUA which supports "List-reply" and be done.
So why do you shift your burden to me?

Bernd
-- 
Firmix Software GmbH   http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
  Embedded Linux Development and Services



Re: [OT] Reply All vs. Reply-To

2008-10-27 Thread Michelle Konzack
On 2008-10-20 09:53:10, John Hardin wrote:
> Michelle, Benny, et. al., why do you seek to shift your burden onto the 
> rest of us?
> 
> When I hit "reply" on a message from the SA list, the only recipient is 
> the original sender. The list is configured this way and the SA list 
> admins may have reasons for doing so. The list admin contact address is 
> the place to lodge a complaint about this behavior.

False, since the List IS correctly configured. Sometimes it is required
to send PMs for which is the .  I always send messages to the
list using  and since this is a technical mailing list and
NOT a "dummy" user forum, list members should use appropriate MUAs which
support it.

Also there is a header called "Mail-Followup-To:" which works wonders...

If you want to get PMs too, set it to:

  Mail-Followup-To: [EMAIL PROTECTED], users@spamassassin.apache.org

> If I want the rest of the list to also see the reply - which is the most 
> common case - I have to either manually add the list address to the 
> message recipients, or hit "reply all" instead. For me the latter is 
> simpler, and has become habit. I'm sure many if not most others are the 
> same way.

Sorry, but currently I am DoS'ed by nearly 200.000 backscatters and
around 2 GByte in my main E-Mail I use here to post and I had to SPAM
all of my customers to send Mails currently only to a "hidden" E-Mail.

Currently I am very angry, since I am working mobile and over GSM/GPRS
and filling up my personal account with useless messages which force
me to download the messages twice...

Note: My SIM is currently blocked by my GSM Provider Bouygues Telecom
  because the backscatter shit has produced an invoice of over
  3000 Euro while I was in hospital and I can no longer read my
   account...

> Avoiding also directly CCing the original sender (i.e. you) first requires 
> that I remember that someone on the current thread doesn't want a direct 
> copy, and then requires I break my train of thought in composing the reply 
> to go edit the recipient list before hitting "send". I apologize most 
> abjectly, but I often fail to do both. Again, I'm sure many if not most 
> others are the same way.

Forcing me to set "Reply-To:" on all mailing lists I am on means that I
have to create 168 extra send-hooks in mutt...

If I start mutt from my Nokia, it already takes 30 seconds to start up
because of heavy configuration, but forcing users to do things because a
handful of people do not want to use reliable software/MUAs is more than
annoying.

> There is another solution that does not require you depend on the memory 
> and courtesy of the other list members: before posting a message to the SA 
> list, set your Reply-To: header to the SA list address. That way any 
> well-behaved mail client when told to "reply all" will not directly send 
> you a copy. This has been discussed at length before.

Since I get "legitimate" PMs on my mailing list messages, those people
then always have to remember that the mail goes to the list, and if they
forget to change it, they send my business messages to the list, which I
do not like...

This problem was already mentioned by someone...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Matus UHLAR - fantomas

On 30.05.18 15:49, Palvelin Postmaster wrote:
> Why does this list apparently use the original From header of the poster’s
> message and doesn't set a Reply-To header at all?

because it's the standard behaviour.

> Hitting reply sends the response to poster directly

get a mail client that supports mailing lists. Mozilla should do.
This mailing list sets headers required for list handling:

List-Post: <mailto:users@spamassassin.apache.org>

note that
1. there are cases when you want to reply personally
2. Reply-To: is supposed to be set by sending user, not someone in between.

> and DMARC failures occur when posting to list.

where did you get this feeling?

Those would happen if the list changed the original (or any DKIM-signed)
header, or set envelope sender to the original poster.

Neither does happen.
At least not unless someone configures outgoing MTA to DKIM-sign headers
that may change on the way (e.g. Received:)



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot. 


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Alex Woick

Palvelin Postmaster wrote on 30.05.2018 at 14:49:
> Why does this list apparently use the original From header of the poster’s
> message and doesn't set a Reply-To header at all?
>
> Hitting reply sends the response to poster directly and DMARC failures occur
> when posting to list. Not very elegant.

I use Thunderbird, and for postings on this list, a "Reply list" button 
appears in addition to the usual reply button. So I can reply to the 
list only, to the list and cc to the poster, or to the poster only. 
Messages also appear on this list without DMARC failures, because they 
get mailfrom envelope address from the mailinglist software. It's all fine.




Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Palvelin Postmaster



> On 30 May 2018, at 16:06, Matus UHLAR - fantomas  wrote:
> 
> On 30.05.18 15:49, Palvelin Postmaster wrote:
> 
>> Hitting reply sends the response to poster directly 
> 
> get a mail client that supports mailing lists. Mozilla should do. 

I see, the 'Mozilla or stfu' policy ;D


>> and DMARC failures occur when posting to list.
> 
> where did you get this feeling?

I get these:

Authentication-Results: mailchk-m06.uwaterloo.ca;
dkim=fail reason="signature verification failed" (1024-bit key) 
header.d=palvelin.fi header.i=@palvelin.fi header.b="jkScMTCb"
Received: from mx-104.cs.uwaterloo.ca (localhost [127.0.0.1])
by mx-104.cs.uwaterloo.ca (8.15.2/8.15.2/Debian-3) with ESMTPS id 
w4UCfMd0017123
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
for ; Wed, 30 May 2018 08:41:23 -0400
Received: (from arpepper@localhost)
by mx-104.cs.uwaterloo.ca (8.15.2/8.15.2/Submit) id w4UCfMdf017105
for arpep...@connect.uwaterloo.ca; Wed, 30 May 2018 08:41:22 -0400
X-Authentication-Warning: mx-104.cs.uwaterloo.ca: arpepper set sender to 
users-return-118335-arpepper=uwaterloo...@spamassassin.apache.org using -f
Received: from mailchk-m06.uwaterloo.ca (mailchk-m06.uwaterloo.ca 
[129.97.128.242])
by mx-104.cs.uwaterloo.ca (8.15.2/8.15.2/Debian-3) with ESMTPS id 
w4UCfKNh017011
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
for ; Wed, 30 May 2018 08:41:20 -0400
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by mailchk-m06.uwaterloo.ca (8.14.7/8.14.7) with SMTP id w4UCfELi016200
for ; Wed, 30 May 2018 08:41:17 -0400
DMARC-Filter: OpenDMARC Filter v1.3.2 mailchk-m06.uwaterloo.ca w4UCfELi016200
Authentication-Results: mailchk-m06/w4UCfELi016200; dmarc=fail (p=reject 
dis=none) header.from=palvelin.fi
Authentication-Results: mailchk-m06; spf=pass 
smtp.mailfrom=users-return-118335-arpepper=uwaterloo...@spamassassin.apache.org
DKIM-Filter: OpenDKIM Filter v2.11.0 mailchk-m06.uwaterloo.ca w4UCfELi016200
Received: (qmail 35995 invoked by uid 500); 30 May 2018 12:41:13 -
Mailing-List: contact users-h...@spamassassin.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:users-h...@spamassassin.apache.org>
list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>
List-Post: <mailto:users@spamassassin.apache.org>
List-Id: 
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 35985 invoked by uid 99); 30 May 2018 12:41:12 -
Received: from pnap-us-west-generic-nat.apache.org (HELO 
spamd2-us-west.apache.org) (209.188.14.142)
  by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 30 May 2018 12:41:12 +
Received: from localhost (localhost [127.0.0.1])
by spamd2-us-west.apache.org (ASF Mail Server at 
spamd2-us-west.apache.org) with ESMTP id 949B31A3964
for ; Wed, 30 May 2018 12:41:12 + 
(UTC)
X-Virus-Scanned: clamav-milter 0.99.3 at mailchk-m06
Authentication-Results: spamd2-us-west.apache.org (amavisd-new);
dkim=pass (1024-bit key) header.d=palvelin.fi
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 
10024)
with ESMTP id JzvfQbYYETXI for ;
Wed, 30 May 2018 12:41:10 + (UTC)
Received: from palvelin.fi (posti.palvelin.fi [83.150.109.27])
by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with 
ESMTPS id AC16F5F41C
for ; Wed, 30 May 2018 12:41:09 + 
(UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=palvelin.fi; h=from
:content-type:content-transfer-encoding:mime-version:subject
:date:references:to:in-reply-to:message-id; s=posti; bh=qrKsgf7y
rsJ0+f0QDK4L7U+3vAjhqmb1yo8CjtAWnnc=; b=jkScMTCbksH9eVaBvuIGeTUw
sqmCcW4bY65Og4aOUpTqw9jH2PSgGhsxKf9Vkq0VV0kscmiOtVCAKWDajEWUjFhL
Xf+R+qMkCtJaySGpkIQf4Q1cMP7pEG0+KX58D3tlzOAAua+cJhX70Wg7IwBaqQcq
IZNRZRnEAjYZx+cIBE4=
Received: from [188.238.10.162] (account postmas...@palvelin.fi HELO 
dhcp76.vallden.com)
by palvelin.fi (CommuniGate Pro SMTP 6.2.4)
with ESMTPSA id 10162425 for users@spamassassin.apache.org; Wed, 30 May 2018 
15:41:08 +0300
From: Palvelin Postmaster 
Content-Type: text/plain;
charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Subject: Re: rewrite_header Subject and Bayes
Date: Wed, 30 May 2018 15:41:07 +0300
References: <257e510f-ab68-4e22-8a6b-552f59af3...@palvelin.fi>
<20180530122146.gb24...@fantomas.sk>
To: users@spamassassin.apache.org
In-Reply-To: <20180530122146.gb24...@fantomas.sk>
Message-Id: 


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Antony Stone
On Wednesday 30 May 2018 at 15:33:13, Palvelin Postmaster wrote:

> > On 30 May 2018, at 16:06, Matus UHLAR - fantomas 
> > wrote:
> > 
> > On 30.05.18 15:49, Palvelin Postmaster wrote:
> >> Hitting reply sends the response to poster directly
> > 
> > get a mail client that supports mailing lists. Mozilla should do.
> 
> I see, the 'Mozilla or stfu' policy ;D

No, Mozilla was just one example; there are many.

I, for example, use KMail, and in the headers of your original posting in the 
thread I see:

From: Palvelin Postmaster 
List-Post: <mailto:users@spamassassin.apache.org>

There is no Reply-To header.

When I click on "Reply" my MUA automatically offers me 
users@spamassassin.apache.org


Regards,


Antony.

-- 
Police have found a cartoonist dead in his house.  They say that details are 
currently sketchy.

   Please reply to the list;
 please *don't* CC me.


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Palvelin Postmaster



> On 30 May 2018, at 16:48, Antony Stone 
>  wrote:
> 
> On Wednesday 30 May 2018 at 15:33:13, Palvelin Postmaster wrote:
> 
>>> On 30 May 2018, at 16:06, Matus UHLAR - fantomas 
>>> wrote:
>>> 
>>> On 30.05.18 15:49, Palvelin Postmaster wrote:
>>>> Hitting reply sends the response to poster directly
>>> 
>>> get a mail client that supports mailing lists. Mozilla should do.
>> 
>> I see, the 'Mozilla or stfu' policy ;D
> 
> No, Mozilla was just one example; there are many.
> 
> I, for example, use KMail

My Apple Mail/iPhone/iPad clients don’t. They all appear to be among Top 10 
email clients (https://emailclientmarketshare.com).

I wonder if Gmail, Outlook variants and the Android mail clients do?


--
Palvelin.fi Hostmaster
postmas...@palvelin.fi



Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Bill Cole

On 30 May 2018, at 10:00, Palvelin Postmaster wrote:

>> On 30 May 2018, at 16:48, Antony Stone wrote:
>>
>> On Wednesday 30 May 2018 at 15:33:13, Palvelin Postmaster wrote:
>>
>>>> On 30 May 2018, at 16:06, Matus UHLAR - fantomas wrote:
>>>>
>>>> On 30.05.18 15:49, Palvelin Postmaster wrote:
>>>>> Hitting reply sends the response to poster directly
>>>>
>>>> get a mail client that supports mailing lists. Mozilla should do.
>>>
>>> I see, the 'Mozilla or stfu' policy ;D
>>
>> No, Mozilla was just one example; there are many.
>>
>> I, for example, use KMail
>
> My Apple Mail/iPhone/iPad clients don’t. They all appear to be among
> Top 10 email clients (https://emailclientmarketshare.com).

Which is unfortunate, because Apple Mail generally sucks. It seems to 
have been put under the control of people who think Outlook 2003 was the 
pinnacle of email clients. For MacOS, there are far better alternatives 
that include Mozilla and MailMate. For iOS not so much, sadly.

Any mail client that does not have an easy way to view messages in raw 
RFC5322, to create messages that follow RFC3676, and to set Reply-To and 
From headers arbitrarily is unfit for use in the modern world no matter 
how many people use it because switching is hard.

> I wonder if Gmail, Outlook variants and the Android mail clients do?

K9Mail for Android did, when last I used Android (many years ago.) 
Modern Outlook on Windows does (or did, as of 2010.) I don't think I've 
ever used the GMail web interface for anything beyond testing the GMail 
web interface, so I can't speak to it as a MUA for mailing lists.


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Bill Cole

On 30 May 2018, at 8:49, Palvelin Postmaster wrote:

> Why does this list apparently use the original From header of the
> poster’s message and doesn't set a Reply-To header at all?


1. Traditional standard practice. Doing otherwise in either case would 
offend more people than sticking with the hands-off approach.


2. Inertia. For whatever reason, the choice was made in the misty past 
to use qmail & ezmlm for Apache lists. These are de facto orphanware 
programs that have licensing hostile to anyone seeking to adopt them. 
Backporting features into old software takes work and testing, and no 
one has seen it as worthwhile to do so for any DJB-ware as far as I 
know.



> Hitting reply sends the response to poster directly and DMARC failures
> occur when posting to list. Not very elegant.


Really? Not that I see:


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=palvelin.fi; h=from
:content-type:content-transfer-encoding:mime-version:subject
:message-id:date:to; s=posti; bh=nJX2juVBl5ckhxk/l1RP4IpkEFGPHhZ
EKwAofBCnE/g=; b=BrKOw1EEdgBfVBxvpDLldyNXc5o2Cv0v6tIpSgK9roKd/4q
cNQRljKNvc4PjZ94h7gbVFc3G0NzYs2vRMMywxAkMKUcBOhcZBRTb7S10qsWntPA
vaLimWqfYph7zPrICAcFC92IwTv1JO2oRdIw9e11QOT0iB5mgKJLZ65DVjSQ=
Received: from [188.238.10.162] (account postmas...@palvelin.fi HELO 
dhcp76.vallden.com)

  by palvelin.fi (CommuniGate Pro SMTP 6.2.4)
  with ESMTPSA id 10162444 for users@spamassassin.apache.org; Wed, 30 
May 2018 15:49:40 +0300

From: Palvelin Postmaster 
Content-Type: text/plain;
charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Subject: [Offtopic] List From and Reply-To
Message-Id: <0e34bd1b-73e5-4d31-83e4-124cfd99f...@palvelin.fi>
Date: Wed, 30 May 2018 15:49:38 +0300
To: users@spamassassin.apache.org
X-Mailer: Apple Mail (2.3445.6.18)
X-Spam-Source: 140.211.0.0/16 on AS3701 via ** FI FI in en
X-Spam-Hops: Trusted_** **FI FIFI X-Spam-Score: -22.21 () 
AWL,BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SCC_DEBUG,SCC_DEBUG_RAW_LINE,SCC_DEBUG_WL,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_SPF_WL,USER_IN_SPF_WHITELIST,USER_IN_WHITELIST_TO


Note that changing the From header would break all DKIM signatures and 
forcing a Reply-To would break many.


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Bill Cole

On 30 May 2018, at 10:25, Bill Cole wrote:

> On 30 May 2018, at 10:00, Palvelin Postmaster wrote:
>
>>> On 30 May 2018, at 16:48, Antony Stone wrote:
>>>
>>> On Wednesday 30 May 2018 at 15:33:13, Palvelin Postmaster wrote:
>>>
>>>>> On 30 May 2018, at 16:06, Matus UHLAR - fantomas wrote:
>>>>>
>>>>> On 30.05.18 15:49, Palvelin Postmaster wrote:
>>>>>> Hitting reply sends the response to poster directly
>>>>>
>>>>> get a mail client that supports mailing lists. Mozilla should do.
>>>>
>>>> I see, the 'Mozilla or stfu' policy ;D
>>>
>>> No, Mozilla was just one example; there are many.

Grumble. Not enough coffee.

Make that "Thunderbird (the Mozilla MUA)" rather than "Mozilla."


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Grant Taylor

On 05/30/2018 08:43 AM, Bill Cole wrote:
> Note that changing the From header would break all DKIM signatures and
> forcing a Reply-To would break many.

That's where validating & stripping DKIM signatures as the message enters 
the list comes into play.  Preferably followed up with DKIM signing as 
messages exit the list.


Now to see what sort of DMARC notifications (if any) I get for this reply.



--
Grant. . . .
unix || die





Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Grant Taylor

On 05/30/2018 09:34 AM, Grant Taylor wrote:
> Now to see what sort of DMARC notifications (if any) I get for this reply.

I have received four DMARC auth-failure notifications (thus far) in 
response to my message to the SpamAssassin Users mailing list.

It looks like the reports are indicating that they consider the message 
to have failed DMARC alignment tests because the From: header had my 
domain name in a message that did not originate from my servers.


Independent SPF and DKIM tests did pass.  The failure seems to be a 
result of how DMARC amalgamates the two with published policies.




--
Grant. . . .
unix || die





Re: [Offtopic] List From and Reply-To

2018-05-30 Thread RW
On Wed, 30 May 2018 11:45:12 -0600
Grant Taylor wrote:

> On 05/30/2018 09:34 AM, Grant Taylor wrote:
> > Now to see what sort of DMARC notifications (if any) I get for this
> > reply.  
> 
> I have received four DMARC auth-failure notifications (thus far) in 
> response to my message to the SpamAssassin Users mailing list.
> 
> It looks like the reports are indicating that they consider the
> message to have failed DMARC alignment tests because the From: header
> had my domain name in a message that did not originate from my servers.
> 
> Independent SPF and DKIM tests did pass.  The failure seems to be a 
> result of how DMARC amalgamates the two with published policies.

SPF passes on the rewritten envelope address, so it's not aligned and
it's just a matter of whether there's an aligned dkim pass.

It passes dmarc at gmail, so presumably the problem is with the service
that sent the notices.

The important thing is to not sign the list* headers in dkim.
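
The alignment rule discussed in the messages above, as an added example that is not part of the original thread: it reads Authentication-Results values and applies the DMARC test that at least one passing SPF or DKIM result must be aligned with the From: domain. The header values are constructed, modelled on the ones quoted earlier in the thread (the authserv-id `mx.example` and the envelope local part are placeholders), and the organizational-domain shortcut is an assumption stated in the code.

```python
"""Added example: DMARC alignment from Authentication-Results values."""
import re


def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. A real evaluator
    # uses the Public Suffix List, so this is wrong for names under co.uk etc.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Relaxed mode compares organizational domains, strict mode full names."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


def parse_results(header_value):
    """Yield (method, result, properties) for each result in one header value."""
    for part in header_value.split(";")[1:]:      # element 0 is the authserv-id
        part = re.sub(r"\([^)]*\)", " ", part)    # drop (comments)
        m = re.match(r"\s*([a-z0-9-]+)=([a-z]+)", part, re.I)
        if m:
            props = dict(re.findall(r"\b((?:smtp|header)\.\w+)=(\S+)", part))
            yield m.group(1).lower(), m.group(2).lower(), props


def evaluate_dmarc(from_domain, header_values, strict=False):
    """DMARC passes when a *passing* SPF or DKIM result is also aligned."""
    spf_aligned = dkim_aligned = False
    for value in header_values:
        for method, result, props in parse_results(value):
            if result != "pass":
                continue
            if method == "spf" and "smtp.mailfrom" in props:
                env_domain = props["smtp.mailfrom"].rsplit("@", 1)[-1]
                spf_aligned |= aligned(env_domain, from_domain, strict)
            elif method == "dkim" and "header.d" in props:
                dkim_aligned |= aligned(props["header.d"], from_domain, strict)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


# Constructed header values. The list rewrites the envelope sender, so SPF
# passes for the list's domain, not for the author's domain.
LIST_SPF = ("mx.example; spf=pass "
            "smtp.mailfrom=users-return-1-user=example.net@spamassassin.apache.org")
LIST_DKIM_INTACT = [LIST_SPF,
                    "mx.example; dkim=pass (1024-bit key) header.d=palvelin.fi"]
LIST_DKIM_BROKEN = [LIST_SPF,
                    'mx.example; dkim=fail reason="signature verification failed" '
                    "(1024-bit key) header.d=palvelin.fi header.i=@palvelin.fi"]
DIRECT = ["mx.example; spf=pass smtp.mailfrom=postmaster@palvelin.fi"]

if __name__ == "__main__":
    for label, values in (("list, DKIM intact", LIST_DKIM_INTACT),
                          ("list, DKIM broken", LIST_DKIM_BROKEN),
                          ("direct delivery", DIRECT)):
        print(label, evaluate_dmarc("palvelin.fi", values))
```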


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Charles Sprickman


> On May 30, 2018, at 10:25 AM, Bill Cole 
>  wrote:
> 
> On 30 May 2018, at 10:00, Palvelin Postmaster wrote:
> 
>>> On 30 May 2018, at 16:48, Antony Stone 
>>>  wrote:
>>> 
>>> On Wednesday 30 May 2018 at 15:33:13, Palvelin Postmaster wrote:
>>> 
>>>>> On 30 May 2018, at 16:06, Matus UHLAR - fantomas 
>>>>> wrote:
>>>>> 
>>>>> On 30.05.18 15:49, Palvelin Postmaster wrote:
>>>>>> Hitting reply sends the response to poster directly
>>>>> 
>>>>> get a mail client that supports mailing lists. Mozilla should do.
>>>> 
>>>> I see, the 'Mozilla or stfu' policy ;D
>>> 
>>> No, Mozilla was just one example; there are many.
>>> 
>>> I, for example, use KMail
>> 
>> My Apple Mail/iPhone/iPad clients don’t. They all appear to be among Top 10 
>> email clients (https://emailclientmarketshare.com).
> 
> Which is unfortunate, because Apple Mail generally sucks. It seems to have 
> been put under the control of people who think Outlook 2003 was the pinnacle 
> of email clients. For MacOS, there are far better alternatives that include 
> Mozilla and MailMate. For iOS not so much, sadly.

All email clients “generally suck”.  Thunderbird is not even actively developed 
anymore last I checked, so that’s not really an option.  And if you can imagine 
this, both Thunderbird and MailMate choke on large mailboxes *even more* than 
Mail.app does.

If I had a better option than some old command-line mess, I’d use it.  Every 
3-4 years I go on a hunt for a new Mac mail client and I always come up empty.  
I’ve tried MailMate, Thunderbird, Postbox and just keep coming back to the 
(neglected) Mail.app.  I’m all ears if there’s something out there that can 
deal with 5 or 6 really large accounts well, AND does the right thing with 
mailing lists, I’m all ears.  I’ve not tried Outlook for Mac yet, maybe that’s 
the ticket? :)

Charles

ps - this email I’m replying to has a “Reply-To” header and Mail.app followed 
it.

> 
> Any mail client that does not have an easy way to view messages in raw 
> RFC5322, to create messages that follow RFC3676, and to set Reply-To and From 
> headers arbitrarily is unfit for use in the modern world no matter how many 
> people use it because switching is hard.
> 
>> I wonder if Gmail, Outlook variants and the Android mail clients do?
> 
> K9Mail for Android did, when last I used Android (many years ago.) Modern 
> Outlook on Windows does (or did, as of 2010.) I don't think I've ever used 
> the GMail web interface for anything beyond testing the GMail web interface, 
> so I can't speak to it as a MUA for mailing lists.



Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Grant Taylor

On 05/30/2018 12:08 PM, RW wrote:
> SPF passes on the rewritten envelope address, so it's not aligned and
> it's just a matter of whether there's an aligned dkim pass.

It depends on what the Forensic Report ("fo") option is set to in the 
published DMARC policy.  Domain owners / record publishers can state 
that any failure, including SPF misalignment, will cause a report to be 
sent.

IMHO simply relying on DKIM to validate is insufficient.

Further, it's not unheard of for something else (completely benign) to 
break DKIM (like 8-bit to 7-bit MIME transcoding).

> It passes dmarc at gmail,

I've learned not to use Gmail as a measuring stick for what's good. 
Rather I use Gmail as for the low end, as if it fails Gmail then it's 
really broken.  Gmail has a number of things that are NOT up to a high bar.

> so presumably the problem is with the service that sent the notices.

How is it a misconfiguration / misbehavior of the receiving DMARC filter 
for reporting a misalignment that it detected between the envelope from 
and the From header?

That sounds like "working as (intended|desired|configured)" to me.

> The important thing is to not sign the list* headers in dkim.

I did say that DKIM passed.  Which means that the list-* headers didn't 
cause the failure.




--
Grant. . . .
unix || die





Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Grant Taylor

On 05/30/2018 12:47 PM, Charles Sprickman wrote:
> If I had a better option than some old command-line mess, I’d use it.
> Every 3-4 years I go on a hunt for a new Mac mail client and I always
> come up empty.  I’ve tried MailMate, Thunderbird, Postbox and just keep
> coming back to the (neglected) Mail.app.  I’m all ears if there’s
> something out there that can deal with 5 or 6 really large accounts well,
> AND does the right thing with mailing lists, I’m all ears.  I’ve not
> tried Outlook for Mac yet, maybe that’s the ticket?

I'd say that you can start looking at Eudora again in (I'm guessing) 6 ~ 
18 months.

Since Qualcomm transferred the Eudora IP to the Computer History Museum 
and open sourced the source code, I expect that we will be seeing 
movement there in.  I think I've seen some references to projects to 
resurrect the code base within days of the announcement.




--
Grant. . . .
unix || die





Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Bill Cole
On 30 May 2018, at 14:51 (-0400), Grant Taylor wrote:

> Since Qualcomm transferred the Eudora IP to the Computer History Museum and 
> open sourced the source code, I expect that we will be seeing movement there 
> in.  I think I've seen some references to projects to resurrect the code base 
> within days of the announcement.

I wouldn't bet on a successful reanimation of the Eudora corpse for MacOS. My 
understanding from its developers at the time Qualcomm killed it in favor of 
re-skinning TBird (which also fizzled) is that the code was unmaintainable and 
required essentially a full rewrite to keep working on MacOS X given the 
ongoing rot in the Carbon APIs.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole




Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Luis E. Muñoz

On 30 May 2018, at 13:54, Bill Cole wrote:

> On 30 May 2018, at 14:51 (-0400), Grant Taylor wrote:
>
>> Since Qualcomm transferred the Eudora IP to the Computer History
>> Museum and open sourced the source code, I expect that we will be
>> seeing movement there in.  I think I've seen some references to
>> projects to resurrect the code base within days of the announcement.
>
> I wouldn't bet on a successful reanimation of the Eudora corpse for
> MacOS. My understanding from its developers at the time Qualcomm
> killed it in favor of re-skinning TBird (which also fizzled) is that
> the code was unmaintainable and required essentially a full rewrite to
> keep working on MacOS X given the ongoing rot in the Carbon APIs.

Also, IIRC, messages were kept in mbox-like files. That would certainly 
not scale well.


Best regards

-lem


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Bill Cole

On 30 May 2018, at 14:47 (-0400), Charles Sprickman wrote:

> All email clients “generally suck”.  Thunderbird is not even
> actively developed anymore last I checked,

Check again. That's not been true for quite a while. I just dusted off 
TBird for the first time in 2 years and was treated to an update from 
v39 to v52, in 4 steps because apparently the autoupdate couldn't do it 
directly. 52.8.0 is 12 days old.

> so that’s not really an option.

That really depends on what "actively developed" means. I'd have no 
problem at all using a MUA that was only maintained for security and bug 
fixes, if it had basic functionality nailed down.

> And if you can imagine this, both Thunderbird and MailMate choke on
> large mailboxes *even more* than Mail.app does.

I haven't had MM "choke" on large mailboxes in recent years. I wish 
Benny would just declare a 2.0 release to make it clear that MM today is 
much more solid than it was in 2015.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Luis E. Muñoz

On 30 May 2018, at 14:30, Bill Cole wrote:

>> And if you can imagine this, both Thunderbird and MailMate choke on
>> large mailboxes *even more* than Mail.app does.
>
> I haven't had MM "choke" on large mailboxes in recent years. I wish
> Benny would just declare a 2.0 release to make it clear that MM today
> is much more solid than it was in 2015.

To further the point, one of the mailboxes I manage on this box has 95K+ 
messages. Apple Mail would choke to death on this one. MM seems happy. I 
would give it another try as this is precisely the reason why I switched 
~2 years ago.


Best regards

-lem


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Bill Cole

On 30 May 2018, at 17:19 (-0400), Luis E. Muñoz wrote:

> On 30 May 2018, at 13:54, Bill Cole wrote:
>
>> On 30 May 2018, at 14:51 (-0400), Grant Taylor wrote:
>>
>>> Since Qualcomm transferred the Eudora IP to the Computer History
>>> Museum and open sourced the source code, I expect that we will be
>>> seeing movement there in.  I think I've seen some references to
>>> projects to resurrect the code base within days of the announcement.
>>
>> I wouldn't bet on a successful reanimation of the Eudora corpse for
>> MacOS. My understanding from its developers at the time Qualcomm
>> killed it in favor of re-skinning TBird (which also fizzled) is that
>> the code was unmaintainable and required essentially a full rewrite
>> to keep working on MacOS X given the ongoing rot in the Carbon APIs.
>
> Also, IIRC, messages were kept in mbox-like files. That would
> certainly not scale well.

That's actually not a big issue, since they were mbox with an index in 
the resource fork or a sibling file and so did not suffer from the 
performance issues that simple mbox used simplistically has.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread RW
On Wed, 30 May 2018 12:47:42 -0600
Grant Taylor wrote:

> On 05/30/2018 12:08 PM, RW wrote:
> > SPF passes on the rewritten envelope address, so it's not aligned
> > and it's just a matter of whether there's an aligned dkim pass.  
> 
> It depends on what the Forensic Report ("fo") option is set to in the 
> published DMARC policy.  Domain owners / record publishers can state 
> that any failure, including SPF misalignment, will cause a report to
> be sent.

OK, but when you said "The failure seems to be a result of how DMARC
amalgamates the two with published policies" I thought you were
claiming some kind of anomalous behaviour. 

It's surely obvious that rewriting the envelope sender to a completely
different domain will break SPF alignment in DMARC. There wouldn't be
any point to DMARC if it didn't.


> > The important thing is to not sign the list* headers in dkim.  
> 
> I did say that DKIM passed.  Which means that the list-* headers
> didn't cause the failure.

That was informational, some people do make that mistake. 


Re: [Offtopic] List From and Reply-To

2018-05-30 Thread Grant Taylor

On 05/30/2018 04:02 PM, RW wrote:
OK, but when you said "The failure seems to be a result of how DMARC 
amalgamates the two with published policies" I thought you were claiming 
some kind of anomalous behaviour.


Ah.  Sorry for the confusion.

It's surely obvious that rewriting the envelope sender to a completely 
different domain will break SPF alignment in DMARC. There wouldn't be 
any point to DMARC if it didn't.


Agreed.  DMARC is meant to detect / report such misalignments.

I think DMARC is somewhat incompatible with the stated desired behavior 
of the SpamAssassin Users mailing list.  The typical SOP that I see is 
to mung the From: header so that messages appear to be from / via the 
mailing list.  This enables alignment between the envelope and the From: 
header.


This obviously breaks DKIM.  Which IMHO means that old (broken) DKIM 
needs to be stripped and (ideally) new DKIM signatures added as messages 
egress the list.


That was informational, some people do make that mistake. 


ACK



--
Grant. . . .
unix || die





Re: Fwd: List From and Reply-To

2018-05-31 Thread Antony Stone
On Thursday 31 May 2018 at 12:16:04, Palvelin Postmaster wrote:

> > Begin forwarded message:
> > 
> > From: Ian Zimmerman 

> Are you and Bill Cole doing something different from other list members
> because your emails appear to have a Reply-To header?

Anyone is free to set a Reply-To header in the emails they send.  This will be 
preserved by the list server.

I believe both Ian and Bill are doing this, yes.

> --
> Palvelin.fi <http://palvelin.fi/> Hostmaster
> postmas...@palvelin.fi <mailto:postmas...@palvelin.fi>

The sig separator for email should have a space after the two dashes, so that 
MUAs can strip this automatically from the replies.

Also, a bit off-topic, but the URL in your sig does not accept connections, 
just in case you weren't aware.


Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

       Please reply to the list;
 please *don't* CC me.


Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Michael Storz

Am 2021-02-20 08:58, schrieb Dominic Raferd:

Is there a rule to catch cases where the domain of the Reply-To header
is a subtle variant on that in the To header. Take this (real) example
from a phishing email sent yesterday:

From: "Karen Howard" 
Reply-To: "Karen Howard" 

I realise that other elements of the address can be different without
being a reliable spam indicator but I think that interfacefm.com ->
intrefacefm.com are so similar and yet different that they should be
worth a few points. But I can't think how to write such a rule myself.


Use the "Damerau–Levenshtein distance" to calculate the similarity. 
Since long I was interested to try this, but never found the time.


Michael


Re: Catch subtly-different Reply-To domain

2021-02-21 Thread RW
On Sun, 21 Feb 2021 11:28:51 +0100
Michael Storz wrote:

> Am 2021-02-20 08:58, schrieb Dominic Raferd:
> > Is there a rule to catch cases where the domain of the Reply-To
> > header is a subtle variant on that in the To header. Take this
> > (real) example from a phishing email sent yesterday:
> > 
> > From: "Karen Howard" 
> > Reply-To: "Karen Howard" 

> Use the "Damerau–Levenshtein distance" to calculate the similarity. 
> Since long I was interested to try this, but never found the time.

Did you have particular use in mind for that? The example above doesn't
seem all that useful as a phishing technique as it will fail DMARC.

My suspicion is that they are trying to exploit mail systems that
haven't yet adopted DMARC checking and that interfacefm.com was chosen
for its SPF record:

v=spf1 +a +mx +a:ns1.c57578.sgvps.net include:_spf.mailspamprotection.com

There's no -all or ~all on the end.



Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd



On 21/02/2021 13:56, RW wrote:

On Sun, 21 Feb 2021 11:28:51 +0100
Michael Storz wrote:


Am 2021-02-20 08:58, schrieb Dominic Raferd:

Is there a rule to catch cases where the domain of the Reply-To
header is a subtle variant on that in the To header. Take this
(real) example from a phishing email sent yesterday:

From: "Karen Howard" 
Reply-To: "Karen Howard" 

Use the "Damerau–Levenshtein distance" to calculate the similarity.
Since long I was interested to try this, but never found the time.

Did you have particular use in mind for that? The example above doesn't
seem all that useful as a phishing technique as it will fail DMARC.

My suspicion is that they are trying to exploit mail systems that
haven't yet adopted DMARC checking and that interfacefm.com was chosen
for its SPF record:

v=spf1 +a +mx +a:ns1.c57578.sgvps.net include:_spf.mailspamprotection.com

There's no -all or ~all on the end.

Yes this mail passed DMARC and it is cases like this that I want to 
catch. 99% of domains have not implemented full DMARC with 
p=quarantine|reject, so one can't rely on it (although it has a valuable 
role).


Re: Catch subtly-different Reply-To domain

2021-02-21 Thread RW
On Sun, 21 Feb 2021 14:04:20 +
Dominic Raferd wrote:

> On 21/02/2021 13:56, RW wrote:

> >>> From: "Karen Howard" 
> >>> Reply-To: "Karen Howard"   
  
> Yes this mail passed DMARC

How did it pass DMARC when it has the domain being spoofed in the from
header?


Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Benny Pedersen

On 2021-02-21 17:00, RW wrote:

On Sun, 21 Feb 2021 14:04:20 +
Dominic Raferd wrote:


On 21/02/2021 13:56, RW wrote:



>>> From: "Karen Howard" 
>>> Reply-To: "Karen Howard" 



Yes this mail passed DMARC


How did it pass DMARC when it has the domain being spoofed in the from
header?


both domains can have dmarc, but only from header is dmarc tested

and dkim can sign reply-to


Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd

On 21/02/2021 16:20, Benny Pedersen wrote:

On 2021-02-21 17:00, RW wrote:

On Sun, 21 Feb 2021 14:04:20 +
Dominic Raferd wrote:


On 21/02/2021 13:56, RW wrote:



>>> From: "Karen Howard" 
>>> Reply-To: "Karen Howard" 



Yes this mail passed DMARC


How did it pass DMARC when it has the domain being spoofed in the from
header?


both domains can have dmarc, but only from header is dmarc tested

and dkim can sign reply-to

and interfacefm.com (like most domains) does not publish a DMARC policy, 
so it must pass


Re: Catch subtly-different Reply-To domain

2021-02-21 Thread RW
On Sun, 21 Feb 2021 17:00:32 +
Dominic Raferd wrote:

> On 21/02/2021 16:20, Benny Pedersen wrote:
> > On 2021-02-21 17:00, RW wrote:  
> >> On Sun, 21 Feb 2021 14:04:20 +
> >> Dominic Raferd wrote:
> >>  
> >>> On 21/02/2021 13:56, RW wrote:  
> >>  
> >>> >>> From: "Karen Howard" 
> >>> >>> Reply-To: "Karen Howard"   
> >>  
> >>> Yes this mail passed DMARC  
> >>
> >> How did it pass DMARC when it has the domain being spoofed in the
> >> from header?  
> >
> > both domains can have dmarc, but only from header is dmarc tested
> >
> > and dkim can sign reply-to  
> and interfacefm.com (like most domains) does not publish a DMARC
> policy, so it must pass


But it does:

$ dig +short txt _dmarc.interfacefm.com
"v=DMARC1; p=none; rua=mailto:postmas...@interfacefm.com";

Presumably interfacefm.com has been hacked, but not to the extent that
they can intercept incoming replies.



Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd



On 21/02/2021 17:37, RW wrote:

On Sun, 21 Feb 2021 17:00:32 +
Dominic Raferd wrote:


On 21/02/2021 16:20, Benny Pedersen wrote:

On 2021-02-21 17:00, RW wrote:

On Sun, 21 Feb 2021 14:04:20 +
Dominic Raferd wrote:
  

On 21/02/2021 13:56, RW wrote:
  

From: "Karen Howard" 
Reply-To: "Karen Howard" 
  

Yes this mail passed DMARC

How did it pass DMARC when it has the domain being spoofed in the
from header?

both domains can have dmarc, but only from header is dmarc tested

and dkim can sign reply-to

and interfacefm.com (like most domains) does not publish a DMARC
policy, so it must pass

But it does:

$ dig +short txt _dmarc.interfacefm.com
"v=DMARC1; p=none; rua=mailto:postmas...@interfacefm.com";

Presumably interfacefm.com has been hacked, but not to the extent that
they can intercept incoming replies.


I stand corrected; but as they specify p=none, the mail must still pass.
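
An added example, not code from the thread: a simplified DMARC evaluation that keeps the authentication result separate from the disposition the published policy requests, covering both the list-rewriting case from the 2018 messages and the p=none record quoted above. The two records are as shown in the thread; the `.example` domains, the function names and the last-two-labels organizational-domain rule are assumptions.

```python
PAGE_SPF = "v=spf1 +a +mx +a:ns1.c57578.sgvps.net include:_spf.mailspamprotection.com"
PAGE_DMARC = "v=DMARC1; p=none; rua=mailto:postmas...@interfacefm.com"  # as shown in the thread


def org_domain(domain):
    """Assumption: organizational domain = last two labels. A real checker
    uses the Public Suffix List (required for suffixes such as co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def spf_default(record):
    """SPF result for a sender that matches no mechanism: the qualifier on
    'all', or neutral when the record has no 'all' (redirect= not followed)."""
    quals = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return quals.get(term[0], "pass")  # bare "all" means "+all"
    return "neutral"


def dmarc_policy(record):
    """Value of the p= tag in a DMARC TXT record, or None if absent."""
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None


def dmarc_verdict(from_domain, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs. Relaxed
    alignment only; aspf=/adkim= strict modes are not handled."""
    if not record:
        return {"dmarc": "none", "disposition": "none"}
    target = org_domain(from_domain)
    spf_ok = spf[0] == "pass" and org_domain(spf[1]) == target
    dkim_ok = dkim[0] == "pass" and org_domain(dkim[1]) == target
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else (dmarc_policy(record) or "none")}


# Constructed cases. List relay: envelope rewritten to the list's domain, author's DKIM intact.
LIST_CASE = dmarc_verdict("author.example", ("pass", "lists.example"),
                          ("pass", "author.example"), "v=DMARC1; p=reject")
# From: interfacefm.com sent via an unrelated, constructed envelope domain, unsigned.
SPOOF_CASE = dmarc_verdict("interfacefm.com", ("pass", "sender.example"),
                           ("none", ""), PAGE_DMARC)
```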


