Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-21 Thread Tanstaafl
On 5/21/2014 12:14 PM, Ian Eiloart wrote: And, it’s not abusive if appropriate SPF checks are done first: obviously, you don’t do the callout if you get an SPF fail. A callout with an SPF pass isn’t abusive: if the domain sent me an email, then it should be able to handle a callout. You are wr

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-21 Thread Ian Eiloart
On 17 May 2014, at 04:08, John Levine wrote:
> Everyone I know who's tried to do spam filtering by SMTP callbacks to
> verify sender addresses has stopped,

Not me.

> for the dual reasons that it
> doesn't work, and it's abusive.

It is helpful, we get almost no complaints. Complaints are usual

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Stephen J. Turnbull
Lindsay Haisley writes:
> I have a lot of mods to Mailman too. Patching is easy using the gnu.org
> diff and patch tools and can easily be scripted,

I'm sure the OP knows that, and may even have a bzr (or git) repo. However, any change can require resolving conflicts, and some require changing

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Stephen J. Turnbull
John R Levine writes:
> Isn't there code in 2.18 to check for DMARC problems to catch messages on
> the way in? I'd think you could adapt that.

I'm not sure what "on the way in" means, but 2.1.18 does have code to catch a p=reject record and handle it just once per post. The OP can't use 2.1

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Lindsay Haisley
On Sun, 2014-05-18 at 01:37 +0900, Stephen J. Turnbull wrote:
> > How do you limit it to just addresses with DMARC problems? There's no
> > benefit to doing it to everyone.
>
> Probably a hard-coded regexp (or list thereof) matching against the
> address in "From". The OP has a special situati

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Mark Sapiro
On 05/17/2014 10:33 AM, John Levine wrote:
>
> Well, yes, obviously. Since DNS checks can be slow, it would be nice
> to reuse the answers that Mailman probably already has. Where are
> they stored?

They aren't stored anywhere in Mailman, but they are likely cached in a local name server.

--

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread John Levine
>> How do you limit it to just addresses with DMARC problems? There's no >> benefit to doing it to everyone. >> >Because a DMARC record is published in DNS, Mailman must use a Python >module capable of querying DNS. MM 2.1.18 uses the dnspython > package for this. I b

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Mark Sapiro
On 05/16/2014 10:56 PM, Bob Puff wrote:
>
>> name, addrs = parseaddr(msg.get('from'))
>> addrs += '.invalid'
>> del msg['from']
>> msg['From'] = formataddr((name, addrs))
>>
>> If you put it in Mailman/Handlers/Cleanse.py or
>> Mailman/Handlers/CookHeaders.py, parseaddr and formata

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread John R Levine
> How do you limit it to just addresses with DMARC problems? There's no > benefit to doing it to everyone. Probably a hard-coded regexp (or list thereof) matching against the address in "From". The OP has a special situation where he's got lots of local mods to Mailman, so it's not convenient t

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Lindsay Haisley
On Sat, 2014-05-17 at 14:12 +, John Levine wrote:
> How do you limit it to just addresses with DMARC problems? There's no
> benefit to doing it to everyone.
>

Because a DMARC record is published in DNS, Mailman must use a Python module capable of querying DNS. MM 2.1.18 uses the dnspython

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Stephen J. Turnbull
Quoth Mark Sapiro:
> >Exactly how to patch this depends on what Mailman version you're
> >starting with, but you basically want some code like this.

snip

John Levine writes:
> How do you limit it to just addresses with DMARC problems? There's no
> benefit to doing it to everyone.

Probably

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread John Levine
>Exactly how to patch this depends on what Mailman version you're
>starting with, but you basically want some code like this.
>
>name, addrs = parseaddr(msg.get('from'))
>addrs += '.invalid'
>del msg['from']
>msg['From'] = formataddr((name, addrs))
>
>If you put it in Mailman/Handle

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Andreas Schulze
Bob Puff:
> So guys... Is there a simple little hack we can do within MM 2.1 to try to
> mitigate this issue, by adding .invalid or some other extension? I've got a
> few lists that are getting to the point where MM sends the probe email, and
> then figures it is not a bouncing address, but a lot

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Stephen J. Turnbull
Franck Martin writes:
> You can also apply this patch:
>
> http://bazaar.launchpad.net/~mlm-author/mailman/2.1-author/revision/1341?remember=1338&compare_revid=1338
>
> Rather than injecting an invalid domain in the From: and weakening
> more the security of email...

If your *primary* con

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-17 Thread Stephen J. Turnbull
Bob Puff writes:
> So guys... Is there a simple little hack we can do within MM 2.1 to
> try to mitigate this issue, by adding .invalid or some other
> extension? I've got a few lists that are getting to the point
> where MM sends the probe email, and then figures it is not a
> bouncing addr

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Bob Puff
> name, addrs = parseaddr(msg.get('from'))
> addrs += '.invalid'
> del msg['from']
> msg['From'] = formataddr((name, addrs))
>
> If you put it in Mailman/Handlers/Cleanse.py or
> Mailman/Handlers/CookHeaders.py, parseaddr and formataddr are already
> imported from email.Utils so t

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Franck Martin
You can also apply this patch: http://bazaar.launchpad.net/~mlm-author/mailman/2.1-author/revision/1341?remember=1338&compare_revid=1338 Rather than injecting an invalid domain in the From: and weakening more the security of email...

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Bob Puff
> Exactly how to patch this depends on what Mailman version you're
> starting with, but you basically want some code like this.
>
> name, addrs = parseaddr(msg.get('from'))
> addrs += '.invalid'
> del msg['from']
> msg['From'] = formataddr((name, addrs))
>
> If you put it in Mai

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Mark Sapiro
On 05/16/2014 09:27 PM, Franck Martin wrote:
> Upgrade to 2.1.18

If one is going to upgrade, one should upgrade to Mailman 2.1.18-1, but presumably the OP knows that and wants a different mitigation.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California bette

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Mark Sapiro
On 05/16/2014 08:36 PM, Bob Puff wrote:
> So guys... Is there a simple little hack we can do within MM 2.1 to try to
> mitigate this issue, by adding .invalid or some other extension? I've got a
> few lists that are getting to the point where MM sends the probe email, and
> then figures it is not

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Franck Martin
You are really mixing everything...

All knowledge is an answer to a question.

> On May 16, 2014, at 20:09, "John Levine" wrote:
>
> In article <1856298671.144791.1400292991012.javamail.zim...@peachymango.org>
> you write:
>> The trouble with .invalid is that it is a domain that does not

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Franck Martin
Upgrade to 2.1.18

All knowledge is an answer to a question.

> On May 16, 2014, at 20:43, "Bob Puff" wrote:
>
> So guys... Is there a simple little hack we can do within MM 2.1 to try to
> mitigate this issue, by adding .invalid or some other extension? I've got a
> few lists that are

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Bob Puff
So guys... Is there a simple little hack we can do within MM 2.1 to try to mitigate this issue, by adding .invalid or some other extension? I've got a few lists that are getting to the point where MM sends the probe email, and then figures it is not a bouncing address, but a lot of emails are not

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread John Levine
In article <1856298671.144791.1400292991012.javamail.zim...@peachymango.org> you write:
>The trouble with .invalid is that it is a domain that does not accept emails.
>Therefore why should you accept emails from a domain
>that does not allow you to reply to it?
>
>It is bound in the future to creat

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-16 Thread Franck Martin
The trouble with .invalid is that it is a domain that does not accept emails. Therefore why should you accept emails from a domain that does not allow you to reply to it? It is bound in the future to create issues when people move to more serious/ubiquitous domain reputation schemes.

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-07 Thread John Levine
>> From: Marissa
>
>I have some sympathy for this approach, as I mentioned over in mailman-users.
>It violates RFCs so I'm not sure Mailman should adopt it, but it's worth
>experimenting with, and I'm glad you (John) are doing so, and providing
>feedback here.

I know the guy who wrote the RFC, a

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-06 Thread Stephen J. Turnbull
John R Levine writes:
> > Note that AOL and Yahoo! need to do this because they have
> > ambitions of being e-commerce platforms, and so their domain
> > names can be used to scam money out of people.
>
> We're deep enough into tin-foil hat territory here that we're
> done.

Should you want

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-06 Thread Stephen J. Turnbull
John R Levine writes:
> But you're nuts if you think that every Mailman list is going to
> kick off every Yahoo and AOL user,

You can stop the ad hominem innuendo right there (that's an RFC 2119 MUST NOT). There is plenty of documentary evidence on Mailman lists that I'm fully aware that that

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-06 Thread John R Levine
What I'm trying to do is explain why Mailman should (IMHO) take a quite different, much more conservative, stance toward implementing this, and why I criticize DMARC. I don't know anyone who thinks the way that Yahoo and AOL are using DMARC is a good idea. But you're nuts if you think that ever

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-06 Thread Stephen J. Turnbull
John R Levine writes:
> My apologies. My imagination is sadly limited by 20 years of
> running mailing lists for real people, and extensive conversations
> with the people who designed and use DMARC.

Experience doesn't limit imagination, it's desperation to solve a difficult problem in a hurr

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-06 Thread Barry Warsaw
On May 04, 2014, at 01:26 PM, John Levine wrote:
>I realize I'm a bit late to this party, but this is a technique that I
>don't think has been addressed here. On my lists I've fixed the DMARC
>bounces by rewriting From: lines of DMARC'ed domains like this on the
>way out:
>
> From: Marissa
>
>t

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-06 Thread John R Levine
> I wouldn't waste time worrying about whether various hacks might make > it 0.0001% easier to phish people. Will you please stop focusing on *your* logic, and start thinking about what happens if people with different interpretations of the facts take action on those interpretations? My apolog

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-06 Thread Stephen J. Turnbull
SM writes:
> Hi Stephen,
> At 23:28 05-05-2014, Stephen J. Turnbull wrote:
> >Don't you have that backwards? It's pointing out lack of a formal
> >hard requirement that is nit-picking. After all, Postel's Principle
> >isn't written in any IETF procedure manual. Would you call that one a
>

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-06 Thread SM
Hi Stephen, At 23:28 05-05-2014, Stephen J. Turnbull wrote: Don't you have that backwards? It's pointing out lack of a formal hard requirement that is nit-picking. After all, Postel's Principle isn't written in any IETF procedure manual. Would you call that one a "nit", too? I labelled my pr

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-05 Thread Stephen J. Turnbull
John Levine writes:
> I wouldn't waste time worrying about whether various hacks might make
> it 0.0001% easier to phish people.

Will you please stop focusing on *your* logic, and start thinking about what happens if people with different interpretations of the facts take action on those interp

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-05 Thread Stephen J. Turnbull
SM writes:
> >RFCs must be shown to work in practice before they become Proposed
> >Standards. Ie, don't expect something to work until you see it.
>
> This is a nit. There isn't any requirement that RFCs have to be
> shown to work in practice before they become Proposed Standards.

Don'

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-05 Thread Stephen J. Turnbull
John R Levine writes:
> > > One advantage of this hack is that you can just turn it off when
> > > you don't need it, much easier than the stuff that puts the list
> > > address in the From: line which affects everyone.
> >
> > You're wrong on both counts. In Mailman 2.1.18, "From" munging i

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-05 Thread John R Levine
> One advantage of this hack is that you can just turn it off when > you don't need it, much easier than the stuff that puts the list > address in the From: line which affects everyone. You're wrong on both counts. In Mailman 2.1.18, "From" munging is equally easy to turn off -- two clicks on an

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-05 Thread SM
Hi Stephen, At 01:07 05-05-2014, Stephen J. Turnbull wrote: Nor do I. I point to the *possibility* and our lack of ability to predict effects. The RFCs have proven over time to give us a system that works smoothly. We have rules of thumb that help to understand why they work as well as they do

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-05 Thread Stephen J. Turnbull
Mark Rousell writes:
> I do not think that this method of working around Yahoo's DMARC
> implementation will necessarily

Nor do I. I point to the *possibility* and our lack of ability to predict effects. The RFCs have proven over time to give us a system that works smoothly. We have rules of

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-05 Thread Stephen J. Turnbull
John R Levine writes:
> One advantage of this hack is that you can just turn it off when
> you don't need it, much easier than the stuff that puts the list
> address in the From: line which affects everyone.

You're wrong on both counts. In Mailman 2.1.18, "From" munging is equally easy to tur

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-04 Thread Mark Rousell
Hi, This is my first post here so please be gentle. I know I am risking telling certain people how to suck eggs. I'm not currently a Mailman user but will probably begin to use it soon. I've followed the Mailman-Developers list for some time to familiarise myself with how Mailman works. Apologie

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-04 Thread John R Levine
> * Really fixes DMARC problems That's a matter of opinion. The DMARC-using domains will disagree, I think, as it still means that you are "impersonating" their users (see below), and making DMARC ineffective as a means of reducing spam and phishing. But we'll see about that soon enough. No,

[Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-04 Thread Stephen J. Turnbull
John Levine writes:
> Before you tell me I'm nuts, hear me out. I've actually implemented
> this, and it works.

You're not nuts. However, your definition of "works" is necessarily limited to what you personally can see, in only a couple of weeks. It does *not* take into account the potential

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-04 Thread SM
Hi John, At 08:16 04-05-2014, John Levine wrote: The .invalid hack seems fine, no bounces, and no complaints about disappearing mail. There are mutant versions of this hack where you append a name with a wildcard that resolves but has an MTA that rejects all the mail, and a really evil one where

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-04 Thread John R Levine
Was there any occurrence of the ".invalid" in replies which were posted to the mailing list [1]? Not that I recall. Regards, John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-04 Thread John Levine
>> From: Marissa
>Our concerns are the possibility of mail being rejected by recipient
>MTAs because of the invalid From: address and user complaints about
>difficulty in replying to the poster.

Those are exactly the things I was worried about, too. I've seen no rejections at all due to the a

Re: [Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-04 Thread Mark Sapiro
On 05/04/2014 06:26 AM, John Levine wrote:
> I realize I'm a bit late to this party, but this is a technique that I
> don't think has been addressed here. On my lists I've fixed the DMARC
> bounces by rewriting From: lines of DMARC'ed domains like this on the
> way out:
>
> From: Marissa
>
>

[Mailman-Developers] Fixing DMARC problems with .invalid munge

2014-05-04 Thread John Levine
I realize I'm a bit late to this party, but this is a technique that I don't think has been addressed here. On my lists I've fixed the DMARC bounces by rewriting From: lines of DMARC'ed domains like this on the way out: From: Marissa to From: Marissa Before you tell me I'm nuts, hear me