The Unix Heritage Society mailing list
* [TUHS] Excessive bouncing ... argh!
@ 2017-09-21 22:34 Warren Toomey
  2017-09-22 11:46 ` Steffen Nurpmeso
                   ` (3 more replies)
  0 siblings, 4 replies; 27+ messages in thread
From: Warren Toomey @ 2017-09-21 22:34 UTC (permalink / raw)


All, overnight the mail list blocked about 60 people because of excessive
bouncing. It was probably because the list has been busy, and the bounce
threshold for the (mostly gmail) addresses was exceeded. I've manually
re-enabled them all.

I have installed the script that strips DKIM and ARC header lines before
the list software processes the inbound e-mails. We will see if that helps.

Apologies, Warren



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-21 22:34 [TUHS] Excessive bouncing ... argh! Warren Toomey
@ 2017-09-22 11:46 ` Steffen Nurpmeso
  2017-09-22 19:51   ` Grant Taylor
  2017-09-22 20:09 ` Gregg Levine
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 27+ messages in thread
From: Steffen Nurpmeso @ 2017-09-22 11:46 UTC (permalink / raw)


Warren Toomey <wkt at tuhs.org> wrote:
 |All, overnight the mail list blocked about 60 people because of excessive
 |bouncing. It was probably because the list has been busy, and the bounce
 |threshold for the (mostly gmail) addresses was exceeded. I've manually
 |re-enabled them all.
 |
 |I have installed the script that strips DKIM and ARC header lines before
 |the list software processes the inbound e-mails. We will see if that helps.

The mailman version i use supports REMOVE_DKIM_HEADERS out of the
box?  (This is v2.1.24, i hope that and Python2 will be maintained
for a while.)  So i have REMOVE_DKIM_HEADERS=2 which always
removes those headers, but more possibilities exist.  There is
also special support for DMARC, but i never fiddled with that.
(I personally use SPF -all and hope for the day DNS via DTLS or
TLS finally becomes reality.  I never understood DNSSEC as such.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-22 11:46 ` Steffen Nurpmeso
@ 2017-09-22 19:51   ` Grant Taylor
  2017-09-23 14:07     ` Theodore Ts'o
  0 siblings, 1 reply; 27+ messages in thread
From: Grant Taylor @ 2017-09-22 19:51 UTC (permalink / raw)


On 09/22/2017 05:46 AM, Steffen Nurpmeso wrote:
> The mailman version i use supports REMOVE_DKIM_HEADERS out of the 
> box?  (This is v2.1.24, i hope that and Python2 will be maintained
> for a while.)  So i have REMOVE_DKIM_HEADERS=2 which always
> removes those headers, but more possibilities exist.  There is 
> also special support for DMARC, but i never fiddled with that.

I sent a message to the Mailman users mailing list inquiring.  I believe 
that at least dmarc_moderation_action should be set to munge to best 
deal with DMARC.

I also feel like mailing lists are their own entity, and as such, 
messages should be from them.  Similarly, I think replies should be 
directed back to the list.  I think this is especially true for 
discussion type mailing lists.  Thus, I would be inclined to set 
from_is_list to munge also.

I feel like the best long term solution would be for remove_dkim_headers 
to be set to yes, which will remove the DKIM headers if the from header 
is being munged.

> (I personally use SPF -all and hope for the day DNS via DTLS or
> TLS finally becomes reality.  I never understood DNSSEC as such.)

I've been using DNSSEC for multiple years and have had very few problems 
with it.  Usually it's because I hand edit my zone and bork something.

I also look forward to the encryption ~> privacy that DNS over DTLS will 
provide (as I understand it) but I wonder what additional protection 
DTLS will provide compared to what DNSSEC provides.



-- 
Grant. . . .
unix || die



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-21 22:34 [TUHS] Excessive bouncing ... argh! Warren Toomey
  2017-09-22 11:46 ` Steffen Nurpmeso
@ 2017-09-22 20:09 ` Gregg Levine
  2017-09-23  7:50 ` Tom Ivar Helbekkmo
  2017-09-26 14:32 ` Gregg Levine
  3 siblings, 0 replies; 27+ messages in thread
From: Gregg Levine @ 2017-09-22 20:09 UTC (permalink / raw)


Hello!
I did receive an actual notice to re-enable my subscription to the
list. Both here and on my other address. It was from AT&T. Based on
what you've posted I believe it's that the evolving methods of sending
e-mail haven't completely caught up with the way lists manage it.

And thank you for being persistent. And thank you for an amazing list,
it is exactly what I need for my hobby concerning UNIX and BSD and the
PDP-11 and VAX machines. And an even better collection of software
regarding the society.
-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."


On Thu, Sep 21, 2017 at 6:34 PM, Warren Toomey <wkt at tuhs.org> wrote:
> All, overnight the mail list blocked about 60 people because of excessive
> bouncing. It was probably because the list has been busy, and the bounce
> threshold for the (mostly gmail) addresses was exceeded. I've manually
> re-enabled them all.
>
> I have installed the script that strips DKIM and ARC header lines before
> the list software processes the inbound e-mails. We will see if that helps.
>
> Apologies, Warren
>



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-21 22:34 [TUHS] Excessive bouncing ... argh! Warren Toomey
  2017-09-22 11:46 ` Steffen Nurpmeso
  2017-09-22 20:09 ` Gregg Levine
@ 2017-09-23  7:50 ` Tom Ivar Helbekkmo
  2017-09-23  9:05   ` Grant Taylor
  2017-09-23 22:27   ` Dave Horsfall
  2017-09-26 14:32 ` Gregg Levine
  3 siblings, 2 replies; 27+ messages in thread
From: Tom Ivar Helbekkmo @ 2017-09-23  7:50 UTC (permalink / raw)


Warren Toomey <wkt at tuhs.org> writes:

> I have installed the script that strips DKIM and ARC header lines before
> the list software processes the inbound e-mails. We will see if that helps.

That's an interesting solution.  Configuring it to not modify the
Subject: line by adding "[TUHS] " to it would probably also work.  :)

Also, it seems from my logs that every list item that's been refused at
my end over the last couple of weeks has been from someone in the domain
"tnetconsulting.net".  It might be interesting to see what's special
about mail from that subscriber.

A random sample:

/var/log/maillog.7.gz:Sep 15 00:27:18 barsoom postfix/smtpd[27728]: CBD5F1C716F: client=minnie.tuhs.org[45.79.103.53]
/var/log/maillog.7.gz:Sep 15 00:27:19 barsoom postfix/cleanup[26726]: CBD5F1C716F: message-id=<1c311c3e-6ba6-4f5c-267e-1529e1799045 at tnetconsulting.net>
/var/log/maillog.7.gz:Sep 15 00:27:19 barsoom opendkim[192]: CBD5F1C716F: bad signature data
/var/log/maillog.7.gz:Sep 15 00:27:20 barsoom opendmarc[489]: CBD5F1C716F: tnetconsulting.net fail
/var/log/maillog.7.gz:Sep 15 00:27:20 barsoom postfix/cleanup[26726]: CBD5F1C716F: milter-reject: END-OF-MESSAGE from minnie.tuhs.org[45.79.103.53]: 5.7.1 rejected by DMARC policy for tnetconsulting.net; from=<tuhs-bounces at minnie.tuhs.org> to=<tih at hamartun.priv.no> proto=ESMTP helo=<minnie.tuhs.org>

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay



^ permalink raw reply	[flat|nested] 27+ messages in thread
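
The manual log review described in the message above can be automated by grouping lines on the Postfix queue ID. This is an added example, not part of the original post; the function names are hypothetical, the first five sample lines are the ones quoted in that message, and the last three are constructed for contrast.

```python
import re
from collections import Counter, defaultdict

# First five lines: the sample quoted in the message above (the archive's
# " at " obfuscation is kept). Last three lines: constructed, for contrast.
SAMPLE_LOG = """\
/var/log/maillog.7.gz:Sep 15 00:27:18 barsoom postfix/smtpd[27728]: CBD5F1C716F: client=minnie.tuhs.org[45.79.103.53]
/var/log/maillog.7.gz:Sep 15 00:27:19 barsoom postfix/cleanup[26726]: CBD5F1C716F: message-id=<1c311c3e-6ba6-4f5c-267e-1529e1799045 at tnetconsulting.net>
/var/log/maillog.7.gz:Sep 15 00:27:19 barsoom opendkim[192]: CBD5F1C716F: bad signature data
/var/log/maillog.7.gz:Sep 15 00:27:20 barsoom opendmarc[489]: CBD5F1C716F: tnetconsulting.net fail
/var/log/maillog.7.gz:Sep 15 00:27:20 barsoom postfix/cleanup[26726]: CBD5F1C716F: milter-reject: END-OF-MESSAGE from minnie.tuhs.org[45.79.103.53]: 5.7.1 rejected by DMARC policy for tnetconsulting.net; from=<tuhs-bounces at minnie.tuhs.org> to=<tih at hamartun.priv.no> proto=ESMTP helo=<minnie.tuhs.org>
/var/log/maillog.7.gz:Sep 15 01:02:03 barsoom postfix/smtpd[27730]: 1A2B3C4D5E6: client=minnie.tuhs.org[45.79.103.53]
/var/log/maillog.7.gz:Sep 15 01:02:04 barsoom opendmarc[489]: 1A2B3C4D5E6: list-poster.example pass
/var/log/maillog.7.gz:Sep 15 01:02:05 barsoom postfix/qmgr[311]: 1A2B3C4D5E6: from=<tuhs-bounces at minnie.tuhs.org>, size=4096, nrcpt=1 (queue active)
"""

# "<program>[pid]: <QUEUEID>: <rest>", tolerant of a grep filename prefix.
LINE = re.compile(r"(?P<prog>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
REJECT = re.compile(
    r"milter-reject: \S+ from (?P<relay>[^\[\s]+)\[[^\]]*\]: (?P<reason>.*?);"
)


def correlate(log_text):
    """Group log lines by Postfix queue ID into one record per message."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec, prog, rest = msgs[m["qid"]], m["prog"], m["rest"]
        if rest.startswith("client="):
            rec["client"] = rest[len("client="):].split("[")[0]
        elif rest.startswith("message-id="):
            rec["message_id"] = rest[len("message-id="):]
        elif prog == "opendkim":
            rec["dkim"] = rest
        elif prog == "opendmarc":
            verdict = re.fullmatch(r"(\S+) (pass|fail|none)", rest)
            if verdict:
                rec["author_domain"], rec["dmarc"] = verdict.groups()
        elif rest.startswith("milter-reject:"):
            rej = REJECT.search(rest)
            if rej:
                rec["rejected_from"], rec["reason"] = rej["relay"], rej["reason"]
    return dict(msgs)


def dmarc_rejects_by_author_domain(log_text, relay):
    """Count messages handed over by `relay` that failed DMARC and were
    refused, keyed by the author (header From) domain opendmarc evaluated."""
    counts = Counter()
    for rec in correlate(log_text).values():
        if rec.get("rejected_from") == relay and rec.get("dmarc") == "fail":
            counts[rec["author_domain"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(dmarc_rejects_by_author_domain(SAMPLE_LOG, "minnie.tuhs.org"))
```
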

* [TUHS] Excessive bouncing ... argh!
  2017-09-23  7:50 ` Tom Ivar Helbekkmo
@ 2017-09-23  9:05   ` Grant Taylor
  2017-09-23 14:12     ` Theodore Ts'o
  2017-09-24  0:03     ` Random832
  2017-09-23 22:27   ` Dave Horsfall
  1 sibling, 2 replies; 27+ messages in thread
From: Grant Taylor @ 2017-09-23  9:05 UTC (permalink / raw)


On 09/23/2017 01:50 AM, Tom Ivar Helbekkmo wrote:
> Also, it seems from my logs that every list item that's been refused at
> my end over the last couple of weeks has been from someone in the domain
> "tnetconsulting.net".  It might be interesting to see what's special
> about mail from that subscriber.

/me raises a white flag.

I can tell you what's special about mail from that subscriber.

I have leading industry standard email security enabled on my email. 
Things like DKIM and DMARC which are specifically designed to tell 
receiving email servers where email from my domain should come from and 
what to do with email that does not come from my servers.

So, receiving servers that are also running leading industry standard 
filters honor my settings and reject the messages that claim to be from 
me but do not come from my mail server.  -  Mailman naively interprets 
this as a bounce.

Suffice it to say, that email server industry is changing and mailing 
lists are going to have to change to keep up with the times.

This problem is happening to a lot of mailing lists and will start 
happening to more and more as more of the email industry adopts things 
like DKIM and DMARC.

Note:  Multiple governments around the world are strongly desiring 
things like DKIM and DMARC.  Germany is probably a leader.  US senators 
are asking US governmental agencies to follow suit.  -  Suffice it to 
say, that more and better email security is coming.  (I'm just an early 
adopter.)



-- 
Grant. . . .
unix || die



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-22 19:51   ` Grant Taylor
@ 2017-09-23 14:07     ` Theodore Ts'o
  2017-09-23 18:17       ` Lyndon Nerenberg
  0 siblings, 1 reply; 27+ messages in thread
From: Theodore Ts'o @ 2017-09-23 14:07 UTC (permalink / raw)


On Fri, Sep 22, 2017 at 01:51:43PM -0600, Grant Taylor wrote:
> I also feel like mailing lists are their own entity, and as such, messages
> should be from them.  Similarly, I think replies should be directed back to
> the list.  I think this is especially true for discussion type mailing
> lists.  Thus, I would be inclined to set from_is_list to munge also.

Unfortunately, munging the From field, while it does solve the DMARC
problem, has a very significant negative UI effect.  It means that
when you look at a summary of messages in a threaded summary, they
will all look like they came from the TUHS mailing list, as opposed to
from the author of the posting.

This is actually the whole *point* of DMARC.  They want to make sure
that if you see a from field of paypal.com, it means "paypal.com", and
did not come from SCAMMER at MAKE.MONEY.FAST.NG.  So this is why DMARC
apologists who argue that this could be fixed by having MUA's hacked
so they display the X-List-From: field in the threaded mail summary
are wrong.  If you do this, then Nigerian spammers will be able to use
X-List-From: field to fool stupid e-mail users, and then Yahoo and
Paypal will end up pushing DMARCv2 (outside the IETF standards
structures, just as DMARC is pushed outside of the standards bodies,
but by big companies imposing their will on the rest of the Internet)
to censor the X-List-From: field just as DMARC is trying to force
mailing list reflectors to munge the From field.

	     		   	     	  - Ted



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-23  9:05   ` Grant Taylor
@ 2017-09-23 14:12     ` Theodore Ts'o
  2017-09-23 14:57       ` Tom Ivar Helbekkmo
                         ` (2 more replies)
  2017-09-24  0:03     ` Random832
  1 sibling, 3 replies; 27+ messages in thread
From: Theodore Ts'o @ 2017-09-23 14:12 UTC (permalink / raw)


On Sat, Sep 23, 2017 at 03:05:47AM -0600, Grant Taylor wrote:
> 
> I have leading industry standard email security enabled on my email. Things
> like DKIM and DMARC which are specifically designed to tell receiving email
> servers where email from my domain should come from and what to do with
> email that does not come from my servers.

DMARC is only useful if you are worried about people trying to use
your domain for phishing purposes.  This is more of an issue for
Paypal.com and bankofamerica.com.  In general it's not really an issue
for thunk.org and tnetconsulting.net.

DKIM and SPF are useful if you need to interoperate with big, free
e-mail systems such as Yahoo, AOL, and Google which are *using* DMARC.
Using DKIM and SPF is useful in trying to keep your site from falsely
being accused of being a spammer.

DMARC has no real value, and in fact has negative value, as it means
that when you send e-mail from a DMARC site that causes other people
to be ejected off of mailing lists, the mailing list administrator may
decide that you are actively causing harm to the community, and simply
prevent you from sending mail to the mailing list at all.

Another proposed solution is to have the mailing list software detect
that you are using DMARC, and only have *your* postings munged so
the from field says tuhs at minnie.tuhs.org, instead of
gtaylor at tnetconsulting.net.  That way only people who are using mail
systems with DMARC get their From field munged, instead of punishing
everyone using the mailing list.

						- Ted



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-23 14:12     ` Theodore Ts'o
@ 2017-09-23 14:57       ` Tom Ivar Helbekkmo
  2017-09-23 16:27         ` Ian Zimmerman
  2017-09-23 15:41       ` Ian Zimmerman
  2017-09-23 20:24       ` Grant Taylor
  2 siblings, 1 reply; 27+ messages in thread
From: Tom Ivar Helbekkmo @ 2017-09-23 14:57 UTC (permalink / raw)


Theodore Ts'o <tytso at mit.edu> writes:

> That way only people who are using mail systems with DMARC get their
> From field munged, instead of punishing everyone using the mailing
> list.

Why should anyone need to?  Of all the mailing lists I'm on, this one is
the only one that has this problem.  For instance, on the NetBSD mailing
lists, my email reaches other recipients "From:" my real email address,
and SPF, DKIM, and DMARC all check out clean.  Here are the headers from
a message I sent to a NetBSD list, as received by my own system (whereas
the message I sent to the TUHS list last night was refused by my MTA):

| Return-Path: <bounces-current-users-owner-tih=hamartun.priv.no at NetBSD.org>
| Received: from 127.0.0.1 (HELO barsoom.hamartun.priv.no) by
|  barsoom.hamartun.priv.no (Archiveopteryx 3.2.0) with lmtp id
|  1490255725-9579-11611/4/764 for tih at hamartun.priv.no; Thu, 23 Mar 2017
|  07:55:25 +0000
| Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25])
| 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
| 	(No client certificate requested)
| 	by barsoom.hamartun.priv.no (Postfix) with ESMTPS id 3CA3B1C7147
| 	for <tih at hamartun.priv.no>; Thu, 23 Mar 2017 08:55:23 +0100 (CET)
| Authentication-Results: barsoom.hamartun.priv.no; dmarc=pass header.from=hamartun.priv.no
| Authentication-Results: barsoom.hamartun.priv.no; spf=pass smtp.mailfrom=bounces-current-users-owner-tih=hamartun.priv.no at NetBSD.org
| Authentication-Results: barsoom.hamartun.priv.no;
| 	dkim=pass (1024-bit key) header.d=hamartun.priv.no header.i=@hamartun.priv.no header.b=Kykpwg+N
| Received: by mail.netbsd.org (Postfix, from userid 605)
| 	id 91AF78559D; Thu, 23 Mar 2017 07:55:16 +0000 (UTC)
| Delivered-To: Current-Users at netbsd.org
| Received: from localhost (localhost [127.0.0.1])
| 	by mail.netbsd.org (Postfix) with ESMTP id 04AC385569
| 	for <Current-Users at netbsd.org>; Thu, 23 Mar 2017 07:55:15 +0000 (UTC)
| X-Virus-Scanned: amavisd-new at netbsd.org
| Authentication-Results: mail.netbsd.org (amavisd-new);
| 	dkim=pass (1024-bit key) header.d=hamartun.priv.no
| Received: from mail.netbsd.org ([127.0.0.1])
| 	by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025)
| 	with ESMTP id 07zfmByWfGGy for <Current-Users at netbsd.org>;
| 	Thu, 23 Mar 2017 07:55:14 +0000 (UTC)
| Received: from barsoom.hamartun.priv.no (barsoom.hamartun.priv.no [193.71.27.8])
| 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
| 	(No client certificate requested)
| 	by mail.netbsd.org (Postfix) with ESMTPS id C3DAC84CDD
| 	for <Current-Users at netbsd.org>; Thu, 23 Mar 2017 07:55:12 +0000 (UTC)
| Received: from thuvia.hamartun.priv.no (thuvia.hamartun.priv.no [193.71.27.7])
| 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
| 	(No client certificate requested)
| 	by barsoom.hamartun.priv.no (Postfix) with ESMTPS id 88A601C7147;
| 	Thu, 23 Mar 2017 08:55:09 +0100 (CET)
| Dkim-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hamartun.priv.no;
| 	s=barsoom; t=1490255709;
| 	bh=CSM3cuXAMyJtu0wLEPB+K0BzqULiVelaGy5gTvWwfpU=;
| 	h=From:To:Cc:Subject:References:Date:In-Reply-To;
| 	b=Kykpwg+NK0kSkDYEkvrISX7fDtK9tYUogDcyAb0cSd1ogwCIYnAFSWKg3mnlJb+9g
| 	 urP7MuokAxM2gUJeVqGdosqAjncrfMQYt0ii8Ops3Awx9q/Dx3bmDyEz8jMUIQxWmw
| 	 oiCiL1ZkcjF/xGKvrV97jRW3BvVCzpRyZfO4ad1I=
| Received: by thuvia.hamartun.priv.no (Postfix, from userid 501)
| 	id 707E34DE48; Thu, 23 Mar 2017 08:55:09 +0100 (CET)
| From: Tom Ivar Helbekkmo <tih at hamartun.priv.no>
| To: Paul Goyette <paul at whooppee.com>
| Cc: Current-Users at netbsd.org
| Subject: Re: Error/warning message from rc.d/npf
| References: <Pine.NEB.4.64.1703231345500.401 at speedy.whooppee.com>
| Date: Thu, 23 Mar 2017 08:55:09 +0100
| In-Reply-To: <Pine.NEB.4.64.1703231345500.401 at speedy.whooppee.com> (Paul
| 	Goyette's message of "Thu, 23 Mar 2017 13:55:01 +0800")
| Message-Id: <m2wpbg1l7m.fsf at thuvia.hamartun.priv.no>
| User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.5 (berkeley-unix)
| Mime-Version: 1.0
| Content-Type: text/plain
| Sender: current-users-owner at NetBSD.ORG
| List-Id: current-users.NetBSD.org
| Precedence: bulk
| Content-Transfer-Encoding: quoted-printable

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-23 14:12     ` Theodore Ts'o
  2017-09-23 14:57       ` Tom Ivar Helbekkmo
@ 2017-09-23 15:41       ` Ian Zimmerman
  2017-09-23 20:24       ` Grant Taylor
  2 siblings, 0 replies; 27+ messages in thread
From: Ian Zimmerman @ 2017-09-23 15:41 UTC (permalink / raw)


On 2017-09-23 10:12, Theodore Ts'o wrote:

> Another proposed solution is to have the mailing list software detect
> that you are using DMARC, and only have *your* postings munged so
> the from field says tuhs at minnie.tuhs.org, instead of
> gtaylor at tnetconsulting.net.  That way only people who are using mail
> systems with DMARC get their From field munged, instead of punishing
> everyone using the mailing list.

That has been the reaction of every list I've seen react to the DMARC
problem at all.  Among others: haskell-cafe, exim-users, SDLU.
Initially I hated to make even this concession to "modern industry
standards", but now I think it's the best compromise, until the Internet
Octopuses kill email completely.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-23 14:57       ` Tom Ivar Helbekkmo
@ 2017-09-23 16:27         ` Ian Zimmerman
  0 siblings, 0 replies; 27+ messages in thread
From: Ian Zimmerman @ 2017-09-23 16:27 UTC (permalink / raw)


On 2017-09-23 16:57, Tom Ivar Helbekkmo wrote:

> Why should anyone need to?  Of all the mailing lists I'm on, this one
> is the only one that has this problem.  For instance, on the NetBSD
> mailing lists, my email reaches other recipients "From:" my real email
> address, and SPF, DKIM, and DMARC all check out clean.  Here are the
> headers from a message I sent to a NetBSD list, as received by my own
> system (whereas the message I sent to the TUHS list last night was
> refused by my MTA):

Probably because the NetBSD list, unlike the tuhs list and most others,
doesn't mess with the headers or body in any way - not by attaching a
"helpful" tag to the Subject, and not by appending an extra fake sig with
unsubscription info.

Either of these "modern" practices will invalidate the source DKIM
signature, and so also trigger a DMARC reject if a strict policy is set.

By the way, my inbound processing automatically strips the Subject tag
before I get to see the messages.  It is useless.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



^ permalink raw reply	[flat|nested] 27+ messages in thread
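
Why a Subject tag or an appended footer invalidates the author's DKIM signature, while extra list headers do not, shown as an added example that is not part of the original post. It implements the RFC 6376 body and header canonicalization and compares what a verifier would recompute before and after relaying; the messages, the tag, the footer and the function names are constructed, and the signed field list is a shortened version of the `h=` style shown earlier in the thread. The real signature input also covers the DKIM-Signature field itself, which is left out here because the list does not change it.

```python
import base64
import hashlib
import re


def canon_body(body, relaxed=False):
    """RFC 6376 body canonicalization ("simple" by default); body uses CRLF."""
    lines = body.split(b"\r\n")
    if relaxed:  # collapse runs of whitespace, drop whitespace at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # trailing empty lines are ignored
        lines.pop()
    if not lines:  # an empty body is CRLF in simple, nothing in relaxed
        return b"" if relaxed else b"\r\n"
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body, relaxed=False):
    """The value a signer puts in bh= (SHA-256, base64)."""
    digest = hashlib.sha256(canon_body(body, relaxed)).digest()
    return base64.b64encode(digest).decode()


def canon_header(name, value, relaxed=False):
    """Canonical form of one header field as it enters the signed data."""
    if not relaxed:
        return f"{name}: {value}\r\n".encode()
    value = re.sub(r"\s+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n".encode()


def broken_by_relay(original, relayed, signed_fields, relaxed=False):
    """Return (body_hash_changed, [signed fields whose bytes changed])."""
    before, after = dict(original["headers"]), dict(relayed["headers"])
    changed = [
        f for f in signed_fields
        if canon_header(f, before.get(f, ""), relaxed)
        != canon_header(f, after.get(f, ""), relaxed)
    ]
    body_changed = body_hash(original["body"], relaxed) != body_hash(
        relayed["body"], relaxed
    )
    return body_changed, changed


# Constructed sample message and signed-field list.
SIGNED = ["From", "To", "Subject", "Date"]
ORIGINAL = {
    "headers": [
        ("From", "Poster <poster@author.example>"),
        ("To", "discuss@lists.example.net"),
        ("Subject", "Re: old hardware"),
        ("Date", "Sat, 23 Sep 2017 09:05:47 +0000"),
    ],
    "body": b"Hello list.\r\n",
}


def relay_adding_list_headers(msg):
    """A list that only adds fields the signature does not cover."""
    extra = [("List-Id", "discuss.lists.example.net"), ("Precedence", "bulk")]
    return {"headers": msg["headers"] + extra, "body": msg["body"]}


def relay_with_tag_and_footer(msg, tag="[LIST] "):
    """A list that tags the Subject and appends an unsubscribe footer."""
    headers = [(n, tag + v if n == "Subject" else v) for n, v in msg["headers"]]
    footer = b"-- \r\nTo unsubscribe, visit the list page.\r\n"
    return {"headers": headers, "body": msg["body"] + footer}


if __name__ == "__main__":
    for relay in (relay_adding_list_headers, relay_with_tag_and_footer):
        print(relay.__name__, broken_by_relay(ORIGINAL, relay(ORIGINAL), SIGNED))
```

Relaxed canonicalization only forgives whitespace changes, so it does not rescue a tagged Subject or a footer either.
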

* [TUHS] Excessive bouncing ... argh!
  2017-09-23 14:07     ` Theodore Ts'o
@ 2017-09-23 18:17       ` Lyndon Nerenberg
  2017-09-23 18:35         ` Tom Ivar Helbekkmo
  0 siblings, 1 reply; 27+ messages in thread
From: Lyndon Nerenberg @ 2017-09-23 18:17 UTC (permalink / raw)




> On Sep 23, 2017, at 7:07 AM, Theodore Ts'o <tytso at mit.edu> wrote:
> 
> This is actually the whole *point* of DMARC.  They want to make sure
> that if you see a from field of paypal.com, it means "paypal.com", and
> did not come from SCAMMER at MAKE.MONEY.FAST.NG.  So this is why DMARC
> apologists who argue that this could be fixed by having MUA's hacked
> so they display the X-List-From: field in the threaded mail summary
> are wrong.  If you do this, then Nigerian spammers will be able to use
> X-List-From: field to fool stupid e-mail users, and then Yahoo and
> Paypal will end up pushing DMARCv2 (outside the IETF standards
> structures, just as DMARC is pushed outside of the standards bodies,
> but by big companies imposing their will on the rest of the Internet)
> to censor the X-List-From: field just as DMARC is trying to force
> mailing list reflectors to munge the From field.

Amen.

I hope this whole topic doesn't go off the rails – we've had enough of those on the list the past couple of weeks.

But I will note that, if the sites that enforce the fully-anal interpretation of DMARC start destroying the list, it's completely within the spirit of TUHS to migrate to a UUCP-only distribution.  (Note the deliberate absence of a smiley.)

--lyndon



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-23 18:17       ` Lyndon Nerenberg
@ 2017-09-23 18:35         ` Tom Ivar Helbekkmo
  0 siblings, 0 replies; 27+ messages in thread
From: Tom Ivar Helbekkmo @ 2017-09-23 18:35 UTC (permalink / raw)


Lyndon Nerenberg <lyndon at orthanc.ca> writes:

> But I will note that, if the sites that enforce the fully-anal
> interpretation of DMARC start destroying the list,

Right.  So what's DMARC?  It's a way of specifying what to do with a
message that purports to be from your domain, but fails both SPF and
DKIM verification.  Oooo!  Scary!

> it's completely within the spirit of TUHS to migrate to a UUCP-only
> distribution.

:)  I'm game!  I was the last UUCP customer of my ISP (and only allowed
to remain a UUCP customer so long because I was also an employee, and
maintained their end of it myself), and I still have everything set up
to re-enable the mechanism.

-tih (...!mcvax!ndosl!melkart!tih)
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-23 14:12     ` Theodore Ts'o
  2017-09-23 14:57       ` Tom Ivar Helbekkmo
  2017-09-23 15:41       ` Ian Zimmerman
@ 2017-09-23 20:24       ` Grant Taylor
  2 siblings, 0 replies; 27+ messages in thread
From: Grant Taylor @ 2017-09-23 20:24 UTC (permalink / raw)


On 09/23/2017 08:12 AM, Theodore Ts'o wrote:
> DMARC is only useful if you are worried about people trying to use
> your domain for phishing purposes.  This is more of an issue for
> Paypal.com and bankofamerica.com.  In general it's not really an issue
> for thunk.org and tnetconsulting.net.

That is your opinion.  Mine happens to differ.  I think we're both 
adults and can agree to disagree.

> DKIM and SPF are useful if you need to interoperate with big, free
> e-mail systems such as Yahoo, AOL, and Google which are *using* DMARC.
> Using DKIM and SPF is useful in trying to keep your site from falsely
> being accused of being a spammer.

I feel like DMARC is just the latest technology / technique that is 
causing ripples in the pond.  -  I seem to remember similar ripples when 
SPF, and DKIM to a lesser degree, were introduced and became more popular.

> DMARC has no real value, and in fact has negative value, as it means
> that when you send e-mail from a DMARC site that causes other people
> to be ejected off of mailing lists, the mailing list administrator may
> decide that you are actively causing harm to the community, and simply
> prevent you from sending mail to the mailing list at all.

I believe DMARC does have value, and will have more value in the short 
to mid-term future.

I acknowledge the perceived negative value of DMARC.  I expect that 
other anti-spam techniques caused similar perceptions over the years.

  - Closing open relays
  - Requiring reverse DNS
  - SPF
  - DKIM
  - DMARC
  - ARC (possibly in the future)

I understand why people may want to push back on such technologies.  I 
feel like they are free to have their opinion.  I'll try to keep my 
opinion to myself.

However, I suspect that the horse drawn carriages are going to 
eventually end up yielding to the automobile in most places.

This is exactly why I've been working with Warren to try to make sure 
that I (and others using DMARC like me) don't cause harm to the TUHS 
community.

> Another proposed solution is to have the mailing list software detect
> that you are using DMARC, and only have *your* postings munged so
> the from field says tuhs at minnie.tuhs.org, instead of
> gtaylor at tnetconsulting.net.  That way only people who are using mail
> systems with DMARC get their From field munged, instead of punishing
> everyone using the mailing list.

I do believe that's the current industry accepted work around.  -  I 
don't know if it's the proper thing to do or not.  -  I suspect it's 
what I'm going to end up asking Warren to enable.  (It's my 
understanding that the mailing list manager that Warren is using already 
has the knob, and that he just needs to turn it.)



-- 
Grant. . . .
unix || die



^ permalink raw reply	[flat|nested] 27+ messages in thread
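
The work-around discussed in the messages above, rewriting From only for authors whose domain publishes a strict DMARC policy, sketched as an added example. It is not Mailman's code and not part of the original thread: the function names, addresses and DMARC records are constructed, and the author's policy record (normally the TXT record at `_dmarc.<domain>`) is passed in as a string so the example runs offline.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict; {} if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def munge_if_strict(msg, author_dmarc_txt, list_addr, list_name):
    """Rewrite From only when the author's domain asks receivers to reject
    or quarantine unauthenticated mail. Returns True if msg was rewritten."""
    policy = parse_dmarc_record(author_dmarc_txt or "").get("p", "none").lower()
    if policy not in ("reject", "quarantine"):
        return False  # everyone else keeps their own From line
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr  # keep a way to reach the author directly
    # The author's signature no longer matches the rewritten message.
    del msg["DKIM-Signature"]
    return True


# Constructed sample post.
RAW = (
    "From: Strict Poster <poster@strict.example>\n"
    "To: discuss@lists.example.net\n"
    "Subject: Re: old hardware\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=strict.example; s=sel; b=CONSTRUCTED\n"
    "\n"
    "Hello list.\n"
)


def demo(author_dmarc_txt):
    """Relay the sample post given the author's DMARC record (or None)."""
    msg = message_from_string(RAW)
    changed = munge_if_strict(
        msg, author_dmarc_txt, "discuss@lists.example.net", "Discuss"
    )
    return changed, msg


if __name__ == "__main__":
    for record in ("v=DMARC1; p=reject", "v=DMARC1; p=none", None):
        changed, msg = demo(record)
        print(record, "->", changed, "|", msg["From"])
```
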

* [TUHS] Excessive bouncing ... argh!
  2017-09-23  7:50 ` Tom Ivar Helbekkmo
  2017-09-23  9:05   ` Grant Taylor
@ 2017-09-23 22:27   ` Dave Horsfall
  2017-09-24 22:32     ` Derek Fawcus
  1 sibling, 1 reply; 27+ messages in thread
From: Dave Horsfall @ 2017-09-23 22:27 UTC (permalink / raw)


On Sat, 23 Sep 2017, Tom Ivar Helbekkmo wrote:

> That's an interesting solution.  Configuring it to not modify the 
> Subject: line by adding "[TUHS] " to it would probably also work.  :)

I hope you really are joking...  What really annoys me are lists that do 
*not* add the ID to the Subject: line.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-23  9:05   ` Grant Taylor
  2017-09-23 14:12     ` Theodore Ts'o
@ 2017-09-24  0:03     ` Random832
  2017-09-24  6:52       ` Tom Ivar Helbekkmo
  1 sibling, 1 reply; 27+ messages in thread
From: Random832 @ 2017-09-24  0:03 UTC (permalink / raw)


On Sat, Sep 23, 2017, at 05:05, Grant Taylor wrote:
> So, receiving servers that are also running leading industry standard 
> filters honor my settings and reject the messages that claim to be from 
> me but do not come from my mail server.  -  Mailman naively interprets 
> this as a bounce.
> 
> Suffice it to say, that email server industry is changing and mailing 
> lists are going to have to change to keep up with the times.

Do the standards provide a way to allow mailing lists (or other kinds of
forwarders) to get around this? Maybe by having the original mail server
digitally sign the message and allowing it to be forwarded with the
signature intact. It seems like this is an important use case; why has
it been overlooked? I assume it *has* been overlooked, because the
changes I've seen have mainly consisted of an increasing number of
mailing lists simply giving up and using their own address as the From
header when the sender has this security enabled. Yahoo is the biggest
offender I've noticed, on both ends - every message I receive from Yahoo
groups does this, as do messages from Python mailing lists originally
sent by Yahoo users. I haven't, incidentally, seen any email at all from
Yahoo users on this list.



^ permalink raw reply	[flat|nested] 27+ messages in thread

* [TUHS] Excessive bouncing ... argh!
  2017-09-24  0:03     ` Random832
@ 2017-09-24  6:52       ` Tom Ivar Helbekkmo
  0 siblings, 0 replies; 27+ messages in thread
From: Tom Ivar Helbekkmo @ 2017-09-24  6:52 UTC (permalink / raw)


random832 at fastmail.com writes:

> Do the standards provide a way to allow mailing lists (or other kinds
> of forwarders) to get around this?

They do.

> Maybe by having the original mail server digitally sign the message
> and allowing it to be forwarded with the signature intact.

That's called DKIM.  :)

An early attempt at protection against forgeries was SPF, which is a way
to tell recipients (by way of DNS) which mail servers are allowed to
send mail from a given domain.  That's too simplistic, though, as it
doesn't provide for mailing lists or other forwarders.

Adding DKIM, you get a cryptographic checksum covering a few headers,
and the body of the message.  The receiving mail system can use this to
verify that the sender is who the message claims.  The bits that are
checksummed have to be intact, though: the mailing list (or other
forwarder) must not modify the From:, To:, Date:, or Subject: headers,
nor the body of the message.

Finally, DMARC is a DNS based way to specify what to do with a message
that claims to be from your domain, but fails both SPF and DKIM
checks -- i.e. it's being delivered by a non-authorized mail system, and
it also lacks a verifiable DKIM signature.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay



^ permalink raw reply	[flat|nested] 27+ messages in thread
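
The SPF, DKIM and DMARC interplay summarised in the message above, worked through as an added example that is not part of the original thread. It adds one detail from the DMARC specification (RFC 7489): an SPF or DKIM pass only counts when the authenticated domain aligns with the From: domain, which is why a list's own SPF pass does not help a relayed post. The function names are hypothetical, the suffix set is a hand-picked stand-in for the Public Suffix List, and the policy values and the SPF result in the second case are assumptions.

```python
# Hand-picked stand-in for the Public Suffix List (assumption: a real
# evaluator loads the full list).
SUFFIXES = {"com", "net", "org", "no", "priv.no"}


def org_domain(domain, suffixes=SUFFIXES):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match, relaxed the same org domain."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf, dkim, policy, strict=False):
    """spf is (result, envelope_domain); dkim is a list of (result, d=).
    Returns (dmarc_result, disposition)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, strict)
    dkim_ok = any(
        result == "pass" and aligned(d, from_domain, strict) for result, d in dkim
    )
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(
        policy, "deliver"
    )
    return "fail", disposition


# Cases modelled on the thread; the policy values are assumptions.
CASES = {
    # List relays unmodified: SPF passes for the list's domain (not aligned),
    # but the author's DKIM signature survives and is aligned.
    "unmodified relay": (
        "hamartun.priv.no", ("pass", "netbsd.org"),
        [("pass", "hamartun.priv.no")], "reject",
    ),
    # List tags the Subject: SPF result assumed to pass for the list's
    # envelope domain (not aligned), author's DKIM signature is broken.
    "tagged relay": (
        "tnetconsulting.net", ("pass", "minnie.tuhs.org"),
        [("fail", "tnetconsulting.net")], "reject",
    ),
    # List rewrites From to its own address: SPF is now aligned.
    "munged From": (
        "minnie.tuhs.org", ("pass", "minnie.tuhs.org"), [], "none",
    ),
}


def run_cases():
    return {name: evaluate_dmarc(*args) for name, args in CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name}: {verdict}")
```
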

* [TUHS] Excessive bouncing ... argh!
  2017-09-23 22:27   ` Dave Horsfall
@ 2017-09-24 22:32     ` Derek Fawcus
  2017-09-24 23:43       ` Dave Horsfall
  0 siblings, 1 reply; 27+ messages in thread
From: Derek Fawcus @ 2017-09-24 22:32 UTC (permalink / raw)


On Sun, Sep 24, 2017 at 08:27:02AM +1000, Dave Horsfall wrote:
> On Sat, 23 Sep 2017, Tom Ivar Helbekkmo wrote:
> > That's an interesting solution.  Configuring it to not modify the 
> > Subject: line by adding "[TUHS] " to it would probably also work.  :)
> 
> I hope you really are joking...  What really annoys me are lists that do 
> *not* add the ID to the Subject: line.

Well, it is something I find useless and annoying - but that is usually
'cause I subscribe using unique addresses.

On some machines (where I use procmail), I set up rules to strip out
such munging.

DF




* [TUHS] Excessive bouncing ... argh!
  2017-09-24 22:32     ` Derek Fawcus
@ 2017-09-24 23:43       ` Dave Horsfall
  2017-09-25 16:50         ` Ian Zimmerman
  0 siblings, 1 reply; 27+ messages in thread
From: Dave Horsfall @ 2017-09-24 23:43 UTC (permalink / raw)


On Sun, 24 Sep 2017, Derek Fawcus wrote:

> On some machines (where I use procmail), I set up rules to strip out 
> such munging.

I used to use Procmail, but now it's unsupported, buggy, and quite likely 
vulnerable due to its baroque scripting language; if there was a decent 
replacement then I'd use it.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."




* [TUHS] Excessive bouncing ... argh!
  2017-09-24 23:43       ` Dave Horsfall
@ 2017-09-25 16:50         ` Ian Zimmerman
  2017-09-26  4:19           ` Dave Horsfall
  2017-09-26  5:30           ` Tom Ivar Helbekkmo
  0 siblings, 2 replies; 27+ messages in thread
From: Ian Zimmerman @ 2017-09-25 16:50 UTC (permalink / raw)


On 2017-09-25 09:43, Dave Horsfall wrote:

> I used to use Procmail, but now it's unsupported, buggy, and quite
> likely vulnerable due to its baroque scripting language; if there was
> a decent replacement then I'd use it.

Any Sieve processor.  3 libre choices I know of, there may be others:

- built in exim MDA

- GNU mailutils

- dovecot

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.




* [TUHS] Excessive bouncing ... argh!
  2017-09-25 16:50         ` Ian Zimmerman
@ 2017-09-26  4:19           ` Dave Horsfall
  2017-09-26  5:30           ` Tom Ivar Helbekkmo
  1 sibling, 0 replies; 27+ messages in thread
From: Dave Horsfall @ 2017-09-26  4:19 UTC (permalink / raw)


On Mon, 25 Sep 2017, Ian Zimmerman wrote:

>> I used to use Procmail, but now it's unsupported, buggy, and quite
>> likely vulnerable due to its baroque scripting language; if there was
>> a decent replacement then I'd use it.
>
> Any Sieve processor.  3 libre choices I know of, there may be others:

[...]

Thanks; I'll take a look.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."




* [TUHS] Excessive bouncing ... argh!
  2017-09-25 16:50         ` Ian Zimmerman
  2017-09-26  4:19           ` Dave Horsfall
@ 2017-09-26  5:30           ` Tom Ivar Helbekkmo
  1 sibling, 0 replies; 27+ messages in thread
From: Tom Ivar Helbekkmo @ 2017-09-26  5:30 UTC (permalink / raw)


Ian Zimmerman <itz at very.loosely.org> writes:

> Any Sieve processor.  3 libre choices I know of, there may be others:
>
> - built in exim MDA
>
> - GNU mailutils
>
> - dovecot

Archiveopteryx does Sieve, too.  That's what I use here.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay




* [TUHS] Excessive bouncing ... argh!
  2017-09-21 22:34 [TUHS] Excessive bouncing ... argh! Warren Toomey
                   ` (2 preceding siblings ...)
  2017-09-23  7:50 ` Tom Ivar Helbekkmo
@ 2017-09-26 14:32 ` Gregg Levine
  2017-09-26 16:00   ` Ralph Corderoy
  3 siblings, 1 reply; 27+ messages in thread
From: Gregg Levine @ 2017-09-26 14:32 UTC (permalink / raw)


Hello!
Not completely. It happened again. When was the last time the mail
list server was updated completely? That is, when a new version needed
to be installed.  This is the first time I've seen anything like this.
One of my other lists kept choking on e-mail delivered from Yahoo,
and I was forced to move all communications to this address. And it
isn't the one used here.
-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."


On Thu, Sep 21, 2017 at 6:34 PM, Warren Toomey <wkt at tuhs.org> wrote:
> All, overnight the mail list blocked about 60 people because of excessive
> bouncing. It was probably because the list has been busy, and the bounce
> threshold for the (mostly gmail) addresses was exceeded. I've manually
> re-enabled them all.
>
> I have installed the script that strips DKIM and ARC header lines before
> the list software processes the inbound e-mails. We will see if that helps.
>
> Apologies, Warren
>




* [TUHS] Excessive bouncing ... argh!
  2017-09-26 14:32 ` Gregg Levine
@ 2017-09-26 16:00   ` Ralph Corderoy
  0 siblings, 0 replies; 27+ messages in thread
From: Ralph Corderoy @ 2017-09-26 16:00 UTC (permalink / raw)


Hi Warren,

I haven't kept up with all messages, but are you aware of the
https://minnie.tuhs.org/cgi-bin/mailman/admin/tuhs/?VARHELP=general/from_is_list
option, the dmarc_moderation_action it mentions, and how they interact?

IIRC, Mailman can check if the sender's domain is troublesome and only
re-write the From header to itself in those cases, leaving the rest of
our emails alone.

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy




* [TUHS] Excessive bouncing ... argh!
  2017-09-23 16:18 ` Tom Ivar Helbekkmo
@ 2017-09-23 20:02   ` Grant Taylor
  0 siblings, 0 replies; 27+ messages in thread
From: Grant Taylor @ 2017-09-23 20:02 UTC (permalink / raw)


On 09/23/2017 10:18 AM, Tom Ivar Helbekkmo wrote:
> Of course.  I'm just saying that it's possible to set up mailing lists
> so that even people who use modern techniques for securing email can use
> them with no problems.  Seems to me, then, that the best response to the
> "problem" is to set the list up right.  And that the pressure should
> perhaps be on mailing list maintainers to do this, rather than on users
> to get their email providers and employers to not use SPF/DKIM/DMARC.

I agree that we all need to work together.  Warren has been very willing 
to try things to tweak the TUHS mailing list.  I'm grateful for that.

I think this is growing / learning pains as we all try to lumber forward 
into the future together.



-- 
Grant. . . .
unix || die




* [TUHS] Excessive bouncing ... argh!
  2017-09-23 15:54 Norman Wilson
@ 2017-09-23 16:18 ` Tom Ivar Helbekkmo
  2017-09-23 20:02   ` Grant Taylor
  0 siblings, 1 reply; 27+ messages in thread
From: Tom Ivar Helbekkmo @ 2017-09-23 16:18 UTC (permalink / raw)


Norman Wilson <norman at oclsc.org> writes:

> Beware tunnel vision.  Another mailing list I'm on has exactly the
> same problem, [...]

Of course.  I'm just saying that it's possible to set up mailing lists
so that even people who use modern techniques for securing email can use
them with no problems.  Seems to me, then, that the best response to the
"problem" is to set the list up right.  And that the pressure should
perhaps be on mailing list maintainers to do this, rather than on users
to get their email providers and employers to not use SPF/DKIM/DMARC.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay




* [TUHS] Excessive bouncing ... argh!
@ 2017-09-23 15:54 Norman Wilson
  2017-09-23 16:18 ` Tom Ivar Helbekkmo
  0 siblings, 1 reply; 27+ messages in thread
From: Norman Wilson @ 2017-09-23 15:54 UTC (permalink / raw)


Tom Ivar Helbekkmo:

  Why should anyone need to?  Of all the mailing lists I'm on, this one is
  the only one that has this problem.

=====

Beware tunnel vision.  Another mailing list I'm on has exactly
the same problem, made worse because it's being run by a central
Big Company Mailing List Provider so the rules keep changing under
foot and it's up to the poor-sod list maintainer (who is not a
programmer) to cope.

To bring the focus back to this mailing list, not every program
runs on a little-endian computer with arbitrary word alignment
and pointers that fit in an int.

Norman Wilson
Toronto ON




end of thread, other threads:[~2017-09-26 16:00 UTC | newest]

Thread overview: 27+ messages
2017-09-21 22:34 [TUHS] Excessive bouncing ... argh! Warren Toomey
2017-09-22 11:46 ` Steffen Nurpmeso
2017-09-22 19:51   ` Grant Taylor
2017-09-23 14:07     ` Theodore Ts'o
2017-09-23 18:17       ` Lyndon Nerenberg
2017-09-23 18:35         ` Tom Ivar Helbekkmo
2017-09-22 20:09 ` Gregg Levine
2017-09-23  7:50 ` Tom Ivar Helbekkmo
2017-09-23  9:05   ` Grant Taylor
2017-09-23 14:12     ` Theodore Ts'o
2017-09-23 14:57       ` Tom Ivar Helbekkmo
2017-09-23 16:27         ` Ian Zimmerman
2017-09-23 15:41       ` Ian Zimmerman
2017-09-23 20:24       ` Grant Taylor
2017-09-24  0:03     ` Random832
2017-09-24  6:52       ` Tom Ivar Helbekkmo
2017-09-23 22:27   ` Dave Horsfall
2017-09-24 22:32     ` Derek Fawcus
2017-09-24 23:43       ` Dave Horsfall
2017-09-25 16:50         ` Ian Zimmerman
2017-09-26  4:19           ` Dave Horsfall
2017-09-26  5:30           ` Tom Ivar Helbekkmo
2017-09-26 14:32 ` Gregg Levine
2017-09-26 16:00   ` Ralph Corderoy
2017-09-23 15:54 Norman Wilson
2017-09-23 16:18 ` Tom Ivar Helbekkmo
2017-09-23 20:02   ` Grant Taylor
