Mailing List Archive

Sudden surge in spam appearing to come from my email address
All -

I am suddenly getting hammered by a BUNCH of spam that appears to be
from me. It scores low, and even though I keep feeding it to Bayes, it's
still not hitting the threshold to be marked as spam.

When I check the headers, it's coming from multiple random email
servers, but many appear to originate from hotmail/outlook.com. So from
outlook.com, through some unsecured email server, then to my server.

I'm trying to figure out how to block this stuff. Something like "if it
appears to come from me, but it's not actually coming from my email
server," block it. I don't necessarily think this is a job for SA, but
if there's a rule I can tweak or a setting I can change, I'm all ears.

Thanks,
Thomas
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
Assuming you own/manage your infrastructure it should be straight-forward.

Create SPF records for your domain & SMTP server, set them to either soft or
hard fail mode.
If you can, also set up DKIM signing of your outgoing mail.

Then create rules that look for your from address in a message and a meta
which says "if from me & DKIM-fail/SPF-fail hit it hard"

If you can work with the SPF hard fail you will also help to improve your net
reputation as spammers will have a harder time trying to "Joe Job" you.


On Fri, 14 Jul 2023, Thomas Cameron wrote:

> All -
>
> I am suddenly getting hammered by a BUNCH of spam that appears to be from me.
> It scores low, and even though I keep feeding it to Bayes, it's still not
> hitting the threshold to be marked as spam.
>
> When I check the headers, it's coming from multiple random email servers, but
> many appear to originate from hotmail/outlook.com. So from outlook.com,
> through some unsecured email server, then to my server.
>
> I'm trying to figure out how to block this stuff. Something like "if it
> appears to come from me, but it's not actually coming from my email server,"
> block it. I don't necessarily think this is a job for SA, but if there's a
> rule I can tweak or a setting I can change, I'm all ears.
>
> Thanks,
> Thomas
>
>

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
This kinda raises an important issue. I already have SPF/DMARC/DKIM set
up. But because I use several mailing lists, I do not have a hard fail
set up. I get SO many notices when I send email to lists that I'm really
worried about defining hard failures/rejections.

But I'll play around with what you suggested.

Thomas

On 7/14/23 18:58, David B Funk wrote:
>
> Assuming you own/manage your infrastructure it should be
> straight-forward.
>
> Create SPF records for your domain & SMTP server, set them to either
> soft or hard fail mode.
> If you can, also set up DKIM signing of your outgoing mail.
>
> Then create rules that look for your from address in a message and a
> meta which says "if from me & DKIM-fail/SPF-fail hit it hard"
>
> If you can work with the SPF hard fail you will also help to improve
> your net reputation as spammers will have a harder time trying to "Joe
> Job" you.
>
>
> On Fri, 14 Jul 2023, Thomas Cameron wrote:
>
>> All -
>>
>> I am suddenly getting hammered by a BUNCH of spam that appears to be
>> from me. It scores low, and even though I keep feeding it to Bayes,
>> it's still not hitting the threshold to be marked as spam.
>>
>> When I check the headers, it's coming from multiple random email
>> servers, but many appear to originate from hotmail/outlook.com. So
>> from outlook.com, through some unsecured email server, then to my
>> server.
>>
>> I'm trying to figure out how to block this stuff. Something like "if
>> it appears to come from me, but it's not actually coming from my
>> email server," block it. I don't necessarily think this is a job for
>> SA, but if there's a rule I can tweak or a setting I can change, I'm
>> all ears.
>>
>> Thanks,
>> Thomas
>>
>>
>
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
I've set up a subdomain lists.mydomain.de (and with regex expressions
as local part, to have unique email address per list, forgot to do that
here...) with soft spf and dmarc policies and that I only use for
mailing lists. Then I can use hard failure spf and dkim policies for
the domain mydomain.de itself.

Robert

Am Freitag, dem 14.07.2023 um 19:28 -0500 schrieb Thomas Cameron:
> This kinda raises an important issue. I already have SPF/DMARC/DKIM
> set
> up. But because I use several mailing lists, I do not have a hard
> fail
> set up. I get SO many notices when I send email to lists that I'm
> really
> worried about defining hard failures/rejections.
>
> But I'll play around with what you suggested.
>
> Thomas
>
> On 7/14/23 18:58, David B Funk wrote:
> >
> > Assuming you own/manage your infrastructure it should be
> > straight-forward.
> >
> > Create SPF records for your domain & SMTP server, set them to
> > either
> > soft or hard fail mode.
> > If you can, also set up DKIM signing of your outgoing mail.
> >
> > Then create rules that look for your from address in a message and
> > a
> > meta which says "if from me & DKIM-fail/SPF-fail hit it hard"
> >
> > If you can work with the SPF hard fail you will also help to
> > improve
> > your net reputation as spammers will have a harder time trying to
> > "Joe
> > Job" you.
> >
> >
> > On Fri, 14 Jul 2023, Thomas Cameron wrote:
> >
> > > All -
> > >
> > > I am suddenly getting hammered by a BUNCH of spam that appears to
> > > be
> > > from me. It scores low, and even though I keep feeding it to
> > > Bayes,
> > > it's still not hitting the threshold to be marked as spam.
> > >
> > > When I check the headers, it's coming from multiple random email
> > > servers, but many appear to originate from hotmail/outlook.com.
> > > So
> > > from outlook.com, through some unsecured email server, then to my
> > > server.
> > >
> > > I'm trying to figure out how to block this stuff. Something like
> > > "if
> > > it appears to come from me, but it's not actually coming from my
> > > email server," block it. I don't necessarily think this is a job
> > > for
> > > SA, but if there's a rule I can tweak or a setting I can change,
> > > I'm
> > > all ears.
> > >
> > > Thanks,
> > > Thomas
> > >
> > >
> >
>

--
Robert Senger
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/14/23 6:06 PM, Thomas Cameron wrote:
> I'm trying to figure out how to block this stuff. Something like "if
> it appears to come from me, but it's not actually coming from my
> email server," block it.

SPF with hard fail in your own domain /and/ filtering that respects SPF
hard fail will almost certainly stop this like a switch.

On 7/14/23 7:28 PM, Thomas Cameron wrote:
> But because I use several mailing lists, I do not have a hard fail
> set up. I get SO many notices when I send email to lists that I'm really
> worried about defining hard failures/rejections.

I consider that to be a failure on the mailing list's part.

Mailing lists can't successfully operate like they did 25+ years ago.

> But I'll play around with what you suggested.

+10 for SPF.

+1 for encouraging mailing list operators to get with the times.

You can also do as Robert suggests and use a separate (sub)domain for
mailing lists with different SPF settings thereon.



Grant. . . .
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
> I am suddenly getting hammered by a BUNCH of spam that appears to be from
> me. It scores low, and even though I keep feeding it to Bayes, it's still
> not hitting the threshold to be marked as spam.
>
> When I check the headers, it's coming from multiple random email servers,
> but many appear to originate from hotmail/outlook.com. So from
> outlook.com, through some unsecured email server, then to my server.

SA can't block this trash by itself, but if something post the SA invocation
can look at the headers you might be able to block it. You can certainly
mark it as spam.
For instance:

#
# Ok, catch 'from me' when it isn't

header __FROM_ME_1 From =~ /<me\@myhost\.(?:net|com)>/i
header __FROM_ME_2 From =~ /\"First Last\" <me\@myhost\.net>/
header __FROM_ME_3 From =~ /First Last <me\@myhost\.net>/
meta NOT_FROM_ME __FROM_ME_1 && !(__FROM_ME_2 || __FROM_ME_3)
score NOT_FROM_ME 10
describe NOT_FROM_ME Spammer faking the mail from me!

Mind the backslash on the quotes and at sign. Depending on versions of
things these are necessary, and don't hurt if they are not necessary.
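Dave's meta ("if from me & DKIM-fail/SPF-fail") and Loren's point that something after the SA invocation can look at the headers combine naturally into one check. The following is an added Python example, not Loren's rules or any project's code: it treats a From: in my domain as forged unless my own MTA's Authentication-Results header (RFC 8601) shows SPF or DKIM passing for that domain. The domain `example.com`, the authserv-id `mx.example.com` and the three sample messages are constructed for the example.

```python
"""Post-SpamAssassin check for mail that claims to be 'from me'.

Added example, not Loren's rules or any project's code.  A From: in my
domain is accepted only if my own MTA's Authentication-Results header
(RFC 8601) shows SPF or DKIM passing *for my domain*.  Domain,
authserv-id and the three sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "example.com"      # constructed: the domain being impersonated
MY_MTA_ID = "mx.example.com"   # constructed: authserv-id my own MTA writes


def from_domain(msg):
    """Lower-cased domain of the RFC 5322 From: address ('' if none)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Yield (method, result, props) from Authentication-Results headers
    written by MY_MTA_ID.  Headers carrying any other authserv-id may have
    arrived with the message itself and are ignored."""
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = " ".join(hdr.split())                    # unfold the header
        authserv, _, rest = hdr.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != MY_MTA_ID:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
            if m:
                props = dict(re.findall(r"([\w.]+)=([^\s;()]+)", m.group(3)))
                yield m.group(1).lower(), m.group(2).lower(), props


def authenticated_for_my_domain(msg):
    """True if SPF passed with MY_DOMAIN as the envelope-sender domain, or
    DKIM passed with d=MY_DOMAIN (the DMARC notion of an aligned pass)."""
    for method, result, props in parse_auth_results(msg):
        if result != "pass":
            continue
        if method == "spf":
            mailfrom = props.get("smtp.mailfrom", "").lower()
            if mailfrom.rpartition("@")[2] == MY_DOMAIN:
                return True
        if method == "dkim" and props.get("header.d", "").lower() == MY_DOMAIN:
            return True
    return False


def forged_from_me(msg):
    """The rule from the thread: looks like me, but nothing proves it."""
    return from_domain(msg) == MY_DOMAIN and not authenticated_for_my_domain(msg)


# Constructed samples.  SPOOF is the pattern Thomas describes: From: set to
# my address, handed off through outlook.com, so SPF passes only for that
# envelope domain and there is no DKIM signature from my domain.
LEGIT = message_from_string(
    "Authentication-Results: mx.example.com;\n"
    " spf=pass smtp.mailfrom=me@example.com;\n"
    " dkim=pass header.d=example.com header.s=sel1\n"
    "From: Me <me@example.com>\n\nbody\n")
SPOOF = message_from_string(
    "Authentication-Results: mx.example.com;\n"
    " spf=pass smtp.mailfrom=someone@outlook.com;\n"
    " dkim=none\n"
    "From: Me <me@example.com>\n\nbody\n")
# Relayed by a mailing list without SRS: SPF fails, but the signature I
# put on the message survived, so it is still authenticated as mine.
LIST_COPY = message_from_string(
    "Authentication-Results: mx.example.com;\n"
    " spf=fail smtp.mailfrom=me@example.com;\n"
    " dkim=pass header.d=example.com\n"
    "From: Me <me@example.com>\n\nbody\n")

if __name__ == "__main__":
    for name, m in (("LEGIT", LEGIT), ("SPOOF", SPOOF), ("LIST_COPY", LIST_COPY)):
        print(name, "forged" if forged_from_me(m) else "ok")
```

Unlike the regex-only rules, a message relayed through a list that broke SPF but preserved the DKIM signature is still recognised as mine, which is the case Thomas is worried about.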
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/15/23 2:00 AM, Reindl Harald wrote:
> SPF don't care about the visible From-header

I agree that SPF doesn't (SHOULDN'T) care about the RFC5322.From header.

However my experience has been that the vast majority of messages that
are spoofing the RFC5322.From header are also spoofing the
RFC5321.MailFrom which is squarely in SPF's domain.

Think of it as -- based on my experience -- a VERY STRONG but indirect
correlation.



Grant. . . .
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
I just fixed a problem like this. I checked my headers, and the email
was spf approved from google. I had included google so I could get some
mail forwarded by them back awhile ago, but it's not worth getting this
spam.  Someone has figured a way to use gmail to spam from their
servers, looks like to me.

spf=pass smtp.mailfrom=gmail.com;

I removed google from my spf line, and it's helped.

On 7/14/2023 4:06 PM, Thomas Cameron wrote:
> All -
>
> I am suddenly getting hammered by a BUNCH of spam that appears to be
> from me. It scores low, and even though I keep feeding it to Bayes,
> it's still not hitting the threshold to be marked as spam.
>
> When I check the headers, it's coming from multiple random email
> servers, but many appear to originate from hotmail/outlook.com. So
> from outlook.com, through some unsecured email server, then to my server.
>
> I'm trying to figure out how to block this stuff. Something like "if
> it appears to come from me, but it's not actually coming from my email
> server," block it. I don't necessarily think this is a job for SA, but
> if there's a rule I can tweak or a setting I can change, I'm all ears.
>
> Thanks,
> Thomas
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 16/07/2023 04:44, Cathryn Mataga wrote:

> Someone has figured a way to use gmail to spam from their servers,
> looks like to me.

huh? They have been doing this for YEARS, google don't care because they
get to scan (inspect) all the mail, even in transit, that's not "tinfoil
hat" rubbish either since they long admit it.

it's why anyone who whitelists gmail is a fool (much like those who use
gmail in the first place), we in fact add a positive score for all
google/gmail connections

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore at all times remains confidential and subject to
copyright protected under international law. You may not disseminate
this message without the authors express written authority to do so.
If you are not the intended recipient, please notify the sender then
delete all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
Oh well, this was my own goof then I guess. I run sendmail, and I'm a
programmer, but I don't do email for a living, so I only learn things as
I pick them up slowly.

On 7/15/2023 5:05 PM, Noel Butler wrote:
>
> On 16/07/2023 04:44, Cathryn Mataga wrote:
>
>>   Someone has figured a way to use  gmail to spam from their servers,
>> looks like to me.
>>
> huh? They have been doing this for YEARS, google don't care because
> they get to scan (inspect) all the mail, even in transit, that's not
> "tinfoil hat" rubbish either since they long admit it.
> it's why anyone who whitelists gmail is a fool (much like those who
> use gmail in the first place), we in fact add a positive score for all
> google/gmail connections
> --
>
> Regards,
> Noel Butler
>
> This Email, including attachments, may contain legally privileged
> information, therefore at all times remains confidential and subject
> to copyright protected under international law. You may not
> disseminate this message without the authors express written authority
> to do so.   If you are not the intended recipient, please notify the
> sender then delete all copies of this message including attachments
> immediately. Confidentiality, copyright, and legal privilege are not
> waived or lost by reason of the mistaken delivery of this message.
>
>
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/14/23 20:30, Grant Taylor via users wrote:
> On 7/14/23 6:06 PM, Thomas Cameron wrote:
>> I'm trying to figure out how to block this stuff. Something like "if
>> it appears to come from me, but it's not actually coming from my
>> email server," block it.
>
> SPF with hard fail in your own domain /and/ filtering that respects
> SPF hard fail will almost certainly stop this like a switch.

I'd love to do this, but see below. I get TONS of warnings every time I
send email to lists (even this list) that make me hesitant to do hard fails.

>
> On 7/14/23 7:28 PM, Thomas Cameron wrote:
>> But because I use several mailing lists, I do not have a hard fail
>> set up. I get SO many notices when I send email to lists that I'm
>> really worried about defining hard failures/rejections.
>
> I consider that to be a failure on the mailing list's part.
>
> Mailing lists can't successfully operate like they did 25+ years ago.

I do, as well, but mailing lists are outside of my sphere of influence. I
can't very well dictate to mailing list admins that they change the way
they do things. Even the earlier email I sent to this list generated a
bunch of warning messages. One of many:

<feedback>
<report_metadata>
<org_name>nimitz.pl</org_name>
<email>postmaster@nimitz.pl</email>
<report_id>camerontech.com-1689379200-1689465599@nimitz.pl</report_id>
<date_range>
<begin>1689379200</begin>
<end>1689465599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>camerontech.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>quarantine</p>
<sp>quarantine</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>95.216.194.37</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>camerontech.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>spamassassin.apache.org</domain>
<result>pass</result>
</spf>
<dkim>
<domain>camerontech.com</domain>
<result>pass</result>
</dkim>
</auth_results>
</record>
</feedback>

So it seems like my emails are being quarantined when I send them to
mailing lists, even this one.

>> But I'll play around with what you suggested.
>
> +10 for SPF.
>
> +1 for encouraging mailing list operators to get with the times.
>
> You can also do as Robert suggests and use a separate (sub)domain for
> mailing lists with different SPF settings thereon.

It's not so much mailing list operators I'm worried about. It's that,
when my email goes through a listserv mailing list, if I define hard
failures, I am worried that my email isn't going to get to list members.
That's not the mailing list admin, it's the admins of the list members'
mail servers. If I'm not understanding something, please feel free to
clarify.

Thomas
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/14/23 23:59, Loren Wilton wrote:
>> I am suddenly getting hammered by a BUNCH of spam that appears to be
>> from me. It scores low, and even though I keep feeding it to Bayes,
>> it's still not hitting the threshold to be marked as spam.
>>
>> When I check the headers, it's coming from multiple random email
>> servers, but many appear to originate from hotmail/outlook.com. So
>> from outlook.com, through some unsecured email server, then to my
>> server.
>
> SA can't block this trash by itself, but if something post the SA
> invocation can look at the headers you might be able to block it. You
> can certainly mark it as spam.
> For instance:
>
> #
> # Ok, catch 'from me' when it isn't
>
> header __FROM_ME_1 From =~ /<me\@myhost\.(?:net|com)>/i
> header __FROM_ME_2 From =~ /\"First Last\" <me\@myhost\.net>/
> header __FROM_ME_3 From =~ /First Last <me\@myhost\.net>/
> meta NOT_FROM_ME __FROM_ME_1 && !(__FROM_ME_2 || __FROM_ME_3)
> score NOT_FROM_ME 10
> describe NOT_FROM_ME Spammer faking the mail from me!
>
> Mind the backslash on the quotes and at sign. Depending on versions of
> things these are necessary, and don't hurt if they are not necessary.

Forgive my ignorance, I haven't really played with custom rules before.
Are the entries like /<me\@myhost\.(?:net|com)>/i meant to be edited for my
actual email address and domain, or does "me" and "@myhost" get expanded
somehow? I actually use sendmail for a bunch of domains on my mail
servers, and I want to make sure this will work for all those domains.

I assume this just needs to go in /etc/mail/spamassassin/local.cf,
right? Or do I need to do separate stanzas for each domain?

Thomas
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 20230715 20:20:03, Thomas Cameron wrote:
> On 7/14/23 23:59, Loren Wilton wrote:
>>> I am suddenly getting hammered by a BUNCH of spam that appears to be from
>>> me. It scores low, and even though I keep feeding it to Bayes, it's still
>>> not hitting the threshold to be marked as spam.
>>>
>>> When I check the headers, it's coming from multiple random email servers,
>>> but many appear to originate from hotmail/outlook.com. So from outlook.com,
>>> through some unsecured email server, then to my server.
>>
>> SA can't block this trash by itself, but if something post the SA invocation
>> can look at the headers you might be able to block it. You can certainly mark
>> it as spam.
>> For instance:
>>
>> #
>> # Ok, catch 'from me' when it isn't
>>
>> header __FROM_ME_1 From =~ /<me\@myhost\.(?:net|com)>/i
>> header __FROM_ME_2 From =~ /\"First Last\" <me\@myhost\.net>/
>> header __FROM_ME_3 From =~ /First Last <me\@myhost\.net>/
>> meta NOT_FROM_ME __FROM_ME_1 && !(__FROM_ME_2 || __FROM_ME_3)
>> score NOT_FROM_ME 10
>> describe NOT_FROM_ME Spammer faking the mail from me!
>>
>> Mind the backslash on the quotes and at sign. Depending on versions of things
>> these are necessary, and don't hurt if they are not necessary.
>
> Forgive my ignorance, I haven't really played with custom rules before. Are
> the entries like /<me\@myhost\.(?:net|com)>/i meant to be edited for my actual
> email address and domain, or does "me" and "@myhost" get expanded somehow? I
> actually use sendmail for a bunch of domains on my mail servers, and I want to
> make sure this will work for all those domains.
>
> I assume this just needs to go in /etc/mail/spamassassin/local.cf, right? Or
> do I need to do separate stanzas for each domain?
>
> Thomas


Edit your username for "me", and your hostname plus most of its domain for
"myhost" and probably you can change .net to match your TLD. And "first last" would
be your first name and last name as appears in emails.

I do it basically the same way Loren does. You are creating a rule or rules to
match your legitimate email address. That is the __FROM_ME_n stuff. Then you are
creating a meta rule that looks for email that claims to be from your raw email
address that does not have the correct formats for your outgoing email. If it
has your raw address but lacks your name components it fires off a score of 10.
The oddity at the end of the first rule is something I treat differently but the
concept is the change. Legitimate user accounts at Earthlink all end with .net.
So if it ends in .com it is automatically a dumb spam. My rules are a little
different. But the concept is the same.

{^_^}
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
> I assume this just needs to go in /etc/mail/spamassassin/local.cf, right? Or do I need to do separate stanzas for each domain?

If you want this to work for all users, yes. If you have per-user rules enabled, then it could go in user_prefs for that user.

The rules I posted assumed one sender user@org.xxx, with a known first and last name.

If you have multiple personalities, then you have multiple "me's": user1@org.xxx, user2@org.xxx, and so on, then you probably need to duplicate the rule set for each user. Probably all of the users have different first and last names. I'd probably change the meta rule name from NOT_FROM_ME to NOT_FROM_USER1, NOT_FROM_USER2, etc.

If you have one "me" but multiple accounts for that person, then probably all of the accounts have the same first and last name. In that case things could be simplified a bit.


Does that help or just add to the confusion?
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/15/23 10:04 PM, Thomas Cameron wrote:
> I'd love to do this, but see below. I get TONS of warnings every
> time I send email to lists (even this list) that make me hesitant to
> do hard fails.
I understand and appreciate what you're describing.

> I do, as well, but mailing lists outside of my sphere of influence.
> I can't very well dictate to mailing list admins that they change the
> way they do things. Even the earlier email I sent to this list
> generated a bunch of warning messages. One of many:

You can't dictate. But you can ask.

I'd almost guarantee that you wouldn't be the first bringing this to
their attention.

> It's not so much mailing list operators I'm worried about. It's
> that, when my email goes through a listserv mailing list, if I define
> hard failures, I am worried that my email isn't going to get to list
> members.

Yes, that is a risk.

But ...

> That's not the mailing list admin, it's the admins of the
> list members' mail servers.

... if you stop and think about it, SPF is doing exactly what it's
designed to do. The servers that receive messages from the list are
detecting your domain in the 5322.MailFrom, identifying that the sending
IP isn't authorized, and acting accordingly.

I'd argue that's exactly what is supposed to happen.

So who's doing something wrong? The receiving mail server who's acting
according to your published wishes or the server that is sending
contrary to your published wishes?

> If I'm not understanding something, please feel free to clarify.
Does that help clarify (my opinion)?



Grant. . . .
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On Sat, Jul 15, 2023 at 10:04:18PM -0500, Thomas Cameron wrote:
> <dkim>pass</dkim>
> <spf>fail</spf>
> </policy_evaluated>

So, it fails SPF, but DKIM passes. Meaning, your mail would normally
pass modern servers which check both.

If you do not want to receive such status messages, you should update
your DMARC records (currently _dmarc.camerontech.com indicates you
want to receive BOTH aggregate "rua=" and forensic "ruf=" reports;
and that you want to receive status updates when the message would've
passed normally via "fo=1")

> So it seems like my emails are being quarantined when I send them to mailing
> lists, even this one.

What? No. At least not in this report you shared. You seem to be
confusing "<policy_published>" section (which is just a dump of DNS
which that server sees) with actual "<result>"s leading to final
"<disposition>" of "none" (which is good, as opposed to "reject" or
"quarantine" which would not be).

You probably might want to use some nice frontend for visualizing
DMARC results, if reading XML and SPF/DKIM/DMARC protocol internals
is not second nature for you.
e.g. https://github.com/topics/dmarc-reports

> > +1 for encouraging mailing list operators to get with the times.
> >
> > You can also do as Robert suggests and use a separate (sub)domain for
> > mailing lists with different SPF settings thereon.
>
> It's not so much mailing list operators I'm worried about. It's that, when
> my email goes through a listserv mailing list, if I define hard failures, I
> am worried that my email isn't going to get to list members. That's not the
> mailing list admin, it's the admins of the list members' mail servers. If
> I'm not understanding something, please feel free to clarify.

If the mailing list is employing SRS, mail reaching final recipients
would not be failing SPF checks, as the envelope sender (i.e. SMTP's
"MAIL FROM: <xxxx>") would be rewritten, as the mail is coming from the
mailing list domain and their servers (as it would), not yours.

See https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

Only if the mailing list remailing server leaves original (your)
envelope sender (which it shouldn't be doing, yet often does), would
you get such SPF problems. So, SPF problem is solvable from mailing
list server side, if its admins are willing.

Also, if your mails are signed by DKIM, and mailing list software is
not rewriting signed headers nor body (as it shouldn't, but some
mailing lists try to add annoying text to the bottom of messages like
"to unsubscribe, do xyz", thus breaking both DKIM, S/MIME and PGP
signatures), then your mail should pass DKIM checks too.
So that problem is avoidable on mailing list server side too.

--
Opinions above are GNU-copylefted.
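Matija's point, that the `<policy_published>` block is only a copy of the DNS record while `<policy_evaluated>` and `<disposition>` say what the receiver did, is easy to check mechanically. Below is an added Python example (not code from the thread or from any DMARC tool) that parses the aggregate report Thomas posted, embedded here with its whitespace compacted, and separates the published policy from the aligned results and the raw SPF/DKIM checks.

```python
"""Parse a DMARC aggregate (rua) report and separate the policy the
domain *published* from what the receiver actually *did* with the mail.
Added example, not code from the thread or from any DMARC tool.  The
sample is the report Thomas posted, with its whitespace compacted.
"""
import xml.etree.ElementTree as ET

REPORT = """<feedback>
<report_metadata>
<org_name>nimitz.pl</org_name>
<email>postmaster@nimitz.pl</email>
<report_id>camerontech.com-1689379200-1689465599@nimitz.pl</report_id>
<date_range><begin>1689379200</begin><end>1689465599</end></date_range>
</report_metadata>
<policy_published>
<domain>camerontech.com</domain>
<adkim>r</adkim><aspf>r</aspf>
<p>quarantine</p><sp>quarantine</sp><pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>95.216.194.37</source_ip>
<count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
</row>
<identifiers><header_from>camerontech.com</header_from></identifiers>
<auth_results>
<spf><domain>spamassassin.apache.org</domain><result>pass</result></spf>
<dkim><domain>camerontech.com</domain><result>pass</result></dkim>
</auth_results>
</record>
</feedback>"""


def parse_report(xml_text):
    """Return the reporter, the published policy and one dict per <record>."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    published = {k: pub.findtext(k) for k in ("domain", "p", "sp", "adkim", "aspf", "pct")}
    rows = []
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the *aligned* results the receiver used
            "disposition": ev.findtext("disposition"),
            "dkim_aligned": ev.findtext("dkim") == "pass",
            "spf_aligned": ev.findtext("spf") == "pass",
            # auth_results holds the raw checks; SPF may pass for some other
            # domain (here the list's envelope sender) without aligning
            "spf_raw": (rec.findtext("auth_results/spf/domain"),
                        rec.findtext("auth_results/spf/result")),
            "dkim_raw": (rec.findtext("auth_results/dkim/domain"),
                         rec.findtext("auth_results/dkim/result")),
        })
    return {"reporter": root.findtext("report_metadata/org_name"),
            "published": published, "rows": rows}


def dmarc_pass(row):
    """DMARC passes when either aligned DKIM or aligned SPF passes."""
    return row["dkim_aligned"] or row["spf_aligned"]


def explain(row, published):
    """Plain-language verdict for one row: what happened and why."""
    why = []
    if row["spf_raw"][1] == "pass" and not row["spf_aligned"]:
        why.append("SPF passed for %s but that is not aligned with From %s"
                   % (row["spf_raw"][0], row["header_from"]))
    if row["dkim_aligned"]:
        why.append("aligned DKIM signature from %s survived" % row["dkim_raw"][0])
    verdict = ("DMARC pass" if dmarc_pass(row)
               else "DMARC fail (published p=%s applies)" % published["p"])
    return "%d msg(s) from %s: %s; disposition=%s. %s" % (
        row["count"], row["source_ip"], verdict, row["disposition"], "; ".join(why))


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print("%s saw published p=%s, which applies only on a DMARC fail"
          % (rep["reporter"], rep["published"]["p"]))
    for r in rep["rows"]:
        print(explain(r, rep["published"]))
```

For this report the output shows a DMARC pass with disposition `none`: the list's servers passed SPF for spamassassin.apache.org, which does not align with the From domain, but the camerontech.com DKIM signature survived the relay.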
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On Sat, 2023-07-15 at 22:04 -0500, Thomas Cameron wrote:
>
> On 7/14/23 20:30, Grant Taylor via users wrote:
> > On 7/14/23 6:06 PM, Thomas Cameron wrote:
> > > I'm trying to figure out how to block this stuff. Something like
> > > "if
> > > it appears to come from me, but it's not actually coming from my
> > > email server," block it.
> >
> > SPF with hard fail in your own domain /and/ filtering that respects
> > SPF hard fail will almost certainly stop this like a switch.
>
> I'd love to do this, but see below. I get TONS of warnings every time
> I
> send email to lists (even this list) that make me hesitant to do hard
> fails.
>
Another way to do this is to build either a mail archive or a database
of addresses you've sent mail to and simply add a positive score to mail
from anybody who you've sent mail to: this needs the following bits of
code:

I use PostgreSQL as the database and Postfix as my local MTA, which I
needed anyway to distribute internal mail on my local LAN.

Capturing outgoing mail destination addresses: I added a Postfix BCC
directive that sends a copy of outgoing mail to a local mailbox. Once a
day this mailbox is scanned for destination addresses: any new ones are
added to the database.

Scanning incoming mail: I wrote an SA extension to look up sender
addresses of incoming mail in the 'outbound mail address database' and
an SA rule to trigger it: this adds a negative score to mail containing
any FROM address(es) that I've previously sent mail to. The SA extension
is a Perl module that looks up the sender address on all incoming mail. 

Since the OP is a programmer, this should be easily within his
capabilities: 

- He needs to know some Perl to write the SA extension module (the
O'Reilly Camel book is a well-organised guide to Perl and/or he's
welcome to a copy of my Perl module).
- Almost any database will do for this job (even a flat text file if he
uses awk to update it and awk or grep to search it), though a proper
database such as PostgreSQL or MariaDB would be faster if the sent
address list is large, but he needs to know some fairly basic SQL to
add addresses to it and to do the lookups.


Martin
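The two pieces Martin describes (a daily scan of BCC'd outgoing copies for destination addresses, and a lookup of incoming From addresses against that table) are shown below as an added Python example; it is not Martin's Perl module or SA plugin. It uses sqlite3 in memory, the outgoing mailbox is a constructed list of raw messages, and one guard Martin does not mention is added: addresses in my own domain are never recorded, since otherwise a message I once sent to myself would hand the "spam from me" in this thread the bonus.

```python
"""Outbound-correspondent allowlist, the approach Martin describes.

Added example, not Martin's Perl module or SA plugin.  sqlite3 in memory
stands in for his PostgreSQL table, and OUTBOUND_MBOX is a constructed
stand-in for the mailbox that Postfix's BCC directive fills.  Addresses
in MY_DOMAIN are deliberately never recorded (my addition), so a spoofed
'from me' message cannot earn the bonus.
"""
import sqlite3
from email import message_from_string
from email.utils import getaddresses

MY_DOMAIN = "example.com"    # constructed

# Constructed: copies of my outgoing mail as delivered by the BCC directive
OUTBOUND_MBOX = [
    "From: Me <me@example.com>\nTo: Alice <alice@example.org>\n"
    "Cc: bob@example.net, me@example.com\n\nhi\n",
    "From: Me <me@example.com>\n"
    "To: alice@example.org, Carol <carol@lists.example.org>\n\nhi\n",
]


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE IF NOT EXISTS correspondents "
               "(addr TEXT PRIMARY KEY, first_seen INTEGER)")
    return db


def addresses(msg, *headers):
    """Lower-cased addresses taken from the given headers."""
    pairs = getaddresses(sum((msg.get_all(h, []) for h in headers), []))
    return {a.lower() for _, a in pairs if "@" in a}


def ingest_outbound(db, raw_messages):
    """Martin's daily scan: record every destination address not yet seen.
    Returns how many new addresses were added."""
    added = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        for addr in addresses(msg, "To", "Cc", "Bcc"):
            if addr.rpartition("@")[2] == MY_DOMAIN:
                continue          # never allowlist my own domain
            cur = db.execute(
                "INSERT OR IGNORE INTO correspondents VALUES (?, strftime('%s','now'))",
                (addr,))
            added += cur.rowcount    # 0 when the row already existed
    db.commit()
    return added


def known_correspondent_score(db, raw_incoming, bonus=-3.0):
    """Martin's rule: a negative score if any From address of the incoming
    message is one I have previously written to, otherwise 0."""
    msg = message_from_string(raw_incoming)
    for addr in addresses(msg, "From"):
        if db.execute("SELECT 1 FROM correspondents WHERE addr = ?",
                      (addr,)).fetchone():
            return bonus
    return 0.0


if __name__ == "__main__":
    db = open_db()
    print("new correspondents:", ingest_outbound(db, OUTBOUND_MBOX))
    for sample in ("From: Alice <alice@example.org>\n\nx\n",
                   "From: Me <me@example.com>\n\nx\n"):
        print(sample.splitlines()[0], "->", known_correspondent_score(db, sample))
```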
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/16/23 00:29, Grant Taylor via users wrote:
>>
> Does that help clarify (my opinion)?

It does clarify, but unfortunately, it doesn't alleviate my concerns.

I totally understand why SPF et al. are good ideas. But I swear, I feel
like they introduce darned near as many problems as they "solve."

But that's another rant. Thanks for your explanations.

--
Thomas
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/15/23 23:40, Loren Wilton wrote:
>
> > I assume this just needs to go in /etc/mail/spamassassin/local.cf,
> right? Or do I need to do separate stanzas for each domain?
> If you want this to work for all users, yes. If you have per-user
> rules enabled, then it could go in user_prefs for that user.
> The rules I posted assumed one sender user@org.xxx, with a known first
> and last name.
> If you have multiple personalities, then you have multiple "me's":
> user1@org.xxx, user2@org.xxx, and so on, then you probably need to
> duplicate the rule set for each user. Probably all of the users have
> different first and last names. I'd probably change the meta rule name
> from NOT_FROM_ME to NOT_FROM_USER1, NOT_FROM_USER2, etc.
> If you have one "me" but multiple accounts for that person, then
> probably all of the accounts have the same first and last name. In
> that case things could be simplified a bit.
> Does that help or just add to the confusion?
Thanks, Loren. It helps, I think - but I'm pretty new to using custom
rules, so my understanding may be wrong. Since I use only one email
address, I should probably set this up in local.cf like this:

#
# Ok, catch 'from me' when it isn't

header __FROM_THOMAS_1 From =~ /<thomas\.cameron\@camerontech\.(?:com)>/i
header __FROM_THOMAS_2 From =~ /\"Thomas Cameron\" <thomas\.cameron\@camerontech\.com>/
header __FROM_THOMAS_3 From =~ /Thomas Cameron <thomas\.cameron\@camerontech\.com>/
meta NOT_FROM_THOMAS __FROM_THOMAS_1 && !(__FROM_THOMAS_2 || __FROM_THOMAS_3)
score NOT_FROM_THOMAS 10
describe NOT_FROM_THOMAS Spammer faking the mail from me!

# End of custom rule for Thomas

Then, for my wife and kids, the same thing but with their email
addresses and domains.

Am I correct? Sorry if I'm being dense. I'm just a sysadmin, not a
developer, so I'm not super clear on how macros and expansions work in perl.

--
Thomas
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/16/23 00:41, Matija Nalis wrote:
> On Sat, Jul 15, 2023 at 10:04:18PM -0500, Thomas Cameron wrote:
>> <dkim>pass</dkim>
>> <spf>fail</spf>
>> </policy_evaluated>
> So, it fails SPF, but DKIM passes. Meaning, your mail would pass
> normally modern servers which check both.
>
> If you do not want to receive such status messages, you should update
> your DMARC records (currently _dmarc.camerontech.com indicates you
> want to receive BOTH aggregate "rua=" and forensic "ruf=" reports;
> and that you want to receive status updates when the message would've
> passed normally via "fo=1")

Thanks. I set it up to send me everything it could, to see if I had done
anything wrong. I will amend my DNS records as you suggested.

>> So it seems like my emails are being quarantined when I send them to mailing
>> lists, even this one.
> What? No. At least not in this report you shared. You seem to be
> confusing "<policy_published>" section (which is just a dump of DNS
> which that server sees) with actual "<result>"s leading to final
> "<disposition>" of "none" (which is good, as opposed to "reject" or
> "quarantine" which would not be).

Ah, cool, thanks for the clarification! I saw "quarantined" and thought
my emails were not getting through.

> You probably might want to use some nice frontend to visualizing
> DMARC results, if reading XML and SPF/DKIM/DMARC protocol internals
> is not second nature for you.
> e.g. https://github.com/topics/dmarc-reports

I will definitely check that out, thanks!

>>> +1 for encouraging mailing list operators to get with the times.
>>>
>>> You can also do as Robert suggests and use a separate (sub)domain for
>>> mailing lists with different SPF settings thereon.
>> It's not so much mailing list operators I'm worried about. It's that, when
>> my email goes through a listserv mailing list, if I define hard failures, I
>> am worried that my email isn't going to get to list members. That's not the
>> mailing list admin, it's the admins of the list members' mail servers. If
>> I'm not understanding something, please feel free to clarify.
> If mailing list is employing SRS, mail reaching final recipients
> would not be failing SPF checks, as envelope sender (i.e. SMTP's
> "MAIL FROM: <xxxx>") would be rewritten as the mail is coming from
> mailing list domain and their servers (as it would), not yours.
>
> See https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
>
> Only if the mailing list remailing server leaves original (your)
> envelope sender (which it shouldn't be doing, yet often does), would
> you get such SPF problems. So, SPF problem is solvable from mailing
> list server side, if its admins are willing.
>
> Also, if your mails are signed by DKIM, and mailing list software is
> not rewriting signed headers nor body (as it shouldn't, but some
> mailing lists try to add annoying text to the bottom of messages like
> "to unsubscribe, do xyz", thus breaking both DKIM, S/MIME and PGP
> signatures), then your mail should pass DKIM checks too.
> So that problem is avoidable on mailing list server side too.

Thank you so much, I am reading these articles now! I really appreciate
your not busting my chops for not knowing this.

--
Thomas
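The exchange above turns on reading the report correctly: <policy_published> is a dump of the sender's DMARC DNS record, while each <record>'s <policy_evaluated> holds what the receiver actually did (<disposition>) and the aligned DKIM/SPF verdicts. As an added example, not code from the thread or from any of the DMARC front ends linked above, here is a small parser that keeps those two sections apart and summarises the records. The report XML is constructed for the example (p=quarantine published, one row that passed on DKIM alone, one spoof that failed both); the IPs and the lists.example.net domain are placeholders. Aggregate reports are untrusted input arriving by mail, so in production parse them with defusedxml rather than the stdlib parser used here so the block runs offline.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Record:
    source_ip: str
    count: int
    disposition: str   # what the receiver actually did: none / quarantine / reject
    dmarc_dkim: str    # aligned DKIM verdict under the published policy
    dmarc_spf: str     # aligned SPF verdict under the published policy
    header_from: str
    spf_domain: str    # envelope-sender (MAIL FROM) domain the receiver checked SPF against


def parse_report(xml_text):
    """Split a DMARC aggregate report into the published policy (a dump of the sender's
    DNS) and the per-source records (what happened to the mail)."""
    root = ET.fromstring(xml_text)
    published = {child.tag: (child.text or "").strip()
                 for child in root.find("policy_published")}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        spf_auth = rec.find("auth_results/spf")
        records.append(Record(
            source_ip=row.findtext("source_ip", "").strip(),
            count=int(row.findtext("count", "0")),
            disposition=evaluated.findtext("disposition", "").strip(),
            dmarc_dkim=evaluated.findtext("dkim", "").strip(),
            dmarc_spf=evaluated.findtext("spf", "").strip(),
            header_from=rec.findtext("identifiers/header_from", "").strip(),
            spf_domain=spf_auth.findtext("domain", "").strip() if spf_auth is not None else "",
        ))
    return published, records


def summarize(records):
    """Message counts per disposition, plus how many passed DMARC on DKIM alone (SPF not
    aligned, typical of a list or forwarder), on SPF alone, or failed both."""
    summary = {"by_disposition": {}, "pass_via_dkim_only": 0,
               "pass_via_spf_only": 0, "dmarc_fail": 0}
    for r in records:
        by = summary["by_disposition"]
        by[r.disposition] = by.get(r.disposition, 0) + r.count
        if r.dmarc_dkim == "pass" and r.dmarc_spf != "pass":
            summary["pass_via_dkim_only"] += r.count
        elif r.dmarc_spf == "pass" and r.dmarc_dkim != "pass":
            summary["pass_via_spf_only"] += r.count
        elif r.dmarc_dkim != "pass" and r.dmarc_spf != "pass":
            summary["dmarc_fail"] += r.count
    return summary


# Constructed report, not a real one. Note the list row: raw SPF passed for the list's
# own domain (SRS-style envelope), but the aligned SPF verdict is "fail" because that
# domain is not camerontech.com; DKIM alignment carried the message to disposition none.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id>
    <date_range><begin>1689465600</begin><end>1689552000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>camerontech.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.20</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>camerontech.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>camerontech.com</domain><result>pass</result></dkim>
      <spf><domain>lists.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>7</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>camerontech.com</header_from></identifiers>
    <auth_results>
      <spf><domain>camerontech.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

if __name__ == "__main__":
    published, records = parse_report(SAMPLE_REPORT)
    print("published policy p=", published["p"])
    for r in records:
        print(r)
    print(summarize(records))
```

Run against the constructed report, the published policy says quarantine while the list's row has disposition none and the spoofer's row has disposition quarantine, which is exactly the distinction Matija draws above.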
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/16/23 9:37 AM, Thomas Cameron wrote:
> It does clarify, ...

:-)

> ... but unfortunately, it doesn't alleviate my concerns.

:-/

> I totally understand why SPF et al. are good ideas.

:-)

> But I swear, I feel
> like they introduce darned near as many problems as they "solve."

I question the veracity of that statement.

Specifically is SPF /introducing/ a *new* problem? Or is SPF
/highlighting/ an *existing* problem?

It sounds to me like:
1) you really do want to detect (and prevent) other servers from
sending email w/ an RFC5321.MailFrom address in your domain.
2) you want messages you send to be able to be resent by specific other
servers.

IM(ns)HO #2 is in conflict with, if not diametrically opposed to, #1.

If other servers, like mailing lists, didn't send messages using your
RFC5321.MailFrom address, then this wouldn't be a problem.

Who's really doing the wrong thing here? You specifying you want
stringent email security or someone else pretending to be you?

> But that's another rant. Thanks for your explanations.

Maybe.



Grant. . . .
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
On 7/16/23 12:41 AM, Matija Nalis wrote:
> So, it fails SPF, but DKIM passes. Meaning, your mail would normally
> pass modern servers which check both.

That is predicated on the receiving server(s) not rejecting the message
for SPF failure.

> You probably might want to use some nice frontend to visualizing
> DMARC results, if reading XML and SPF/DKIM/DMARC protocol internals
> is not second nature for you. e.g.
> https://github.com/topics/dmarc-reports

Thank you for sharing the pointer to that front end.

> If mailing list is employing SRS, mail reaching final recipients
> would not be failing SPF checks, as envelope sender (i.e. SMTP's
> "MAIL FROM: <xxxx>") would be rewritten as the mail is coming from
> mailing list domain and their servers (as it would), not yours.
>
> See https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

+1 for SRS (like behavior)

> Only if the mailing list remailing server leaves original (your)
> envelope sender (which it shouldn't be doing, yet often does), would
> you get such SPF problems. So, SPF problem is solvable from mailing
> list server side, if its admins are willing.

I've found that many, if not most, but definitely not all, mailing list
administrators are willing to make changes if they are aware of the
problem, know how to make the change, and have access to make said change.

Sadly, there are a few mailing lists that I'm on that are quite aware of
the problem but have decided to refuse to make the change and are in my
opinion acting like ostriches and sticking their head in the sand.

> Also, if your mails are signed by DKIM, and mailing list software is
> not rewriting signed headers nor body (as it shouldn't, but some
> mailing lists try to add annoying text to the bottom of messages
> like "to unsubscribe, do xyz", thus breaking both DKIM, S/MIME and
> PGP signatures), then your mail should pass DKIM checks too. So that
> problem is avoidable on mailing list server side too.

Yep. Mailing lists and other similar forwarding services are the places
that have the most influence of if things work well or not for the most
people.

Should each and every sending subscriber make changes to their
independent systems? Or should the singular mailing list make changes
in one place and help everybody?

Simple energy conservation seems to indicate changes in fewest places is
better.



Grant. . . .
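Both Matija's explanation and Grant's "+1 for SRS (like behavior)" above come down to one mechanism: the list's MTA replaces the envelope sender with an address in its own domain, so the receiving server's SPF lookup is against the list's domain (which does authorise the list's servers), and bounces still find their way back because the original address is encoded, and authenticated, inside the rewritten local part. As an added example, not code from the thread, from libsrs2 or from any mailing-list package, here is an SRS0 rewrite and reversal laid out the way the SRS specification describes the address (SRS0=hash=timestamp=orig-domain=orig-local@forwarder). The MAC construction (HMAC-SHA1 over the lowercased timestamp, domain and local part, base64, truncated to 4 characters), the 21-day window and the key are assumptions for this example and it makes no claim of wire compatibility with other implementations; lists.example.net is a placeholder.

```python
import base64
import hashlib
import hmac
import time

SRS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # 5 bits per timestamp character
MAX_AGE_DAYS = 21   # assumed: how long a bounce to a rewritten address is accepted
HASH_LEN = 4        # assumed: base64 MAC truncation, as in the SRS layout


def _encode_days(days):
    days %= 1024  # two characters carry 10 bits of "days since epoch"
    return SRS_ALPHABET[(days >> 5) & 31] + SRS_ALPHABET[days & 31]


def _decode_days(ts):
    if len(ts) != 2:
        raise ValueError("bad SRS timestamp")
    ts = ts.upper()
    return (SRS_ALPHABET.index(ts[0]) << 5) | SRS_ALPHABET.index(ts[1])


def _mac(secret, ts, domain, local):
    msg = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode()[:HASH_LEN]


def _today(now_days):
    return int(time.time() // 86400) if now_days is None else now_days


def srs_forward(sender, forwarder_domain, secret, now_days=None):
    """Rewrite sender (local@domain) into an SRS0 address at the forwarder's domain, so the
    receiving MTA evaluates SPF for the forwarder, not for the original domain."""
    local, domain = sender.rsplit("@", 1)
    if local.startswith("SRS0="):
        raise ValueError("already rewritten; SRS1 chaining is outside this example")
    ts = _encode_days(_today(now_days))
    return f"SRS0={_mac(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, now_days=None):
    """Recover the original sender from an SRS0 address (to route a bounce back).
    Raises ValueError if the MAC does not verify or the timestamp is outside the window,
    which is what stops the forwarder being used as an open bounce relay."""
    local, _ = address.rsplit("@", 1)
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    _, mac, ts, domain, orig_local = local.split("=", 4)
    if not hmac.compare_digest(mac, _mac(secret, ts, domain, orig_local)):
        raise ValueError("SRS hash mismatch (forged or foreign bounce)")
    if (_today(now_days) - _decode_days(ts)) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"


def is_valid_srs(address, secret, now_days=None):
    try:
        srs_reverse(address, secret, now_days)
        return True
    except ValueError:
        return False


def envelope_domain(address):
    """The domain an SPF check on MAIL FROM is made against."""
    return address.rsplit("@", 1)[1]


if __name__ == "__main__":
    key = b"constructed-list-secret"   # assumed per-forwarder secret
    rewritten = srs_forward("thomas.cameron@camerontech.com", "lists.example.net", key)
    print(rewritten)
    print("SPF is now checked for:", envelope_domain(rewritten))
    print("bounce goes back to:", srs_reverse(rewritten, key))
```

The forward direction is the part a list operator needs; the reverse direction with MAC and age checks is what keeps the scheme from turning the list server into something anyone can bounce arbitrary mail through.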
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
> Am I correct? Sorry if I'm being dense. I'm just a sysadmin, not a developer, so I'm not super clear on how macros and expansions work in perl.

You have the concepts right. I'd try the rules you posted and see if they seem to be producing correct results. You can run a spam through SA with the -t switch and see which rules hit, and hopefully the NOT_FROM_ rule will hit. Send yourself a test mail and see that it doesn't hit. If that all works it is time to add the rules for the family. If it doesn't work, look at how the From header is formatted in the mail you sent to yourself.

Loren
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
> header __FROM_THOMAS_1 From =~ /<thomas\.cameron\@camerontech\.(?:com)>/i

You can simplify this. The parenthesized grouping was only necessary when there was more than one possible string, in my case .com and .net. Since you only have .com you can remove the (?: and ) and make the regex a little more efficient:

> header __FROM_THOMAS_1 From =~ /<thomas\.cameron\@camerontech\.com>/i
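Loren's advice is to run samples through `spamassassin -t` and then look at how the From header is actually formatted. The same check can be done outside SA: as an added example (not code from the thread), the three header regexes as posted, Loren's simplified __FROM_THOMAS_1 plus Thomas's __FROM_THOMAS_2 and __FROM_THOMAS_3, are ported verbatim to Python's re and the meta expression is applied to a set of constructed From: values. The sample headers and the sample message are made up for the example; none are taken from the thread.

```python
import email
import re

# The three sub-rules from the thread, ported verbatim. Only __FROM_THOMAS_1 carries
# the /i flag in the posted rules; Perl's \@ is a plain @ in a Python raw string.
HEADER_RULES = {
    "__FROM_THOMAS_1": re.compile(r"<thomas\.cameron@camerontech\.com>", re.IGNORECASE),
    "__FROM_THOMAS_2": re.compile(r'"Thomas Cameron" <thomas\.cameron@camerontech\.com>'),
    "__FROM_THOMAS_3": re.compile(r"Thomas Cameron <thomas\.cameron@camerontech\.com>"),
}


def header_hits(from_header):
    """Names of the __FROM_THOMAS_* sub-rules whose regex matches the From: value."""
    return {name for name, rx in HEADER_RULES.items() if rx.search(from_header)}


def not_from_thomas(from_header):
    """Emulates: meta NOT_FROM_THOMAS __FROM_THOMAS_1 && !(__FROM_THOMAS_2 || __FROM_THOMAS_3)"""
    hits = header_hits(from_header)
    return "__FROM_THOMAS_1" in hits and not ({"__FROM_THOMAS_2", "__FROM_THOMAS_3"} & hits)


def from_header_of(raw_message):
    """The From: value a 'header From' rule is tested against, lifted from a raw RFC 5322 message."""
    return email.message_from_string(raw_message).get("From", "")


# Constructed From: values covering the cases worth checking before trusting a score of 10.
SAMPLE_FROM_HEADERS = {
    "legit, quoted display name":  '"Thomas Cameron" <thomas.cameron@camerontech.com>',
    "legit, bare display name":    'Thomas Cameron <thomas.cameron@camerontech.com>',
    "spoof, other display name":   '"Account Security" <thomas.cameron@camerontech.com>',
    "spoof, address as name":      '"thomas.cameron@camerontech.com" <thomas.cameron@camerontech.com>',
    "no angle brackets":           'thomas.cameron@camerontech.com',
    "legit name, mixed-case addr": 'Thomas Cameron <Thomas.Cameron@CameronTech.com>',
}

# A constructed spoofed message, to show the header being taken from a whole message.
SPOOFED_MESSAGE = """\
From: "Account Security" <thomas.cameron@camerontech.com>
To: thomas.cameron@camerontech.com
Subject: constructed sample

body
"""


def evaluate_samples():
    """Map each sample label to (sorted sub-rules hit, NOT_FROM_THOMAS fires?)."""
    return {label: (sorted(header_hits(h)), not_from_thomas(h))
            for label, h in SAMPLE_FROM_HEADERS.items()}


if __name__ == "__main__":
    for label, (hits, fires) in evaluate_samples().items():
        print(f"{label:28} hits={hits} NOT_FROM_THOMAS={fires}")
    print("spoofed message:", not_from_thomas(from_header_of(SPOOFED_MESSAGE)))
```

Two of the results are the kind of thing the -t run is meant to surface: a From: with the bare address and no angle brackets matches none of the sub-rules, so the meta stays silent on it; and a legitimate-looking From: whose address differs only in case matches __FROM_THOMAS_1 (case-insensitive) but neither of the case-sensitive display-name rules, so it scores 10. Whether either matters depends on what your own MUA and the spam actually put in the header, which is why checking a sent-to-yourself message first is the right order.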
Re: Sudden surge in spam appearing to come from my email address [ In reply to ]
Loren Wilton wrote on 2023-07-17 00:29:
>> header __FROM_THOMAS_1 From =~
> /<thomas\.cameron\@camerontech\.(?:com)>/i
>
> You can simplify this. The parenthesized grouping was only necessary
> when there was more than one possible string, in my case .com and
> .net. Since you only have .com you can remove the (?: and ) and make
> the regex a little more efficient:
>
> > header __FROM_THOMAS_1 From =~
> /<thomas\.cameron\@camerontech\.com>/i

back to basics:

why accept local envelope SENDER domains on port 25?

it's safe to reject them

it's not a question of SPF or stupid SRS rewrites

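Benny's point is an MTA-level check rather than a SpamAssassin rule: on the inbound port 25 listener, a MAIL FROM in one of your own domains from a host that is not one of your relays has no business being accepted. As an added example (not Benny's code or anything from the thread), here is that decision written in the shape of a Postfix policy service of the kind `check_policy_service` in `smtpd_sender_restrictions` consults. It assumes the service is attached only to the port 25 smtpd (your own users authenticate on the submission port and are passed through on `sasl_username`), that LOCAL_DOMAINS and TRUSTED_NETS are your real data, and that any third party allowed to send as your domain, the same hosts your SPF record lists, is in TRUSTED_NETS; the requests are constructed. For a static list the same effect is available without a daemon by placing `permit_mynetworks` and `permit_sasl_authenticated` before a `check_sender_access` map that rejects your domains.

```python
import ipaddress

# Assumed site data: domains this MTA is authoritative for, and the networks allowed to
# hand it mail with one of those domains as envelope sender on port 25.
LOCAL_DOMAINS = {"camerontech.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_policy_request(blob):
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in blob.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def envelope_sender_domain(sender):
    # The null sender "<>" arrives as an empty string; it carries bounces and must pass.
    return sender.rsplit("@", 1)[1].lower() if "@" in sender else ""


def policy_action(attrs):
    """DUNNO lets later restrictions decide. REJECT only for a local envelope-sender
    domain offered by an unauthenticated client outside the trusted networks."""
    sender = attrs.get("sender", "")
    if envelope_sender_domain(sender) not in LOCAL_DOMAINS:
        return "DUNNO"
    if attrs.get("sasl_username"):
        return "DUNNO"   # an authenticated user of ours is expected to send as us
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DEFER_IF_PERMIT policy service could not parse client address"
    if any(client in net for net in TRUSTED_NETS):
        return "DUNNO"
    return f"REJECT {sender} is a local sender domain but {client} is not one of our relays"


def policy_response(blob):
    """Full wire response for one request: the action line followed by an empty line."""
    return f"action={policy_action(parse_policy_request(blob))}\n\n"


# Constructed requests shaped like what Postfix sends a policy daemon.
SPOOFED_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=thomas.cameron@camerontech.com\nrecipient=thomas.cameron@camerontech.com\n"
    "client_address=203.0.113.5\nsasl_username=\n\n"
)
RELAY_REQUEST = SPOOFED_REQUEST.replace("203.0.113.5", "192.0.2.10")
BOUNCE_REQUEST = SPOOFED_REQUEST.replace("sender=thomas.cameron@camerontech.com", "sender=")
AUTH_REQUEST = SPOOFED_REQUEST.replace("sasl_username=", "sasl_username=thomas")
FOREIGN_REQUEST = SPOOFED_REQUEST.replace(
    "sender=thomas.cameron@camerontech.com", "sender=someone@example.org")

if __name__ == "__main__":
    for name, req in [("spoof", SPOOFED_REQUEST), ("own relay", RELAY_REQUEST),
                      ("bounce", BOUNCE_REQUEST), ("authenticated", AUTH_REQUEST),
                      ("foreign domain", FOREIGN_REQUEST)]:
        print(f"{name:15} {policy_response(req).strip()}")
```

The bounce and authenticated cases are the ones that break when this is done carelessly: rejecting the null sender loses legitimate bounce traffic, and rejecting your own authenticated users locks them out, so both are answered DUNNO before the network check runs.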