Re: Sudden surge in spam appearing to come from my email address
Thomas Cameron skrev den 2023-07-15 01:06:
> All -
>
> I am suddenly getting hammered by a BUNCH of spam that appears to be
> from me.

and what tells you it's not you ? :)

> It scores low, and even though I keep feeding it to Bayes,
> it's still not hitting the threshold to be marked as spam.

let's say spammers know spamassassin ?

> When I check the headers, it's coming from multiple random email
> servers, but many appear to originate from hotmail/outlook.com. So
> from outlook.com, through some unsecured email server, then to my
> server.

forged senders is normal with freemail domains servers, google and all
friends abuse spf limits of none, as one just say +all or very big ip in
good ips pr domain, abuse of spf includes as it will help spammers do
more innocent things, that you want to see, it have no ends at all

> I'm trying to figure out how to block this stuff. Something like "if
> it appears to come from me,

define me first ?

> but it's not actually coming from my email
> server,"

for me it's unclear in what way with that statement

> block it. I don't necessarily think this is a job for SA, but
> if there's a rule I can tweak or a setting I can change, I'm all ears.

define local recipient first, this list is as well deny list for local
senders to reject on port 25

is there more help needed ?

if it's header from: just don't do any more than dkim check it
Re: Sudden surge in spam appearing to come from my email address
On Sun, Jul 16, 2023 at 01:37:39PM +0100, Martin Gregorie wrote:
> Another way to do this is to build either a mail archive or a database
> of addresses you've sent mail to and simply add a positive score to mail
> from anybody who you've sent mail to: this needs the following bits of
> code:

So, something like AWL and TxRep SpamAssassin plugins do?

--
Opinions above are GNU-copylefted.
Re: Sudden surge in spam appearing to come from my email address
Matija Nalis skrev den 2023-07-17 06:13:
> On Sun, Jul 16, 2023 at 01:37:39PM +0100, Martin Gregorie wrote:
>> Another way to do this is to build either a mail archive or a database
>> of addresses you've sent mail to and simply add a positive score to
>> mail
>> from anybody who you've sent mail to: this needs the following bits of
>> code:
>
> So, something like AWL and TxRep SpamAssassin plugins do?

in amavisd use penpal, job done
Re: Sudden surge in spam appearing to come from my email address
Noel Butler skrev den 2023-07-16 02:05:

> it's why anyone who whitelists gmail is a fool (much like those who
> use gmail in the first place), we in fact add a positive score for all
> google/gmail connections

you still have bigger signature than google/gmail on public maillists
Re: Sudden surge in spam appearing to come from my email address
On 7/16/23 17:57, Benny Pedersen wrote:
> back to basic:
>
> why accept local envelope SENDER domains on port 25 ?
>
> it's safe to reject them
>
> it's not a question on spf or stupid srs rewrites

That's actually a great point. So you're saying to tell sendmail to
reject emails purporting to come from me if they come from another mail
server?

Got a pointer to documentation on how to do that? I'm all ears.

Thomas
Re: Sudden surge in spam appearing to come from my email address
>On 7/16/23 17:57, Benny Pedersen wrote:
>>back to basic:
>>
>>why accept local envelope SENDER domains on port 25 ?
>>
>>it's safe to reject them
>>
>>it's not a question on spf or stupid srs rewrites

On 17.07.23 10:54, Thomas Cameron wrote:
>That's actually a great point. So you're saying to tell sendmail to
>reject emails purporting to come from me if they come from another
>mail server?
>
>Got a pointer to documentation on how to do that? I'm all ears.

when I used sendmail, I set up access file that rejected From:fantomas.sk
but my local IP address was allowed from using it, "Connect:127.0.0.1 OK"

just define access database for sendmail

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
Re: Sudden surge in spam appearing to come from my email address
On 7/17/23 11:03, Reindl Harald wrote:
>
> -----------------
>
> for rejecting spoofed envelopes nothing easier than that
>
> you need to have a full list of addresses you receive mail anyways, so
> any message with one of those addresses without authentication can be
> safely rejected
>
> main.cf smtpd_recipient_restrictions:
> check_sender_access proxy:hash:/etc/postfix/spoofing_protection.cf
>
> [root@mail-gw:/etc/postfix]$ head spoofing_protection.cf
> yourlocaladdress1 REJECT Sender Spoofed
> yourlocaladdress2 REJECT Sender Spoofed
> ..............

Many thanks. I'll figure out how to do this with sendmail, since that's
what I use (yeah, I'm old).

Thomas
Re: Sudden surge in spam appearing to come from my email address
Thomas Cameron skrev den 2023-07-17 17:54:
> On 7/16/23 17:57, Benny Pedersen wrote:
>> back to basic:
>>
>> why accept local envelope SENDER domains on port 25 ?
>>
>> it's safe to reject them
>>
>> it's not a question on spf or stupid srs rewrites
>
> That's actually a great point. So you're saying to tell sendmail to
> reject emails purporting to come from me if they come from another
> mail server?
>
> Got a pointer to documentation on how to do that? I'm all ears.

sorry using postfix here, but same can be done with sendmail, i just
don't know how :)

in postfix i have postgresql data for virtual_mailbox_maps so it knows
which mail to accept

if this is used to check forged senders in port 25 you can safely reject
these forged senders

remember to use virtual_alias_maps as well so it does not accept anything
local on port 25 as envelope sender, should be rejected if it's known
local recipient

this is same as just use spf, but in postfix it's done without using spf,
if spf have include: it is unsafe to reject based on spf

with postfix maps its safe

sorry no guides from me, if you can change from sendmail to postfix
please do, so there will be more help to solve it
Re: Sudden surge in spam appearing to come from my email address
On 7/16/23 5:57 PM, Benny Pedersen wrote:
> why accept local envelope SENDER domains on port 25 ?

Do you subscribe to any mailing lists that don't rewrite the sender?
Thus your mail server would receive messages that you sent to the
mailing list as your SENDING domain on port 25 inbound from the world.

That's just the first example of why this -- let's go with -- workaround
-- I'm being polite -- will work most, but not all of the time.

This starts to become a problem when you have multiple servers working
cooperatively and communicating over port 25. -- I remember tell of
having email cascade through multiple Exchange servers for various
questionable reasons.

> it's safe to reject them

I would not bet on it.



Grant. . . .
Re: Sudden surge in spam appearing to come from my email address
On 7/17/23 4:29 PM, Reindl Harald wrote:
> no single mailing-list on this planet does this - period

Can we agree to disagree?

Maybe no /contemporary/ mailing list. But there have been -- and I
contend still are -- LOTS of mailing lists that did / do this very thing.

.forward does this.
Alias expansion does this.
Mailman 2.x used to do this by default.

I've seen multiple mailing lists state that they will unsubscribe people
if they send email from a domain with strict SPF settings because they
refuse to deal with altering the RFC5321.MailFrom envelope address.

You only need to look as far as mailing lists getting tripped by SPF.

If the mailing lists weren't re-using the RFC5321.MailFrom from the
incoming message in the message that they send out, there wouldn't be a
problem. Yet there have been many GB of email written about this very
problem.

> DMARC/DKIM are problematic for mailing-lists but
> envelope-sender/spf/spoofing-protecting is a no-brainer

I take it that you are in favor of the mailing list sending outgoing
messages using an RFC5321.MailFrom envelope sender that is different
than the incoming message's RFC5321.MailFrom envelope sender.

Before VERP and SPF it was very common for mailing lists to send
outgoing messages with the same RFC5321.MailFrom as the incoming message
had.

> it's time to understand the difference between from-header and
> envelope-sender or for the sake of god stop operating public mailservers
> at all

Yet there are people that don't know the difference.



Grant. . . .
Re: Sudden surge in spam appearing to come from my email address
On 7/17/23 4:49 PM, Reindl Harald wrote:
>> Alias expansion does this
>
> is not a mailing list

What definition are you using for a mailing list?

Do you consider Majordomo to be a mailing list?

Because as far as I'm concerned, alias expansion in the MTA is where
mailing lists originated.

> in the real world i was subscribed the past 15-20 years to at least 30
> mailing-lists

That's all?

I still have email for more than 200 different mailing lists that I've
been subscribed to over the last 20 years.

> * not a single one used the senders envelope - period

I've seen way too many use the sender's envelope. Thankfully it's not
nearly as common in the last decade as it was before.

> * we have 2023 - period

> * you can't send to gmail if you don't have SPF - period

I've had SPF for much longer than Gmail wanted it or DKIM.

But it is my understanding that you can send to Gmail with just DKIM.

I hope that we can agree that simply having an SPF record isn't
necessarily the same as using SPF; "ip4:0/0" and / or "+all" isn't
really having SPF.

> and yes i get sick and tired from customers don't hosting mail on our
> servers with complaints of rejected mails to gmail users quoting the
> following:
>
> host gmail-smtp-in.l.google.com[74.125.133.26] said:
> 550-5.7.26 This mail is unauthenticated, which poses a security risk to the
> 550-5.7.26 sender and Gmail users, and has been blocked. The sender must
> 550-5.7.26 authenticate with at least one of SPF or DKIM. For this message,
> 550-5.7.26 DKIM checks did not pass and SPF check for

There you go; "at least one of SPF or DKIM". So by Google's own
message, you can send to them without SPF /if/ you have DKIM.

> in the past 15 years?
> name them!

I don't remember the exact mailing lists, it was 5-10 years ago. They
have since changed.

It was multiple lists with an organization that I think should have
known better. The IETF comes to mind.



Grant. . . .
Re: Sudden surge in spam appearing to come from my email address
Grant Taylor via users skrev den 2023-07-17 23:25:
> On 7/16/23 5:57 PM, Benny Pedersen wrote:
>> why accept local envelope SENDER domains on port 25 ?
>
> Do you subscribe to any mailing lists that don't rewrite the sender?

what ?

Return-Path: <users-return-126962-me=junc.eu@spamassassin.apache.org>

i receive verp return path which i don't unverp here, this would be my
mistake if i did this

> Thus your mail server would receive messages that you sent to the
> mailing list as your SENDING domain on port 25 inbound from the world.

provide an example on this please

i just protect forged senders if its my domain, learn to live with it

> That's just the first example of why this -- let's go with --
> workaround -- I'm being polite -- will work most, but not all of the
> time.

first example on not agree ?

ask your own mailhoster if they do verp or not

> This starts to become a problem when you have multiple servers working
> cooperatively and communicating over port 25. -- I remember tell of
> having email cascade through multiple Exchange servers for various
> questionable reasons.
>
>> it's safe to reject them
> I would not bet on it.

your own problem to solve
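
The sender-spoofing rule argued over in this thread (the `check_sender_access` map, the `Connect:127.0.0.1 OK` exemption, and the objection about forwarders that keep the original envelope sender) can be modelled as below. This is an added example, not code from any poster: the `example.org` addresses, the client IPs and the `check_mail_from` helper are constructed for illustration, and only the VERP Return-Path is taken from the message above.

```python
import ipaddress

# Constructed values (assumptions, not from the thread): our own addresses
# and the networks allowed to use them without authenticating.
LOCAL_SENDERS = {"thomas@example.org", "lists@example.org"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]


def check_mail_from(client_ip, mail_from, authenticated=False):
    """Decide what an inbound port-25 listener does with one MAIL FROM.

    An envelope sender that is one of our own addresses is acceptable only
    from a trusted client or an authenticated session. The From: header is
    never consulted; this is purely an envelope check.
    """
    sender = mail_from.strip("<>").lower()
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in TRUSTED_NETS):
        return "OK"
    if sender in LOCAL_SENDERS:
        return "REJECT Sender Spoofed"
    return "DUNNO"  # not our address: left to later checks (SPF, SA, ...)


# Constructed SMTP transactions: (description, client IP, MAIL FROM, auth)
SAMPLES = [
    ("spoofed from outside", "203.0.113.7", "<thomas@example.org>", False),
    ("local submission", "127.0.0.1", "<thomas@example.org>", False),
    ("authenticated user", "198.51.100.20", "<thomas@example.org>", True),
    # VERP envelope: the sender is the list's bounce address, not a subscriber
    ("list with VERP", "192.0.2.10",
     "<users-return-126962-me=junc.eu@spamassassin.apache.org>", False),
    # .forward, alias expansion or a list that keeps the original envelope
    # sender: a legitimate message that this rule rejects
    ("forwarder keeping envelope", "192.0.2.25", "<thomas@example.org>", False),
]


def run_samples():
    return {name: check_mail_from(ip, frm, auth)
            for name, ip, frm, auth in SAMPLES}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28} -> {verdict}")
```

The first and last samples are indistinguishable at the envelope level, which is the whole disagreement: the rule is only as safe as the absence of envelope-preserving forwarders among your correspondents.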
Re: Sudden surge in spam appearing to come from my email address
On 17/07/2023 20:00, Benny Pedersen wrote:

> Noel Butler skrev den 2023-07-16 02:05:
>
>> it's why anyone who whitelists gmail is a fool (much like those who
>> use gmail in the first place), we in fact add a positive score for all
>> google/gmail connections
>
> you still have bigger signature than google/gmail on public maillists

and I'm supposed to care because why, did you forget to take your meds
again Benny...

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore at all times remains confidential and subject to
copyright protected under international law. You may not disseminate
this message without the authors express written authority to do so.
If you are not the intended recipient, please notify the sender then
delete all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
Re: Sudden surge in spam appearing to come from my email address
On 7/17/23 6:07 PM, Reindl Harald wrote:
> because we have 2023 and in the last decade everybody with a brain was
> using spf and sender-spoofing-rejection for envelopes

I wish that was the case.

There was a recommendation on mailop less than a week ago that people
only set up SPF records to appease Google and the person recommending
this actively discouraged doing any filtering on SPF.

IMHO there are too many people not utilizing SPF /
sender-spoofing-rejection for envelopes.

> we can agree that fools are doing foolish things

Can we agree that Google states that DKIM is sufficient to send email to
them?

> and? this idiotic nitpicking leads nowhere and in the real world SPF is
> way easier to setup and maintain

I've seen too many people nay saying / lamenting / poo pooing SPF.
People on mailing lists like mailop / and various IETF mailing lists.

In the last month, of 2023, I've seen multiple people suggest:
- that SPF should not be done
- that you should publish a record but not filter on SPF
- to publish questionable / soft SPF records; "~all" / "?all", or
$DEITY forbid "+all"
- ignore the result of the SPF test and filter on something else

> but that's not the topic
>
> the topic is you pretend mailing lists are using subscribers
> envelope-from in 2023

I'm not pretending. I have seen mailing lists in the last year send
messages using subscribers email address in the RFC5321.MailFrom
envelope address. - I don't have any examples handy.

> oh - they have been changed - guess why!

I know why the ones that have changed have done so. But there are still
a small number that haven't yet changed.

> the topic is you pretend mailing lists are using subscribers
> envelope-from in 2023

Believe me or don't. I still see a small number of mailing lists
sending messages with subscribers addresses as the RFC5321.MailFrom in 2023.

These types of messages will be filtered by the recommendation to reject
any local recipient address as the RFC5321.MailFrom envelope address
mentioned earlier in thread.

> for a mail you send today it's irrelevant what was state of play in 2010

I'm talking about 2023, not 2010.

I don't remember which thread on which mailing list, but within the last
week I saw multiple people saying that services doing forwarding should
not rewrite sender addresses and that it was the downstream recipient's
system's fault for rejecting the message for -- what they considered to
be -- silly things like SPF failure.

Yes, it is 2023 and yes there are people / mailing lists / MTAs /
organizations trying -- and largely failing -- to re-send messages using
the inbound RFC5321.MailFrom envelope address.

I say this so that people can make an informed decision. Despite all
the recommendations to the contrary, people still run with scissors in
hand and run at the pool. Very bad ideas still happen.



Grant. . . .
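
The distinction drawn in this thread between publishing an SPF record and publishing one that a receiver can filter on (`+all`, `ip4:0/0`, `~all`, `?all`) can be checked mechanically. The following is an added example, not from any poster in the thread; the sample records, the `audit_spf` helper and the /8 width threshold are assumptions made for illustration.

```python
# Result of the "all" mechanism by qualifier (RFC 7208 result names).
ALL_RESULT = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}
BROAD_IP4_PREFIX = 8  # assumption: a prefix shorter than /8 is too wide


def audit_spf(record):
    """Return findings for one SPF TXT record; an empty list means none."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not-spf"]
    findings, saw_all, saw_redirect = [], False, False
    for term in terms[1:]:
        if term.startswith("redirect="):
            saw_redirect = True
            continue
        # A mechanism with no qualifier behaves as "+" (pass).
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all":
            saw_all = True
            if qual != "-":
                findings.append(f"all-{ALL_RESULT[qual]}")
        elif mech.startswith("ip4:") and qual == "+" and "/" in mech:
            prefix = mech.rsplit("/", 1)[1]
            if prefix.isdigit() and int(prefix) < BROAD_IP4_PREFIX:
                findings.append(f"broad-{mech}")
    if not saw_all and not saw_redirect:
        findings.append("no-all")  # unmatched senders evaluate to neutral
    return findings


# Constructed records; no real domain's policy is represented here.
SAMPLES = {
    "strict": "v=spf1 ip4:192.0.2.0/24 -all",
    "plus-all": "v=spf1 +all",
    "whole-internet": "v=spf1 ip4:0/0 -all",
    "softfail": "v=spf1 include:_spf.example.net ~all",
    "neutral": "v=spf1 mx ?all",
    "bare-all": "v=spf1 all",
    "open-ended": "v=spf1 mx",
}


def audit_samples():
    return {name: audit_spf(rec) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in audit_samples().items():
        print(f"{name:15} {found or 'no findings'}")
```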
