On 06/17/2018 09:11 AM, Alice Wonder via CentOS wrote:
> On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:
>> I'm pretty sure I messed up attributions, so am deleting them.
>>
>>>> I believe this is a DMARC issue. Yahoo, among other places, has set
>>>> their dmarc records to p=reject:
>>
>>>> So, if your mail hosting provider enforces dmarc,(gmail does) and you
>>>> get mail from a list that doesn't rewrite the headers, and people
>>>> from places like yahoo post to the list, you'll likely get some form
>>>> of warning about being kicked off the mailing list every now
>>>> and then. The frequency depends on how often people from p=reject
>>>> places post, and what the settings are for bounce handling of the
>>>> mailing list in question.
>>
>>> This is indeed what happened. An email from yahoo.com.uk caused gmail
>>> to reject all the mails sent by that user because of the yahoo DMARC
>>> settings.
>>
>> Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
>> caused every gmail user to have his account disabled.
>>
>> I'd heard of the DMARC thing with mailing lists before,
>> but had not known it enabled single e-mails of mass destruction.
>
> I run dmarc on my mail server but only in report mode, it doesn't reject.
>
> I did it as a test (for years) and am fully convinced that dmarc is
> worthless for real world protection.
>
> Numerous mail lists out there are configured in such a way that dmarc
> gets triggered and that just isn't going to change.
>
> It's a neat idea but it's not backwards compatible with the way SMTP
> already works.
>
> I can not recommend its use. I do recommend mail server software update
> if possible to be compatible but I just can not recommend mail servers
> enforce dmarc.
>
> DKIM is a good thing, but dmarc breaks things too badly.
>
> Even DKIM though is of limited usefulness - it seems the spammer
> blacklists don't really care. Even with proper DKIM signature on a
> domain with correct reverse DNS set up for years, they will still add
> you to the spam blacklist if any other host on your subnet is identified
> as a spammer.
>
> So even the blacklists don't really utilize this anti-spam anti-spoof
> technology, which makes it kind of worthless.
>
> Using DKIM as one of several factors in spamassassin though is possibly
> helpful, though most spammers these days have a validating DKIM sig.
>
> _______________________________________________

Let me put it this way - in the several years of running dmarc in report only mode, over 99% of reported violations are false positives from mail lists.

That high of a false positive rate tells me it is broken technology.

On 06/17/2018 11:13 AM, Alice Wonder via CentOS wrote:
> On 06/17/2018 09:11 AM, Alice Wonder via CentOS wrote:
>> On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:
>>> I'm pretty sure I messed up attributions, so am deleting them.
>>>
>>>>> I believe this is a DMARC issue. Yahoo, among other places, has set
>>>>> their dmarc records to p=reject:
>>>
>>>>> So, if your mail hosting provider enforces dmarc,(gmail does) and you
>>>>> get mail from a list that doesn't rewrite the headers, and people
>>>>> from places like yahoo post to the list, you'll likely get some form
>>>>> of warning about being kicked off the mailing list every now
>>>>> and then. The frequency depends on how often people from p=reject
>>>>> places post, and what the settings are for bounce handling of the
>>>>> mailing list in question.
>>>
>>>> This is indeed what happened. An email from yahoo.com.uk caused gmail
>>>> to reject all the mails sent by that user because of the yahoo DMARC
>>>> settings.
>>>
>>> Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
>>> caused every gmail user to have his account disabled.
>>>
>>> I'd heard of the DMARC thing with mailing lists before,
>>> but had not known it enabled single e-mails of mass destruction.
>>
>> I run dmarc on my mail server but only in report mode, it doesn't reject.
>>
>> I did it as a test (for years) and am fully convinced that dmarc is
>> worthless for real world protection.
>>
>> Numerous mail lists out there are configured in such a way that dmarc
>> gets triggered and that just isn't going to change.
>>
>> It's a neat idea but it's not backwards compatible with the way SMTP
>> already works.
>>
>> I can not recommend its use. I do recommend mail server software update
>> if possible to be compatible but I just can not recommend mail servers
>> enforce dmarc.
>>
>> DKIM is a good thing, but dmarc breaks things too badly.
>>
>> Even DKIM though is of limited usefulness - it seems the spammer
>> blacklists don't really care. Even with proper DKIM signature on a
>> domain with correct reverse DNS set up for years, they will still add
>> you to the spam blacklist if any other host on your subnet is identified
>> as a spammer.
>>
>> So even the blacklists don't really utilize this anti-spam anti-spoof
>> technology, which makes it kind of worthless.
>>
>> Using DKIM as one of several factors in spamassassin though is possibly
>> helpful, though most spammers these days have a validating DKIM sig.
>>
>> _______________________________________________
>
>
> Let me put it this way - in the several years of running dmarc in report
> only mode, over 99% of reported violations are false positives from mail
> lists.
>
> That high of a false positive rate tells me it is broken technology.

I agree with you .. unfortunately, gmail does not. They have enabled it for gmail users .. so if someone from yahoo sends a mail from a yahoo address, it gets rejected by gmail accounts. The list setting wrt dmarc doesn't matter .. it is totally gmail enabling it.

What our settings do is NOT send the From (as the original sender), if the sender is on a domain where dmarc is enabled, so that gmail does not reject it.

If it is rejected by gmail .. it causes (eventually) .. not the sender's, but the recipient's account on gmail to be disabled by the mailing list as non-existent.

What the change that Brian and I tried to make, and Fabian finally fixed :D (thanks Fabian), is to fix that only from domains that enable dmarc (ie, yahoo.* ) so that domains who turn on dmarc as enforcing (ie gmail) do not cause rejects of those emails.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20180618/4ffa86ce/attachment-0001.sig>

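The list behaviour described in the message above (replace the original From only when the sender's domain publishes an enforcing DMARC policy), sketched as an added example that is not part of the original thread and not the CentOS list's own configuration or code. The DMARC records are constructed sample data standing in for DNS TXT lookups, and the list address and function names are hypothetical.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed sample data: stands in for DNS TXT lookups of _dmarc.<domain>.
SAMPLE_DMARC_TXT = {
    "yahoo.example": "v=DMARC1; p=reject; pct=100; rua=mailto:agg@yahoo.example",
    "report-only.example": "v=DMARC1; p=none; rua=mailto:agg@report-only.example",
}
LIST_ADDR = "discuss@lists.example"  # hypothetical list posting address


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return {} if it is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def sender_policy(from_header, records=SAMPLE_DMARC_TXT):
    """Return the policy (none/quarantine/reject) published for the From domain.

    Simplification: exact-domain lookup only; a real DMARC lookup also falls
    back to the organizational domain when the subdomain has no record.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return parse_dmarc(records.get(domain, "")).get("p", "none").lower()


def munge_for_list(msg, records=SAMPLE_DMARC_TXT):
    """Rewrite From only when the author's domain asks receivers to enforce DMARC.

    A list that adds a footer or subject tag breaks the author's DKIM signature,
    and relaying from the list's hosts breaks SPF alignment with the author's
    domain, so an enforcing receiver rejects the copy unless From is the list's.
    """
    original = str(msg["From"])
    if sender_policy(original, records) not in ("reject", "quarantine"):
        return False  # p=none or no record: leave the author's From alone
    name, addr = parseaddr(original)
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via Discuss", LIST_ADDR))
    if "Reply-To" not in msg:
        msg["Reply-To"] = original  # keep a way to answer the author directly
    return True
```
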
On Mon, June 18, 2018 7:10 am, Johnny Hughes wrote:
> On 06/17/2018 11:13 AM, Alice Wonder via CentOS wrote:
>> On 06/17/2018 09:11 AM, Alice Wonder via CentOS wrote:
>>> On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:
>>>> I'm pretty sure I messed up attributions, so am deleting them.
>>>>
>>>>>> I believe this is a DMARC issue. Yahoo, among other places, has set
>>>>>> their dmarc records to p=reject:
>>>>
>>>>>> So, if your mail hosting provider enforces dmarc,(gmail does) and
>>>>>> you
>>>>>> get mail from a list that doesn't rewrite the headers, and people
>>>>>> from places like yahoo post to the list, you'll likely get some form
>>>>>> of warning about being kicked off the mailing list every now
>>>>>> and then. The frequency depends on how often people from p=reject
>>>>>> places post, and what the settings are for bounce handling of the
>>>>>> mailing list in question.
>>>>
>>>>> This is indeed what happened. An email from yahoo.com.uk caused
>>>>> gmail
>>>>> to reject all the mails sent by that user because of the yahoo DMARC
>>>>> settings.
>>>>
>>>> Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
>>>> caused every gmail user to have his account disabled.
>>>>
>>>> I'd heard of the DMARC thing with mailing lists before,
>>>> but had not known it enabled single e-mails of mass destruction.
>>>
>>> I run dmarc on my mail server but only in report mode, it doesn't
>>> reject.
>>>
>>> I did it as a test (for years) and am fully convinced that dmarc is
>>> worthless for real world protection.
>>>
>>> Numerous mail lists out there are configured in such a way that dmarc
>>> gets triggered and that just isn't going to change.
>>>
>>> It's a neat idea but it's not backwards compatible with the way SMTP
>>> already works.
>>>
>>> I can not recommend its use. I do recommend mail server software update
>>> if possible to be compatible but I just can not recommend mail servers
>>> enforce dmarc.
>>>
>>> DKIM is a good thing, but dmarc breaks things too badly.
>>>
>>> Even DKIM though is of limited usefulness - it seems the spammer
>>> blacklists don't really care. Even with proper DKIM signature on a
>>> domain with correct reverse DNS set up for years, they will still add
>>> you to the spam blacklist if any other host on your subnet is
>>> identified
>>> as a spammer.
>>>
>>> So even the blacklists don't really utilize this anti-spam anti-spoof
>>> technology, which makes it kind of worthless.
>>>
>>> Using DKIM as one of several factors in spamassassin though is possibly
>>> helpful, though most spammers these days have a validating DKIM sig.
>>>
>>> _______________________________________________
>>
>>
>> Let me put it this way - in the several years of running dmarc in report
>> only mode, over 99% of reported violations are false positives from mail
>> lists.
>>
>> That high of a false positive rate tells me it is broken technology.

Fully agree.

>
> I agree with you .. unfortunately, gmail does not. They have enabled it
> for gmail users .. so if someone from yahoo sends a mail from a yahoo
> address, it gets rejected by gmail accounts. The list setting wrt dmarc
> doesn't matter .. it is totally gmail enabling it.
>
> What our settings do is NOT send the From (as the original sender), if
> the sender is on a domain where dmarc is enabled, so that gmail does not
> reject it.
>
> If it is rejected by gmail .. it causes (eventually) .. not the sender's,
> but the recipient's account on gmail to be disabled by the mailing list
> as non-existent.

I'm surprised no one arrived at conclusion: don't use gmail then.

Valeri

>
> What the change that Brian and I tried to make, and Fabian finally fixed
> :D (thanks Fabian), is to fix that only from domains that enable dmarc
> (ie, yahoo.* ) so that domains who turn on dmarc as enforcing (ie gmail)
> do not cause rejects of those emails.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++