On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:

> fixing mailman will be the fail, solve it by letting opendkim and
> opendmarc not reject detected maillist will be solution,

A general broad mailing list whitelist will be problematic, to work it needs to look for specific list type hidden headers, spammers and nasties will incorporate those headers into their trash that impersonates mailing lists and voila, they pass.

there is no quick and easy fix to the dmarc mess other than p=none aspf=s

(DKIM is another one that gets narky at lists, and despite all the spf haters dreams, I've never had a problem with spf and lists, and we were an early beta adopter of spf)

--
Kind Regards,
Noel Butler

This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the author's express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message. Only PDF [1] and ODF [2] documents accepted, please do not send proprietary formatted documents

Links:
------
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument
Michael A. Peters
2019-Feb-10 23:46 UTC
offtopic: rant about thoughtless enabling DMARC checks
On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:

> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>
>> fixing mailman will be the fail, solve it by letting opendkim and
>> opendmarc not reject detected maillist will be solution,
>
> A general broad mailing list whitelist will be problematic, to work it
> needs to look for specific list type hidden headers, spammers and
> nasties will incorporate those headers into their trash that
> impersonates mailing lists and voila, they pass.

However the majority of spammers do not spam with a properly configured Reverse DNS - so detect the list header and skip DMARC if list headers are present AND Reverse DNS matched the HELO/EHLO
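The check proposed in the message above (skip DMARC only when list headers are present AND reverse DNS matches the HELO/EHLO), as an added example that is not part of the original post and is not opendmarc code. The function names, action strings, hostnames, addresses and sample messages are constructed, and the forward-confirmation step is an assumption that goes beyond what the post asks for.

```python
# Added example, not from the thread. Hostnames, IPs and messages are constructed.
from email import message_from_string

LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")  # RFC 2919 / RFC 2369

LIST_MAIL = (
    "From: alice@example.com\n"
    "List-Id: <users.lists.example.org>\n"
    "Subject: [users] hello\n\nbody\n"
)
DIRECT_MAIL = "From: alice@example.com\nSubject: hello\n\nbody\n"


def has_list_headers(raw_message):
    msg = message_from_string(raw_message)
    return any(msg.get(h) for h in LIST_HEADERS)


def norm(name):
    return name.rstrip(".").lower()


def rdns_matches_helo(client_ip, helo, ptr_names, forward_addrs):
    """ptr_names: PTR answers for client_ip; forward_addrs: A/AAAA answers
    for the HELO name. Passed in by the caller so the logic runs offline."""
    if norm(helo) not in {norm(p) for p in ptr_names}:
        return False
    # Assumption beyond the post: also require the HELO name to resolve
    # back to the connecting address (forward-confirmed reverse DNS).
    return client_ip in forward_addrs


def dmarc_action(raw_message, dmarc_result, client_ip, helo, ptr_names, forward_addrs):
    if dmarc_result == "pass":
        return "accept"
    if has_list_headers(raw_message) and rdns_matches_helo(
        client_ip, helo, ptr_names, forward_addrs
    ):
        return "skip-dmarc"      # list traffic from a host with matching rDNS
    return "enforce-policy"      # apply the From: domain's published policy


if __name__ == "__main__":
    print(dmarc_action(LIST_MAIL, "fail", "192.0.2.10", "lists.example.org",
                       ["lists.example.org."], ["192.0.2.10"]))
```

A message carrying list headers from a host with no matching PTR record falls through to the sender domain's policy. A host with correctly configured reverse DNS still reaches the skip branch, which is the objection raised elsewhere in this thread.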
Michael A. Peters
2019-Feb-10 23:48 UTC
offtopic: rant about thoughtless enabling DMARC checks
On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:

> On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
>> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>>
>>> fixing mailman will be the fail, solve it by letting opendkim and
>>> opendmarc not reject detected maillist will be solution,
>>
>> A general broad mailing list whitelist will be problematic, to work it
>> needs to look for specific list type hidden headers, spammers and
>> nasties will incorporate those headers into their trash that
>> impersonates mailing lists and voila, they pass.
>
> However the majority of spammers do not spam with a properly configured
> Reverse DNS - so detect the list header and skip DMARC if list headers
> are present AND Reverse DNS matched the HELO/EHLO

Also, DMARC isn't really anti-spam technology, it's anti-spoof technology. Rather than fake mail list headers, spammers will just use domains w/o a DMARC policy. Much easier.

Noel Butler
offtopic: rant about thoughtless enabling DMARC checks
On 11/02/2019 09:46, Michael A. Peters via dovecot wrote:

> However the majority of spammers do not spam with a properly configured
> Reverse DNS - so detect the list header and skip DMARC if list headers
> are present AND Reverse DNS matched the HELO/EHLO

A hell of a lot do, though (this is pretty average percentages here)

    Accepted                           70.07%
    Rejected                           29.93%
    -----------------
    Total                             100.00%
    ============

    5xx Reject relay denied             4.27%
    5xx Reject unknown user             7.93%
    5xx Reject sender address           7.32%
    5xx Reject unknown client host     52.44%
    5xx Reject RBL                      3.66%
    5xx Reject milter                  24.39%
    ========================
    Total 5xx Rejects                 100.00%

unknown client host was as high as 95% up till about 10 years ago, so they are slowly learning.

--
Kind Regards,
Noel Butler