[sorry off-topic, ignore if uninterested in dmarc/dkim/mail filters] On 2024/07/17 22:14, mark.yagnatinsky at barclays.com wrote:> I don't know enough about DMARC to make any sense of what you just said... actually wait, maybe I get it. > You're saying that email sent that I send to the list will land in your inbox with my address in the From header. > But the recipient mail system will think to itself > "this message couldn't possibly have come from Mark, because a cursory inspection of the routing history clearly shows it came from mindrot.org" > And then it will conclude "thus, clearly, the sender is lying about being Mark, and is trying to impersonate him. I can safely drop this message". > Is that about right?barclays.com has a DNS record setup that says all mail from this domain should be authenticated, the "p=reject" in here: $ dig _dmarc.barclays.com txt +short "v=DMARC1; p=reject; fo=1; rua=mailto:dmarc_rua at emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf at emaildefense.proofpoint.com" This auth can either be by IP address of sending server (SPF) which is not going to work for mailing list messages, or by valid DKIM signature. The mail admins can choose what is covered by the DKIM signature. In the case of barclays.com there are various headers (which I think make it through the mailing list untouched) but also the body, which does not; a footer with the list URL is added. So the mail as sent via the list fails DMARC authentication. Most spam filters assign scores for various characteristics of emails that might indicate that a message is either unwanted or wanted. Usually missing or failed DMARC auth gives a medium "this may be junk" score whereas various signs indicating that it was sent via a mailing list reduce the score. Some mail filters treat certain domains specially and add a much higher score if they fail DMARC auth checks. (For rspamd this adds a "BLACKLIST_DMARC" score and the list includes various domains relating to ing, barclays, hsbc, paypal, chase, westpac, etc, as well as various other well known companies). So, sending from a barclays.com address you'll be more likely to have messages you send via a mailing list accidentally marked as junk than someone using a less "high value" domain.> -----Original Message----- > From: Stuart Henderson <stu at spacehopper.org> > Sent: Wednesday, July 17, 2024 5:56 PM > To: Yagnatinsky, Mark : IT (NYK) <mark.yagnatinsky at barclays.com> > Cc: openssh-unix-dev at mindrot.org > Subject: Re: scattered thoughts on connection sharing > > > CAUTION: This email originated from outside our organisation - stu at spacehopper.org Do not click on links, open attachments, or respond unless you recognize the sender and can validate the content is safe. > On 2024/07/17 11:39, mark.yagnatinsky at barclays.com wrote: > > Thanks for replying! And noted, re: patience... will do. > > Note that this mailing list doesn't rewrite sender addresses, so it is likely to result in email failing DMARC checks. > > In many places spam filters don't give a high enough spam score for DMARC failure to treat the mail as spam without additional signs, but for certain higher risk domains (for example, banks...) that scoring is often bumped up. > > As a result, for many readers, your emails to this list are likely to have been either rejected or dropped into a spam folder at the recipient's end. > > This message is for information purposes only. It is not a recommendation, advice, offer or solicitation to buy or sell a product or service, nor an official confirmation of any transaction. It is directed at persons who are professionals and is intended for the recipient(s) only. It is not directed at retail customers. This message is subject to the terms at: https://www.ib.barclays/disclosures/web-and-email-disclaimer.html. > > For important disclosures, please see: https://www.ib.barclays/disclosures/sales-and-trading-disclaimer.html regarding marketing commentary from Barclays Sales and/or Trading desks, who are active market participants; https://www.ib.barclays/disclosures/barclays-global-markets-disclosures.html regarding our standard terms for Barclays Investment Bank where we trade with you in principal-to-principal wholesale markets transactions; and in respect to Barclays Research, including disclosures relating to specific issuers, see: https://publicresearch.barclays.com. > __________________________________________________________________________________ > If you are incorporated or operating in Australia, read these important disclosures: https://www.ib.barclays/disclosures/important-disclosures-asia-pacific.html. > __________________________________________________________________________________ > For more details about how we use personal information, see our privacy notice: https://www.ib.barclays/disclosures/personal-information-use.html. > __________________________________________________________________________________
mark.yagnatinsky at barclays.com
2024-Jul-18 11:57 UTC
[OT] Re: scattered thoughts on connection sharing
Thanks, that actually made sense! -----Original Message----- From: Stuart Henderson <stu at spacehopper.org> Sent: Thursday, July 18, 2024 5:10 AM To: Yagnatinsky, Mark : IT (NYK) <mark.yagnatinsky at barclays.com> Cc: openssh-unix-dev at mindrot.org Subject: [OT] Re: scattered thoughts on connection sharing CAUTION: This email originated from outside our organisation - stu at spacehopper.org Do not click on links, open attachments, or respond unless you recognize the sender and can validate the content is safe. [sorry off-topic, ignore if uninterested in dmarc/dkim/mail filters] On 2024/07/17 22:14, mark.yagnatinsky at barclays.com wrote:> I don't know enough about DMARC to make any sense of what you just said... actually wait, maybe I get it. > You're saying that email sent that I send to the list will land in your inbox with my address in the From header. > But the recipient mail system will think to itself "this message > couldn't possibly have come from Mark, because a cursory inspection of the routing history clearly shows it came from mindrot.org" > And then it will conclude "thus, clearly, the sender is lying about being Mark, and is trying to impersonate him. I can safely drop this message". > Is that about right?barclays.com has a DNS record setup that says all mail from this domain should be authenticated, the "p=reject" in here: $ dig _dmarc.barclays.com txt +short "v=DMARC1; p=reject; fo=1; rua=mailto:dmarc_rua at emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf at emaildefense.proofpoint.com" This auth can either be by IP address of sending server (SPF) which is not going to work for mailing list messages, or by valid DKIM signature. The mail admins can choose what is covered by the DKIM signature. In the case of barclays.com there are various headers (which I think make it through the mailing list untouched) but also the body, which does not; a footer with the list URL is added. So the mail as sent via the list fails DMARC authentication. Most spam filters assign scores for various characteristics of emails that might indicate that a message is either unwanted or wanted. Usually missing or failed DMARC auth gives a medium "this may be junk" score whereas various signs indicating that it was sent via a mailing list reduce the score. Some mail filters treat certain domains specially and add a much higher score if they fail DMARC auth checks. (For rspamd this adds a "BLACKLIST_DMARC" score and the list includes various domains relating to ing, barclays, hsbc, paypal, chase, westpac, etc, as well as various other well known companies). So, sending from a barclays.com address you'll be more likely to have messages you send via a mailing list accidentally marked as junk than someone using a less "high value" domain.> -----Original Message----- > From: Stuart Henderson <stu at spacehopper.org> > Sent: Wednesday, July 17, 2024 5:56 PM > To: Yagnatinsky, Mark : IT (NYK) <mark.yagnatinsky at barclays.com> > Cc: openssh-unix-dev at mindrot.org > Subject: Re: scattered thoughts on connection sharing > > > CAUTION: This email originated from outside our organisation - stu at spacehopper.org Do not click on links, open attachments, or respond unless you recognize the sender and can validate the content is safe. > On 2024/07/17 11:39, mark.yagnatinsky at barclays.com wrote: > > Thanks for replying! And noted, re: patience... will do. > > Note that this mailing list doesn't rewrite sender addresses, so it is likely to result in email failing DMARC checks. > > In many places spam filters don't give a high enough spam score for DMARC failure to treat the mail as spam without additional signs, but for certain higher risk domains (for example, banks...) that scoring is often bumped up. > > As a result, for many readers, your emails to this list are likely to have been either rejected or dropped into a spam folder at the recipient's end. > > This message is for information purposes only. It is not a recommendation, advice, offer or solicitation to buy or sell a product or service, nor an official confirmation of any transaction. It is directed at persons who are professionals and is intended for the recipient(s) only. It is not directed at retail customers. This message is subject to the terms at: https://clicktime.symantec.com/15sifMjJMtQTfGdzL3fNs?h=lVMob4LbX78vTrS9haoGqX80229s1NplMtBzRGFBQvw=&u=https://www.ib.barclays/disclosures/web-and-email-disclaimer.html. > > For important disclosures, please see: https://clicktime.symantec.com/15siaXY1uGisFKp4nVGEF?h=9hv53QPuipqrukD0PNigGsVkIIyOQUOUj_v7NbjFnGk=&u=https://www.ib.barclays/disclosures/sales-and-trading-disclaimer.html regarding marketing commentary from Barclays Sales and/or Trading desks, who are active market participants; https://clicktime.symantec.com/15siL2xAXRg61VLJ9p4nP?h=iqTbMsOk6RpPOS4A9BnRjjLtkuB_iVFzZ7aW01d25ds=&u=https://www.ib.barclays/disclosures/barclays-global-markets-disclosures.html regarding our standard terms for Barclays Investment Bank where we trade with you in principal-to-principal wholesale markets transactions; and in respect to Barclays Research, including disclosures relating to specific issuers, see: https://clicktime.symantec.com/15siFCkt4ozVbYWNcFfdm?h=p7veXIGrMml0EjqDuYWnBVlY1Z2q2JlpQ-LKsqEkJ34=&u=https://publicresearch.barclays.com. > ______________________________________________________________________ > ____________ If you are incorporated or operating in Australia, read > these important disclosures: https://clicktime.symantec.com/15siQs9Sz3MgRSADhNTw1?h=S2hP8eOjwnsnnOuwV0ZC0_X6q-I2Rn3_OYvdznCaXtw=&u=https://www.ib.barclays/disclosures/important-disclosures-asia-pacific.html. > ______________________________________________________________________ > ____________ For more details about how we use personal information, > see our privacy notice: https://clicktime.symantec.com/15siVhLjSf3GqNz9Evs5d?h=LDDK__xnmlUy3ko_fX8tfEuTbFfCKJq4ZKG_lpj2BUc=&u=https://www.ib.barclays/disclosures/personal-information-use.html. > ______________________________________________________________________ > ____________This message is for information purposes only. It is not a recommendation, advice, offer or solicitation to buy or sell a product or service, nor an official confirmation of any transaction. It is directed at persons who are professionals and is intended for the recipient(s) only. It is not directed at retail customers. This message is subject to the terms at: https://www.ib.barclays/disclosures/web-and-email-disclaimer.html. For important disclosures, please see: https://www.ib.barclays/disclosures/sales-and-trading-disclaimer.html regarding marketing commentary from Barclays Sales and/or Trading desks, who are active market participants; https://www.ib.barclays/disclosures/barclays-global-markets-disclosures.html regarding our standard terms for Barclays Investment Bank where we trade with you in principal-to-principal wholesale markets transactions; and in respect to Barclays Research, including disclosures relating to specific issuers, see: https://publicresearch.barclays.com. __________________________________________________________________________________ If you are incorporated or operating in Australia, read these important disclosures: https://www.ib.barclays/disclosures/important-disclosures-asia-pacific.html. __________________________________________________________________________________ For more details about how we use personal information, see our privacy notice: https://www.ib.barclays/disclosures/personal-information-use.html. __________________________________________________________________________________
James Ralston
2024-Jul-20 20:30 UTC
openssh-unix-dev DMARC-related settings (was Re: scattered thoughts on connection sharing)
On Thu, Jul 18, 2024 at 5:14?AM Stuart Henderson <stu at spacehopper.org> wrote:> The mail admins can choose what is covered by the DKIM signature. > In the case of barclays.com there are various headers (which I think > make it through the mailing list untouched) but also the body, which > does not; a footer with the list URL is added.The real issue here is that the Mailman configuration for the openssh-unix-dev list does not appear to set `dmarc_moderation_action` (in `Privacy options` - `Sender filters`) to either `Munge From` or `Wrap Message`, which is necessary for lists where either of the following is true: 1. The list accepts posts from senders whose domain applies DMARC policy (`p=reject` or `p=quarantine`) but only implements SPF, not DKIM. (Resending a message through a mailing list will always invalidate SPF unless SRS (1) is used, and almost no one bothers with SRS.) 2. The list accepts posts from senders whose domain applies DMARC policy (`p=reject` or `p=quarantine`), and the list is configured to modify messages sent to the list (add a Subject: header tag, add a footer, et. al.). (Modifying messages will invalid the DKIM signature.) When affected senders (either group #1 or group #2) post to the list, all list subscribers whose MTAs apply/obey DMARC policy will take the action the sender?s domain?s DMARC policy declares (reject outright, or quarantine / flag as spam). Damien, is there any possibility of updating the Mailman `dmarc_moderation_action` setting (2)? DMARC isn?t going anywhere; the big mail providers are either already requiring it to some degree (3), or have said they will start requiring it soon. (1) https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme (2) https://wiki.list.org/DEV/DMARC (3) https://support.google.com/a/answer/81126