[Techtalk] Opinions/Experiences Needed: Mailing list bouncing problem

Sarah Newman newmans at sonic.net
Sun Aug 2 23:16:30 UTC 2015


Looking at http://wiki.list.org/DEV/DMARC I think my preference is for the 'from_is_list' option with munging. I dislike selective rewriting because
that makes searches or filters more likely to be wrong.

For the behavior with reply-to, my email client (Thunderbird) has a 'Reply to List'. I think, but am not certain, that 'Reply to List' uses the
List-Post header. Mailman already sets the List-Post header.

If 'reply to list' is available, I see no reason why reply-to couldn't go to only the original sender. Unfortunately I don't know how many email
clients have the 'reply to list' option. Anybody know?

On 08/01/2015 02:59 PM, Terry wrote:
> Hi folks,
> 
> LinuxChix had an issue earlier this week with the Newchix mailing list
> where over 200 members had their subscriptions disabled due to bounces.
>  We re-enabled everyone's subscription and tracked down the problem.
> Unfortunately, it wasn't a glitch in our system.  We violated Yahoo's
> DMARC policy because we use the poster's address in the From: header.  To
> mitigate the problem, we've changed the bounce processing options for
> our mailing lists until a solution can be implemented.
> 
> To keep this message as brief as possible, this is not a technical
> discussion of DMARC, DKIM or SPF but rather a discussion on the
> practical impact on LinuxChix's mailing lists and members when a domain
> has a DMARC policy of reject.
> 
> Yahoo's policy: See https://help.yahoo.com/kb/SLN24016.html.
> "In 2014 Yahoo updated the DMARC record with "p=reject" for the
> "yahoo.com" domain.  This means all DMARC compliant mail receivers
> (including Yahoo, Hotmail, and Gmail) are now bouncing emails sent as
> "@yahoo.com" addresses that aren't sent through Yahoo servers. Any
> messages without a proper Domain Keys Identified Mail (DKIM) signature
> or Sender Policy Framework (SPF) alignment will be rejected."
> 
> Yahoo is not the only mail provider to implement a DMARC
> reject/quarantine policy nor is it the only one with DMARC compliant
> mailservers.  At least 49 domains on LinuxChix mailing lists are DMARC
> compliant. As best we can tell, *this affects at least 65.5% (1,555) of
> our members*.
> 
> The bottom line is that DMARC breaks mailing list software, including
> Mailman.  See this post:
> http://www.circleid.com/posts/20140408_yahoo_addresses_a_security_problem_by_breaking_every_mailing_list/
> 
> We're not the first list this has happened to. See
> http://www.gossamer-threads.com/lists/nanog/users/175053 for an
> enlightening discussion on the NANOG list. There's been a huge amount of
> debate about this. If you want hours of reading fun, search for "DMARC
> and Mailman".  The purpose of this email is not to reignite the debate
> but to:
> 
> 1. Ask for your opinions on how LinuxChix should handle this because it
> will affect our members, and
> 2. Solicit any experiences you may have had on other mailing lists in
> relation to the DMARC issue.
> 
> The problem for LinuxChix is three-fold:
> - legitimate mail isn't getting through,
> - the bounces are disabling members' subscriptions, and
> - we risk getting blacklisted due to "excessive bouncing therefore we're
> spamming" or "you're a spammer because you keep showing up in our held
> messages/junk folder".
> 
> Mailman has been patched for DMARC compliance, offering two methods. One
> is called "from_is_list" and implements DMARC compliance for *all* posts
> with two options:
> 
> - Rewrite the From: header with the poster's name 'via the list' and the
> list's address and merge the poster's address into Reply-To:
> or
> - Wrap the message as a message/rfc822 sub-part in a MIME format outer
> message with From: and Reply-To: as above.
> 
> Mailman does not recommend "from_is_list" because, as best as I can
> figure out, while all messages become DMARC compliant, you then break
> RFCs and you should break RFCs only when there is no other choice.
> 
> The second, "dmarc_moderation_action", *selectively* acts on poster
> domains with a DMARC policy of reject or quarantine.  It has five options:
> 
> - the two above
> - accept
> - reject
> - discard
> 
> The LinuxChix sysadmins and coordinators are now considering how to
> handle this.  Each method and each option has practical effects for our
> members.
> 
> Accept - This, in effect, changes nothing as this is what we're doing
> now.  Mail from members with Yahoo, et al, addresses will still be
> bounced by any DMARC compliant receiving server (Gmail, Yahoo, Hotmail,
> etc).  Our list admins will need to deal with all the bounces and
> re-enabling of subscriptions, unless we turn off bounce processing.  In
> short, it does nothing to solve the problem and increases the burden on
> the sysadmins and mailing list admins.
> 
> Reject - Reject messages from a poster with a DMARC policy of
> reject/quarantine with an explanation as to why.  This would affect
> 10.57% (251) of our members.
> 
> Discard - Drops any message from a poster with a DMARC policy of
> reject/quarantine.  Same as rejecting, 10.57% (251) of our members, only
> they'd have no clue.
> 
> Munging/Wrapping - Both of these options impact all members because both
> change the Reply-To and From headers.  If done selectively, only
> messages from domains with policies of reject/quarantine will be
> changed.  The message From: header would be "abc via techtalk
> <techtalk at linuxchix.org>".  Reply-To would be abc at yahoo.com AND
> techtalk at linuxchix.org.
> 
> Currently, the poster's address is in the From: header and utilizing the
> Reply-To function in your mail client will result in the message being
> directed to the original poster.  If we munge or wrap, the Reply-To will
> now go to the poster AND the list.
> 
> *This is a significant deviation from how our lists currently work.*  We
> assume a private reply unless Reply-To-All or Reply-To-List is used.
> This could result in someone replying to the list inadvertently when the
> reply was meant to be private.
> See http://archive.linuxchix.org/reply-policy.html.
> 
> *Depending on how you filter (if you do) LinuxChix messages, this would
> require changes/additions to your current filters.*
> 
> Opinions/comments/experiences of how other lists handled this are welcome.
> 
> I've been reading this stuff for 4 days straight now and my brain hurts.
>  Apologies if it's less than clear.
> 
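
Added example, not part of the original post and not Mailman's code: a Python sketch of the From: munging the thread describes, with a relaxed DMARC alignment check before and after. The sample message, the `RELAY_AUTH` list (it assumes only the list's own domain passes SPF/DKIM after relaying) and all function names are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_aligned(msg, authenticated_domains):
    """Relaxed alignment: the From: domain shares an organizational domain
    with some domain that passed SPF or DKIM at the receiver."""
    from_dom = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    return any(org_domain(d) == org_domain(from_dom) for d in authenticated_domains)

def munge_from(msg, list_name, list_addr, reply_to_list=True):
    """Rewrite From: to 'poster via list <list address>' and put the poster
    in Reply-To:. reply_to_list=False keeps replies private to the poster."""
    name, poster = parseaddr(str(msg["From"]))
    display = f"{name or poster.partition('@')[0]} via {list_name}"
    reply_to = [poster] + ([list_addr] if reply_to_list else [])
    del msg["From"]       # EmailMessage refuses a second From: header
    del msg["Reply-To"]   # no-op when the header is absent
    msg["From"] = formataddr((display, list_addr))
    msg["Reply-To"] = ", ".join(reply_to)
    return msg

def sample_post():
    # Constructed sample post from a member whose domain publishes p=reject.
    msg = EmailMessage()
    msg["From"] = "abc <abc@yahoo.com>"
    msg["To"] = "techtalk@linuxchix.org"
    msg["Subject"] = "[Techtalk] constructed sample"
    msg["List-Post"] = "<mailto:techtalk@linuxchix.org>"
    msg.set_content("hello")
    return msg

# Assumption: after the list relays the post, only the list's domain authenticates.
RELAY_AUTH = ["linuxchix.org"]

if __name__ == "__main__":
    post = sample_post()
    print("aligned before munging:", dmarc_aligned(post, RELAY_AUTH))
    munged = munge_from(post, "techtalk", "techtalk@linuxchix.org")
    print("From:", munged["From"])
    print("Reply-To:", munged["Reply-To"])
    print("aligned after munging:", dmarc_aligned(munged, RELAY_AUTH))
```

The List-Post header is left untouched by the rewrite, so a client's 'Reply to List' function keeps working whichever Reply-To variant is chosen.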



