Taking a stroll through my spam folder, I saw a bunch of legitimate messages from people and companies with their own domains, that are not publishing DMARC and SPF records. Surely everyone (and by everyone I mean Google) is rejecting their mail? How do they not realize this?
Then I noticed that one of them was received *from* gmail, so their mail probably works fine so long as they only mail gmail users. But another was via Yahoo, so that doesn't track.
https://jwz.org/b/ykk8
@jwz The stats we collect for the #SpamAssassin project (mass-scan results from participating sites) have long shown that spammers are more consistent at making SPF, DKIM, and DMARC correct than are legitimate senders. DMARC in particular has no discernible benefit for most senders, so it is a useless signal.
Rejecting mail based solely on authentication failures of those deeply flawed authentication methods does more harm than good.
@grumpybozo Wow, that's amazing. Great job everybody! So glad we spent so much time implementing all of that crap!
@jwz @grumpybozo maybe we should give hashcash, the proof-of-work idea that spawned that bastard child bitcoin, another look.
@ghard @jwz We (the #SpamAssassin project) had support for HashCash for well over a decade. No one used it. No one cared enough to fix the plugin for recent versions, so we dropped it.
There's a strong argument that any form of "e-postage" is doomed. Spammers can hijack computing power in arbitrary amounts for paying it.
@grumpybozo @ghard @jwz I slavishly added hashcash headers to all my outgoing mail for years... I hoped.
@kitten_tech @grumpybozo @ghard @jwz I'm still pretty convinced that it's the only viable option. I'd just crank the cost to email me up to gigantic unless I added their contact info. I really don't care if someone can't spend a few minutes grinding for a cold-contact legitimate email. They can do an intro / get a referral some other way if it's that important.
@jwz @grumpybozo just one more public key in a TXT record, that'll fix email, just gotta add one more TXT record bro
@atax1a @jwz It is a frustration that for DKIM, DMARC, and SPF to be as trustworthy as possible, one must deploy DNSSEC correctly and defend one's domain against any threat to its reputation, but all the spammers need to do is buy a cheap domain with any old garbage DNS and get a handful of records right.
@grumpybozo @jwz and don't get us started on how dnssec is untroubleshootable garbage whose main failure mode is to turn your entire domain into an unresolvable sinkhole
@grumpybozo @atax1a @jwz Intent of SPF was to get to the point that a domain reputation system of some kind would be viable. If someone outside of Google et al built one, it would be.
@nwp @grumpybozo @jwz none of this is true or follows from the premises, hth
@atax1a @jwz @grumpybozo gotta plan to deal with that, just waiting for an “imminent” draft to haul its lard-arse over the finish line before we get active on something useful.
https://code.exim.org/exim/exim/src/branch/master/doc/doc-txt/id-wellknown.txt
i hear if we just get everyone to have just the right magical number and size of TXT records, that we will achieve world peace. :D
@jwz DKIM and SPF allow good actors to use a consistent identifier that allows mailbox providers to reliably track behaviour. It’s not that there’s any correlation between SPF/DKIM authentication and good mail, it’s that it allows monitoring a sender's history of sending wanted mail more reliably.
(DMARC? Mostly pandering to confused brand zealots, with a side of DMARC consultant job creation programme.)
At least the bad guys can't forge the From address any more. I'm no longer receiving phishing emails purporting to come from my own domain's sysadmin. Good riddance.
But I'm still receiving plenty of phishing emails, so yeah, the real problem remains unsolved.
@argv_minus_one Well that's the thing, I have yet to discover a way for postfix to reject messages with a forged From: line that actually works. You'd think this would be the default by now. It is not.
Hmm true. You could run a milter that checks DKIM and rejects any message where it doesn't check out (or the SMTP from address doesn't match the header), but you pointed out earlier that this would drop more legit mail than phony mail.
@neel @grumpybozo @jwz SPF is still helpful to figure out if I overblocked if someone complains, to be honest… I check the SPF records against my blacklist and can see then if an IP landed on it or not and can then unblock it.
@nielsk @neel @jwz Right. Both SPF and DKIM can be useful as *positive* signals. That's why we have welcomelist_{spf,dkim,auth} directives in #SpamAssassin: so you can protect mail from known-good domains only when it passes some sort of authentication.
@neel @jwz @grumpybozo I use the Spamhaus DROP list... it blocks a lot of crap from reaching my mail server.
@grumpybozo @jwz i run my own mailserver. how do i contribute?
@Viss @jwz See the SpamAssassin website:
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/NightlyMassCheck
The output is the promotion/demotion of rules and rescoring and the "RuleQA" site:
https://ruleqa.spamassassin.org
@grumpybozo @jwz Bonus round: GMail themselves effectively requires 'DMARC' (aligned DKIM and/or SPF) for any sending domain that wants to reliably reach GMail users, including through forwarding. This is really fun when domains don't do that, send email to professors in my university department, and said professors forward their email to GMail.
I'm not sure these domains set out to create unforwardable email but they sure achieved it. (We don't do SRS because that's a hack on top of SPF.)
@cks @grumpybozo My experience is that "forward mail from your own domain to your gmail account" has not worked in 3+ years. The only working solution I have found is to run your own POP3 server and give Gmail the passwords to poll that. https://jwz.org/b/yj4d
@jwz @grumpybozo We may well have been lucky in that we're a long established computer science department at a major university, so GMail may have implicit or explicit special casing for us due to the general volume of (good) email we send their way routinely, both forwarding and talking back and forth with people on GMail. (And we have GMail POP3 users too.)
It's one of the frustrations of modern email that why things work or don't is so opaque with major providers like GMail.
@jwz @grumpybozo I fully expect that someday GMail will decide to stop accepting email our professors forward from their accounts here to their GMail accounts. When that happens I don't know what people will do but there won't be anything we can do about it one way or another. In a way the viability of our own email system is at the mercy of GMail's whims (among others).
@cks @jwz @grumpybozo The professors can set up Gmail so that it collects the mail, instead of them forwarding their mail. Especially since when they mark forwarded mail as spam, usually the other side will mark your servers as the spammers.
@nielsk @jwz @grumpybozo Sadly modern security practices are going to kill off GMail's POP3 collection sooner or later, because AFAIK there's no way for that to be integrated with MFA protecting the POP3 access.
(We have an OIDC IdP and could in theory do OAuth2 bearer tokens but good luck getting anything to accept using a third party IdP for that for mail, almost certainly including GMail. Mail clients included. Everyone hardcodes the major providers and calls it a day.)
@cks @jwz @grumpybozo The mail provider I use personally has switched on app-passwords for pop3/imap/etc. I have not yet integrated MFA into my mail services (except the web-ui), so I am not sure how much of a security problem app-passwords are.
@grumpybozo @nielsk @jwz If you're lucky, people will enter the app passwords into their clients, let the client remember them, and then forget the password themselves, so the person can't (easily) give it to a phisher site.
(Will people stick app passwords into a phish site? Probably yes, some of the time, if the phish site asks right.)
@cks @grumpybozo "Nothing works unless Google deigns to grant you a personal dispensation" is extremely on-brand for ... *gestures wildly*
@jwz @cks @grumpybozo Gmail's POP3 polling has the fun feature that triggering a poll manually is a lot of clicks, buried in the settings, web only; and the automatic interval is longer than some email confirmation timeouts.
@sabik @cks @grumpybozo Yes, it's awesome! Maybe in the next release they can include a little hammer that just pops up and hits you in the face.
@jwz @cks @grumpybozo Huh, that's interesting. I do forward my domain email to gmail (via cloudflare), and it seems to work fine. I wonder what's different...
@cathysarisky @jwz @cks It becomes a problem when the forwarding includes spam, particularly the sort that is easy to positively identify. It is also problematic with SPF, unless you are rewriting the senders in your MTA (i.e. using SRS)
@cathysarisky @jwz @cks @grumpybozo I decided years ago to use my domain and forward to Gmail, so that in case anything happened to my gmail account, I could quickly switch to my account where the domain is hosted. It's been at least 5 years and it works well. I am currently getting 100+ spams a day and they are all detected in Gmail. In fact, recently I've been wondering if another provider could catch spam as well. The 100+ has been happening only for about three months.
@jwz @cks @grumpybozo it depends on how you do it.
I use my DNS provider’s option and they do all the Hard Work for me. Works 99.999% of the time
@cks @grumpybozo @jwz SRS usually breaks if there is a strict DMARC policy in place. It helps if there isn’t one though. But the big mailers only want that there is one; they don’t say anything about the policy (p=none is still ok in my experience).
@cks @jwz The only ways to do forwarding that don't break SPF are to use SRS or to encapsulate every message as a message/rfc822 inside of a container message sent by the forwarder's domain. Or have the user set up GMail to fetch via POP3 instead of you forwarding via SMTP.
DKIM is usually undamaged by simple forwarding, unless you modify the body or headers (including re-encoding).
@grumpybozo @jwz The un-forwardable place we encountered had set up SPF but wasn't DKIM signing email (and had no DMARC, but GMail didn't care). So their email was (presumably) accepted when sent directly to GMail, passing SPF checks, but not forwarded through us (no SPF pass, no DKIM signature to pass). I gave them a 'very clever -5 points' award.
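As an added illustration (not code from anyone in this thread), a toy model of the forwarding cases discussed above: SPF is evaluated on the envelope sender plus the delivering IP, SRS rewrites that envelope so SPF passes again at the forwarder, but DMARC-style alignment then depends on a DKIM signature surviving the hop, which is exactly why an SPF-only domain becomes unforwardable. The SPF table, addresses and IPs are constructed; DKIM is stood in for by a body hash, and alignment is strict (exact domain match).

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for SPF DNS lookups: domain -> IPs allowed to use it in MAIL FROM.
SPF_RECORDS = {"sender.example": {"192.0.2.10"}, "fwd.example": {"203.0.113.5"}}

@dataclass
class Message:
    mail_from: str            # SMTP envelope sender: what SPF evaluates
    header_from: str          # RFC 5322 From: header: what DMARC alignment is measured against
    client_ip: str            # IP of the host that delivered the message to the receiver
    body: str
    dkim_domain: str = ""     # d= of a DKIM signature, "" when unsigned
    dkim_body_hash: str = ""  # stand-in for the DKIM bh= tag

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def body_hash(body):
    return hashlib.sha256(body.encode()).hexdigest()

def dkim_sign(msg):
    """Toy DKIM: record the signing domain and a hash of the body (no real key or signature)."""
    msg.dkim_domain, msg.dkim_body_hash = domain_of(msg.header_from), body_hash(msg.body)

def srs_rewrite(mail_from, forwarder):
    # Real SRS embeds a hash and timestamp; fixed placeholders here, the layout is what matters.
    local, dom = mail_from.split("@", 1)
    return f"SRS0=HHHH=TT={dom}={local}@{forwarder}"

def forward(msg, forwarder, forwarder_ip, use_srs=False, reencode=False):
    """Simulate an MTA relaying onward: new client IP, optional SRS, optional body rewrite."""
    return Message(
        mail_from=srs_rewrite(msg.mail_from, forwarder) if use_srs else msg.mail_from,
        header_from=msg.header_from, client_ip=forwarder_ip,
        body=msg.body + "\n-- forwarded --" if reencode else msg.body,
        dkim_domain=msg.dkim_domain, dkim_body_hash=msg.dkim_body_hash)

def evaluate(msg):
    """Return (spf, dkim, dmarc) as a receiver requiring an aligned pass would see them."""
    spf = "pass" if msg.client_ip in SPF_RECORDS.get(domain_of(msg.mail_from), set()) else "fail"
    dkim = ("none" if not msg.dkim_domain
            else "pass" if body_hash(msg.body) == msg.dkim_body_hash else "fail")
    hf = domain_of(msg.header_from)
    aligned = ((spf == "pass" and domain_of(msg.mail_from) == hf)
               or (dkim == "pass" and msg.dkim_domain == hf))
    return spf, dkim, "pass" if aligned else "fail"
```

Run the same message through direct delivery, plain forwarding, SRS forwarding, and SRS forwarding after a DKIM signature to see which combinations still yield an aligned pass.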
@cks @grumpybozo @jwz I guess it's been about 100 years since I looked into SPF and DKIM, but I will need to do so again as I recently configured the MailPlus server on one of our Synology NAS systems.
Runs brilliantly for incoming mail, which was the important bit.
Previously I've run JNOS, but that needed an upgrade and the hardware was ready for retirement.
Some time ago I had mail from my main mailhosting provider being bounced by GMail, was quite annoying. Seems fixed, today no bounces yet.
@grumpybozo @jwz In my experience spammers have a better setup in that regard than most legitimate senders…
@grumpybozo @jwz we use these for anti-phishing. Until I started my current job, I had no idea how good phishing can be. We’re not even a large company. We get spear phishing for several of our executives weekly. Seriously a new phish impersonating an executive every week. Literally anything we can do to cut that down is worthwhile for us. It’s kinda nuts.
@gaelicWizard @jwz It is nuts, and anti-phishing is what mail authentication is actually useful for.
@grumpybozo what I'm hearing is that I should reject mail as spam if SPF, DKIM, and DMARC are present and used correctly. @jwz
@grumpybozo @jwz email authentication like DMARC/SPF does one thing: it prevents impersonation of a specific domain (assuming policies are configured for reject or quarantine). It does not prevent look-alike domains, typo squats, or other spam that simply uses images, logos and email templates that look like they are from one brand’s domain even though they are from an unrelated one.
@deepthoughts10 wrote: "email authentication like DMARC/SPF does one thing: it prevents impersonation of a specific domain (assuming policies are configured for reject or quarantine.)"
It does not even do that on my iPhone.
P.S. SPF was invented to prevent Joe Jobs (https://en.wikipedia.org/wiki/Joe_job). Marketing idiots (including Bill Gates) said that it would kill spam. It killed forwarding instead.
while i wouldn't call them useless, SPF/DKIM/DMARC do have a tendency to throw out more babies than just bathwater.
5 minute greylisting and using some of the spam services like SPAMHAUS do vastly more good at rejecting the really stupid spammers.
sadly, these days, outlook, google, mailgun, (and lately spotify) are ones i can't just block but let through vast amounts of spam.
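The 5-minute greylisting mentioned above, as an added example (not code from anyone in this thread): a first delivery attempt for a new client/sender/recipient triplet gets a temporary SMTP failure, and only a retry after the delay is accepted, which is what catches senders that never queue and retry. The client key is widened to the /24 (or /64) network because large sending pools retry from a different address; the delay and expiry values are assumed.

```python
import ipaddress
from dataclasses import dataclass, field

GREYLIST_DELAY = 5 * 60      # seconds a new triplet must wait before it is accepted
GREYLIST_EXPIRE = 36 * 3600  # assumed window after which a never-retried triplet is forgotten
TEMPFAIL = "450 4.7.1 Greylisted, please retry later"

def _net(ip):
    """Key on the sending network, not the exact host, so pool retries still match."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time first attempted
    passed: set = field(default_factory=set)        # triplets that retried after the delay

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        key = (_net(client_ip), mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return "250 OK"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > GREYLIST_EXPIRE:
            self.first_seen[key] = now   # brand-new (or stale) triplet: start the clock
            return TEMPFAIL
        if now - seen < GREYLIST_DELAY:
            return TEMPFAIL              # retried too soon, keep waiting
        self.passed.add(key)             # a proper MTA retry: accept from now on
        del self.first_seen[key]
        return "250 OK"
```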
@paul_ipv6 @grumpybozo I had *way* too many false positives with spamhaus et al and turned them all off years ago. Sigh.
huh. i use sbl-xbl and have not had problems with false positives. how long ago did you last try?
admittedly, i run a family/friends mail server, not a commercial service.
@paul_ipv6 @grumpybozo I don't remember. It happened a couple of times and I dropped them forever. I think the last one was something like "oh, today we've decided that any mail originating inside AWS is spam". It's me. I am mail originating inside AWS.
@jwz @paul_ipv6 The Spamhaus services have gotten complicated enough that they can really do damage if you miss details. The most important one is excluding your own legitimate mail sources from scrutiny (and knowing how to identify them.)
@jwz @paul_ipv6 @grumpybozo TBF, most of the spam I get is from AWS, gmail and Microsoft. 10-20 per day. And their abuse@ addresses seem to be ignored. So it's not an unreasonable position to take :-) (BTW, I haven't had false positives with Spamhaus for many years now).