[Linux-aus] PSA: Messages sent through LA mailing lists being classified as SPAM

Thu Jan 14 16:55:55 AEDT 2016

On Thu, 14 Jan 2016 08:57:31 AM Adam Nielsen wrote:
> I think the problem is DKIM/SPF combined with a mailing list.  Since
> mailing list software adds "[linux-aus]" to the subject, and changes
> the 'To' field, any sender using DKIM to sign messages will cause the
> message validation to fail, as the modified message no longer matches
> what the sender signed with their the DKIM key.

Also the list adds a footer which means that all DKIM signatures which don't 
use a l= field (to specify the length that is signed) will be broken.  However 
using l= isn't ideal as that allows an attacker to append to messages without 
breaking signatures.

Also the version of Mailman used will sometimes rewrite a message body to a 
different encoding (EG encoding a message as base64 when the original was plain 
text).

Finally Mailman doesn't preserve headers it rewrites them and uses a different 
method of header folding.  OpenDKIM uses tabs and both OpenDKIM and libmail-
dkim-perl expect tabs when it receives mail, Mailman refolds it with spaces 
instead and those programs can't validate the mail (I'm not aware of any DKIM 
checker that accepts spaces).  Fixing this would require some significant 
changes in the Mailman code, I believe it uses library code for this which 
makes it even harder.

Getting Mailman to pass mail through with DKIM signatures intact is 
unreasonably difficult.

> Last I checked there wasn't really a solution for this, because if you
> strip the DKIM fields then the message will still fail.  Spam filters
> check to see whether DKIM is expected on each message, so for those
> hosts where DKIM is mandatory, missing DKIM fields will cause the
> message to be marked as spam.

Stripping DKIM only causes the message to fail if there are ADSP or DMARC 
entries for the domain in question, but an increasing number of domains are 
using such things including Yahoo.

On Thu, 14 Jan 2016 09:30:32 AM Stephen Rothwell wrote:
> On some lists I am responsible for, I have turned on the Mailman
> feature that will put a wrapper around any email from a site that
> publishes a strict DMARC policy.  It basically turns such emails into a
> single mail digest.

This will make it very difficult for people to reply.  It will break all 
threading when users who post a lot use DKIM (which appears to be the case for 
this list).

http://wiki.list.org/DEV/DMARC

The above web page describes how to solve this.  If you use the from_is_list 
feature then messages will have the following change:
-From: Russell Coker <russell at coker.com.au>
+From: Russell Coker via linux-aus <linux-aus at lists.linux.org.au>

Then the Linux Australia server can sign the messages with it's own DKIM 
signature.

Mailman 2.1.8 (the version used here) has a new option 
dmarc_moderation_action.  That option means that all DKIM signed messages (not 
DMARC messages regardless of what is indicated) will be treated differently 
(wrapped, From munged, etc).  I think that dmarc_moderation_action is a really 
bad idea as it means that some of the messages will be processed one way and 
some processed another way.

Last year I implemented from_is_list on the LUV lists.  There were a number of 
complaints from people who don't like the aesthetics of it.  But mail is now 
much more reliable with no problems delivering to Gmail.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/