[conspire] (forw) [skeptic] me.com is shooting Skeptic subscribers in the foot w/DMARC (was: I have questions...)

Rick Moen rick at linuxmafia.com
Sun Apr 25 23:27:20 PDT 2021


More DMARC badness.  It chews up ridiculous amounts of time explaining
this every time a subscriber gets shot in the foot.

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Sun, 25 Apr 2021 23:15:07 -0700
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at linuxmafia.com
Subject: [skeptic] me.com is shooting Skeptic subscribers in the foot
	w/DMARC (was: I have questions...)
Organization: If you lived here, you'd be $HOME already.

Wade Smith (wadetsmith at me.com) just posted the second of two 
consecutive posts to this thread -- and did absolutely nothing wrong,
but on the other hand his e-mail provider me.com has apparently begun
shooting in the foot many other subscribers who receive his postings.

I was startled to notice that Len Clevelin's subscription at
subscription address "leonard at cleavelin.net" got delivery disabled for
too high a bounce score.  Oh?  The triggering posting that caused the
disabling was Wade's second posting, on account of error response 
"Quarantine" that the mail system for cleavelin.net issued when me.com 
attempted to deliver Len's copy of Wade's second post.

(I just un-disabled Len's delivery of Skeptic mail.  For now.)

The way things work, if the mail system servicing your subscribed
address refuses too much mailing list mail in a short period, a metric
called the "bounce score" rises to where Mailman guesses you must be
having a problem, and disables your delivery.  If the apparent problem
persists, eventually the subscriber with ongoing bounces gets
unsubscribed automatically.

Anyway, next step was to figure out why the mail server for
cleavelin.net was refusing mail with a me.com address.  I had a strong
suspicion I knew why, and I guessed right the first time.  It's me.com
having started to publish a strong DMARC policy.

$ dig -t txt _dmarc.me.com +short
"v=DMARC1\; p=quarantine\; rua=mailto:d at rua.agari.com\; ruf=mailto:d at ruf.agari.com\;"
$

DMARC is a badly designed antiforgery method designed by Yahoo that is
built atop an equally badly designed earlier antiforgery method named
DKIM.  DKIM allows an individual user to cryptographically sign the
composed contents of his/her message, including many of the internal
SMTP headers.  DMARC is a metastandard that includes DKIM, and adds
a method (SPF) to determine whether the IP address attempting to deliver
mail ostensibly from a claimed sending domain is among the IP addresses
predeclared as authorised to issue mail from that domain onto the
Internet.

A key part of DMARC is the "DMARC policy" that a domain can declare in
the public DNS under what circumstances to (please) accept the mail as
genuinely from the domain, when to reject it, and when to quarantine it
as suspicious and possibly forged ("quarantine" usually meaning consign
the message to a special spambox/trash mailbox rather than to the user's
inbox).  

Above is the current public DMARC policy for sending domain me.com.  The
most important bit to notice is "p=quarantine".  That means, in English,
"If this message fails DKIM crypto signature validation, or SPF
validation of the sending IP, then please spambox it rather than deliver
it to the user."

In this case, me.com sent Wade's posting to linuxmafia.com, where
linuxmafia.com's Mailman re-mailed out individual copies to all
subscribers including Len.  However, Len's receiving mail server
software queried the me.com DMARC policy before deciding what to do with
the arriving mail.  It recalculated the DKIM signature, and Len's copy
failed validation because Mailman makes necessary changes to SMTP
headers when it re-transmits postings.  Therefore, Len's copy failed
DKIM validation, therefore it failed DMARC validation, therefore Len's
receiving mail server software spamboxed Len's copy of Wade's posting,
and told linuxmafia.com's mail server software it was doing this.
linuxmafia.com conveyed this event to Mailman, which incremented Len's 
"bounce score".  Because obviously this has happened multiple times
including on both of Wade's recent postings to this thread, Len's
"bounce score" quickly rose above the magic 5.0 cutoff, and Mailman
intervened automatically to disable Len's subscription delivery.

Why is this happening?  Fundamentally, Yahoo designed an antiforgery
method (DKIM) that is hostile to mailing lists, not being willing to
take into account the need for software like Mailman to make some
changes to the body and headers of a subscriber's post, in making the
copies sent to fellow subscribers.  All across the world, DKIM is
failing on mailing list postings sent through Mailman, Sympa, Majordomo,
Listproc, ezmlm, and all of the other mailing list managers.

_Any_ sending domain that declares a DMARC policy of "p=reject" or
"p=quarantine" causes massive problems for mailing list subscribers
receiving mail sent from a subscriber on that domain, _if_ the receiving
mail system implements the overly aggressive DKIM/DMARC policy request.
And, please note, this is not the user's fault, and the user cannot fix
the problem -- except by not participating in mailing lists from a
domain with a "p=reject" or "p=quarantine" DMARC policy.

Before today, the only sending domains I knew with overly aggressive
DKIM/DMARC policies were yahoo.com and aol.com (which two domains, these
days, are part of the same operation).  me.com now becomes the third.


Listen up:  I cannot fix this.  The problem is caused by the domains
with the overly aggressive DKIM/DMARC policies.  I have no control over
those.  Wade could ask me.com (Apple) not to be asshats, but they
probably won't listen.

The very newest Mailman 2.x releases make possible a clever hack that
sidesteps the problem for domains with the overly aggressive DKIM/DMARC
policies.  At this time, I cannot upgrade to that.  I am stuck for the 
time being with what I'm running.  No, I do not need donations (unless
you can send large investments of available time and energy).  

For the time being, what I can and will do is watch for subscribers
getting their delivery switched off, as Len did, and un-do that.  The
problem will persist, and also persons in Len's position in this matter
would not be seeing Wade's postings, because his mail server's software
complied with me.com's request and spamboxed what Wade wrote.  So, Len 
along with any other subscriber whose SMTP mail server system fully
implements DMARC will shoot him/her in the foot every time Wade (or any
other subscriber) posts from me.com.  Or from a yahoo.com address.  Or
from an aol.com address.

Before people try to argue with the above:  No, seriously, I'm quite
certain.  What I wrote is the truth.

_______________________________________________
skeptic mailing list
skeptic at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/skeptic
To reach the listadmin, mail rick at linuxmafia.com 

----- End forwarded message -----



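The mechanism the post describes (a receiver looks up the From: domain's DMARC record, checks whether DKIM or SPF passed with an aligned domain, and applies the published p= disposition on failure; Mailman then counts the resulting refusals toward a bounce score) is shown below as an added, self-contained example. It is editorial code, not Rick Moen's, Mailman's, or any DMARC library's. It assumes: a copy of the me.com record as quoted in the post (with the archive's " at " restored to "@"); a constructed lookup table in which linuxmafia.com publishes no DMARC record; three constructed deliveries of one me.com posting (direct, via the list unchanged, via the list with Mailman's later "From munging"); a simplified organizational-domain rule instead of the Public Suffix List; and Mailman 2 bounce scoring as one point per distinct bounce day against a 5.0 threshold, which is my recollection of the defaults rather than something the post states.

```python
"""Added example: DMARC record parsing, alignment/disposition, and list-relay failure."""
from dataclasses import dataclass

# Constructed copy of the me.com record quoted in the post, in the escaped form dig prints it.
ME_COM_DMARC_TXT = r'"v=DMARC1\; p=quarantine\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\;"'


def parse_dmarc_record(txt: str) -> dict:
    """Turn a DMARC TXT record (bare, or quoted/escaped as dig prints it) into tag -> value."""
    txt = txt.strip().strip('"').replace('\\;', ';')
    tags = {}
    for part in txt.split(';'):
        part = part.strip()
        if not part:
            continue
        if '=' not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split('=', 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get('v') != 'DMARC1' or 'p' not in tags:
        raise ValueError("not a usable DMARC1 record (needs v=DMARC1 and p=)")
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): real evaluators use the Public Suffix List, not "last two labels".
    return '.'.join(domain.lower().rstrip('.').split('.')[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == 's':
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC 5322 From: header, which is what DMARC protects
    dkim_pass: bool    # did some DKIM signature on the message verify?
    dkim_d: str        # d= domain of that signature ("" if none verified)
    spf_pass: bool     # did SPF pass for the SMTP MAIL FROM domain?
    spf_domain: str    # that MAIL FROM (envelope sender) domain


def dmarc_disposition(records: dict, r: AuthResults) -> tuple:
    """Look up the From: domain's policy and return (result, disposition).
    pct= and sp= are ignored here (simplification)."""
    record = records.get(org_domain(r.from_domain))
    if record is None:
        return 'none', 'none'          # no policy published: nothing for the receiver to enforce
    dkim_ok = r.dkim_pass and aligned(r.dkim_d, r.from_domain, record.get('adkim', 'r'))
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, record.get('aspf', 'r'))
    if dkim_ok or spf_ok:
        return 'pass', 'none'
    return 'fail', record['p']


# Constructed DNS: me.com publishes the record above; linuxmafia.com is assumed to publish none.
DMARC_RECORDS = {'me.com': parse_dmarc_record(ME_COM_DMARC_TXT)}

# Three constructed deliveries of the same me.com posting.
DIRECT = AuthResults('me.com', True, 'me.com', True, 'me.com')
# Mailman re-sends under its own envelope sender (skeptic-bounces@linuxmafia.com); the list
# footer/subject tag invalidates me.com's signature, and linuxmafia.com's SPF pass is not aligned.
VIA_LIST = AuthResults('me.com', False, '', True, 'linuxmafia.com')
# Newer Mailman "From munging" rewrites From: to the list's domain, so the receiver consults
# linuxmafia.com's (absent) policy instead of me.com's.
VIA_LIST_MUNGED = AuthResults('linuxmafia.com', False, '', True, 'linuxmafia.com')


def mailman2_disabled(bounce_days, threshold: float = 5.0, weight: float = 1.0) -> bool:
    """Assumed Mailman 2 scoring: one point per day on which any bounce arrived (several bounces
    on one day count once); delivery is disabled once the score reaches the threshold."""
    return len(set(bounce_days)) * weight >= threshold


if __name__ == '__main__':
    print('me.com policy p=', DMARC_RECORDS['me.com']['p'])
    for name, r in (('direct', DIRECT), ('via list', VIA_LIST), ('via list, From munged', VIA_LIST_MUNGED)):
        print(f"{name:24s} -> {dmarc_disposition(DMARC_RECORDS, r)}")
    # Five me.com postings relayed on five different days: the subscriber's delivery gets disabled.
    print('disabled:', mailman2_disabled(['2021-04-21', '2021-04-22', '2021-04-23', '2021-04-24', '2021-04-25']))
```

Run it as a script to see the three dispositions side by side. The middle case is the one in the post: me.com's signature no longer verifies on the relayed copy, the relay's SPF pass belongs to linuxmafia.com rather than me.com, so neither identifier aligns with the From: domain and the published `p=quarantine` is what the receiver applies. The munged case shows why the later Mailman workaround helps: the receiver never consults me.com's policy at all, because the From: domain is no longer me.com.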