because people are just fundamentally assholes

Dirk Hohndel dirk at hohndel.org
Sat Nov 13 18:03:03 PST 2021



> On Nov 13, 2021, at 2:45 PM, Jeroen Massar wrote:
>> 
>> And I finally broke down and implemented DKIM on the server (as Linus and I speculated that that might help to not be "disappeared" by gmail).
> 
> Yeah, these are sucky tactics, and in many cases, unless you have personal contacts at the big orgs you are going to be stuck not delivering.

At this point (knock on wood) it seems all of the large ones are back to accepting email from me. There are a couple that are still rejecting email (and that don't have "contact me here" addresses to try and escalate the problem), but I'm hopeful that this will be resolved soon.
> DKIM is not going to be enough, and as you are already doing you are rewriting the From header (which is annoying as reply-to gets munged etc.)
> 
> In order to be 'accepted' by the large orgs, a combo of at least:
> - don't be in a /24 or /48 with spammers, IP neighborhood matters

Yes - that was one of the challenges in the beginning. Finding a VPS hoster whose IP subnet has acceptable reputation. I found one who seems to be doing a good job keeping things clean (and of course I don't want to be kicked out of their subnet :) )

> - IP/domain reputation matters (high volume can thus spam 1%, low volume means with 1 'spam' mail you might be out...)

I go through my logs usually at least once a week - the fact that it took me two weeks to notice this one annoyed me - but I had a few other things going on in my life the last couple of weeks.

> - have forward + reverse DNS matching (forward verified reverse or whatever it is called)

I do. The gateway server IP reverse maps to mailhub.gr8dns.org, which resolves back to the same IP. And that's one of the MX hosts for subsurface-divelog.org -- so I think that should be ok.

> - SPF (-all)

done

> - DKIM

done

> - DMARC (strict)
> - ARC (Authenticated Receiver Chain aka DMARC for forwarders)

I don't do either of those. Need to read up on them, I guess.

> - List-Unsubscribe + Precedence: List

I have a List-Unsubscribe header (actually, two, with both an HTTP and an SMTP method to unsubscribe).
And I have Precedence: List

> - Signup to google postmaster + outlook SNDS if you have your own IPs, so that it indicates that you 'care'...

I do have my own IP. So I need to figure out how to do that signup you are talking about.

> And that is the bare minimum.... most of those boxes are being ticked already.
> 
> Note that proper big spammers have that all setup nicely, places like Gmail where most spam comes from of course have such high volumes that any 'small spamrun' just comes through.
> 
> If you need any help with the above don't hesitate to ask.

If you have pointers on the three things I haven't done (DMARC, ARC, SNDS) I'd appreciate those - feel free to send them off list so we don't bore the rest.

> Oh, please note that because of the header:
> 
> From: Dirk Hohndel via subsurface <subsurface at subsurface-divelog.org>
> 
> MUAs that auto-add people you reply to in the address book.... auto-complete for your name, becomes the mailinglist.

Yes, I find that super annoying. But unless I do that, neither SPF nor DKIM will work.

> Add to that that Safari and Outlook both are stupid and then auto-fill the name of a person based on that entry... voila, first mail somebody replies to, all subsequent mails come from that person for the list...
> 
> The way around that, as I implemented for Trident, is the <jeroen%massar.ch at via.domain> format, as then there is a unique address that can be reversed to the original address; but that also implies that for Reply to the From address needs to arrive at the original recipient and thus has to be rewritten.

But that's also wrong - and I certainly don't want to enable that forwarding on my server. And it still autocompletes to the wrong address for people.

> Note that the following:
> 
> Authentication-Results: massar.ch;
> 	dkim=pass (2048-bit key; unprotected) header.d=subsurface-divelog.org header.i=@subsurface-divelog.org header.a=rsa-sha256 header.s=2021 header.b=T84KKRk5;
> 	dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=hohndel.org header.i=@hohndel.org header.a=rsa-sha256 header.s=2021 header.b=oEnVr5CJ;
> 	dkim-atps=neutral
> 
> Shows that the hohndel.org DKIM header was still present. ARC covers that part, to make Google a bit happier in your host declaring that you verified, but then broke that sig.

You lost me :)

> The big orgs are making it on-purpose hard to do your own, as they know that they then get more of the mail on their platforms, and every bit of data helps :(   [not that something like 80% of mail ends up there anyway, thus they effectively see it all unfortunately, and with domain hosting and forwarding one never knows where your mail ends up; PGP oh meh... to protect sensitive stuff...]

I noticed :)

> As for Mailman: one thing that really helps is changing the standard URLs for the signup page, makes it harder for bots to get there, and script kiddies would then have to manually change the scripts they have, and that is hard for them.

Interesting idea. I'll look into how to do that. If you have a link to a tutorial, I'd be thrilled :)

Thank you so much for all this valuable feedback. Very, very much appreciated.

/D
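To make the Authentication-Results exchange above concrete, here is an added example (not from this thread and not Subsurface's own mail setup) that parses the header Jeroen quoted and applies the DMARC identifier-alignment rule to the two From domains discussed: the rewritten list From (subsurface-divelog.org) and the original hohndel.org one. The organizational-domain helper is a simplification (last two labels, no Public Suffix List) and is an assumption of this example.

```python
import re

# Constructed sample: the folded Authentication-Results header quoted in the thread.
AUTH_RESULTS = """massar.ch;
\tdkim=pass (2048-bit key; unprotected) header.d=subsurface-divelog.org header.i=@subsurface-divelog.org header.a=rsa-sha256 header.s=2021 header.b=T84KKRk5;
\tdkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=hohndel.org header.i=@hohndel.org header.a=rsa-sha256 header.s=2021 header.b=oEnVr5CJ;
\tdkim-atps=neutral"""


def parse_auth_results(header: str) -> list[dict]:
    """Split an RFC 8601 Authentication-Results value into one dict per method clause."""
    # Drop (comments) first: they may contain ';', e.g. "(2048-bit key; unprotected)".
    stripped = re.sub(r"\([^)]*\)", " ", header)
    parts = [p.strip() for p in stripped.split(";") if p.strip()]
    results = []
    for clause in parts[1:]:  # parts[0] is the authserv-id (massar.ch)
        m = re.match(r"(\S+?)=(\S+)", clause)
        if not m:
            continue
        entry = {"method": m.group(1), "result": m.group(2)}
        # Property-value pairs: header.d=..., header.s=..., reason="..." etc.
        for key, val in re.findall(r'(header\.\w+|reason)=("[^"]*"|\S+)', clause):
            entry[key] = val.strip('"')
        results.append(entry)
    return results


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (real DMARC uses the PSL).
    return ".".join(domain.lower().split(".")[-2:])


def dkim_aligned(results: list[dict], from_domain: str, strict: bool) -> bool:
    """DMARC DKIM alignment: a *passing* signature whose d= matches the From domain
    (exactly for strict, by organizational domain for relaxed). Failed sigs never count."""
    for r in results:
        if r["method"] != "dkim" or r["result"] != "pass":
            continue
        d = r.get("header.d", "").lower()
        if d == from_domain.lower() or (not strict and org_domain(d) == org_domain(from_domain)):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_auth_results(AUTH_RESULTS)
    for r in parsed:
        print(r["method"], r["result"], r.get("header.d", ""), r.get("reason", ""))
    # Rewritten From (list domain) aligns; the original From would not, since the
    # hohndel.org signature no longer verifies after the list modified the message.
    print("list From aligns:", dkim_aligned(parsed, "subsurface-divelog.org", strict=True))
    print("original From aligns:", dkim_aligned(parsed, "hohndel.org", strict=False))
```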
