
Re: spam on old lists - was [89attendees] Fw: new important message

2016-04-15 16:04:49
ietf(_at_)johnlevine(_dot_)com wrote:
> In this particular case, filtering by From: address on mailing lists
> still works well enough,

First, let me say that I agree with the above statement inasmuch as it concerns 
external blacklists for filtering IETF mailing lists. But I'm not so sure that 
I agree with it in a broader sense. I'm saying this as the person whose email 
address is in the From header of the spam email that started this thread.  :(

The spam message in this case did not originate from any client or host under 
my control. It did not transit via any of my mail relays. It was a forgery - it 
spoofed my email address in the From header, and unfortunately happened to 
match it up with a To header addressing an IETF mailing list to which I'm 
subscribed. 

For whatever it's worth, this has been going on for a while. I've been getting 
bounces, moderation notices, etc., for people and lists I never even knew 
existed. I'm not sure how the originating software harvested my email address, 
how it's controlled, etc., but it does seem to be some kind of distributed 
malware or botnet that takes advantage of a specific mail client. (I have 
further speculation about this, but I'll save that for another venue.)

In an effort to do something about this (in addition to fruitless attempts at 
getting help from various abuse@ teams) I've tried to configure DMARC, DKIM, 
and SPF for my sending domain. Unfortunately the IETF mail servers don't seem 
to pay attention to this, and spoofed messages still get relayed. Further, 
because the IETF mailing lists don't perform sender rewriting, legitimate 
messages were being thrown away by list members' mail servers that do respect 
SPF. The (hopefully temporary) fix has been to add the IETF mail servers to my 
domain's SPF record - which results in false negatives instead of false 
positives. 

If any experts have advice on how to fix this better, please teach me. I'll buy 
you many drinks, chocolates, or whatever makes you happy! 

Otherwise the only fix that I can imagine is for the IETF to start 
opportunistically filtering list message submissions based on DMARC, SPF, and 
DKIM, as well as performing sender rewriting in the list software. Like most 
things, I imagine the subscribers on this list have opinions about this - and 
I'd be glad to hear them. 

Thanks,
-Benson
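The SPF/DMARC situation Benson describes, as an added illustration that is not part of the original message or of any IETF software: a minimal SPF evaluator plus DMARC's SPF-alignment check, run over constructed domains, addresses and SPF records, showing why list relaying without sender rewriting fails legitimate mail, why adding the list relay to the sending domain's SPF record turns that false positive into a false negative, and why sender rewriting alone does not satisfy DMARC.

```python
import ipaddress

# Constructed sample data (not real records): the poster's domain before and
# after the workaround of adding the list relay, plus the list's own domain.
SPF = {
    "example.org":       "v=spf1 ip4:192.0.2.10 -all",
    "example.org+list":  "v=spf1 ip4:192.0.2.10 ip4:198.51.100.5 -all",
    "lists.example.net": "v=spf1 ip4:198.51.100.5 -all",
}
MY_MTA, LIST_MTA, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.7"

def spf_check(record, client_ip):
    """Tiny SPF evaluator: only ip4: mechanisms and the -all / ~all terminators."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all"):
            return "fail" if term == "-all" else "softfail"
    return "neutral"

def dmarc_spf_leg(from_domain, envelope_domain, record, client_ip):
    """DMARC's SPF path: SPF must pass for the envelope (MAIL FROM) domain, and
    that domain must align with the RFC5322.From domain (strict alignment here)."""
    result = spf_check(record, client_ip)
    return {"spf": result, "aligned": result == "pass" and from_domain == envelope_domain}

def scenarios():
    return {
        # 1. Direct delivery from the poster's own MTA: passes and aligns.
        "direct": dmarc_spf_leg("example.org", "example.org", SPF["example.org"], MY_MTA),
        # 2. Legitimate post relayed by a list that keeps the original MAIL FROM:
        #    the list MTA is not in the record, so SPF fails (the false positive).
        "via_list_no_rewrite": dmarc_spf_leg("example.org", "example.org", SPF["example.org"], LIST_MTA),
        # 3. Workaround from the message: list MTA added to the record. Legitimate
        #    mail now passes, but a forged From: submitted to the list by someone
        #    else and relayed by the same MTA yields exactly the same result
        #    (the false negative): SPF alone cannot tell the two apart.
        "via_list_workaround": dmarc_spf_leg("example.org", "example.org", SPF["example.org+list"], LIST_MTA),
        # 4. List performs sender rewriting: MAIL FROM becomes the list domain, SPF
        #    is evaluated against the list's record and passes, but it no longer
        #    aligns with From:, so DMARC would have to rely on DKIM instead.
        "via_list_srs": dmarc_spf_leg("example.org", "lists.example.net", SPF["lists.example.net"], LIST_MTA),
        # 5. Forgery sent straight from an unrelated host: fails under every record.
        "forged_direct": dmarc_spf_leg("example.org", "example.org", SPF["example.org+list"], STRANGER),
    }
```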
