Re: spam on old lists - was [89attendees] Fw: new important message

ietf@xxxxxxxxxxxxxx wrote:
> In this particular case, filtering by From: address on mailing lists
> still works well enough, 

First, let me say that I agree with the above statement inasmuch as it concerns external blacklists for filtering IETF mailing lists. But I'm not so sure that I agree with it in a broader sense. I'm saying this as the person whose email address is in the From header of the spam email that started this thread.  :(

The spam message in this case did not originate from any client or host under my control. It did not transit via any of my mail relays. It was a forgery - it spoofed my email address in the From header, and unfortunately happened to match it up with a To header addressing an IETF mailing list to which I'm subscribed. 

For whatever it's worth, this has been going on for a while. I've been getting bounces, moderation notices, etc., for people and lists I never even knew existed. I'm not sure how the originating software harvested my email address, how it's controlled, etc., but it does seem to be some kind of distributed malware or botnet that takes advantage of a specific mail client. (I have further speculation about this, but I'll save that for another venue.)

In an effort to do something about this (in addition to fruitless attempts at getting help from various abuse@ teams) I've tried to configure DMARC, DKIM, and SPF for my sending domain. Unfortunately the IETF mail servers don't seem to pay attention to this, and spoofed messages still get relayed. Further, because the IETF mailing lists don't perform sender rewriting, legitimate messages were being thrown away by list members' mail servers that do respect SPF. The (hopefully temporary) fix has been to add the IETF mail servers to my domain's SPF record - which results in false negatives instead of false positives. 

If any experts have advice on how to fix this better, please teach me. I'll buy you many drinks, chocolates, or whatever makes you happy! 

Otherwise the only fix that I can imagine is for the IETF to start opportunistically filtering list message submissions based on DMARC, SPF, and DKIM, as well as performing sender rewriting in the list software. Like most things, I imagine the subscribers on this list have opinions about this - and I'd be glad to hear them. 

Thanks,
-Benson

<<attachment: smime.p7s>>
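
The SPF/DMARC outcomes described in the message above, as an added example that is not part of the original post: a simplified evaluator (strict alignment only) run over the genuine and the spoofed message, before and after the list relays them. All domains and IP ranges are constructed, and the model assumes the list keeps the author's envelope sender and alters the message enough to break the author's DKIM signature.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Msg:
    header_from: str        # address shown in the From: header
    mail_from: str          # SMTP envelope sender, the identity SPF checks
    peer_ip: str            # IP the checking server receives the message from
    dkim_d: Optional[str]   # d= of a signature that still verifies, else None

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def spf_pass(m, spf):
    nets = spf.get(domain(m.mail_from), [])
    return any(ipaddress.ip_address(m.peer_ip) in ipaddress.ip_network(n) for n in nets)

def dmarc_pass(m, spf):
    # Simplified DMARC: pass if SPF or DKIM passes AND matches the From: domain exactly.
    d = domain(m.header_from)
    return (spf_pass(m, spf) and domain(m.mail_from) == d) or m.dkim_d == d

# Constructed sample values (documentation ranges and example domains).
AUTHOR, LIST = "author@example.org", "list-bounces@lists.example.net"
OWN_RELAY, LIST_NET, LIST_IP, BOT_IP = "192.0.2.0/24", "198.51.100.0/24", "198.51.100.25", "203.0.113.7"
SPF_STRICT = {"example.org": [OWN_RELAY], "lists.example.net": [LIST_NET]}
SPF_WORKAROUND = {"example.org": [OWN_RELAY, LIST_NET], "lists.example.net": [LIST_NET]}

# Submissions as the list server receives them.
genuine_in = Msg(AUTHOR, AUTHOR, "192.0.2.10", "example.org")
spoofed_in = Msg(AUTHOR, AUTHOR, BOT_IP, None)

def relay(m, rewrite=False):
    # Assumption: relaying through the list invalidates the author's DKIM signature.
    out = replace(m, peer_ip=LIST_IP, dkim_d=None)
    return replace(out, header_from=LIST, mail_from=LIST) if rewrite else out

def scenarios():
    return {
        "genuine via list, author SPF strict": dmarc_pass(relay(genuine_in), SPF_STRICT),
        "genuine via list, list added to SPF": dmarc_pass(relay(genuine_in), SPF_WORKAROUND),
        "spoofed via list, list added to SPF": dmarc_pass(relay(spoofed_in), SPF_WORKAROUND),
        "spoofed, checked at list submission": dmarc_pass(spoofed_in, SPF_STRICT),
        "genuine, checked at list submission": dmarc_pass(genuine_in, SPF_STRICT),
        "genuine, list rewrites sender": dmarc_pass(relay(genuine_in, True), SPF_STRICT),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'pass' if ok else 'FAIL'}  {name}")
```

The first row is the false positive and the third row the false negative from the message; the last three rows show submission-time checking and sender rewriting separating the genuine message from the forgery.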