[Mailman-Users] DMARC hack

Allan Hansen hansen at rc.org
Mon May 25 00:19:37 CEST 2015


I wonder why then I got a bunch of issues with btopenworld.com, which apparently is Yahoo based.
I just checked btopenworld.com with the ‘host’ command and as you say, it has no ‘reject’:

$ host -t TXT _dmarc.btopenworld.com
_dmarc.btopenworld.com descriptive text "v=DMARC1\; p=none\; fo=1\; rua=mailto:dmarcagg at btinternet.com, mailto:dmarc_agg at auth.returnpath.net\;"
$ host -t TXT _dmarc.yahoo.com      
_dmarc.yahoo.com descriptive text "v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-yahoo-rua at yahoo-inc.com, mailto:dmarc_y_rua at yahoo.com\;"

Here is the reject notice:

Final-Recipient: rfc822; subscriber at aol.com
Original-Recipient: rfc822;subscriber at aol.com
Action: failed
Status: 5.2.1
Remote-MTA: dns; mailin-04.mx.aol.com
Diagnostic-Code: smtp; 521 5.2.1 :  AOL will not accept delivery of this
   message.

Date: May 13, 2015 at 07:52:17 PDT
From: <sender at btopenworld.com>
To: <list address>
Subject: subject
Reply-To: sender at btopenworld.com



And yes, as I just wrote, I have good reasons for keeping this as simple as I possibly can. Upgrading is not simple, I suspect, though I’d love to move to 3.0, as I have a lot of lists, with subscribers on many lists simultaneously.

Yours,

	Allan


> On May 24, 2015, at 11:14 , Stephen J. Turnbull <stephen at xemacs.org> wrote:
> 
> Allan Hansen writes:
> 
>> Checking for aol.com and yahoo.com here alone will not work. I have
>> a bunch of other subscribers that have  accounts with providers
>> that are owned by Yahoo (mostly) and AOL, but whose addresses are
>> not of this form.
> 
> Oddly enough, it turns out that they only use DMARC p=reject at their
> principal domain (aol.com and yahoo.com).  You can check for any given
> domain by prepending _dmarc. and checking the TXT record.  For
> example, for aol.com it would be "host -t TXT _dmarc.aol.com" if you
> have the host utility for doing DNS lookups.
> 
>> I would have to do this for all addresses, to be safe.
> 
> If you're worried about safety and care about conforming to standards,
> you really should upgrade to at least Mailman 2.1.18-1.  That allows
> you to be nonconformant only for authors whose addresses are in
> troublesome domains, and handles the reply-to issue as well as
> possible (making everybody happy isn't quite possible).  I'm sure you
> have good reason for not doing so *right* *now*, but keep it in mind.
> 
>> If I do this and add the bit about the Reply-To, what would the
>> code look like?
> 
> If you do it for all mail, you just delete the "if" line and shift
> everything left one dedent.
> 
>    from email.utils import parseaddr, formataddr  # email.Utils on older Python 2
>    name, addr = parseaddr(msg.get('from'))
>    name = "%s (%s) via list" % (name if name else "Anonymous", addr)
>    fromaddr = mlist.GetListEmail()
>    del msg['from']
>    # the rewritten From: must carry the list's own address, not the author's
>    msg['from'] = formataddr((name, fromaddr))
>    # reply-to handling goes here
> 
> I'm not comfortable trying to say what to do about reply-to, because
> it's quite complicated depending on how you want to handle each of a
> large number of variations: what to do with a preexisting Reply-To and
> whether to put the list and/or the from address there.  See the
> Mailman/Handlers/CookHeaders.py file in the Mailman distribution.
> 
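The two pieces discussed in the thread, checking the `_dmarc.<domain>` TXT record for a `p=reject` policy and rewriting `From:` only for authors in such domains, put together as an added example. This is not Mailman code and not code from either poster: the DNS lookups are replaced by a constructed table holding the record contents shown above (the aol.com entry is hypothetical; the thread only states that aol.com publishes p=reject), the list address `list@example.org` is a placeholder, and the `Reply-To` choice (point replies at the original author when no Reply-To exists) is one of the variations Stephen declines to prescribe, picked here as an assumption. The organizational-domain walk-up is a label-stripping simplification of what DMARC actually specifies (which uses the Public Suffix List), but it is enough to show why `sp=none` on yahoo.com means a `@mail.yahoo.com` author is not covered by the reject policy.

```python
from email.message import Message
from email.utils import parseaddr, formataddr

# Constructed stand-in for "host -t TXT _dmarc.<domain>" answers (contents
# taken from the thread, '\;' and ' at ' un-escaped). A real handler would
# query DNS instead of this dict.
SAMPLE_DMARC_TXT = {
    "_dmarc.btopenworld.com": "v=DMARC1; p=none; fo=1; rua=mailto:dmarcagg@btinternet.com",
    "_dmarc.yahoo.com": "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com",
    "_dmarc.aol.com": "v=DMARC1; p=reject",  # hypothetical record text; thread only says p=reject
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict: 'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain, lookup=SAMPLE_DMARC_TXT.get):
    """Effective DMARC policy ('none', 'quarantine' or 'reject') for mail From: this domain.

    Looks up _dmarc.<domain>; if there is no record, walks up one label at a time
    (simplified organizational-domain search) and, for a parent record, applies
    the subdomain policy sp= when present, otherwise p=. No record at all means 'none'.
    pct= is ignored: a partially enforced reject is still treated as reject.
    """
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels) - 1):  # never query the bare TLD
        txt = lookup("_dmarc." + ".".join(labels[i:]))
        if txt is None:
            continue
        tags = parse_dmarc(txt)
        if tags.get("v", "").upper() != "DMARC1":
            continue
        if i == 0:
            return tags.get("p", "none").lower()
        return tags.get("sp", tags.get("p", "none")).lower()
    return "none"


def author_needs_munging(msg, lookup=SAMPLE_DMARC_TXT.get):
    """True when the From: domain publishes a policy that would make list mail bounce."""
    _, addr = parseaddr(msg.get("from", ""))
    domain = addr.rpartition("@")[2]
    return bool(domain) and dmarc_policy(domain, lookup) in ("quarantine", "reject")


def munge_from(msg, list_addr, lookup=SAMPLE_DMARC_TXT.get):
    """Apply the From: rewrite from the thread, but only for troublesome domains.

    Returns True if the message was changed. Reply-To handling (an assumption here,
    not the thread's recommendation): keep the author reachable by adding a
    Reply-To with the original address when the message has none.
    """
    if not author_needs_munging(msg, lookup):
        return False
    name, addr = parseaddr(msg["from"])
    name = "%s (%s) via list" % (name if name else "Anonymous", addr)
    del msg["from"]
    msg["From"] = formataddr((name, list_addr))  # list address, not the author's
    if msg.get("reply-to") is None:
        msg["Reply-To"] = addr
    return True


def demo(from_header, list_addr="list@example.org"):
    """Build a message with the given From:, run the rewrite and return (changed, From, Reply-To)."""
    msg = Message()
    msg["From"] = from_header
    msg["Subject"] = "subject"
    changed = munge_from(msg, list_addr)
    return changed, msg["From"], msg.get("Reply-To")


if __name__ == "__main__":
    for hdr in ("Allan <sender@btopenworld.com>", "someone@yahoo.com", "Bob <bob@mail.yahoo.com>"):
        print(hdr, "->", demo(hdr))
```

Run it and the btopenworld.com author (p=none) and the mail.yahoo.com author (parent record says sp=none) pass through untouched, while the yahoo.com author is rewritten to `"Anonymous (someone@yahoo.com) via list" <list@example.org>` with a `Reply-To` pointing back at the author. That sp/p distinction is exactly why a list that keys its exceptions on the bare domain name rather than the published policy gets the behaviour wrong in both directions.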
