[Mailman-Users] Potential "Bounce" Question

Stephen J. Turnbull stephen at xemacs.org
Thu Sep 10 10:42:37 CEST 2015


@Mark & anybody else familiar with the FAQ: Some of the information
below isn't in the DMARC FAQ, and some of it doesn't seem to be in FAQ
at all.  Pointers to relevant FAQs would be appreciated as I will
update & xref in the next few days as I find time.

Nancy C writes:

 > I am the admin for a group & some members frequently get warning messages
 > like this:
 > 
 > "Your current bounce score is 3.0 out of a maximum of 5.0"
 > 
 > The subscriber has done nothing wrong & these messages are usually
 > Hotmail, yahoo & aol accounts.

The subscriber may have done nothing wrong -- but they chose evil and
incompetent providers.  "Friends don't let friends use Yahoo! or AOL."

In practice, it's really hard to get people to change providers, so I
don't recommend that you try.  However, these sites are actively
disrupting the whole mail system (not just mailing lists) to cover up
for massive security breaches leading to the leakage of millions of
contact lists to professional spammers.  Not nice.

 > What can be done to reduce / eliminate these messages?

The first thing I would suggest is to upgrade Mailman.  As far as I
can tell, Mailman 2.1.20 doesn't send those messages, period (there's
a template for it, but I can't find anywhere it's used).  It sends a
message when the account is disabled, and then at intervals
thereafter.  (Mark Sapiro would know better, though.)  If it *does*
send those messages, I'm sure it's triggered by actual bounces: those
users are losing posts.

As Brian and Mark point out, a likely cause of frequent bounces is the
DMARC p=reject policy used by Yahoo! and AOL.  This policy effectively
requires that mail "From" a user of one of those sites be delivered
directly by a mail server at those sites, a condition which cannot be
satisfied by a public mailing list.[1]

The most popular[2] way to address this condition is to use Mailman >=
2.1.18-1, and set the "Privacy Options > Sender Filters >
dmarc_moderation_action" to "Munge From".  You should review your
settings in the "Reply-To header munging" section of the "General
Options", as there are interactions between the DMARC moderation action
and Reply-To.  (In Mailman 2.1.20 several adjustments were made to
improve the default settings and options available, but 2.1.18-1 and
2.1.19 are usable with care.)  There are other options for your
consideration, but this is by far the most popular.

Another possibility is that those systems have become very paranoid
about spam, and reject mail for various and sundry (i.e., quite random)
reasons that have nothing to do with spammy content.

1.  Your external mail server should have consistent A, MX, and PTR
    records, and announce itself with the public domain.

2.  You should publish SPF and DKIM records for the external mail
    server, and DKIM sign outgoing mail yourself.

3.  It may help to register as a bona fide mailing list with the
    problem providers, and get on their feedback loops.

4.  If you have a lot of resources, you could publish a DMARC record
    and get feedback about who is spoofing your domain, and how much.
    But keeping up with and analyzing that feedback could easily be
    somebody's full-time job, although there are options to just get
    summaries.

Some people think that removing broken DKIM signatures is a good idea,
but we recommend against that.  See Mailman/Defaults.py, the setting
for REMOVE_DKIM_HEADERS and the comment above it.



Footnotes: 
[1]  That's not quite true: a pure "pass through" mailing list that
doesn't change any of the received content will pass the digital
signature test (such a list can add header fields, but not edit
subject or add a heading or footer to the body).  This is unpleasant
at best, and may be legally risky in some cases where the list needs
to add a disclaimer.  ("Legal risk" may be an urban legend, and
certainly varies by jurisdiction.)

[2]  Personally, I just conform to Japanese Ministry of Education
policy that prohibits use of Yahoo for "official communications", and
for once enjoy conformance to policy hugely. ;-)
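The DMARC mechanics the reply describes, worked through as an added example (this is not Mailman's code and not part of the thread): a toy model of a post from an author at a p=reject domain, a list that adds a subject prefix and footer, and a receiver that evaluates DMARC. It shows why the author's DKIM signature breaks (footnote [1]: only a pure pass-through list keeps it intact), why SPF alone does not help an unmunged post (the list's envelope sender does not align with the author's From: domain), and why "Munge From" makes the message pass. All addresses, the list name, the footer text and the simplified DKIM check are constructed for illustration; `example.com` stands in for a p=reject domain such as yahoo.com, `lists.example.org` for the list host, and the body canonicalization follows RFC 6376 "relaxed" while the signature itself is modelled as a plain comparison of the signed fields rather than a public-key check.

```python
"""Added example, not Mailman's own code: why a list that edits posts fails
DMARC for a p=reject author domain, and what "Munge From" changes.
All names and addresses are constructed; the DKIM check is simplified."""
import base64
import hashlib
import re
from email.utils import formataddr, parseaddr

LIST_ADDR = "mylist@lists.example.org"   # constructed list address
SIGNED_HEADERS = ("From", "Subject")     # the h= tag of the author's DKIM signature
POST = {                                 # constructed post; example.com plays a p=reject domain
    "From": "Nancy C <nancy@example.com>",
    "Subject": "Meeting on Friday",
    "Body": "Hi all,\n\nSee you Friday.  \n\n\n",
}
FOOTER = "_______________________________________________\nMylist mailing list"

def addr_domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def relaxed_body(body: str) -> bytes:
    """RFC 6376 s3.4.4 'relaxed' body canonicalization: collapse WSP runs to one
    SP, strip trailing WSP, drop trailing empty lines, end in CRLF unless empty."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """The bh= value of a DKIM-Signature: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def org_domain(domain: str) -> str:
    # Simplified to the last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
                   policy="reject", aspf="r", adkim="r"):
    """RFC 7489 identifier alignment: DMARC passes if SPF or DKIM passes AND that
    mechanism's domain aligns (relaxed: same org domain) with the From: domain.
    Otherwise the receiver is asked to apply the published policy."""
    def aligned(auth_domain, mode):
        if mode == "s":
            return auth_domain.lower() == from_domain.lower()
        return org_domain(auth_domain) == org_domain(from_domain)
    if (spf_pass and aligned(spf_domain, aspf)) or (dkim_pass and aligned(dkim_domain, adkim)):
        return "pass"
    return policy

def sender_signs(post: dict) -> dict:
    """The author's provider records what its DKIM signature covers (d=, bh=, h=)."""
    signed = dict(post)
    signed["dkim_d"] = addr_domain(post["From"])
    signed["dkim_bh"] = body_hash(post["Body"])
    signed["dkim_h"] = {h: post[h] for h in SIGNED_HEADERS}
    return signed

def dkim_verifies(msg: dict) -> bool:
    """Toy verifier: a real one checks a public-key signature over the canonicalized
    h= headers plus bh=; comparing them directly shows which list edits break it."""
    return (body_hash(msg["Body"]) == msg["dkim_bh"]
            and all(msg.get(h) == v for h, v in msg["dkim_h"].items()))

def list_expand(signed: dict, subject_prefix="[Mylist] ", footer="", munge_from=False) -> dict:
    """Roughly what Mailman does before re-sending a post from the list's own
    envelope sender. Added headers (List-Id) never touch bh=; a subject prefix
    or body footer invalidates the author's signature."""
    out = dict(signed)
    out["List-Id"] = "<mylist.lists.example.org>"
    out["envelope_from"] = LIST_ADDR       # SPF is checked against this; bounces return here
    if subject_prefix:
        out["Subject"] = subject_prefix + out["Subject"]
    if footer:
        out["Body"] = out["Body"].rstrip("\n") + "\n\n" + footer + "\n"
    if munge_from:                         # dmarc_moderation_action = Munge From, simplified
        name, addr = parseaddr(signed["From"])
        out["Reply-To"] = signed["From"]   # the author stays reachable
        out["From"] = formataddr((f"{name or addr} via Mylist", LIST_ADDR))
    return out

def receiver_verdict(msg: dict) -> str:
    """A p=reject receiver: SPF passes for the list host (it really did send the
    message); DKIM passes only if the author's signature survived the list."""
    return dmarc_evaluate(addr_domain(msg["From"]),
                          msg["envelope_from"].rpartition("@")[2], True,
                          msg["dkim_d"], dkim_verifies(msg))

def run_scenarios() -> dict:
    signed = sender_signs(POST)
    return {
        "prefix_and_footer": receiver_verdict(list_expand(signed, footer=FOOTER)),
        "subject_prefix_only": receiver_verdict(list_expand(signed)),
        "pure_pass_through": receiver_verdict(list_expand(signed, subject_prefix="")),
        "prefix_footer_munge_from": receiver_verdict(
            list_expand(signed, footer=FOOTER, munge_from=True)),
    }

if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:26} -> {verdict}")
```

The first three scenarios are the unmunged list: with a subject prefix or footer the author's d=example.com signature no longer verifies, SPF only vouches for lists.example.org, and a receiver honouring p=reject bounces the post, which is exactly the traffic that drives up a subscriber's bounce score. The pure pass-through list (List-Id added, nothing else) keeps the signature valid and passes. With Munge From the From: domain becomes the list's, so SPF alignment (or the list's own DKIM signature, item 2 of the checklist above) carries the message even though the author's signature is still broken.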
