
Re: @debian.org mail



On 03.06.19 at 18:09, Marco d'Itri wrote:

> -all would stop some forged emails, but we do not have forged email
> issues.
We do. 4% of this year's spam in my spam traps have originated as fake @debian.org. Unfortunately we even nicely relay them as we can't tell legitimate and fake Debian email apart ourselves.

My favorite ones are fake me sending real me emails with forged Microsoft Outlook Express 6.00.2900.5338 headers. 'Cause that's definitely my MUA of choice. I've also been chosen for the Google foundation trustee board which - allegedly - gets me a personal grant to spend however I wish. I'm still waiting for Google's check to arrive.

Back to topic:

Mailly's sender score dropped to 65/100 during the last spam wave in early May and it took two weeks to recover to sane ratings.

We also fan out spam like <CAN-EvJwX4MAH3+jXPu7iqJo05S9NSg19YFLd-yavVH77KNoSOA@mail.gmail.com> (msgid-search works but it's just a boring example) which - funnily - gets us spam points at Google (because we amplify that to ~100 @gmail.com recipients).

As we are white-listed at dnswl.org and a few other places, such fan-out

1) is very useful for spammers and
2) makes our IP reputation suffer as in the May case cited above

As I said earlier, we're not the best netizens we can be and we should not facilitate others spamming in our name.

I know you don't like SPF mx -all but that is what stops the above and makes @debian.org mail delivery reliable again. As we relay mailing lists via lists.d.o (bendel) we can easily have that continue rewriting senders without issues. It can have a separate SPF.

There are other options, too, incl. the one you listed. I'd go for ARC if we want to go beyond SPF. But that would be a 20 year leap in email tech. I like iterations, i.e. aim for some less ambitious goals first. It's DSA's call what they prefer. I don't care which solution is chosen as long as we get one. O.k., I'd prefer us to not sign up for Google hosted email or Exchange online. I think that part is even safe to assume rough consensus on.
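The two records sketched in the message (a strict `v=spf1 mx -all` on debian.org and a separate SPF record for the lists.d.o relay, which rewrites envelope senders) can be checked with a small SPF evaluator. The following is an added example and is not part of the original mail nor Debian's own infrastructure code. All DNS data in it is constructed: the host mailly.debian.org appears in the message, but its address, the second MX `mx2.debian.org`, the lists.debian.org record and every IP are made up for illustration. Only the `all`, `ip4`, `a`, `mx` and `include` mechanisms are implemented, which is enough for the records discussed here.

```python
import ipaddress

# Constructed DNS data for the example; none of these addresses or records
# are real Debian DNS entries.
DNS = {
    "TXT": {
        # Only the organisation's own MXs may send as @debian.org.
        "debian.org": ["v=spf1 mx -all"],
        # The list relay rewrites envelope senders to its own domain and so
        # gets its own record (assumption: a single outbound host, "a").
        "lists.debian.org": ["v=spf1 a -all"],
    },
    "MX": {"debian.org": ["mailly.debian.org", "mx2.debian.org"]},
    "A": {
        "mailly.debian.org": ["192.0.2.10"],
        "mx2.debian.org": ["192.0.2.11"],
        "lists.debian.org": ["198.51.100.5"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addresses(name, dns):
    """A records of a host, as ipaddress objects (empty list if unknown)."""
    return [ipaddress.ip_address(a) for a in dns["A"].get(name, [])]


def _matches(term, domain, ip, dns):
    """Return True if a single SPF mechanism (without qualifier) matches ip."""
    mech, _, arg = term.partition(":")
    if mech == "all":
        return True
    if mech == "ip4":
        # An IPv6 client never falls inside an IPv4 network.
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return ip in _addresses(arg or domain, dns)
    if mech == "mx":
        # "mx" expands to the A records of every MX host of the domain.
        return any(ip in _addresses(host, dns)
                   for host in dns["MX"].get(arg or domain, []))
    if mech == "include":
        return check_spf(arg, ip, dns) == "pass"
    raise ValueError(f"unsupported mechanism {mech!r}")


def check_spf(domain, client_ip, dns=DNS):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in dns["TXT"].get(domain, []) if r.startswith("v=spf1 ")]
    if not records:
        return "none"          # no SPF published for this domain
    if len(records) > 1:
        return "permerror"     # RFC 7208: multiple records are an error
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term[1:] if term[0] in QUALIFIERS else term
        if _matches(mechanism, domain, ip, dns):
            return QUALIFIERS[qualifier]
    return "neutral"           # ran off the end without an "all" term


def relay_outcomes(relay_ip="198.51.100.5"):
    """The list-relay case: same host, envelope sender kept vs. rewritten."""
    return {
        "kept @debian.org": check_spf("debian.org", relay_ip),
        "rewritten @lists.debian.org": check_spf("lists.debian.org", relay_ip),
    }


if __name__ == "__main__":
    print("mailly as @debian.org:", check_spf("debian.org", "192.0.2.10"))
    print("forged @debian.org from elsewhere:", check_spf("debian.org", "203.0.113.7"))
    print("list relay:", relay_outcomes())
```

The `relay_outcomes` function shows why the sender rewriting on bendel matters once debian.org publishes `-all`: a list message relayed from the list host with an untouched @debian.org envelope sender fails, while the same connection with the sender rewritten to @lists.debian.org passes against the relay's own record.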


