NANOG Community, Maintenance is starting in accordance with the prior maintenance notice. The lists will be unavailable until the maintenance is concluded before or about 0600 UTC. Thank you, Sincerely, NANOG Staff ----------------------------------------- *Valerie Wittkop* Program Directorvwittkop@nanog.org | +1 734-730-0225 <+17347300225> (mobile) | www.nanog.org NANOG | 305 E. Eisenhower Pkwy, Suite 100 | Ann Arbor, MI 48108, USA ASN 19230
The lists have been migrated to mailman 3 and are on lists.nanog.org now. The new archive interface is online and is searchable, along with the ability to reply from the archive interface. You will need to make an account associated with the email address you use to receive mail on lists.nanog.org if you want to use these features. Thank you, -- Bryan Fields 727-409-1194 - Voice http://bryanfields.net
Thank you, Bryan. — Greg Newman
On Mar 1, 2025, at 1:26 AM, Bryan Fields <Bryan@bryanfields.net> wrote:
The lists have been migrated to mailman 3 and are on lists.nanog.org now. The new archive interface is online and is searchable, along with the ability to reply from the archive interface. You will need to make an account associated with the email address you use to receive mail on lists.nanog.org if you want to use these features.
Thank you, -- Bryan Fields
727-409-1194 - Voice http://bryanfields.net _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SC3GCS2N...
| Subject: [NANOG]Re: Congrats on completing the move to Mailman 3 but is this Subject line mangling truly necessary? -- Niels.
On Sun, Mar 2, 2025 at 10:55 AM Niels Bakker <niels=nanog@bakker.net> wrote:
| Subject: [NANOG]Re:
Congrats on completing the move to Mailman 3 but is this Subject line mangling truly necessary?
It has been standard for mailing lists for a quarter of a century now. Isn't it time NANOG caught up with mailing list best practices? Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
Agreed. NANOG was one of only a few mailing lists I'm on that didn't appropriately mangle the headers. Now it's fixed. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "William Herrin" <bill@herrin.us> To: "North American Network Operators Group" <nanog@lists.nanog.org> Sent: Sunday, March 2, 2025 4:04:28 PM Subject: [NANOG]Re: Scheduled Maintenance Finished On Sun, Mar 2, 2025 at 10:55 AM Niels Bakker <niels=nanog@bakker.net> wrote:
| Subject: [NANOG]Re:
Congrats on completing the move to Mailman 3 but is this Subject line mangling truly necessary?
It has been standard for mailing lists for a quarter of a century now. Isn't it time NANOG caught up with mailing list best practices? Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EOFBQS54...
I’d love a whitespace after the “[NANOG]”
On 3/2/25 2:04 PM, William Herrin wrote:
On Sun, Mar 2, 2025 at 10:55 AM Niels Bakker <niels=nanog@bakker.net> wrote:
| Subject: [NANOG]Re:
Congrats on completing the move to Mailman 3 but is this Subject line mangling truly necessary? It has been standard for mailing lists for a quarter of a century now. Isn't it time NANOG caught up with mailing list best practices?
FWIW, the old configuration didn't mark up the subject or add a footer which has the advantage of not breaking the originating DKIM signature. I had always assumed that that was on purpose. Mike
* William Herrin:
On Sun, Mar 2, 2025 at 10:55 AM Niels Bakker <niels=nanog@bakker.net> wrote:
| Subject: [NANOG]Re:
Congrats on completing the move to Mailman 3 but is this Subject line mangling truly necessary?
It has been standard for mailing lists for a quarter of a century now. Isn't it time NANOG caught up with mailing list best practices?
Many mailing lists have moved away from Subject:/body rewriting because it breaks DKIM signatures and may prevent successful message delivery to recipients whose servers enforce the sender's DMARC policy. The alternative is to rewrite the From: line, at least for senders with restrictive DMARC policies, but this breaks other things. <https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html>
On 3/2/25 5:17 PM, Florian Weimer wrote:
* William Herrin:
On Sun, Mar 2, 2025 at 10:55 AM Niels Bakker <niels=nanog@bakker.net> wrote:
| Subject: [NANOG]Re:
Congrats on completing the move to Mailman 3 but is this Subject line mangling truly necessary?
It has been standard for mailing lists for a quarter of a century now. Isn't it time NANOG caught up with mailing list best practices?
By default mailman 3 adds the list name as a subject prefix when you create a list. The procedure used was to create a list and then import the mailman2 config to the new list. From the migration MOP: - create the new list you want to migrate as the mailman user: mailman create nanog@lists.nanog.org mailman import21 nanog@lists.nanog.org ./nanog-config.pck Looks like this is where it came from. Doing some research it looks like we had the same prefixing of subjects in april 2008 after the move from merit to nanog.org.
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/HOTH2SVU... https://mailman.nanog.org/pipermail/nanog/2008-May/000782.html
I never noticed it before as I filter on List-ID into a "NANOG" folder. It could be removed or modified.
Many mailing lists have moved away from Subject:/body rewriting because it breaks DKIM signatures and may prevent successful message delivery to recipients whose servers enforce the sender's DMARC policy. The alternative is to rewrite the From: line, at least for senders with restrictive DMARC policies,
Right now, and historically in the mm2 list config, if a sender had a DMARC policy of reject or quarantine, mailman replaced the From: with the list address. Example: "Bryan Fields via No-adv <no-adv@lists.nanog.org>" Looking back at the mm2 list, DKIM was always a hit or miss, as the list would filter/strip attachments and other email fluf. Unless you sent a plain text message (as you should), it would cause the DKIM signature to fail. btw I use https://github.com/lieser/dkim_verifier/wiki/ as a plugin in my MUA. It's really good for DKIM debugging. There are two other options: 1. Rewrite the from for all messages 2. Implement ARC https://arc-spec.org/ Option one is a bit like a shotgun approach, but it works across all providers, and is well understood. A number of other lists in our industry do it with little issue; the -nsp lists and outages to name a few. A receiver can view the headers and see if it's signed/valid along the way. Option two is outside the scope of migration, but arguably could be the best as it directly solves the issue. Google does implement it. The footer is a bit redundant, as mailman3 has the direct link in the "Archived-At:" header now. I'd propose removing the footer and subject prefix, and investigate implementing ARC now that we can support it on mailman3. Keep in mind there's over 12k people on this list, so performance is a bit of concern. What do others think of this?
but this breaks other things.
What other things does it beak? If someone needs to have their message received and validated there is a tool for that in gpg/pgp. These mime types are accepted on this list and several people use them. -- Bryan Fields 727-409-1194 - Voice http://bryanfields.net
* Bryan@bryanfields.net (Bryan Fields) [Mon 03 Mar 2025, 00:47 CET]:
The footer is a bit redundant, as mailman3 has the direct link in the "Archived-At:" header now. I'd propose removing the footer and subject prefix, and investigate implementing ARC now that we can support it on mailman3. Keep in mind there's over 12k people on this list, so performance is a bit of concern.
What do others think of this?
Agreed on both counts. Look at this monstrosity: Subject: [NANOG] Re: [NANOG]Re: Hardware for MPLS/SR network -- Niels.
On 3/2/25 6:46 PM, Bryan Fields wrote:
There are two other options:
1. Rewrite the from for all messages 2. Implement ARC https://arc-spec.org/
Option one is a bit like a shotgun approach, but it works across all providers, and is well understood. A number of other lists in our industry do it with little issue; the -nsp lists and outages to name a few. A receiver can view the headers and see if it's signed/valid along the way.
Option two is outside the scope of migration, but arguably could be the best as it directly solves the issue. Google does implement it.
The footer is a bit redundant, as mailman3 has the direct link in the "Archived-At:" header now. I'd propose removing the footer and subject prefix, and investigate implementing ARC now that we can support it on mailman3. Keep in mind there's over 12k people on this list, so performance is a bit of concern.
What do others think of this?
Personally, I always liked that DKIM stayed valid through NANOG. It meant that mail sent to NANOG was evaluated mostly by the actual sender, and not by the list itself, which seems much better than lists laundering senders from the PoV of spam filters. Matt
On 3/3/25 12:30 PM, Matt Corallo via NANOG wrote:
On 3/2/25 6:46 PM, Bryan Fields wrote:
There are two other options:
1. Rewrite the from for all messages 2. Implement ARC https://arc-spec.org/
Option one is a bit like a shotgun approach, but it works across all providers, and is well understood. A number of other lists in our industry do it with little issue; the -nsp lists and outages to name a few. A receiver can view the headers and see if it's signed/valid along the way.
Option two is outside the scope of migration, but arguably could be the best as it directly solves the issue. Google does implement it.
The footer is a bit redundant, as mailman3 has the direct link in the "Archived-At:" header now. I'd propose removing the footer and subject prefix, and investigate implementing ARC now that we can support it on mailman3. Keep in mind there's over 12k people on this list, so performance is a bit of concern.
What do others think of this?
Personally, I always liked that DKIM stayed valid through NANOG. It meant that mail sent to NANOG was evaluated mostly by the actual sender, and not by the list itself, which seems much better than lists laundering senders from the PoV of spam filters.
In theory, at least. Unfortunately all of that logic is proprietary especially by the big mailbox providers so it's really hard to say what's happening under the hood. It would be nice to know how it's being used in real life, but I'm not aware of any papers that describe it (feel free if anybody knows some). Mike
On 3/2/25 3:46 PM, Bryan Fields wrote:
There are two other options:
1. Rewrite the from for all messages 2. Implement ARC https://arc-spec.org/
Option one is a bit like a shotgun approach, but it works across all providers, and is well understood. A number of other lists in our industry do it with little issue; the -nsp lists and outages to name a few. A receiver can view the headers and see if it's signed/valid along the way.
Option two is outside the scope of migration, but arguably could be the best as it directly solves the issue. Google does implement it.
Please don't implement ARC -- it's a waste of time and doesn't do what it purports to do. The DKIM wg has just been rechartered and one of the work items is for the list software to annotate the changes it made for the receiver to recover the original signature. That has a much higher likelihood of working. Mike
On Sun, Mar 02, 2025 at 11:17:35PM +0100, Florian Weimer wrote:
Many mailing lists have moved away from Subject:/body rewriting because it breaks DKIM signatures and may prevent successful message delivery to recipients whose servers enforce the sender's DMARC policy. The alternative is to rewrite the From: line, at least for senders with restrictive DMARC policies, but this breaks other things.
And this is one of the great ironies of the entire DKIM/DMARC push: it breaks things that were working just fine for decades while (a) providing no anti-spam value [1] and (b) making the email forgery problem *much* worse [2]. ---rsk [1] I've been monitoring deployment over all email traffic to several dozen domains scattered across a number of servers scattered across a number of networks. And amusingly (or not), significantly more spam is correctly signed than non-spam. This should surprise nobody; it's been a repeated pattern with multiple technologies that were claimed to deal with spam effectively and have instead either had no real impact or made the problem worse. [2] The convergence of multiple bad choices is in play here. First, the proliferation of new TLDs that have been rapidly overrun by abusers of all descriptions. Second, dubious choices in email user interfaces that obfuscate sender addresses. Third, equally dubious choices in email UIs that mark messages that pass validation as "signed" or "secure" or "certified" or whatnot. Fourth, the increasing inability of users to understand email address RHS, e.g., to distinguish example.com from example.tld or example.com.tld or exammple.com or exammple.tld. Fifth, many example.com's of the world don't send plaintext email messages; they mark them up with HTML and graphics and so on, which means that they're teaching their users that any message which *looks like* it's from them is really from them. Sixth, they also include URLs and encourage their users to use those URLs. Seventh, as everyone here is painfully aware, there are all kinds of hosting/cloud operations that will happily take example.tld's money even though they know full well they're not the real example.com and know equally full well what they're really doing. The result of all this is that users are being trained to fall for forgeries, and there is ample supporting infrastructure to make those forgeries effective. Yeah, abusers will have a hard time successfully forging messages from example.com and getting them delivered: *but they don't have to* because example.tld (for ~1000 values of "tld") is available. And of course example.tld can recreate the language and appearance of messages from the real example.com at will, and can mimic the web site, which means that users will be presented messages that look like, feel like, smell like they're from example.com, are dutifully marked as "authentic" or whatever in their email client...and are all fakes that lead them to a fake web site.
participants (11)
-
Bryan Fields -
Florian Weimer -
Greg Newman -
Job Snijders -
Matt Corallo -
Michael Thomas -
Mike Hammett -
Niels Bakker -
Rich Kulawiec -
Valerie Wittkop -
William Herrin