I've recently observed gmail dropping messages or not forwarding all messages/posts from the nanog list. This is rather annoying. Has anyone else experienced this? Does anyone have any insight as to why? Thanks, -b -- Bill Blackford Network Engineer Logged into reality and abusing my sudo privileges.....
On Thu, Apr 21, 2011 at 9:24 PM, Bill Blackford <bblackford@gmail.com> wrote:
I've recently observed gmail dropping messages or not forwarding all messages/posts from the nanog list. This is rather annoying.
Has anyone else experienced this? Does anyone have any insight as to why?
sometimes nanog mail gets marked as spam for me ... I think spam does not get auto-forwarded.
ok, there are some in the spam folder. Hmm, didn't think to look there for the missing ones when my inbox appears to be receivng partial threads. Thanks, -b On Thu, Apr 21, 2011 at 6:31 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Thu, Apr 21, 2011 at 9:24 PM, Bill Blackford <bblackford@gmail.com> wrote:
I've recently observed gmail dropping messages or not forwarding all messages/posts from the nanog list. This is rather annoying.
Has anyone else experienced this? Does anyone have any insight as to why?
sometimes nanog mail gets marked as spam for me ... I think spam does not get auto-forwarded.
-- Bill Blackford Network Engineer Logged into reality and abusing my sudo privileges.....
What is the DKIM check result for those messages? May be time to get nanog mailing list DKIM aware? On 4/22/11 13:24 , "Bill Blackford" <bblackford@gmail.com> wrote:
I've recently observed gmail dropping messages or not forwarding all messages/posts from the nanog list. This is rather annoying.
Has anyone else experienced this? Does anyone have any insight as to why?
Thanks,
On Fri, Apr 22, 2011 at 9:44 PM, Franck Martin <fmartin@linkedin.com> wrote:
What is the DKIM check result for those messages?
Non existent, it's SPF only. This is what GMail sees: Received: from s0.nanog.org (s0.nanog.org [207.75.116.162]) by mx.google.com with ESMTPS id h1si7255610ibn.43.2011.04.22.13.42.53 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 22 Apr 2011 13:42:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of nanog-bounces+askoorb+nanog=gmail.com@nanog.org designates 207.75.116.162 as permitted sender) client-ip=207.75.116.162; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of nanog-bounces+askoorb+nanog=gmail.com@nanog.org designates 207.75.116.162 as permitted sender) smtp.mail=nanog-bounces+askoorb+nanog=gmail.com@nanog.org
May be time to get nanog mailing list DKIM aware?
On 4/22/11 13:24 , "Bill Blackford" <bblackford@gmail.com> wrote:
I've recently observed gmail dropping messages or not forwarding all messages/posts from the nanog list. This is rather annoying.
Has anyone else experienced this? Does anyone have any insight as to why?
Yes, for example, the message I'm replying to had this at the top of it: "Due to a filter you created, this message was not sent to Spam. Edit Filters" "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more" So GMail thinks it's a phishing message :-/ Quite a lot of my Nanog messages are marked as spam, which is why I created a filter to not send any messages with a list ID header with nanog.nanog.org in it to spam at all. The only way for Nanog to get round this would be for the mail administrator to follow *every* step at https://mail.google.com/support/bin/answer.py?answer=81126 which basically is: - Explicit SPF with hard fail. - Signing with DKIM or DomainKeys. - Useing a consistent IP address to send bulk mail. - Keeping valid reverse DNS records for the IP address(es) from which mail is sent, pointing to the sending domain. - Use the same address in the 'From:' header on every bulk mail that is sent. - Using the "Precedence: bulk" header. - Up-to-date contact information in the WHOIS record, and on abuse.net. But the list administrator would have to do all of that faff. Alex
On 4/23/11 10:41 , "Alex Brooks" <askoorb+nanog@gmail.com> wrote:
On Fri, Apr 22, 2011 at 9:44 PM, Franck Martin <fmartin@linkedin.com> wrote:
What is the DKIM check result for those messages?
Non existent, it's SPF only.
My point.
This is what GMail sees:
Received: from s0.nanog.org (s0.nanog.org [207.75.116.162]) by mx.google.com with ESMTPS id h1si7255610ibn.43.2011.04.22.13.42.53 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 22 Apr 2011 13:42:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of nanog-bounces+askoorb+nanog=gmail.com@nanog.org designates 207.75.116.162 as permitted sender) client-ip=207.75.116.162; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of nanog-bounces+askoorb+nanog=gmail.com@nanog.org designates 207.75.116.162 as permitted sender) smtp.mail=nanog-bounces+askoorb+nanog=gmail.com@nanog.org
May be time to get nanog mailing list DKIM aware?
On 4/22/11 13:24 , "Bill Blackford" <bblackford@gmail.com> wrote:
I've recently observed gmail dropping messages or not forwarding all messages/posts from the nanog list. This is rather annoying.
Has anyone else experienced this? Does anyone have any insight as to why?
Yes, for example, the message I'm replying to had this at the top of it:
"Due to a filter you created, this message was not sent to Spam. Edit Filters" "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more"
So GMail thinks it's a phishing message :-/
Because from: may be from a domain which is known to DKIM sign everything.... (like gmail).
Quite a lot of my Nanog messages are marked as spam, which is why I created a filter to not send any messages with a list ID header with nanog.nanog.org in it to spam at all.
The only way for Nanog to get round this would be for the mail administrator to follow *every* step at https://mail.google.com/support/bin/answer.py?answer=81126 which basically is: - Explicit SPF with hard fail. - Signing with DKIM or DomainKeys. - Useing a consistent IP address to send bulk mail. - Keeping valid reverse DNS records for the IP address(es) from which mail is sent, pointing to the sending domain. - Use the same address in the 'From:' header on every bulk mail that is sent. - Using the "Precedence: bulk" header. - Up-to-date contact information in the WHOIS record, and on abuse.net.
But the list administrator would have to do all of that faff.
No, it is mailman, just upgrade mailman. Recent versions are more DKIM aware... More info: http://tools.ietf.org/html/draft-ietf-dkim-mailinglists-06
On 4/22/2011 4:01 PM, Franck Martin wrote:
On 4/23/11 10:41 , "Alex Brooks"<askoorb+nanog@gmail.com> wrote:
On Fri, Apr 22, 2011 at 9:44 PM, Franck Martin<fmartin@linkedin.com> wrote:
What is the DKIM check result for those messages?
Non existent, it's SPF only.
My point.
Nearly all of the spam I see is DKIM signed. It just makes messages bigger. I'd just as soon our volunteers spend their times on other things, myself. -- "The person becomes vulnerable to all manner of fads, such as astrology, superstitions, economics, and tarot-card reading." The Black Swan, by Nassim Nicholas Taleb
On 4/23/11 11:24 , "Lynda" <shrdlu@deaddrop.org> wrote:
On 4/22/2011 4:01 PM, Franck Martin wrote:
On 4/23/11 10:41 , "Alex Brooks"<askoorb+nanog@gmail.com> wrote:
On Fri, Apr 22, 2011 at 9:44 PM, Franck Martin<fmartin@linkedin.com> wrote:
What is the DKIM check result for those messages?
Non existent, it's SPF only.
My point.
Nearly all of the spam I see is DKIM signed. It just makes messages bigger. I'd just as soon our volunteers spend their times on other things, myself.
It is like IPv6, it just makes packets bigger...
On 04/22/2011 07:24 PM, Lynda wrote:
Non existent, it's SPF only.
My point.
Nearly all of the spam I see is DKIM signed. It just makes messages bigger. I'd just as soon our volunteers spend their times on other things, myself.
DKIM isn't designed explicitly to stop spam, it's designed to identify senders. If you trust the issued certificates(!) being used to sign the mail, you at least have a good indication that the spam is coming from the domain that it says it's coming from. This can make spam blocking much more effective because instead of simply hoping that a domain-based blocklist will block spam and not ham (due to spoofed sender addresses), you have a pretty good feeling that this will be the case. Of course this relies on various other bits and pieces to fall into place, such as properly handling such messages (Gmail's detection and handling rules aren't public AFAIK), CAs not being compromised, etc. Not to mention that the spammers can simply register another domain and buy a new cert -- but then the argument above still holds. --Jeff
On Apr 25, 2011, at 10:12 AM, Jeff Mitchell wrote:
If you trust the issued certificates(!) being used to sign the mail, you at least have a good indication that the spam is coming from the domain that it says it's coming from. This can make spam blocking much more effective because instead of simply hoping that a domain-based blocklist will block spam and not ham (due to spoofed sender addresses), you have a pretty good feeling that this will be the case.
Of course this relies on various other bits and pieces to fall into place, such as properly handling such messages (Gmail's detection and handling rules aren't public AFAIK), CAs not being compromised, etc. Not to mention that the spammers can simply register another domain and buy a new cert -- but then the argument above still holds.
DKIM doesn't use purchased certificates. It's all self-signed. As for catching spammers, using d= as an identifier is more effective at finding the good stuff than the bad stuff. So if this list were signed by nanog.org, we (or our reputation systems) could all recognize that mail signed d=nanog.org rarely resulted in user complaints, and thus it must be mail the users want to receive; conversely, mail which spoofs nanog.org but is not signed can safely* be stored in the big bit bucket in the cloud. -- J.D. Falk the leading purveyor of industry counter-rhetoric solutions * assuming nanog.org signs ALL mail -- but that's another long discussion
On 04/26/2011 05:08 PM, J.D. Falk wrote:
On Apr 25, 2011, at 10:12 AM, Jeff Mitchell wrote:
If you trust the issued certificates(!) being used to sign the mail, you at least have a good indication that the spam is coming from the domain that it says it's coming from. This can make spam blocking much more effective because instead of simply hoping that a domain-based blocklist will block spam and not ham (due to spoofed sender addresses), you have a pretty good feeling that this will be the case.
Of course this relies on various other bits and pieces to fall into place, such as properly handling such messages (Gmail's detection and handling rules aren't public AFAIK), CAs not being compromised, etc. Not to mention that the spammers can simply register another domain and buy a new cert -- but then the argument above still holds.
DKIM doesn't use purchased certificates. It's all self-signed.
Well, they aren't self-signed either; DKIM doesn't use x.509 style certs at all. It's just RSAPublicKey DER-encoded public keys that are placed in the DNS. Mike, but it still requires some crufty ASN.1 which is prolly the confusion
On 04/26/2011 09:16 PM, Michael Thomas wrote:
On 04/26/2011 05:08 PM, J.D. Falk wrote:
On Apr 25, 2011, at 10:12 AM, Jeff Mitchell wrote:
If you trust the issued certificates(!) being used to sign the mail, you at least have a good indication that the spam is coming from the domain that it says it's coming from. This can make spam blocking much more effective because instead of simply hoping that a domain-based blocklist will block spam and not ham (due to spoofed sender addresses), you have a pretty good feeling that this will be the case.
Of course this relies on various other bits and pieces to fall into place, such as properly handling such messages (Gmail's detection and handling rules aren't public AFAIK), CAs not being compromised, etc. Not to mention that the spammers can simply register another domain and buy a new cert -- but then the argument above still holds.
DKIM doesn't use purchased certificates. It's all self-signed.
Well, they aren't self-signed either; DKIM doesn't use x.509 style certs at all. It's just RSAPublicKey DER-encoded public keys that are placed in the DNS.
Sorry, yes. I've had GPG and X509 on the brain lately. Thanks for the correction, Mike and J.D. --Jeff
On 4/22/2011 4:24 PM, Lynda wrote:
Nearly all of the spam I see is DKIM signed. It just makes messages bigger. I'd just as soon our volunteers spend their times on other things, myself.
In the off-chance you are assuming that the presence of a DKIM signature is supposed to mean something about the quality of a message, please note that it isn't. It is only meant to supply a reliable, valid identifier, with which assessments can then be made. That assessment step is where the fun happens. See: <http://dkim.org/specs/draft-ietf-dkim-deployment-11.html> For reference, spammers are typically early adopters of newly security standardized mechanisms, in the (demonstrably valid) belief that some folk confuse identification with quality assurance. In particular, the DKIM d= identifier is primarily helpful for avoiding false positives. That is, it is for an assessment process targeting signers you trust, rather more than for targeting those you don't. If you don't care about the trust side of the filtering equation, I suspect DKIM will not be all that helpful for you. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
On 4/21/11 9:24 PM, Bill Blackford wrote:
I've recently observed gmail dropping messages or not forwarding all messages/posts from the nanog list. This is rather annoying.
Has anyone else experienced this? Does anyone have any insight as to why?
I've read the thread, and ironically all messages from Franck Martin in this thread were sent to spam by gmail. None of the others! This is like an earlier thread: -------- Previous Message -------- Subject: Re: sudden low spam levels? Date: Tue, 04 Jan 2011 10:10:24 -0500 From: William Allen Simpson <william.allen.simpson@gmail.com> To: nanog@nanog.org On 1/3/11 6:42 PM, Jay Farrell wrote:
I noticed a substantial drop in spam in my gmail account in recent days, from several hundred a day to maybe a hundred. Ironically, gmail filtered this thread to my spam folder.
Yes, I found these messages my gmail spam today, too. Lately, gmail has been regularly flagging NANOG as spam, particularly the end of week CIDR and BGP reports.
participants (10)
-
Alex Brooks
-
Bill Blackford
-
Christopher Morrow
-
Dave CROCKER
-
Franck Martin
-
J.D. Falk
-
Jeff Mitchell
-
Lynda
-
Michael Thomas
-
William Allen Simpson