
Mailing List Archive: Wikipedia: Wikitech

SPF (email spoof prevention feature) test-rollout Weds 10/5

 

 



jgreen at wikimedia

Sep 28, 2012, 11:00 AM

Post #1 of 12 (1969 views)
Permalink
SPF (email spoof prevention feature) test-rollout Weds 10/5

I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org
domain on Weds October 5. SPF is a framework for validating outgoing mail,
which gives the receiving side useful information for spam filtering. The
main goal is to cause spoofed @wikimedia.org mail to be correctly
identified as such. It should also improve our odds of getting fundraiser
mailings into inboxes rather than spam folders.

The change should not be noticeable, but the most likely problem would be
legitimate @wikimedia.org mail being treated as spam. If you hear of this
happening please let me know.

Technical details are below for anyone interested . . .

Thanks,
jg

Jeff Green
Operations Engineer, Special Projects
Wikimedia Foundation
149 New Montgomery Street, 3rd Floor
San Francisco, CA 94105
jgreen [at] wikimedia

. . . . . . .

SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework

The October 8 change will be simply a matter of adding a TXT record to the
wikimedia.org DNS zone:

wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"

The record is a list of subnets that we identify as senders (all wmf
subnets, google apps, and the fundraiser mailhouse). The "?all" is a
"neutral" policy--it doesn't state either way how mail should be handled.

Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail,
which tells the receiving side that only mail coming from the listed
subnets is valid. Most ISPs will route 'other' mail to a spam folder based
on SoftFail.

Please bug me with any questions/comments!

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


daniel at nadir-seen-fire

Sep 28, 2012, 11:04 AM

Post #2 of 12 (1923 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green <jgreen [at] wikimedia>
wrote:

> I'm planning to deploy Sender Policy Framework (SPF) for the
> wikimedia.org domain on Weds October 5. SPF is a framework for
> validating outgoing mail, which gives the receiving side useful
> information for spam filtering. The main goal is to cause spoofed
> @wikimedia.org mail to be correctly identified as such. It should also
> improve our odds of getting fundraiser mailings into inboxes rather than
> spam folders.
>
> The change should not be noticeable, but the most likely problem would
> be legitimate @wikimedia.org mail being treated as spam. If you hear of
> this happening please let me know.
>
> Technical details are below for anyone interested . . .
>
> Thanks,
> jg
>
> Jeff Green
> Operations Engineer, Special Projects
> Wikimedia Foundation
> 149 New Montgomery Street, 3rd Floor
> San Francisco, CA 94105
> jgreen [at] wikimedia
>
> . . . . . . .
>
> SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
>
> The October 8 change will be simply a matter of adding a TXT record to
> the wikimedia.org DNS zone:
>
> wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22
> ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
>
> The record is a list of subnets that we identify as senders (all wmf
> subnets, google apps, and the fundraiser mailhouse). The "?all" is a
> "neutral" policy--it doesn't state either way how mail should be handled.
>
> Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail,
> which tells the receiving side that only mail coming from the listed
> subnets is valid. Most ISPs will route 'other' mail to a spam folder
> based on SoftFail.

I was under the impression that ~all softfail is not an assertion that
something is not authorized and the only way to actually assert that is
with -all hardfail.

> Please bug me with any questions/comments!


--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]




tylerromeo at gmail

Sep 28, 2012, 11:10 AM

Post #3 of 12 (1922 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

You should also add an SPF record in addition to a TXT record, as
recommended by RFC 4408. The format is the same.

*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo [at] gmail





jgreen at wikimedia

Sep 28, 2012, 11:19 AM

Post #4 of 12 (1921 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

On Fri, 28 Sep 2012, Daniel Friesen wrote:

> On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green <jgreen [at] wikimedia> wrote:
>
>> I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org
>> domain on Weds October 5. SPF is a framework for validating outgoing mail,
>> which gives the receiving side useful information for spam filtering. The
>> main goal is to cause spoofed @wikimedia.org mail to be correctly
>> identified as such. It should also improve our odds of getting fundraiser
>> mailings into inboxes rather than spam folders.
>>
>> The change should not be noticeable, but the most likely problem would be
>> legitimate @wikimedia.org mail being treated as spam. If you hear of this
>> happening please let me know.
>>
>> Technical details are below for anyone interested . . .
>>
>> Thanks,
>> jg
>>
>> Jeff Green
>> Operations Engineer, Special Projects
>> Wikimedia Foundation
>> 149 New Montgomery Street, 3rd Floor
>> San Francisco, CA 94105
>> jgreen [at] wikimedia
>>
>> . . . . . . .
>>
>> SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
>>
>> The October 8 change will be simply a matter of adding a TXT record to the
>> wikimedia.org DNS zone:
>>
>> wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22
>> ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
>>
>> The record is a list of subnets that we identify as senders (all wmf
>> subnets, google apps, and the fundraiser mailhouse). The "?all" is a
>> "neutral" policy--it doesn't state either way how mail should be handled.
>>
>> Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail,
>> which tells the receiving side that only mail coming from the listed
>> subnets is valid. Most ISPs will route 'other' mail to a spam folder based
>> on SoftFail.
>
> I was under the impression that ~all softfail is not an assertion that
> something is not authorized and the only way to actually assert that is with
> -all hardfail.

The distinction is essentially assert (-all) vs advise (~all). Ideally
-all would result in a reject during SMTP, and ~all would be
route-to-spam-folder. But I think what really happens is subjective to the
receiving side.


>> Please bug me with any questions/comments!
>
>
> --
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
>
>


jgreen at wikimedia

Sep 28, 2012, 11:19 AM

Post #5 of 12 (1924 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

Good point--thanks!

jg

On Fri, 28 Sep 2012, Tyler Romeo wrote:

> You should also add an SPF record in addition to a TXT record, as
> recommended by RFC 4408. The format is the same.


b-jorsch at alum

Sep 28, 2012, 12:19 PM

Post #6 of 12 (1931 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
>
> The change should not be noticeable, but the most likely problem
> would be legitimate @wikimedia.org mail being treated as spam. If
> you hear of this happening please let me know.

Anyone who sends all mail marked as "from"[1] their @wikimedia.org
address through Gmail's SMTP server, through an SMTP server hosted by
Wikimedia (is there one?), or through any other server identified in the
SPF record should be fine. And anyone who isn't sending "from" an
@wikimedia.org address should be entirely unaffected.

If anyone is sending mail marked as "from" their @wikimedia.org address
through some other SMTP server (e.g. through their home ISP), they might
start to see trouble with this change and likely will when the SPF
record is changed to ~all.

Also, any recipient who has their mail forwarded might have trouble
*receiving* messages from @wikimedia.org addresses, unless their
forwarding service takes SPF into account or their destination mailbox
doesn't check SPF. OTOH, these people would have the same problem with
receiving mail from all the other domains that currently implement SPF.



[1]: There are actually two concepts of "from" involved in email. The
first, the "envelope sender" or "mail from", is the address that
bounce notifications should be sent to. The second is the address
that actually shows up as "From:" in the email message. SPF is
intended to target only the former, but SenderID hijacks the SPF
specification to also test the latter.
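
The qualifier and envelope-sender points made in this thread, worked through as an added example (it is not part of any post and is not Wikimedia's code). It evaluates the record from the announcement for a few constructed client addresses under "?all", "~all" and, going one step beyond the planned rollout, "-all". The DNS stub, the sample addresses and all function names are assumptions; only ip4, ip6, include and all are handled.

```python
import ipaddress

# SPF record quoted in the announcement (post #1), joined onto one line.
WIKIMEDIA_SPF = ("v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 "
                 "ip6:2620:0:860::/46 include:_spf.google.com "
                 "ip4:74.121.51.111 ?all")

# Constructed stand-in for DNS so the example runs offline. The real
# _spf.google.com record is not on the page; 192.0.2.0/24 is a
# documentation range used here in its place.
STUB_DNS = {
    "wikimedia.org": WIKIMEDIA_SPF,
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, dns=STUB_DNS, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for client_ip."""
    record = dns.get(domain)
    if record is None:
        return "none"  # the domain publishes no SPF policy
    terms = record.split()
    if depth > 10 or not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the included policy says "pass";
            # the included record's own ~all or -all is not inherited.
            sub = check_host(client_ip, arg, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def policy_with(all_qualifier):
    """Return the announced record with its final 'all' qualifier swapped."""
    return WIKIMEDIA_SPF.replace("?all", all_qualifier + "all")


def spf_for_message(client_ip, mail_from, header_from, dns=STUB_DNS):
    """SPF checks the envelope sender (MAIL FROM) domain only.

    header_from is accepted to make the point that it plays no part.
    """
    domain = mail_from.rpartition("@")[2].lower()
    return check_host(client_ip, domain, dns)


# Constructed scenarios: (label, connecting IP, envelope sender, From: header)
SCENARIOS = [
    ("wmf_server", "208.80.154.10", "staff@wikimedia.org", "staff@wikimedia.org"),
    ("wmf_ipv6", "2620:0:861::1", "staff@wikimedia.org", "staff@wikimedia.org"),
    ("google_apps_stub", "192.0.2.25", "staff@wikimedia.org", "staff@wikimedia.org"),
    ("home_isp", "198.51.100.7", "staff@wikimedia.org", "staff@wikimedia.org"),
    ("forwarder", "203.0.113.5", "staff@wikimedia.org", "staff@wikimedia.org"),
    ("other_envelope", "198.51.100.7", "bounce@example.net", "staff@wikimedia.org"),
]


def rollout_table():
    """SPF result per scenario for each candidate 'all' qualifier."""
    table = {}
    for q in ("?", "~", "-"):
        dns = dict(STUB_DNS, **{"wikimedia.org": policy_with(q)})
        table[q] = {label: spf_for_message(ip, mail_from, hdr_from, dns)
                    for label, ip, mail_from, hdr_from in SCENARIOS}
    return table


if __name__ == "__main__":
    for q, results in rollout_table().items():
        print(q + "all", results)
```

Listed senders pass under every variant; the home ISP and forwarder cases move from neutral to softfail to fail as the qualifier is tightened, and the last scenario returns "none" because SPF consulted example.net, not the From: header.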



nemowiki at gmail

Sep 28, 2012, 12:26 PM

Post #7 of 12 (1915 views)
Permalink
Re: [Wikimedia-l] SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

>> Eventually we'll probably bump "?all" to a stricter "~all" aka
>> SoftFail, which tells the receiving side that only mail coming from
>> the listed subnets is valid. Most ISPs will route 'other' mail to a
>> spam folder based on SoftFail.

I guess this means that people will no longer be able to successfully
use a @wikimedia.org address in their from: field unless they are WMF
employees (or whatever) and use the Google Apps address via webmail or
SMTP-AUTH?
Not that I care, but all such existing users should probably be warned.

>
> I was under the impression that ~all softfail is not an assertion that
> something is not authorized and the only way to actually assert that is
> with -all hardfail.
>
>> Please bug me with any questions/comments!

Nemo



jgreen at wikimedia

Sep 28, 2012, 12:43 PM

Post #8 of 12 (1922 views)
Permalink
Re: [Wikimedia-l] SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

On Fri, 28 Sep 2012, Federico Leva (Nemo) wrote:

>>> Eventually we'll probably bump "?all" to a stricter "~all" aka
>>> SoftFail, which tells the receiving side that only mail coming from
>>> the listed subnets is valid. Most ISPs will route 'other' mail to a
>>> spam folder based on SoftFail.
>
> I guess this means that people will no longer be able to successfully use a
> @wikimedia.org address in their from: field unless they are WMF employees (or
> whatever) and use the Google Apps address via webmail or SMTP-AUTH?
> Not that I care, but all such existing users should probably be warned.

This is why Andrew in Office IT sent out emails over the past couple of
weeks regarding mail client setup. I don't think he's heard from anyone
for whom this is an issue, but he's on board for helping people adjust
their outbound mailserver if we can find anyone who needs to.

>> I was under the impression that ~all softfail is not an assertion that
>> something is not authorized and the only way to actually assert that is
>> with -all hardfail.
>>
>>> Please bug me with any questions/comments!
>
> Nemo
>


daniel at nadir-seen-fire

Sep 28, 2012, 12:44 PM

Post #9 of 12 (1913 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

On Fri, 28 Sep 2012 12:19:21 -0700, Brad Jorsch
<b-jorsch [at] alum> wrote:

> On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
>>
>> The change should not be noticeable, but the most likely problem
>> would be legitimate @wikimedia.org mail being treated as spam. If
>> you hear of this happening please let me know.
>
> Anyone who sends all mail marked as "from"[1] their @wikimedia.org
> address through Gmail's SMTP server, through an SMTP server hosted by
> Wikimedia (is there one?), or through any other server identified in the
> SPF record should be fine. And anyone who isn't sending "from" an
> @wikimedia.org address should be entirely unaffected.
>
> If anyone is sending mail marked as "from" their @wikimedia.org address
> through some other SMTP server (e.g. through their home ISP), they might
> start to see trouble with this change and likely will when the SPF
> record is changed to ~all.
>
> Also, any recipient who has their mail forwarded might have trouble
> *receiving* messages from @wikimedia.org addresses, unless their
> forwarding service takes SPF into account or their destination mailbox
> doesn't check SPF. OTOH, these people would have the same problem with
> receiving mail from all the other domains that currently implement SPF.
>
>
>
> [1]: There are actually two concepts of "from" involved in email. The
> first, the "envelope sender" or "mail from", is the address that
> bounce notifications should be sent to. The second is the address
> that actually shows up as "From:" in the email message. SPF is
> intended to target only the former, but SenderID hijacks the SPF
> specification to also test the latter.

And to make things all fun and confusing. We shouldn't forget about the
Sender: header...

**mumbles about AWS-SES not supporting Sender:**

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]




jgreen at wikimedia

Sep 28, 2012, 12:47 PM

Post #10 of 12 (1920 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

On Fri, 28 Sep 2012, Daniel Friesen wrote:

> On Fri, 28 Sep 2012 12:19:21 -0700, Brad Jorsch
> <b-jorsch [at] alum> wrote:
>
>> On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
>>>
>>> The change should not be noticeable, but the most likely problem
>>> would be legitimate @wikimedia.org mail being treated as spam. If
>>> you hear of this happening please let me know.
>>
>> Anyone who sends all mail marked as "from"[1] their @wikimedia.org
>> address through Gmail's SMTP server, through an SMTP server hosted by
>> Wikimedia (is there one?), or through any other server identified in the
>> SPF record should be fine. And anyone who isn't sending "from" an
>> @wikimedia.org address should be entirely unaffected.
>>
>> If anyone is sending mail marked as "from" their @wikimedia.org address
>> through some other SMTP server (e.g. through their home ISP), they might
>> start to see trouble with this change and likely will when the SPF
>> record is changed to ~all.
>>
>> Also, any recipient who has their mail forwarded might have trouble
>> *receiving* messages from @wikimedia.org addresses, unless their
>> forwarding service takes SPF into account or their destination mailbox
>> doesn't check SPF. OTOH, these people would have the same problem with
>> receiving mail from all the other domains that currently implement SPF.
>>
>>
>>
>> [1]: There are actually two concepts of "from" involved in email. The
>> first, the "envelope sender" or "mail from", is the address that
>> bounce notifications should be sent to. The second is the address
>> that actually shows up as "From:" in the email message. SPF is
>> intended to target only the former, but SenderID hijacks the SPF
>> specification to also test the latter.
>
> And to make things all fun and confusing. We shouldn't forget about the
> Sender: header...
>
> **mumbles about AWS-SES not supporting Sender:**

Yes and SenderID is where we're running into deliverability issues for
fundraiser mailings since we lack SPF, that's part of what prompted this
whole initiative. Well, that and an ancient RT request from Office IT!

>
> --
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
>
>


daniel at nadir-seen-fire

Sep 28, 2012, 1:13 PM

Post #11 of 12 (1915 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

On Fri, 28 Sep 2012 12:47:20 -0700, Jeff Green <jgreen [at] wikimedia>
wrote:

>
>
> On Fri, 28 Sep 2012, Daniel Friesen wrote:
>
>> On Fri, 28 Sep 2012 12:19:21 -0700, Brad Jorsch
>> <b-jorsch [at] alum> wrote:
>>
>>> On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
>>>> The change should not be noticeable, but the most likely problem
>>>> would be legitimate @wikimedia.org mail being treated as spam. If
>>>> you hear of this happening please let me know.
>>> Anyone who sends all mail marked as "from"[1] their @wikimedia.org
>>> address through Gmail's SMTP server, through an SMTP server hosted by
>>> Wikimedia (is there one?), or through any other server identified in
>>> the
>>> SPF record should be fine. And anyone who isn't sending "from" an
>>> @wikimedia.org address should be entirely unaffected.
>>> If anyone is sending mail marked as "from" their @wikimedia.org
>>> address
>>> through some other SMTP server (e.g. through their home ISP), they
>>> might
>>> start to see trouble with this change and likely will when the SPF
>>> record is changed to ~all.
>>> Also, any recipient who has their mail forwarded might have trouble
>>> *receiving* messages from @wikimedia.org addresses, unless their
>>> forwarding service takes SPF into account or their destination mailbox
>>> doesn't check SPF. OTOH, these people would have the same problem with
>>> receiving mail from all the other domains that currently implement SPF.
>>> [1]: There are actually two concepts of "from" involved in email.
>>> The
>>> first, the "envelope sender" or "mail from", is the address that
>>> bounce notifications should be sent to. The second is the address
>>> that actually shows up as "From:" in the email message. SPF is
>>> intended to target only the former, but SenderID hijacks the SPF
>>> specification to also test the latter.
>>
>> And to make things all fun and confusing. We shouldn't forget about the
>> Sender: header...
>>
>> **mumbles about AWS-SES not supporting Sender:**
>
> Yes and SenderID is where we're running into deliverability issues for
> fundraiser mailings since we lack SPF, that's part of what prompted this
> whole initiative. Well, that and an ancient RT request from Office IT!

T_T Not my complaint about From: @wikimedia.org spam on wikitech-l?

>>
>> -- ~Daniel Friesen (Dantman, Nadir-Seen-Fire)
>> [http://daniel.friesen.name]
>>
>>


--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]




jgreen at wikimedia

Sep 28, 2012, 1:15 PM

Post #12 of 12 (1916 views)
Permalink
Re: SPF (email spoof prevention feature) test-rollout Weds 10/5 [In reply to]

On Fri, 28 Sep 2012, Daniel Friesen wrote:

> On Fri, 28 Sep 2012 12:47:20 -0700, Jeff Green <jgreen [at] wikimedia> wrote:
>
>>
>>
>> On Fri, 28 Sep 2012, Daniel Friesen wrote:
>>
>>> On Fri, 28 Sep 2012 12:19:21 -0700, Brad Jorsch
>>> <b-jorsch [at] alum> wrote:
>>>
>>>> On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
>>>>> The change should not be noticeable, but the most likely problem
>>>>> would be legitimate @wikimedia.org mail being treated as spam. If
>>>>> you hear of this happening please let me know.
>>>> Anyone who sends all mail marked as "from"[1] their @wikimedia.org
>>>> address through Gmail's SMTP server, through an SMTP server hosted by
>>>> Wikimedia (is there one?), or through any other server identified in the
>>>> SPF record should be fine. And anyone who isn't sending "from" an
>>>> @wikimedia.org address should be entirely unaffected.
>>>> If anyone is sending mail marked as "from" their @wikimedia.org address
>>>> through some other SMTP server (e.g. through their home ISP), they might
>>>> start to see trouble with this change and likely will when the SPF
>>>> record is changed to ~all.
>>>> Also, any recipient who has their mail forwarded might have trouble
>>>> *receiving* messages from @wikimedia.org addresses, unless their
>>>> forwarding service takes SPF into account or their destination mailbox
>>>> doesn't check SPF. OTOH, these people would have the same problem with
>>>> receiving mail from all the other domains that currently implement SPF.
>>>> [1]: There are actually two concepts of "from" involved in email. The
>>>> first, the "envelope sender" or "mail from", is the address that
>>>> bounce notifications should be sent to. The second is the address
>>>> that actually shows up as "From:" in the email message. SPF is
>>>> intended to target only the former, but SenderID hijacks the SPF
>>>> specification to also test the latter.
>>>
>>> And to make things all fun and confusing. We shouldn't forget about the
>>> Sender: header...
>>>
>>> **mumbles about AWS-SES not supporting Sender:**
>>
>> Yes and SenderID is where we're running into deliverability issues for
>> fundraiser mailings since we lack SPF, that's part of what prompted this
>> whole initiative. Well, that and an ancient RT request from Office IT!
>
> T_T Not my complaint about From: @wikimedia.org spam on wikitech-l?

That too! ;-)

>
>>>
>>> -- ~Daniel Friesen (Dantman, Nadir-Seen-Fire)
>>> [http://daniel.friesen.name]
>>>
>>>
>
>
> --
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
>
>
