----- Forwarded message from Rick Moen <rick(a)linuxmafia.com> -----
Date: Sat, 21 Nov 2020 12:41:28 -0800
From: Rick Moen <rick(a)linuxmafia.com>
To: Al <aw009(a)sunnyside.com>
Cc: Michael Paoli <Michael.Paoli(a)cal.berkeley.edu>
Subject: Re: Fwd: cooperation
I'm going to also send this to balug-admin for collective knowledge.
Quoting Al Whaley (aw009(a)sunnyside.com):
> Rick,
> this one caught my eye... it seems to have gone through mailman on
> linuxmafia for the SFLUG mailing list.
_Sort_ of, but mostly not.
You as a listadmin for the SF-LUG mailing list receive copies from
Mailman of outside mail addressed to the sf-lug-owner(a)linuxmafia.com
alias (note -owner suffix). If the initial MTA defences don't reject
the inbound mail to that role alias address, then it'll get out to the
listadmins, i.e., to you + me + Jim Stockford (the SF-LUG list's
three-person listadmin roster).
If you check full headers, you'll find that the 419 scam mail
originated from Microsoft Hotmail IP address 40.92.51.100. See these
Received headers for that initial information:
From mailman-bounces(a)linuxmafia.com Sat Nov 21 09: 9:52 2020
Return-path: <mailman-bounces(a)linuxmafia.com>
Envelope-to: rick(a)linuxmafia.com
Delivery-date: Sat, 21 Nov 2020 09:09:52 -0800
Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
by linuxmafia.com with esmtp (Exim 4.72)
(envelope-from <mailman-bounces(a)linuxmafia.com>)
id 1kgWOV-0005CC-Vj; Sat, 21 Nov 2020 09:09:52 -0800
Received: from mail-db8eur06olkn2100.outbound.protection.outlook.com
([40.92.51.100]
helo=EUR06-DB8-obe.outbound.protection.outlook.com)
by linuxmafia.com with esmtp (Exim 4.72)
(envelope-from <jmpumjzzjjsxssvvvzzz(a)hotmail.com>)
id 1kgWOQ-0005C3-Vq; Sat, 21 Nov 2020 09:09:50 -0800
Grepping the MTA logs for that IP....
linuxmafia:/var/log/exim4# zgrep 40.92.51.100 mainlog*
mainlog:2020-11-21 09:09:50 1kgWOQ-0005C3-Vq SA: Action: scanned but message isn't spam: score=0.8 required=4.0 (scanned in 3/3 secs | Message-Id: 1kgWOQ-0005C3-Vq). From <jmpumjzzjjsxssvvvzzz(a)hotmail.com> (host=mail-db8eur06olkn2100.outbound.protection.outlook.com [40.92.51.100]) for sf-lug-owner(a)linuxmafia.com, sf-lug(a)linuxmafia.com
mainlog:2020-11-21 09:09:50 1kgWOQ-0005C3-Vq <= jmpumjzzjjsxssvvvzzz(a)hotmail.com H=mail-db8eur06olkn2100.outbound.protection.outlook.com (EUR06-DB8-obe.outbound.protection.outlook.com) [40.92.51.100] P=esmtp S=8365 id=AM6PR08MB424596EC3D85FB4BE09C3DD6CDFE0(a)AM6PR08MB4245.eurprd08.prod.outlook.com
linuxmafia:/var/log/exim4#
...you can see that the SMTP session, i.e., the SMTP envelope
information embodied in the SMTP delivery conversation, must have contained
MAIL FROM: <jmpumjzzjjsxssvvvzzz(a)hotmail.com>
RCPT TO: <sf-lug-owner(a)linuxmafia.com>
RCPT TO: <sf-lug(a)linuxmafia.com>
Measured spamicity (0.8) at receiving MTA level was nowhere near high
enough for my MTA to reject (4.0), because this really _was_ from a
Hotmail user, and the mail's body text was not sufficiently spammy to a
degree that automated MTA-level spamd scanning for garbage adjudged
processed meat, so this 419 scam mail got passed along to the Mailman
MLM. Mailman passed through the copy _back_ to the MTA that was
addressed out to the listadmins, _but_ by contrast lodged the direct
mailing list copy in Mailman's admin queue for sf-lug(a)linuxmafia.com,
whence it will expire out in five days and then automatically get thrown
away.
Why in the MLM admin queue? Two reasons:
1. Since in this case the scam mail's internal SMTP headers were
'implicitly addressed', i.e., there were no To: or Cc: addresses
whatsoever inside the message proper, only SMTP envelope addressees
(outside the message proper), Mailman will never send such mail out to
subscribers, on account of Mailman's built-in filter blocking all
'implicitly addressed' mail. I.e., Mailman requires that valid mail to
subscribers specify on either the internal To: header or the internal CC:
header the mailing list's direct address or an alias the listadmins have
specified inside the admin WebUI. If that header is _not_ present, the
message deterministically lodges in the admin queue, flagged as
'implicitly addressed'.
2. Also, it didn't originate from a subscriber, hence would (for that
reason as well) have been intercepted and held as being from a
non-subscribed address.
> it's not in the archives so I'm assuming it didn't go out to
> everyone, unless you deleted it, and it wasn't marked
> as being sent for moderation...
> what am I missing here?
Naturally, I would love for inbound junkmail filtering to reject even
more than it already does, but, frankly, linuxmafia.com system-level
spam-rejection is already quite good. Diminishing returns and false
positives rapidly become a problem as one tries to make MTA spam
immune response even better.
Where I sit, it seems to me it's a fact of life that being a Mailman
addressee on any [listname]-owner aliases _is_ going to get you
increased MLM-mediated spam because of being a member of that alias, as
additional protections covering MLM subscribers simply don't apply to
that admin-role alias address.
Speaking of that, I believe it's past time that I remove Jim Stockford
(i.e., jim(a)well.com) from the sf-lug-owner(a)linuxmafia.com roster, and
I'm going to do that right now.
I realised I probably needed to get around to that, about a year or so
ago, when he was _publicly_ claiming on the SF-LUG mailing list that
linuxmafia.com is an SMTP spam source, very likely because of having
received some amount of junkmail via the sf-lug-owner alias. (His
public accusation was, however, _unbelievably_ vague, so I couldn't
investigate his claim.)
You, by contrast, did exactly the right thing in asking me rather than
going on a public accusation campaign, so the comparison is night and
day. That distinction having been made, to this day I resent Jim's
(false) public accusation, and the only thing that mitigates it is that,
for unclear personal reasons, Jim has been lately unable to discharge
his responsibilities.
I didn't want to delete him from the roster in haste, since Jim founded
the group, and supposedly solemnly committed to being _the_ listadmin
responsible for it, (but has never actually done the job, over the
entire 15-year period I've given SF-LUG temporary mailing list hosting,
pending them getting their server running again -- which never
happened).
Done. jim(a)well.com is now omitted from the SF-LUG listadmin roster.
(Just for the record: This means that the _sole_ requirement I insisted
on, before being willing to grant SF-LUG temporary mailing list hosting
to help after whatever mysterious failure destroyed SF-LUG's -own-
mailing list server in late 2005 -- the requirement that Jim shoulder
listadmin duties so I don't have my workload increased by SF-LUG's
presence on my server -- has been continuously in default from that day
in December 2005 to the present.)
----- End forwarded message -----
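The mechanism Rick describes, as an added illustration that is not Mailman's own code: the SMTP envelope (MAIL FROM / RCPT TO) is what got the scam to the list's MTA, but a Mailman-style "implicit destination" check looks only at the message's own To:/Cc: headers, and a separate check holds posts from non-subscribers. The list address comes from the message above; the alias set, subscriber roster and the two sample messages are constructed for the example.

```python
"""Why the 419 message above was held rather than delivered.
Added example, not Mailman's source; names marked below are constructed."""
from email import message_from_string
from email.utils import getaddresses

LIST_ADDRESS = "sf-lug@linuxmafia.com"
ACCEPTABLE_ALIASES = {"sf-lug@lists.example.org"}      # constructed alias
SUBSCRIBERS = {"rick@linuxmafia.com", "aw009@sunnyside.com"}  # constructed roster


def header_recipients(raw_message):
    """Addresses named in the message's own To: and Cc: headers only."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def classify(raw_message, envelope_from, envelope_rcpts):
    """Decide, Mailman-style, whether a post is held and why.

    envelope_rcpts (the RCPT TO set) is reported for contrast but is
    deliberately NOT used for the implicit-destination test, which is
    the point of the explanation above.
    """
    acceptable = {LIST_ADDRESS} | ACCEPTABLE_ALIASES
    hdr = header_recipients(raw_message)
    reasons = []
    if not hdr & acceptable:
        reasons.append("implicitly addressed")
    if envelope_from.lower() not in SUBSCRIBERS:
        reasons.append("non-member")
    return {
        "envelope_targets_list": LIST_ADDRESS in {r.lower() for r in envelope_rcpts},
        "header_targets_list": bool(hdr & acceptable),
        "hold_reasons": reasons,
    }


# Constructed message modelled on the scam: no To:/Cc: header at all.
SCAM = "From: scammer@hotmail.example\r\nSubject: cooperation\r\n\r\nDear friend\r\n"
# Constructed legitimate post from a subscriber with the list in Cc:.
GOOD = ("From: rick@linuxmafia.com\r\nTo: aw009@sunnyside.com\r\n"
        "Cc: SF-LUG <SF-LUG@linuxmafia.com>\r\nSubject: meeting\r\n\r\nhi\r\n")

if __name__ == "__main__":
    rcpts = ["sf-lug-owner@linuxmafia.com", "sf-lug@linuxmafia.com"]
    print(classify(SCAM, "scammer@hotmail.example", rcpts))
    print(classify(GOOD, "rick@linuxmafia.com", [LIST_ADDRESS]))
```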