----- Forwarded message from Rick Moen rick@linuxmafia.com -----
Date: Sat, 21 Nov 2020 12:41:28 -0800 From: Rick Moen rick@linuxmafia.com To: Al aw009@sunnyside.com Cc: Michael Paoli Michael.Paoli@cal.berkeley.edu Subject: Re: Fwd: cooperation
I'm going to also send this to balug-admin for collective knowledge.
Quoting Al Whaley (aw009@sunnyside.com):
> Rick, this one caught my eye... it seems to have gone through mailman on linuxmafia for the SFLUG mailing list.
_Sort_ of, but mostly not.
You as a listadmin for the SF-LUG mailing list receive copies from Mailman of outside mail addressed to the sf-lug-owner@linuxmafia.com alias (note -owner suffix). If the initial MTA defences don't reject the inbound mail to that role alias address, then it'll get out to the listadmins, i.e., to you + me + Jim Stockford (the SF-LUG list's three-person listadmin roster).
If you check full headers, you'll find that the 419 scam mail originated from Microsoft Hotmail IP address 40.92.51.100. See these Received headers for that initial information:
From mailman-bounces@linuxmafia.com Sat Nov 21 09: 9:52 2020
Return-path: <mailman-bounces@linuxmafia.com>
Envelope-to: rick@linuxmafia.com
Delivery-date: Sat, 21 Nov 2020 09:09:52 -0800
Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
	by linuxmafia.com with esmtp (Exim 4.72)
	(envelope-from <mailman-bounces@linuxmafia.com>)
	id 1kgWOV-0005CC-Vj; Sat, 21 Nov 2020 09:09:52 -0800
Received: from mail-db8eur06olkn2100.outbound.protection.outlook.com ([40.92.51.100] helo=EUR06-DB8-obe.outbound.protection.outlook.com)
	by linuxmafia.com with esmtp (Exim 4.72)
	(envelope-from <jmpumjzzjjsxssvvvzzz@hotmail.com>)
	id 1kgWOQ-0005C3-Vq; Sat, 21 Nov 2020 09:09:50 -0800
Grepping the MTA logs for that IP....
linuxmafia:/var/log/exim4# zgrep 40.92.51.100 mainlog*
mainlog:2020-11-21 09:09:50 1kgWOQ-0005C3-Vq SA: Action: scanned but message isn't spam: score=0.8 required=4.0 (scanned in 3/3 secs | Message-Id: 1kgWOQ-0005C3-Vq). From jmpumjzzjjsxssvvvzzz@hotmail.com (host=mail-db8eur06olkn2100.outbound.protection.outlook.com [40.92.51.100]) for sf-lug-owner@linuxmafia.com, sf-lug@linuxmafia.com
mainlog:2020-11-21 09:09:50 1kgWOQ-0005C3-Vq <= jmpumjzzjjsxssvvvzzz@hotmail.com H=mail-db8eur06olkn2100.outbound.protection.outlook.com (EUR06-DB8-obe.outbound.protection.outlook.com) [40.92.51.100] P=esmtp S=8365 id=AM6PR08MB424596EC3D85FB4BE09C3DD6CDFE0@AM6PR08MB4245.eurprd08.prod.outlook.com
linuxmafia:/var/log/exim4#
...you can see that the SMTP session, i.e., the SMTP envelope information embodied in the SMTP delivery conversation, must have contained
MAIL FROM:<jmpumjzzjjsxssvvvzzz@hotmail.com>
RCPT TO:<sf-lug-owner@linuxmafia.com>
RCPT TO:<sf-lug@linuxmafia.com>
Measured spamicity (0.8) at receiving MTA level was nowhere near high enough for my MTA to reject (4.0), because this really _was_ from a Hotmail user, and the mail's body text was not sufficiently spammy to a degree that automated MTA-level spamd scanning for garbage adjudged processed meat, so this 419 scam mail got passed along to the Mailman MLM. Mailman passed through the copy _back_ to the MTA that was addressed out to the listadmins, _but_ by contrast lodged the direct mailing list copy in Mailman's admin queue for sf-lug@linuxmafia.com, whence it will expire out in five days and then automatically get thrown away.
Why in the MLM admin queue? Two reasons:
1. Since in this case the scam mail's internal SMTP headers were 'implicitly addressed', i.e., there were no To: or Cc: addresses whatsoever inside the message proper, only SMTP envelope addressees (outside the message proper), Mailman will never send such mail out to subscribers, on account of Mailman's built-in filter blocking all 'implicitly addressed' mail. I.e., Mailman requires that valid mail to subscribers specify on either the internal To: header or the internal CC: header the mailing list's direct address or an alias the listadmins have specified inside the admin WebUI. If that header is _not_ present, the message deterministically lodges in the admin queue, flagged as 'implicitly addressed'.
2. Also, it didn't originate from a subscriber, hence would (for that reason as well) have been intercepted and held as being from a non-subscribed address.
> it's not in the archives so I'm assuming it didn't go out to everyone, unless you deleted it, and it wasn't marked as being sent for moderation... what am I missing here?
Naturally, I would love for inbound junkmail filtering to reject even more than it already does, but, frankly, linuxmafia.com system-level spam-rejection is already quite good. Diminishing returns and false positives rapidly become a problem as one tries to make MTA spam immune response even better.
Where I sit, it seems to me it's a fact of life that being a Mailman addressee on any [listname]-owner aliases _is_ going to get you increased MLM-mediated spam because of being a member of that alias, as additional protections covering MLM subscribers simply don't apply to that admin-role alias address.
Speaking of that, I believe it's past time that I remove Jim Stockford (i.e., jim@well.com) from the sf-lug-owner@linuxmafia.com roster, and I'm going to do that right now.
I realised I probably needed to get around to that, about a year or so ago, when he was _publicly_ claiming on the SF-LUG mailing list that linuxmafia.com is an SMTP spam source, very likely because of having received some amount of junkmail via the sf-lug-owner alias. (His public accusation was, however, _unbelievably_ vague, so I couldn't investigate his claim.)
You, by contrast, did exactly the right thing in asking me rather than going on a public accusation campaign, so the comparison is night and day. That distinction having been made, to this day I resent Jim's (false) public accusation, and the only thing that mitigates it is that, for unclear personal reasons, Jim has been lately unable to discharge his responsibilities.
I didn't want to delete him from the roster in haste, since Jim founded the group, and supposedly solemnly committed to being _the_ listadmin responsible for it (but has never actually done the job, over the entire 15-year period I've given SF-LUG temporary mailing list hosting, pending them getting their server running again -- which never happened).
Done. jim@well.com is now omitted from the SF-LUG listadmin roster.
(Just for the record: This means that the _sole_ requirement I insisted on, before being willing to grant SF-LUG temporary mailing list hosting to help after whatever mysterious failure destroyed SF-LUG's -own- mailing list server in late 2005 -- the requirement that Jim shoulder listadmin duties so I don't have my workload increased by SF-LUG's presence on my server -- has been continuously in default from that day in December 2005 to the present.)
----- End forwarded message -----
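The two Mailman hold rules Rick describes (implicit destination, non-subscriber sender) and the full-headers check he used to find the originating relay, as an added stand-alone example. This is not code from the thread and not Mailman's own implementation; it re-creates the rules with Python's standard email library. The two messages are constructed for the example (modelled on the headers quoted above), and the subscriber roster, the acceptable_aliases pattern and the "our hosts" set are assumptions.

```python
"""Mailman-style hold checks and originating-relay lookup (added example).

Rules re-created here:
  * implicit destination: the list's posting address, or an address
    matching an admin-configured acceptable_aliases regexp, must appear
    in To: or Cc:.  SMTP envelope recipients (RCPT TO) never count,
    because they are not part of the message text Mailman sees.
  * non-subscriber: the From: address must be on the roster.
  * originating relay: walk Received: headers newest-first and take the
    first hop our own MTA did not stamp as coming from itself.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

LIST_ADDRESS = "sf-lug@linuxmafia.com"
# Hypothetical acceptable_aliases regexps, as a listadmin might enter them
# in the Mailman admin WebUI.
ACCEPTABLE_ALIASES = [r"^sf-lug@lists\.example\.org$"]
# Constructed subscriber roster.
SUBSCRIBERS = {"alice@example.net", "bob@example.org"}
# Hosts whose Received: hops are our own and are skipped when locating
# the relay that handed the message to us (assumption for the example).
OUR_HOSTS = {"linuxmafia.com", "localhost"}

# Constructed 419-style message: no To: or Cc: header at all; the
# recipients existed only as RCPT TO addresses in the SMTP envelope.
RAW_SCAM = """\
Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
\tby linuxmafia.com with esmtp (Exim 4.72)
\t(envelope-from <mailman-bounces@linuxmafia.com>)
\tid 1kgWOV-0005CC-Vj; Sat, 21 Nov 2020 09:09:52 -0800
Received: from mail-db8eur06olkn2100.outbound.protection.outlook.com
\t([40.92.51.100] helo=EUR06-DB8-obe.outbound.protection.outlook.com)
\tby linuxmafia.com with esmtp (Exim 4.72)
\t(envelope-from <jmpumjzzjjsxssvvvzzz@hotmail.com>)
\tid 1kgWOQ-0005C3-Vq; Sat, 21 Nov 2020 09:09:50 -0800
From: jmpumjzzjjsxssvvvzzz@hotmail.com
Subject: cooperation
Date: Sat, 21 Nov 2020 09:09:00 -0800

Dear friend, I have a confidential business proposal for you.
"""

# Constructed post from a subscriber that names the list in To:.
RAW_MEMBER = """\
From: Alice <alice@example.net>
To: sf-lug@linuxmafia.com
Subject: meeting this week
Date: Sat, 21 Nov 2020 10:00:00 -0800

Is anyone going?
"""

# "from <host> ([<ip>]" as Exim writes it; \s+ also spans folded lines.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def header_addresses(msg, *names):
    """Lower-cased addresses found in the named headers (all occurrences)."""
    raw = []
    for name in names:
        raw.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def is_explicitly_addressed(msg, list_address=LIST_ADDRESS, aliases=ACCEPTABLE_ALIASES):
    """True if To:/Cc: names the list or an acceptable alias."""
    recipients = header_addresses(msg, "to", "cc")
    if list_address.lower() in recipients:
        return True
    return any(re.match(pat, r, re.IGNORECASE) for pat in aliases for r in recipients)


def sender_is_subscriber(msg, roster=SUBSCRIBERS):
    """Membership check on the From: address only (Mailman can also consult
    other sender headers; this example keeps to From:)."""
    _, addr = parseaddr(msg.get("from", ""))
    return addr.lower() in roster


def hold_reasons(raw):
    """Reasons a Mailman-style moderation pass would hold the post for the
    admin queue; an empty list means it would be sent to subscribers."""
    msg = message_from_string(raw)
    reasons = []
    if not is_explicitly_addressed(msg):
        reasons.append("implicit destination")
    if not sender_is_subscriber(msg):
        reasons.append("non-subscriber")
    return reasons


def originating_relay(raw, our_hosts=OUR_HOSTS):
    """(host, ip) of the relay that handed the message to our MTA, or None.
    Only hops our own MTA stamped are trustworthy; anything the sender
    added below them can be forged, so stop at the first foreign hop."""
    msg = message_from_string(raw)
    for rcvd in msg.get_all("received", []):
        m = RECEIVED_FROM.search(rcvd)
        if m and m.group(1) not in our_hosts:
            return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    print("scam  :", hold_reasons(RAW_SCAM), originating_relay(RAW_SCAM))
    print("member:", hold_reasons(RAW_MEMBER), originating_relay(RAW_MEMBER))
```

Note what the example does not cover: a copy addressed to the `-owner` alias bypasses both rules, because that alias is delivered to the listadmins rather than moderated, which is exactly why listadmins see junk that subscribers never do.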