[BALUG-Admin] (forw) Re: Fwd: cooperation

Rick Moen rick@linuxmafia.com
Sat Nov 21 20:43:12 UTC 2020


----- Forwarded message from Rick Moen <rick@linuxmafia.com> -----

Date: Sat, 21 Nov 2020 12:41:28 -0800
From: Rick Moen <rick@linuxmafia.com>
To: Al <aw009@sunnyside.com>
Cc: Michael Paoli <Michael.Paoli@cal.berkeley.edu>
Subject: Re: Fwd: cooperation

I'm going to also send this to balug-admin for collective knowledge.

Quoting Al Whaley (aw009@sunnyside.com):

> Rick,
> this one caught my eye... it seems to have gone through mailman on
> linuxmafia for the SFLUG mailing list.

_Sort_ of, but mostly not.  

You as a listadmin for the SF-LUG mailing list receive copies from
Mailman of outside mail addressed to the sf-lug-owner@linuxmafia.com 
alias (note -owner suffix).  If the initial MTA defences don't reject
the inbound mail to that role alias address, then it'll get out to the
listadmins, i.e., to you + me + Jim Stockford (the SF-LUG list's
three-person listadmin roster).

If you check full headers, you'll find that the 419 scam mail
originated from Microsoft Hotmail IP address 40.92.51.100.  See these
Received headers for that initial information:

 From mailman-bounces@linuxmafia.com Sat Nov 21 09: 9:52 2020
Return-path: <mailman-bounces@linuxmafia.com>
Envelope-to: rick@linuxmafia.com
Delivery-date: Sat, 21 Nov 2020 09:09:52 -0800
Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
        by linuxmafia.com with esmtp (Exim 4.72)
        (envelope-from <mailman-bounces@linuxmafia.com>)
        id 1kgWOV-0005CC-Vj; Sat, 21 Nov 2020 09:09:52 -0800
Received: from mail-db8eur06olkn2100.outbound.protection.outlook.com
        ([40.92.51.100]
helo=EUR06-DB8-obe.outbound.protection.outlook.com)
        by linuxmafia.com with esmtp (Exim 4.72)
        (envelope-from <jmpumjzzjjsxssvvvzzz@hotmail.com>)
        id 1kgWOQ-0005C3-Vq; Sat, 21 Nov 2020 09:09:50 -0800

Grepping the MTA logs for that IP....

linuxmafia:/var/log/exim4# zgrep 40.92.51.100 mainlog*
mainlog:2020-11-21 09:09:50 1kgWOQ-0005C3-Vq SA: Action: scanned but message isn't spam: score=0.8 required=4.0 (scanned in 3/3 secs | Message-Id: 1kgWOQ-0005C3-Vq). From <jmpumjzzjjsxssvvvzzz@hotmail.com> (host=mail-db8eur06olkn2100.outbound.protection.outlook.com [40.92.51.100]) for sf-lug-owner@linuxmafia.com, sf-lug@linuxmafia.com
mainlog:2020-11-21 09:09:50 1kgWOQ-0005C3-Vq <= jmpumjzzjjsxssvvvzzz@hotmail.com H=mail-db8eur06olkn2100.outbound.protection.outlook.com (EUR06-DB8-obe.outbound.protection.outlook.com) [40.92.51.100] P=esmtp S=8365 id=AM6PR08MB424596EC3D85FB4BE09C3DD6CDFE0@AM6PR08MB4245.eurprd08.prod.outlook.com
linuxmafia:/var/log/exim4#

...you can see that the SMTP session, i.e., the SMTP envelope
information embodied in the SMTP delivery conversation, must have contained

MAIL FROM: <jmpumjzzjjsxssvvvzzz@hotmail.com>
RCPT TO: <sf-lug-owner@linuxmafia.com>
RCPT TO: <sf-lug@linuxmafia.com>

Measured spamicity (0.8) at receiving MTA level was nowhere near high
enough for my MTA to reject (4.0), because this really _was_ from a
Hotmail user, and the mail's body text was not sufficiently spammy to a
degree that automated MTA-level spamd scanning for garbage adjudged
processed meat, so this 419 scam mail got passed along to the Mailman
MLM.  Mailman passed through the copy _back_ to the MTA that was
addressed out to the listadmins, _but_ by contrast lodged the direct
mailing list copy in Mailman's admin queue for sf-lug@linuxmafia.com,
whence it will expire out in five days and then automatically get thrown
away.

Why in the MLM admin queue?  Two reasons:

1.  Since in this case the scam mail's internal SMTP headers were
'implicitly addressed', i.e., there were no To: or Cc: addresses
whatsoever inside the message proper, only SMTP envelope addressees
(outside the message proper), Mailman will never send such mail out to
subscribers, on account of Mailman's built-in filter blocking all
'implicitly addressed' mail.  I.e., Mailman requires that valid mail to
subscribers specify on either the internal To: header or the internal CC: 
header the mailing list's direct address or an alias the listadmins have
specified inside the admin WebUI.  If that header is _not_ present, the
message deterministically lodges in the admin queue, flagged as
'implicitly addressed'.

2.  Also, it didn't originate from a subscriber, hence would (for that
reason as well) have been intercepted and held as being from a
non-subscribed address.


> it's not in the archives so I'm assuming it didn't go out to
> everyone, unless you deleted it, and it wasn't marked
> as being sent for moderation...
> what am I missing here?

Naturally, I would love for inbound junkmail filtering to reject even
more than it already does, but, frankly, linuxmafia.com system-level
spam-rejection is already quite good.   Diminishing returns and false
positives rapidly become a problem as one tries to make MTA spam
immune response even better.  

Where I sit, it seems to me it's a fact of life that being a Mailman 
addressee on any [listname]-owner aliases _is_ going to get you
increased MLM-mediated spam because of being a member of that alias, as
additional protections covering MLM subscribers simply don't apply to
that admin-role alias address.

Speaking of that, I believe it's past time that I remove Jim Stockford 
(i.e., jim@well.com) from the sf-lug-owner@linuxmafia.com roster, and
I'm going to do that right now.  

I realised I probably needed to get around to that, about a year or so
ago, when he was _publicly_ claiming on the SF-LUG mailing list that
linuxmafia.com is an SMTP spam source, very likely because of having
received some amount of junkmail via the sf-lug-owner alias.  (His
public accusation was, however, _unbelievably_ vague, so I couldn't
investigate his claim.)  

You, by contrast, did exactly the right thing in asking me rather than
going on a public accusation campaign, so the comparison is night and
day.  That distinction having been made, to this day I resent Jim's
(false) public accusation, and the only thing that mitigates it is that,
for unclear personal reasons, Jim has been lately unable to discharge
his responsibilities.

I didn't want to delete him from the roster in haste, since Jim founded
the group, and supposedly solemnly committed to being _the_ listadmin
responsible for it, (but has never actually done the job, over the
entire 15-year period I've given SF-LUG temporary mailing list hosting,
pending them getting their server running again -- which never
happened).

Done.  jim@well.com is now omitted from the SF-LUG listadmin roster.

(Just for the record:  This means that the _sole_ requirement I insisted
on, before being willing to grant SF-LUG temporary mailing list hosting
to help after whatever mysterious failure destroyed SF-LUG's -own-
mailing list server in late 2005 -- the requirement that Jim shoulder
listadmin duties so I don't have my workload increased by SF-LUG's
presence on my server -- has been continuously in default from that day
in December 2005 to the present.)


----- End forwarded message -----
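As an added illustration (not part of the original message, and not Mailman's own code): a Python sketch of the two hold checks described above, modelled on Mailman's require_explicit_destination and non-member tests. The sample headers, the subscriber roster and the acceptable_aliases regex are constructed; the envelope recipients are the ones the Exim log showed.

```python
import re
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample shaped after the 419 mail described above: no To: or Cc:
# header at all, only SMTP envelope recipients (taken from the Exim log line).
NO_TO_HEADER = b"""\
From: jmpumjzzjjsxssvvvzzz@hotmail.com
Subject: cooperation
Message-Id: <constructed-example@hotmail.com>

(constructed body)
"""
# Constructed counter-example: a subscriber posting with the list named in To:.
EXPLICIT_TO = b"""\
From: rick@linuxmafia.com
To: SF-LUG@linuxmafia.com
Subject: meeting

(constructed body)
"""
ENVELOPE_RCPTS = ["sf-lug-owner@linuxmafia.com", "sf-lug@linuxmafia.com"]
LIST_ADDRESS = "sf-lug@linuxmafia.com"
# Mailman's acceptable_aliases setting holds regexes; this entry is hypothetical.
ACCEPTABLE_ALIASES = [r"^sf-lug@lists\.example\.org$"]
MEMBERS = {"rick@linuxmafia.com"}          # constructed subscriber roster

def header_recipients(msg):
    """Addresses named inside the message proper (To: and Cc:), lowercased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}

def hold_reasons(raw, list_address=LIST_ADDRESS, aliases=ACCEPTABLE_ALIASES,
                 members=MEMBERS):
    """Return why the MLM would hold the post for moderation ([] = deliverable)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Check 1 (require_explicit_destination): the list address or an acceptable
    # alias must appear in To: or Cc:.  Envelope RCPT TO addresses never count,
    # so a message with no To:/Cc: at all is always 'implicitly addressed'.
    recips = header_recipients(msg)
    explicit = list_address.lower() in recips or any(
        re.search(pat, r, re.IGNORECASE) for pat in aliases for r in recips)
    if not explicit:
        reasons.append("implicitly addressed")
    # Check 2: the From: address is not a subscriber.
    if parseaddr(str(msg["From"]))[1].lower() not in members:
        reasons.append("non-member post")
    return reasons

def envelope_only_recipients(raw, envelope_rcpts):
    """Envelope recipients the message headers never mention."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return sorted({a.lower() for a in envelope_rcpts} - header_recipients(msg))
```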
