Web lists-archives.com

Re: Proof of concept: Mailing list "software" without MTA


On Thu, Oct 25, 2018 at 05:57:04PM -0400, rhkramer@xxxxxxxxx wrote:
> > Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com
> > [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher
> > ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com",
> > Issuer "Google Internet Authority G3" (not verified)) by bendel.debian.org
> > (Postfix) with ESMTPS id 647D0264 for <debian-user@xxxxxxxxxxxxxxxx>; Thu,
> > 25 Oct 2018 20:26:40 +0000 (UTC)
> > 
> > It says here what you've used Google's MTA.
> > It even has correct DKIM signature, and that's something that means you
> > haven't forged the headers.
> That's interesting, because I have at least somewhat modified the headers.

Whatever you did with e-mail locally - i.e. before giving it to Google
to deliver - does not break DKIM. DKIM is computed by MTA.

> > >          * optionally check the list of subscribers to make sure it came
> > >          from a subscriber (unless I want to treat it as an open mail
> > >          list) -- if from a non-subscriber (or a banned user / spammer),
> > >          optionally send a rejection message (I found in my
> > >          "administration" of some yahoo groups, that it often worked
> > >          better not to send a rejection message to a known spammer -- if
> > >          you send a message, they often try to subscribe (or
> > >          resubscribe) and then resend the spam -- if you don't send a
> > >          message, they often seem to assume that there is no problem,
> > >          never realizing that their messages weren't getting to the
> > >          list)
> > 
> > SpamAssassin, anyone?
> I don't know if I could invoke SpamAssassin on yahoo's mail lists (but, of 
> course, I could invoke it on any thing I run or build locally).

The trick here is to have full e-mail (RFC822 headers and body) locally.
It's my understanding that you have that.

> > >          * optionally call it to the attention of the owner of the list
> > >          (or of the computer it is running on) if the list (or this
> > >          user) is to be moderated * change some of the message headers
> > >          as appropriate (including generating a new unique messageID
> > >          (maybe using `date +%s.%N' and some text string reflecting the
> > >          name of the mailing list
> > 
> > formail from procmail or reformail from maildrop.
> > And changing existing Message-ID header is a really bad idea.
> Well, I wasn't sure how mail lists normally handle that -- clearly the message 
> has a MessageId when sent from the subscriber -- I would have guessed the mail 
> list would use a different MessageID when forwarding it (sending it) to other 
> subscribers, especially recognizing that the text and such do get some 
> changes.

Your e-mail contains this, along the other things:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;

That means that Google vouched that all e-mail headers listed in "h=",
including Message-ID are legit.
Any e-mail receiver including debian-user's MTA (bendel.debian.org) can
verify that header (bendel does).
Changing any DKIM-protected header will break DKIM signature, and that
means such e-mail can be rightfully rejected by receiver.

But wait, there's more. Message-ID has special meaning - replying
e-mails can reference it. You change Message-ID - you break threading.