Re: Proof of concept: Mailing list "software" without MTA
- Date: Fri, 26 Oct 2018 08:50:22 +0300
- From: Reco <recoverym4n@xxxxxxxxxxxx>
- Subject: Re: Proof of concept: Mailing list "software" without MTA
On Thu, Oct 25, 2018 at 05:57:04PM -0400, rhkramer@xxxxxxxxx wrote:
> > Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com
> > [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher
> > ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com",
> > Issuer "Google Internet Authority G3" (not verified)) by bendel.debian.org
> > (Postfix) with ESMTPS id 647D0264 for <debian-user@xxxxxxxxxxxxxxxx>; Thu,
> > 25 Oct 2018 20:26:40 +0000 (UTC)
> > It says here that you've used Google's MTA.
> > It even has a correct DKIM signature, and that's something that means you
> > haven't forged the headers.
> That's interesting, because I have at least somewhat modified the headers.
Whatever you did with the e-mail locally - i.e. before giving it to Google
to deliver - does not break DKIM. DKIM is computed by the MTA.
> > > * optionally check the list of subscribers to make sure it came
> > > from a subscriber (unless I want to treat it as an open mail
> > > list) -- if from a non-subscriber (or a banned user / spammer),
> > > optionally send a rejection message (I found in my
> > > "administration" of some yahoo groups, that it often worked
> > > better not to send a rejection message to a known spammer -- if
> > > you send a message, they often try to subscribe (or
> > > resubscribe) and then resend the spam -- if you don't send a
> > > message, they often seem to assume that there is no problem,
> > > never realizing that their messages weren't getting to the
> > > list)
> > SpamAssassin, anyone?
> I don't know if I could invoke SpamAssassin on yahoo's mail lists (but, of
> course, I could invoke it on any thing I run or build locally).
The trick here is to have full e-mail (RFC822 headers and body) locally.
It's my understanding that you have that.
> > > * optionally call it to the attention of the owner of the list
> > > (or of the computer it is running on) if the list (or this
> > > user) is to be moderated
> > > * change some of the message headers
> > > as appropriate (including generating a new unique messageID
> > > (maybe using `date +%s.%N' and some text string reflecting the
> > > name of the mailing list
> > formail from procmail or reformail from maildrop.
> > And changing existing Message-ID header is a really bad idea.
> Well, I wasn't sure how mail lists normally handle that -- clearly the message
> has a MessageId when sent from the subscriber -- I would have guessed the mail
> list would use a different MessageID when forwarding it (sending it) to other
> subscribers, especially recognizing that the text and such do get some
Your e-mail contains this, along with other things:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
That means that Google vouched that all e-mail headers listed in "h=",
including Message-ID, are legit.
Any e-mail receiver including debian-user's MTA (bendel.debian.org) can
verify that header (bendel does).
Changing any DKIM-protected header will break the DKIM signature, and that
means such e-mail can be rightfully rejected by the receiver.
But wait, there's more. Message-ID has special meaning - replying
e-mails can reference it. You change Message-ID - you break threading.
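
Added example, not part of the original message: a Python sketch of the header data a DKIM signer hashes under relaxed canonicalization (RFC 6376), showing that rewriting a header listed in "h=" changes the signed digest while adding an unlisted header does not. The message, the domain, the selector and the bh=/b= values are constructed placeholders, and the RSA signing and verification steps are left out.

```python
import hashlib
import re

def relaxed(name, value):
    """RFC 6376 section 3.4.2 "relaxed" header canonicalization."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")    # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}"

def signed_header_digest(headers, sig_value):
    """SHA-256 over the header data a DKIM signer signs (RFC 6376 section 3.7).

    headers: list of (name, value) in message order; sig_value: DKIM-Signature value.
    """
    tags = dict(t.strip().split("=", 1) for t in sig_value.split(";") if "=" in t)
    pool, data = list(headers), []
    for wanted in tags["h"].split(":"):
        wanted = wanted.strip().lower()
        for i in range(len(pool) - 1, -1, -1):          # instances are taken bottom-up
            if pool[i][0].lower() == wanted:
                data.append(relaxed(*pool.pop(i)) + "\r\n")
                break
    # The signature header is hashed last, with b= emptied and no trailing CRLF.
    emptied = re.sub(r"((?:^|;)\s*b=)[^;]*", r"\1", sig_value)
    data.append(relaxed("DKIM-Signature", emptied))
    return hashlib.sha256("".join(data).encode()).hexdigest()

# Constructed sample; only "v=1; a=rsa-sha256; c=relaxed/relaxed;" is from the thread.
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1; "
       "h=from:to:subject:message-id:date; bh=BODYHASHPLACEHOLDER; b=SIGPLACEHOLDER")
MSG = [
    ("From", "Alice <alice@example.org>"),
    ("To", "list@example.net"),
    ("Subject", "Re:  test"),
    ("Message-ID", "<1540500000.1@example.org>"),
    ("Date", "Thu, 25 Oct 2018 20:26:40 +0000"),
]

def rewrite(headers, name, new_value):
    """Return a copy of headers with every instance of `name` set to new_value."""
    return [(n, new_value if n.lower() == name.lower() else v) for n, v in headers]

if __name__ == "__main__":
    print("original        ", signed_header_digest(MSG, SIG))
    print("List-Id added   ", signed_header_digest(MSG + [("List-Id", "<list.example.net>")], SIG))
    print("Message-ID reset", signed_header_digest(rewrite(MSG, "Message-ID", "<new@list.example.net>"), SIG))
```
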