• Re: SPF check for moderation relay

    From Ivo Gandolfo@21:1/5 to Marco Moock on Tue Dec 10 18:47:04 2024
    On 10/12/2024 19:21, Marco Moock wrote:
    Hello!

    Is there any standard or policy that requires usenet servers to use
    their own domain in env from for moderation mails?

    I consider using SPF checks on my system.

    --
    kind regards
    Marco

    I ran into this when I had to set up the robomod for this group, as the
    server "rejected" the emails sent because they were not from the main
    domain.
    To get around the problem I had to disable the SPF and DKIM check for
    receiving on the robomod email, but it could actually be a problem in
    the future (especially considering that Microsoft/Google/AOL/Yahoo/etc
    have started filtering anything that is not signed with DKIM/DMARC and
    has SPF fully activated).
    This is especially true if the moderator, for example, uses a gmail
    mailbox to moderate. If the server does not sign with DKIM and there is
    no SPF active, the email could simply be discarded for obvious reasons.

    However, given how the system works, there is no simple answer on how to overcome all this.

    Unless someone writes an RFC specifically, the problem remains that even if a new
    method were to be found, there are now old and/or unmaintained systems
    around, which would still use the old way of sending emails.

    Sincerely

    --
    Ivo Gandolfo



    --
    Approved by robomod. For info contact the admin.
    V1.0

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marco Moock@21:1/5 to All on Tue Dec 10 18:21:14 2024
    Hello!

    Is there any standard or policy that requires usenet servers to use
    their own domain in env from for moderation mails?

    I consider using SPF checks on my system.

    --
    kind regards
    Marco

    Send spam to 1733775304muell@stinkedores.dorfdsl.de


  • From Marco Moock@21:1/5 to All on Tue Dec 10 19:12:09 2024
    On 10.12.2024 18:47 Uhr Ivo Gandolfo wrote:

    However, given how the system works, there is no simple answer on how
    to overcome all this.

    Unless someone writes an RFC specifically, the problem remains that even if a
    new method were to be found, there are now old and/or unmaintained
    systems around, which would still use the old way of sending emails.

    If the moderation destination mailbox requires working SPF/DKIM, the
    addresses need to be rewritten.

    The usenet servers that send mail to my moderation relay (not
    destination) often use their own domain as the envelope from. SPF
    checking would be possible then.

    Mail from my machine wasn't rejected yet.

    --
    kind regards
    Marco

    Send spam to 1733852824muell@stinkedores.dorfdsl.de


  • From Russ Allbery@21:1/5 to Russ Allbery on Tue Dec 10 19:40:54 2024
    Russ Allbery <eagle@eyrie.org> writes:

    Even if you look only at the envelope sender, there will be no real
    relationship, since moderation submissions generally go through relay
    servers that do not do any of the transformations required by modern
    email spam prevention standards, and news servers may or may not use a
    valid address as an envelope sender when sending moderation submissions.

    Oh, ack, sorry -- I missed the context here that you're talking from the
    perspective of running a relay.

    As a moderation relay, you're a lot more likely to be able to get away
    with SPF, since I think most news servers *do* use an envelope sender that
    matches their domain. However, no, there is no requirement that they do
    so; all of this stuff predates email spam filtering standards.

    I'm also not entirely sure that you're going to get a lot of benefit from
    doing so? I guess you would be able to filter out spam sent directly to
    the moderation relay address, but I'm not sure how common that is compared
    to the amount of spam sent via Usenet posting. I suppose it will probably
    vary by group; some groups have likely advertised moderators.isc.org email
    addresses for people to use as a backup method of posting if their local
    news server doesn't handle relays properly, and in that case those
    addresses have probably gotten onto lists of spam addresses.

    --
    Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>


  • From Russ Allbery@21:1/5 to Marco Moock on Tue Dec 10 19:33:15 2024
    Marco Moock <mm+usenet-es@dorfdsl.de> writes:

    Is there any standard or policy that requires usenet servers to use
    their own domain in env from for moderation mails?

    There will be absolutely no relationship whatsoever between the From
    header of moderation submissions and the domain from which you receive
    them. Often the From header will be completely invalid, and it's very
    common (probably the 99% case these days) for the email address of the
    poster, even if valid, to have nothing whatsoever to do with the news
    server they use.

    Even if you look only at the envelope sender, there will be no real
    relationship, since moderation submissions generally go through relay
    servers that do not do any of the transformations required by modern email
    spam prevention standards, and news servers may or may not use a valid
    address as an envelope sender when sending moderation submissions.

    At present, there's basically no useful type of address-based spam
    filtering that can be done with moderation submissions via email. One
    pretty much has to turn off spam filtering (except maybe content analysis)
    if one is in the email path for moderation submissions. I expect this to
    make Usenet moderation increasingly untenable in the future, but fixing it
    will require a fairly significant revision to the Usenet standards and the
    implementation of the relays, which are running on an iffy volunteer basis
    already. (And, if that revision involves switching to encapsulating
    submissions, which would be the technically correct way to handle the
    various incompatibilities between netnews articles and email, it would
    require changes to all the moderation software as well.)

    --
    Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>


  • From Marco Moock@21:1/5 to All on Tue Dec 10 20:00:06 2024
    On 10.12.2024 19:40 Uhr Russ Allbery wrote:

    I'm also not entirely sure that you're going to get a lot of benefit
    from doing so? I guess you would be able to filter out spam sent
    directly to the moderation relay address, but I'm not sure how common
    that is compared to the amount of spam sent via Usenet posting.

    I've already received such messages with forged env from addresses.

    That's why I asked.

    If I can make SPF checks according to the policy, this might reduce
    such stuff a little bit.

    --
    kind regards
    Marco

    Send spam to 1733856054muell@stinkedores.dorfdsl.de
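
Added example, not part of the original posts: a sketch of the relay-side policy discussed in this thread, where SPF is evaluated on the envelope sender and only an explicit fail is rejected, because nothing requires news servers to publish SPF or to use their own domain. The records, domains and addresses are constructed, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (example domains only).
SPF_RECORDS = {
    "news.example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 -all",
    "softfail.example.net": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, env_from):
    """Evaluate a subset of RFC 7208 (ip4, ip6, all) for the envelope sender."""
    domain = env_from.rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    if not domain or record is None:
        return "none"  # null sender or no policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a/mx/include need DNS; outside this sketch
    return "neutral"


def relay_decision(client_ip, env_from):
    """Reject only on an explicit SPF fail; every other result is relayed on."""
    result = spf_result(client_ip, env_from)
    return ("reject" if result == "fail" else "accept", result)


# Constructed submissions: (connecting IP, envelope sender).
SAMPLES = [
    ("192.0.2.25", "news@news.example.org"),       # server using its own domain
    ("203.0.113.9", "news@news.example.org"),      # forged envelope sender
    ("203.0.113.9", "usenet@legacy.example.com"),  # domain publishes no SPF
    ("203.0.113.9", ""),                           # null envelope sender
]

if __name__ == "__main__":
    for ip, sender in SAMPLES:
        print(ip, repr(sender), relay_decision(ip, sender))
```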


  • From Adam H. Kerman@21:1/5 to Marco Moock on Tue Dec 10 20:12:41 2024
    Marco Moock <mm+usenet-es@dorfdsl.de> wrote:
    On 10.12.2024 18:47 Uhr Ivo Gandolfo wrote:

    However, given how the system works, there is no simple answer on how
    to overcome all this.

    Unless someone writes an RFC specifically, the problem remains that even if a
    new method were to be found, there are now old and/or unmaintained
    systems around, which would still use the old way of sending emails.

    If the moderation destination mailbox requires working SPF/DKIM, the
    addresses need to be rewritten.

    Please to gawd do not pursue this.

    The encoding always should have been based on ENVELOPE FROM, never on
    the From header in the mailing address. This misuse of the protocols has
    screwed up mailing lists for years and never had anything to do with
    identity protection. News to Mail gateways would be similarly affected.

    Not having learned a lesson from how mailing lists were adversely
    impacted, you would spread the pain to moderation? With moderation, it's
    not possible to avoid use of a relay unless self approvals are used.

    There is no identity on the From header to protect!

    The usenet servers that send mail to my moderation relay (not
    destination) often use their own domain as the envelope from. SPF
    checking would be possible then.

    Well, yes, but what are you trying to accomplish here? It's not the
    identity of the author.

    Usenet has been doing moderation in a somewhat useless manner forever.
    The proto article probably should have been an attachment to have
    something useful on Path. Instead, when the reader reads the approved
    article on the server he reads from, the Path traces back to the
    moderator's host and we lose the portion of the path that would have
    traced back to the author.

    If I'm concerned about the author's identity, I'd need to see Path back
    to him.

    Mail from my machine wasn't rejected yet.

    Uh, good. No one along the relay path of a proto article or the approved
    article injected back into Usenet should be checking SPF/DKIM at all.

    If they are, then their implementation is broken.


  • From Ivo Gandolfo@21:1/5 to Russ Allbery on Tue Dec 10 20:13:38 2024
    On 10/12/2024 20:40, Russ Allbery wrote:
    Oh, ack, sorry -- I missed the context here that you're talking from the
    perspective of running a relay.

    As a moderation relay, you're a lot more likely to be able to get away
    with SPF, since I think most news servers *do* use an envelope sender that
    matches their domain. However, no, there is no requirement that they do
    so; all of this stuff predates email spam filtering standards.



    FYI this is the latest header's message received from my robomod
    https://www.bofh.team/headers.txt

    You see, we have a lot now checking (spamassassin, etc). In that case I
    suppose to centralize everything it's a better choice, due to
    management. The moderators.isc.org need to be the main where the robomod
    stay, and in that case you don't have a relay problem or other things.


    Sincerely

    --
    Ivo Gandolfo


  • From John Levine@21:1/5 to mm+usenet-es@dorfdsl.de on Tue Dec 10 20:07:16 2024
    It appears that Marco Moock <mm+usenet-es@dorfdsl.de> said:
    If the moderation destination mailbox requires working SPF/DKIM, the
    addresses need to be rewritten.

    Given that the moderation relays are run by unpaid volunteers, that
    is backward. If you want to run a moderated group, figure out how to
    accept the mail the relays send.

    I've been running moderated groups for over 35 years. In my experience
    the amount of spam the relays forward is essentially zero, so I just
    whitelist them by IP address.

    --
    Regards,
    John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly


  • From Julien ÉLIE@21:1/5 to All on Wed Dec 11 00:16:20 2024
    Hi Adam,

    Usenet has been doing moderation in a somewhat useless manner forever.
    The proto article probably should have been an attachment to have
    something useful on Path.

    FWIW, RFC 5537 defines an application/news-transmission media type
    intended for the encapsulation of news articles. See Section 4.1:

    Optional parameters: One and only one of "usage=moderate",
    "usage=inject", or "usage=relay".

    Encoding considerations: A transfer-encoding different from that
    of the article transmitted MAY be
    supplied to ensure correct transmission
    over some 7bit transport medium.

    Body part: A complete proto-article ready for
    injection into Netnews or an article
    being relayed to another agent.


    Nevertheless, I am not aware of implementations. When forwarding the
    article to approve to a moderator, the news server needs knowing whether
    the moderator can handle that (new) media type. Some kind of up-to-date
    configuration telling which format to use (plain or encapsulated) for
    each moderation address has to be set up and maintained.

    I am unsure that it will be implemented and widely adopted one day,
    given the complexity of the change in an environment where some/most
    servers are no longer updated.

    If anyone has any proposal on that subject, feel free to tell!

    --
    Julien ÉLIE

    « I don't know if it's what you want, but it's what you get. » (Larry
    Wall)
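
Added example, not part of the original post and not taken from any existing implementation: a sketch of the RFC 5537 encapsulation quoted above, wrapping a proto-article as application/news-transmission with usage=moderate and unwrapping it on the moderator side. The article, addresses and function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed proto-article; addresses and hosts are placeholders.
PROTO_ARTICLE = (
    b"Path: news.example.org!not-for-mail\r\n"
    b"From: Poster <poster@example.invalid>\r\n"
    b"Newsgroups: example.moderated\r\n"
    b"Subject: test submission\r\n"
    b"Message-ID: <constructed-1@news.example.org>\r\n"
    b"\r\n"
    b"Body of the article.\r\n"
)


def encapsulate(article, relay_from, moderator):
    """News-server side: carry the article as a MIME body, not as the mail itself."""
    msg = EmailMessage()
    msg["From"] = relay_from          # the sending server's own address
    msg["To"] = moderator
    msg["Subject"] = "Moderation submission"
    msg.set_content(article, maintype="application",
                    subtype="news-transmission", cte="base64",
                    params={"usage": "moderate"})
    return msg.as_bytes()


def extract(raw):
    """Moderator side: return the proto-article bytes, or None if not encapsulated."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "application/news-transmission":
        return None                   # legacy plain submission
    if msg.get_param("usage") != "moderate":
        raise ValueError("encapsulated article is not a moderation submission")
    return msg.get_content()          # decoded bytes, article headers untouched


def summarize(raw):
    """Show that the mail-level sender and the article-level headers are separate."""
    outer = message_from_bytes(raw, policy=policy.default)
    inner = message_from_bytes(extract(raw), policy=policy.default)
    return {"mail_from": str(outer["From"]),
            "article_from": str(inner["From"]),
            "article_path": str(inner["Path"])}


if __name__ == "__main__":
    wrapped = encapsulate(PROTO_ARTICLE, "news@news.example.org",
                          "moderator@example.net")
    print(summarize(wrapped))
```

Because the article travels as an opaque body part, the outer mail can use the sending server's own domain while the article's From and Path headers reach the moderator unchanged.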

