Hi folks,

during the last moonths I get more mails from the debian-user list marked as spam than before. Something must have changed.

I examined the header of the mails, but did not see any unusual.

Below I send the header of an example of such a mail, maybe you can see the reason?

On my computer I am also using spamassassin, and my own score is set to 3.4,
so even so it should not considered as spam.

Thisis the header:

--- snip ---

X-Spam-Flag: YES
X-SPAM-FACTOR: DKIM
X-Envelope-From: bounce-debian-devel=hans.ullrich=loop.de@lists.debian.org DMARC-Filter: OpenDMARC Filter v1.4.1 mail104c50.megamailservers.eu 4269vZOl098298
Authentication-Results: mail104c50.megamailservers.eu; dmarc=fail (p=reject dis=none) header.from=4angle.com
Authentication-Results: mail104c50.megamailservers.eu; spf=none smtp.mailfrom=lists.debian.org
Authentication-Results: mail104c50.megamailservers.eu;
dkim=fail reason="signature verification failed" (4096-bit key) header.d=4angle.com header.i=@4angle.com header.b="bS+3bWmq"
Return-Path: <bounce-debian-devel=hans.ullrich=loop.de@lists.debian.org> Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
by mail104c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP id 4269vZOl098298
for <hans.ullrich@loop.de>; Wed, 6 Mar 2024 09:57:37 +0000
Received: from localhost (localhost [127.0.0.1])
by bendel.debian.org (Postfix) with QMQP
id C9230205B1; Wed, 6 Mar 2024 09:

Hi,

Hans wrote:

during the last moonths I get more mails from the debian-user list marked as spam than before.
[...]
Below I send the header of an example of such a mail, maybe you can see the reason?

The message does not look like it came to you via debian-user:

X-Original-To: lists-debian-devel@bendel.debian.org
Delivered-To: lists-debian-devel@bendel.debian.org
Received: from localhost (localhost [127.0.0.1])
by bendel.debian.org (Postfix) with ESMTP id B720220598
for <lists-debian-devel@bendel.debian.org>; Wed, 6 Mar 2024
[...]
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: debian-devel@lists.debian.org, debian-python@lists.debian.org,
wnpp@debian.org

Are you perhaps subscribed to one of the "Resent-*" lists ?

Subject: *****SPAM***** Bug#1065537: ITP: bleak-retry-connector -- Connector for Bleak Clients that handles transient connection failures

The mark "*****SPAM*****" does not appear in the archive

https://lists.debian.org/debian-devel/2024/03/msg00076.html

All in all it looks like a legit message, not like spam.
So the suspect would sit after Debian's mail servers.


The only Received header i see between Debian and you is:

Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
by mail104c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP
id 4269vZOl098298
for <hans.ullrich@loop.de>; Wed, 6 Mar 2024 09:57:37 +0000

It looks like either megamailservers.eu or your own processing added
the spam mark to the subject.


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hans wrote:

Hi folks,

during the last moonths I get more mails from the debian-user list marked as spam than before. Something must have changed.

I examined the header of the mails, but did not see any unusual.

Below I send the header of an example of such a mail, maybe you can see the reason?

On my computer I am also using spamassassin, and my own score is set to 3.4, so even so it should not considered as spam.

X-Spam-Flag: YES
X-SPAM-FACTOR: DKIM

What sets these two headers?

Authentication-Results: mail104c50.megamailservers.eu;
dkim=fail reason="signature verification failed" (4096-bit key) header.d=4angle.com header.i=@4angle.com header.b="bS+3bWmq"

That's the source of the DKIM fail.

X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on bendel.debian.org X-Spam-Level:
X-Spam-Status: No, score=-6.7 required=4.0 tests=BODY_INCLUDES_PACKAGE,

DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,LDO_WHITELIST,
T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
version=3.4.2

This is debian.org's mailserver checking for spam and deciding that it isn't, even though DKIM is invalid.

X-Virus-Scanned: at lists.debian.org with policy bank en-ht X-Amavis-Spam-Status: No, score=-8.561 tagged_above=-10000 required=5.3
tests=[BAYES_00=-2, BODY_INCLUDES_PACKAGE=-2, DKIM_INVALID=0.1,
DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
LDO_WHITELIST=-5, T_SCC_BODY_TEXT_LINE=-0.01]
autolearn=ham autolearn_force=no

This is debian.org again.

X-Bogosity: Ham, tests=bogofilter, spamicity=0.053994, version=1.2.5

--- snap ---

Does one see any reason, why this is considered as spam???

Whatever set X-SPAM-FLAG: YES is probably at fault.

-dsr-

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Thomas,

you perhaps subscribed to one of the "Resent-*" lists ?

Not as far as I know.

Subject: *****SPAM***** Bug#1065537: ITP: bleak-retry-connector -- Connector for Bleak Clients that handles transient connection failures

The mark "*****SPAM*****" does not appear in the archive

This line is set by spamassassin on my own computer, when a spam mail is
marked as spam. Then it will be filtered out. But I can not see, WHJY it is recognised as apam!

https://lists.debian.org/debian-devel/2024/03/msg00076.html

All in all it looks like a legit message, not like spam.
So the suspect would sit after Debian's mail servers.

The only Received header i see between Debian and you is:

Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])

by mail104c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP
id 4269vZOl098298
for <hans.ullrich@loop.de>; Wed, 6 Mar 2024 09:57:37 +0000

It looks like either megamailservers.eu or your own processing added
the spam mark to the subject.

Hmm, suspicious. I changed nothing and suddenly many mails from debian-user (but not all, only some) are recognized as spam. And I can not see, why they are. Thre are no URLs in it, no suspicous gifs or any other content. Just
quite normal mails. And some are flagged as spam, some not. Weired.....

Have a nice day :)

Thomas

Best

Hans

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Am Mittwoch, 6. März 2024, 12:10:57 CET schrieb Dan Ritter:

X-Spam-Flag: YES

X-SPAM-FACTOR: DKIM

What sets these two headers?

I do not know. So I asked on this list.

What I believe is, that the X-Spam-Flag: YES is set somehow on the way and as spamassin is looking at that is marking the mail as spam.

The question is: Where and why is this flag set? Maybe because of the DKIM failure?

Sorry, I do not know, and maybe you are right: It might be a problem with megamailservers, who knows.

Best

Hans

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Hans wrote:

I changed nothing and suddenly many mails from debian-user
(but not all, only some) are recognized as spam.

But the one you posted here did not come from debian-user.

So maybe what changed is an inadverted subscription to one of
debian-bugs-dist@lists.debian.org
debian-devel@lists.debian.org
debian-python@lists.debian.org,
wnpp@debian.org
This might have broadened the set of mail senders and thus gives your
mail provider opportunities to complain like spotted by Dan Ritter:

Authentication-Results: mail104c50.megamailservers.eu;
dkim=fail reason="signature verification failed" (4096-bit key) header.d=4angle.com header.i=@4angle.com header.b="bS+3bWmq"

"4angle.com" matches the mail address of the bug submitter
"Edward Betts <edward@4angle.com>".


The shown message headers offer unsubscription from debian-devel:

List-Unsubscribe: <mailto:debian-devel-request@lists.debian.org?subject=unsubscribe>

I.e. to send a mail to debian-devel-request@lists.debian.org with the
subject line
unsubscribe


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hans <hans.ullrich@loop.de> wrote:

Hi Thomas,

you perhaps subscribed to one of the "Resent-*" lists ?

Not as far as I know.

Subject: *****SPAM***** Bug#1065537: ITP: bleak-retry-connector -- Connector for Bleak Clients that handles transient connection
failures

The mark "*****SPAM*****" does not appear in the archive

This line is set by spamassassin on my own computer, when a spam mail
is marked as spam. Then it will be filtered out. But I can not see,
WHJY it is recognised as apam!

https://lists.debian.org/debian-devel/2024/03/msg00076.html

All in all it looks like a legit message, not like spam.
So the suspect would sit after Debian's mail servers.

The only Received header i see between Debian and you is:

Received: from bendel.debian.org (bendel.debian.org
[82.195.75.100])

by mail104c50.megamailservers.eu (8.14.9/8.13.1) with
ESMTP id 4269vZOl098298
for <hans.ullrich@loop.de>; Wed, 6 Mar 2024 09:57:37
+0000

It looks like either megamailservers.eu or your own processing added
the spam mark to the subject.

Hmm, suspicious. I changed nothing and suddenly many mails from
debian-user (but not all, only some) are recognized as spam. And I
can not see, why they are. Thre are no URLs in it, no suspicous gifs
or any other content. Just quite normal mails. And some are flagged
as spam, some not. Weired.....

So if it's not you, then it sounds like you need to ask
megamailservers.eu why.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Hans wrote:

Re: *****SPAM***** Re: Spam from the list?
In-Reply-To: <20240306112253.55e25711@earth.stargate.org.uk>

referring the mail

Date: Wed, 6 Mar 2024 11:22:53 +0000
From: Brad Rogers <brad@fineby.me.uk>
Message-ID: <20240306112253.55e25711@earth.stargate.org.uk>

I assume that this mail appeared with the "*****SPAM*****" marker in
your mailbox.
(The currently most plausible theory is that megamailservers.eu adds "X-Spam-Flag: YES" and your local mail processing takes this header as
reason to change the subject.)

So what does the mail which you received from Brad via debian-user
say about "Authentication-Results:" ?
Your initial post quoted three such headers. Expect more than one.


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, 06 Mar 2024 13:53:49 +0100
Hans <hans.ullrich@loop.de> wrote:

Hello Hans,

It should be well trained

Spam training is an ongoing process....

But until then suddenly the false positives increased from one day to >another, although I had changed nothing.

....because the spam changes. What's coming now is new, and SA has not
seen it before. You have to train it. Equally, what you consider ham
can change - for example, when you subscribe to a new mailing list that
caters to a subject not encountered by you before because of, say, taking
up a new hobby.

I've been using my spam filtering set up for years too, and I still get
the occasional false positive. I mark them as ham to (hopefully)
improve spam filtering here.

--
Regards _ "Valid sig separator is {dash}{dash}{space}"
/ ) "The blindingly obvious is never immediately apparent"
/ _)rad "Is it only me that has a working delete key?"
If you ain't sticking your knives in me, you will be eventually
Monsoon - Robbie Williams

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEmwDAJZJEijHvlxs1Dz7gAfAqPiAFAmXoboMACgkQDz7gAfAq PiDBnAf/QcShtd1Qf6SFQwjTj6XaTQ+w2IN1ORzbzypJ3VJelKljFvKhTfeApOLH SGd8fCYK5wZVT4eR9hhd7A1DtyGQSg3qH0kRLjp+sWpL8ejWheyXZz+6B1O4j1Dp 9f/Y3JhYypRUiOIM46f5IKLsAv3Nr6UIghGk3xNCo0FPe+BOG3BWe54iLJ9rOWgR 43HWpW4QuT/Pxbwb/EI8mQtFV+iVmOSgpoGGpnJAjMCogezQodTDj4p94Gm9J3fe OuMkEZQpAjycIOaNZ/Ll77UUYatBH4SBkJsLJ32K6jr0xAML++Z5KRNU02EXfflj NBEZazXbiqzjIxWGW9UrOzBAelieXQ==
=RKu8
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

HI Brad,

I do not believe, it is a training problem. Why? Well, your formerly mail was marked as spam. So I marked it as ham. Now, your second mail again is marked as spam.

We know, there is nothing unusual with your mail, but it is again marked as spam. Even, when I explicity marked your mails as ham!

Thus the problem is not on my computer.

I believe, what Thomas said: Megamail or my mailprovider is setting the X- Spam-Flag to YES, and my spamassassin is recognizing this and marks this as spam.

The solution would be, either to make megamails or my provider make things correctly (but I have no atom bombs to force them) , or delete my rule, to check the X-Spam-Flag (which I actually do not want).

Important is: The cause is not at debian server (which is fine!) and not on my system (which is also fine), but on the provider server.

To know this, I think we can safely close this issue.

We have learnt some things (which is always important) and could find the reason.

Thank you all for your help and input!!

Best regards

Hans


Am Mittwoch, 6. März 2024, 14:24:19 CET schrieb Brad Rogers:

On Wed, 06 Mar 2024 13:53:49 +0100
Hans <hans.ullrich@loop.de> wrote:

Hello Hans,

It should be well trained

Spam training is an ongoing process....

But until then suddenly the false positives increased from one day to >another, although I had changed nothing.

....because the spam changes. What's coming now is new, and SA has not
seen it before. You have to train it. Equally, what you consider ham
can change - for example, when you subscribe to a new mailing list that caters to a subject not encountered by you before because of, say, taking
up a new hobby.

I've been using my spam filtering set up for years too, and I still get
the occasional false positive. I mark them as ham to (hopefully)
improve spam filtering here.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hans <hans.ullrich@loop.de> wrote:

HI Brad,

I do not believe, it is a training problem. Why? Well, your formerly
mail was marked as spam. So I marked it as ham. Now, your second mail
again is marked as spam.

We know, there is nothing unusual with your mail, but it is again
marked as spam. Even, when I explicity marked your mails as ham!

Thus the problem is not on my computer.

I believe, what Thomas said: Megamail or my mailprovider is setting
the X- Spam-Flag to YES, and my spamassassin is recognizing this and
marks this as spam.

The solution would be, either to make megamails or my provider make
things correctly (but I have no atom bombs to force them) , or delete
my rule, to check the X-Spam-Flag (which I actually do not want).

You don't need an atom bomb. Simply contact their support and tell them
they appear to be misclassifying mail. If they don't fix the problem
then consider changing your provider. Or at least tell them you will :)

Also they are still sending the mail to you, so it is your choice
whether to actually classify it as spam! Look at your mail program and
see what options it has regarding classifying spam. Change it to not
respect the particular header you think is causing problems.

Important is: The cause is not at debian server (which is fine!) and
not on my system (which is also fine), but on the provider server.

To know this, I think we can safely close this issue.

We have learnt some things (which is always important) and could find
the reason.

Thank you all for your help and input!!

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi all,
I believe, I found the reason, why mails are marked as spam and others not.

All spam mails shjow this entry in the header:

--- sninp ---

Authentication-Results: mail35c50.megamailservers.eu; spf=none smtp.mailfrom=lists.debian.org
Authentication-Results: mail35c50.megamailservers.eu;
dkim=fail reason="signature verification failed" (2048-bit key) header.d=debian.org header.i=@debian.org header.b="pDp/TPD5"
Return-Path: <bounce-debian-devel=hans.ullrich=loop.de@lists.debian.org> Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
by mail35c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP id 425I9ZEK112497
for <hans.ullrich@loop.de>; Tue, 5 Mar 2024 18:09:37 +0000

--- snap ---

White mails get the dkim=pass and spam mails got dkim=fail (as you see above).

However, I am not much experienced with DKIM, but as far as I read, it has soemthing to do with key exchanges.

But who must exchange keys? I see also bendel.debian.org and a bounce message.

Can that be the reason, that bendel.debian.org and megameilservers.eu has some problems with the keys?

On both I can not take a look and have

On Thu, Mar 07, 2024 at 09:44:51AM +0100, Hans wrote:

Hi all,
I believe, I found the reason, why mails are marked as spam and others not.

All spam mails shjow this entry in the header:

--- sninp ---

Authentication-Results: mail35c50.megamailservers.eu; spf=none smtp.mailfrom=lists.debian.org
Authentication-Results: mail35c50.megamailservers.eu;
dkim=fail reason="signature verification failed" (2048-bit key) header.d=debian.org header.i=@debian.org header.b="pDp/TPD5"
Return-Path: <bounce-debian-devel=hans.ullrich=loop.de@lists.debian.org> Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
by mail35c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP id 425I9ZEK112497
for <hans.ullrich@loop.de>; Tue, 5 Mar 2024 18:09:37 +0000

--- snap ---

White mails get the dkim=pass and spam mails got dkim=fail (as you see above).

However, I am not much experienced with DKIM, but as far as I read, it has soemthing to do with key exchanges.

But who must exchange keys? I see also bendel.debian.org and a bounce message.

Can that be the reason, that bendel.debian.org and megameilservers.eu has some
problems with the keys?

On both I can not take a look and have no influence to it, but mayme the admins
of bendel.debian.org do know more.

Thanks for reading this,

Best regards

Hans

Well i think that you would be add to whitelist emails from bendel.debian.org.


Thanks, Byunghee from South Korea

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Thu, Mar 07, 2024 at 09:44:51AM +0100, Hans wrote:

--- sninp ---

Authentication-Results: mail35c50.megamailservers.eu; spf=none smtp.mailfrom=lists.debian.org
Authentication-Results: mail35c50.megamailservers.eu;
dkim=fail reason="signature verification failed" (2048-bit key) header.d=debian.org header.i=@debian.org header.b="pDp/TPD5"
Return-Path: <bounce-debian-devel=hans.ullrich=loop.de@lists.debian.org> Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
by mail35c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP id 425I9ZEK112497
for <hans.ullrich@loop.de>; Tue, 5 Mar 2024 18:09:37 +0000

--- snap ---

White mails get the dkim=pass and spam mails got dkim=fail (as you see above).

A great many legitimate emails will fail DKIM so it is not a great
idea to reject every email that does so. I don't think that you are
going to have a good time using Internet mailing lists while your
mail provider rejects mails with invalid DKIM, so if I were you I'd
work on fixing that rather than trying to get everyone involved to
correctly use DKIM.

In this specific example your problem is that a mail came through
the Debian bug tracking system (which pretends to be the original
sender) and on the way out was DKIm signed by debian.org and then
went through Debian's list servers. Somewhere in there the DKIM
signature was broken.

I don't rate your chances of getting the operators of
bugs.debian.org and lists.debian.org to agree to preserve DKIM since
I know at least some of them are severely opposed to DKIM.

Your mailbox provider really should not be rejecting everything that
has a broken DKIm signature. This email from me will probably have a
broken DKIM signature.

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 07/03/2024 21:04, Andy Smith wrote:

Hi,

On Thu, Mar 07, 2024 at 09:44:51AM +0100, Hans wrote:

--- sninp ---

Authentication-Results: mail35c50.megamailservers.eu; spf=none
smtp.mailfrom=lists.debian.org
Authentication-Results: mail35c50.megamailservers.eu;
dkim=fail reason="signature verification failed" (2048-bit key)
header.d=debian.org header.i=@debian.org header.b="pDp/TPD5"
Return-Path: <bounce-debian-devel=hans.ullrich=loop.de@lists.debian.org>
Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
by mail35c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP id
425I9ZEK112497
for <hans.ullrich@loop.de>; Tue, 5 Mar 2024 18:09:37 +0000

--- snap ---

White mails get the dkim=pass and spam mails got dkim=fail (as you see above).

A great many legitimate emails will fail DKIM so it is not a great
idea to reject every email that does so. I don't think that you are
going to have a good time using Internet mailing lists while your
mail provider rejects mails with invalid DKIM, so if I were you I'd
work on fixing that rather than trying to get everyone involved to
correctly use DKIM.

In this specific example your problem is that a mail came through
the Debian bug tracking system (which pretends to be the original
sender) and on the way out was DKIm signed by debian.org and then
went through Debian's list servers. Somewhere in there the DKIM
signature was broken.

I don't rate your chances of getting the operators of
bugs.debian.org and lists.debian.org to agree to preserve DKIM since
I know at least some of them are severely opposed to DKIM.

Your mailbox provider really should not be rejecting everything that
has a broken DKIm signature. This email from me will probably have a
broken DKIM signature.

Thanks,
Andy

Andy's mail's DKIM looks OK here:

Authentication-Results: mx.zohomail.com;
dkim=pass;
spf=none (zohomail.com: 82.195.75.100 is neither permitted nor denied by domain of lists.debian.org) smtp.mailfrom=bounce-debian-user=john=bunsenlabs.org@lists.debian.org;
dmarc=pass(p=none dis=none) header.from=strugglers.net
ARC-Seal: i=1; a=rsa-sha256; t=1709813111; cv=none;
d=zohomail.com; s=zohoarc;
b=E/0YtYVq6D01XC5ug3vazK169M6jDxoXOO6K7rs6qdKhNHP1XDV7QSLAvwJetsjzooDe39MNSl/160MWgl3URqQ1YhPYZ9aBFQ3DsmN74mTKPiQYOxqx0XzNy1Nemo4oRetVQDrwEGeegQWUBbrxtbD18x8R7Dd9Ps19NxKRMP8=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc;
t=1709813111; h=Content-Type:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Resent-Sender:Resent-Date:References:Resent-Message-ID:Resent-From:Subject:Subject:To:To:
Message-Id:Reply-To:Cc;
bh=ohelUf+wTnNtAeaNpYE6UONuc2euPhvqBvxLaU7Fz7c=;
b=MUW94hTSknXpUch7F94usVvulKMrwldlWtoyP582oO6+EMhKaeisaBraF7KE46pdbHyE+AAzf/dn0xPDxNnN+M+RXSbXsQvu7qEIe/+q6fCdppDhql+IMx+U9H+Q61olqpD+JMh9IxFgAUSKme0bLD8NhFKOskvLdtzqq3XeIpg=
ARC-Authentication-Results: i=1; mx.zohomail.com;
dkim=pass;
spf=none (zohomail.com: 82.195.75.100 is neither permitted nor denied by domain of lists.debian.org) smtp.mailfrom=bounce-debian-user=john=bunsenlabs.org@lists.debian.org;
dmarc=pass header.from=<andy@strugglers.net> (p=none dis=none)

--snip--

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=strugglers.net; s=alpha; h=In-Reply-To:Content-Type:MIME-Version:References
:Message-ID:Subject:To:From:Date:Content-Transfer-Encoding:Sender:Reply-To:Cc
:Content-ID:Content-Description:Resent-To;
bh=ohelUf+wTnNtAeaNpYE6UONuc2euPhvqBvxLaU7Fz7c=; b=c5YTQp9JWbbPNuLxDYO19XXqgy
KmEiV4tSD2LlNXy4C9/5PPfZ5JGT6U70UQpwIXgC1alHcUyD+LY6JDPEbO33KuWsWr4gvrJCwrq0u
HMUc+sKwQgknFeLxa5Jk3a3VFLURsYYec+6Lc9C4WsQB9I+xuv8CmO22xpRRNqB3SWdR7gtHy+Ab8
1UGvqoeEsCAtc5y2dt3uiX6Uy5qYDRbgbSVBhfq4TwjxmyTqmnkT1oG62tW2LavipJDvfR/40weCR
B/S7To5h6Lgc/1oLArFNtrtPlfyyRg38maGSj5Jgt9X5Vwdfg187lIla/I4OBjib2pDV5d38QzL7v
4Vz0PYFg==;

--
John

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 7 Mar 2024, Andy Smith wrote:

Hi,

On Thu, Mar 07, 2024 at 09:44:51AM +0100, Hans wrote:

--- sninp ---

Authentication-Results: mail35c50.megamailservers.eu; spf=none smtp.mailfrom=lists.debian.org
Authentication-Results: mail35c50.megamailservers.eu;
dkim=fail reason="signature verification failed" (2048-bit key) header.d=debian.org header.i=@debian.org header.b="pDp/TPD5"
Return-Path: <bounce-debian-devel=hans.ullrich=loop.de@lists.debian.org> Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
by mail35c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP id 425I9ZEK112497
for <hans.ullrich@loop.de>; Tue, 5 Mar 2024 18:09:37 +0000

--- snap ---

White mails get the dkim=pass and spam mails got dkim=fail (as you see above).

A great many legitimate emails will fail DKIM so it is not a great
idea to reject every email that does so. I don't think that you are
going to have a good time using Internet mailing lists while your
mail provider rejects mails with invalid DKIM, so if I were you I'd
work on fixing that rather than trying to get everyone involved to
correctly use DKIM.

And some dkim seems setup with the intention that it should not be used
for mailinglusts:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=dow.land;
s=20210720;
h=From:In-Reply-To:References:Subject:To:Message-Id:Date:
Content-Type:Content-Transfer-Encoding:Mime-Version:Sender:Reply-To:Cc:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;

This one passed on bendel but not when it got to me. Most on debian-user
seem ok, debian-devel does seem to get more submissions with broken dkim
(based on looking at a random handful on each list)

AFAICT, it's a problem at the originator causing failures, either
something wrong with dkim setup or too strict set of headers.

I shall be checking what this does when it gets back to me. One of the
problems with dkim is that you assume it still works, it's hard to know
what others actually see...

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello,

On Fri, Mar 08, 2024 at 02:16:07AM +0000, Tim Woodall wrote:

And some dkim seems setup with the intention that it should not be used
for mailinglusts:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=dow.land;
s=20210720;
h=From:In-Reply-To:References:Subject:To:Message-Id:Date:
Content-Type:Content-Transfer-Encoding:Mime-Version:Sender:Reply-To:Cc:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;

So the thing is that the RFC for DKIM specifies a list of headers to
sign and those include ones commonly used by mailing list software
so as soon as one of those mails goes through list software, the DKIM signatures get broken. And sadly because that is what is suggested
in the RFC, that is also the default setting of Exim in Debian.

As a result heaps of messages don't make it through mailing lists
with DKIM intact even when the list operator makes some effort to
allow it to work (e.g. avoids adding footers or subject tags, just
passes the mail through, like debian-user does).

AFAICT, it's a problem at the originator causing failures, either
something wrong with dkim setup or too strict set of headers.

Yes. But I think a person whose receiving system outright rejects on
DKIM failure might spend their whole lives tracking down and
contacting the operators of sending systems to educate them about
DKIM, only to be mostly met with disagreement, lack of
understanding, or silence. Which is why I argue that at present it
isn't a good idea to just reject all DKIM failures like OP's mailbox
provider appears to be doing.

That sort of setup would only be suitable for someone who doesn't
really use email, except for "transactional" mails (password
reminders, OTP, etc.) and one-way newsletters. Which admittedly is
probably the majority of users - but not OP!

I shall be checking what this does when it gets back to me. One of the problems with dkim is that you assume it still works, it's hard to know
what others actually see...

Adding DMARC and a reporting address gets you far more unwelcome
insight into what others do. 😀

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Andy Smith wrote:

[...] I argue that at present it
isn't a good idea to just reject all DKIM failures like OP's mailbox
provider appears to be doing.

Just for the records:
The mails in question don't get rejected but rather marked as spam
and then get delivered.

The currently best theory is that megamailservers.eu adds a header
X-Spam-Flag: YES
if it perceives DKIM problems, and that the local anti-spam software
of the receiver takes this header as reason to alter the subject by
the prefix "*****SPAM*****".

Whether it is a good idea to map DKIM failure to a spam marking header
is another interesting topic.

Original post of this thread with an example of all headers of a mail:
https://lists.debian.org/msgid-search/3371640.PXJkl210th@protheus2


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)