Re: Can we please refuse mail to the list from list addresses? - Mailing list pgsql-www
From | Andrew Sullivan |
---|---|
Subject | Re: Can we please refuse mail to the list from list addresses? |
Date | |
Msg-id | 20071129223558.GC8157@crankycanuck.ca Whole thread Raw |
In response to | Re: Can we please refuse mail to the list from list addresses? ("Marc G. Fournier" <scrappy@hub.org>) |
Responses |
Re: Can we please refuse mail to the list from list addresses?
|
List | pgsql-www |
Hi all, It appears that I caused a ruckus with my suggestion. It hasn't helped that I have, I think, encouraged a rather different discussion. This message is intended to disambiguate the various threads of this discussion, lay to rest at least one, and to make a promise about others. A. What I asked for What I actually asked for was that we reject mail From: <listname@postgresql.org> destined for <listname@postgresql.org>. I suggested this, because the spammers have obviously figured out that they can send mail with the From: and To: headers the same, and evade many spam traps. Since lists should _never_ send mail to themselves (it'd be a loop), this is an obvious optimisation. Marc says he can do this; I dunno whether it's been done, but I think his suggestion should be implemented. B. What else came out As it turns out, this discussion raised several other issues. I think they are the following: 1. SMTP Auth Everyone agrees this should be and is happening, so we don't need to discuss it more. 2. SMTP Submit vs. "Classic" SMTP While it is possible to authenticate SMTP while relaying, there is a current push in the Internet operator community to end the practice of MUA->MTA submission on port 25. The reasons for this are somewhat complicated. I'd like to propose that we not be distracted by this conversation while the current release is happening. Therefore, I propose that we postpone that discussion until some time in January. In order to allow people to prepare for any such discussion, there are some sub-questions that arise: a. Do we allow email that is unauthenticated with SMTP Auth fromany domain to go to any list without moderation (irrespectiveofsubscription)?b. Do we allow email that is unauthenticated with SMTP Auth frompostgresql.org domains to goto any list without moderation(irrespective of subscription)?c. Do we reject email that is unauthenticated with SMTP Authwith aTo: to the lists?d. Do we regard email with a From: address in the postgresql.orgdomain that is unauthenticated(by any server) to be legitimate (andtherefore in or out of spam-control attempts)?e. Do we regard emailwith a From: address in the postgresql.orgdomain that is not SMTP-Auth authenticated _at all_ to belegitimate?f. Dowe regard email with a From: address in the postgresql.orgdomain that is not authenticated _at the postgresql.org mailservers_to be legitimate? (Consider SMTP Auth atnon-postgresql.org mail servers, such as hub.org orcommandprompt.com.)g. Do we regard email with a From: address in the postgresql.orgdomain that is not authenticated bythe postgresql.org submitservice at the time of MUA->MTA delivery to be legitimate?h. What do our answers to the abovemean for various email signingsystems (such as SPF and DKIM)? Every one of the above may be answered in different ways, and the union of them entails various listmail policies that we may or may not like. Since the possible set of policies is so large, I offer to put together a proposed set of policies, with justifications, some time in January (after the release is behind us); that ought to eliminate the number of options that need to be included (I think some of the above questions have obvious answers). Is this ok with others? A -- Andrew Sullivan Old sigs will return after re-constitution of blue smoke