Posted to infrastructure-dev@apache.org by Robert Metzger <rm...@apache.org> on 2014/08/12 15:42:33 UTC

Nabble Archive emails to MLs rejected due to SPF check

Hi,

I recently noticed that users tried to ask questions on our mailing list (
user@flink.incubator.apache.org) through the nabble mailing list archive (
http://apache-flink-incubator-user-mailing-list-archive.2336050.n4.nabble.com/),
but the mails never showed up at our mailing list.
It seems that Nabble is sending the mails from their servers, on behalf of
the user, using the user's email address.

I tried replying to our mailing list from a @web.de email address, and got
the following error:

This message was created automatically by mail delivery software.
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>   dev@flink.incubator.apache.org
>     SMTP error from remote mail server after RCPT TO:<
> dev@flink.incubator.apache.org>:
>     host mx1.us.apache.org [140.211.11.136]: 550 SPF forgery:
>     Please see
> http://www.openspf.org/why.html?sender=metzgerr%40web.de&ip=216.139.236.26&receiver=athena.apache.org
> ------ This is a copy of the message, including all the headers. ------
> Return-path: <me...@web.de>
> Received: from ben.nabble.com ([192.168.236.152])
>         by sam.nabble.com with esmtp (Exim 4.72)
>         (envelope-from <me...@web.de>)
>         id 1XGQ79-00009o-1D
>         for dev@flink.incubator.apache.org; Sun, 10 Aug 2014 03:12:35
> -0700
> Date: Sun, 10 Aug 2014 03:12:35 -0700 (PDT)
> From: rmetzger <me...@web.de>
> To: dev@flink.incubator.apache.org
> Message-ID: <14...@n3.nabble.com>
> In-Reply-To: <14...@n3.nabble.com>
> References: <14...@n3.nabble.com>
> Subject: Re: How to use ShipStrategy BroadCast


Would it be possible to "whitelist" nabble.com for sending mails on behalf
of their users?
At least one other Apache project also noticed the issue:
http://mail-archives.apache.org/mod_mbox/cxf-users/201406.mbox/%3CDC3F5CBB3E66D44FBF12357ADC2471F257B471%40CBR1PEXC03.production.prod%3E
Here is another example:
http://ofbiz.135035.n4.nabble.com/Internal-Server-Error-Trunk-Demo-Management-Apps-td1475202.html
(See second message)


Regards,
Robert

Re: Nabble Archive emails to MLs rejected due to SPF check

Posted by Joseph Schaefer <jo...@yahoo.com.INVALID>.
The problem with Nabble is not purely Nabble's fault - as I have said several times now Nabble uses the user's inbound address instead of a Nabble address because we insisted on it.

Now what Nabble needs to do for us is to rewrite those addresses using SRS, which ezmlm supports.

Sent from my iPhone

> On Aug 12, 2014, at 1:03 PM, David Nalley <da...@gnsa.us> wrote:
> 
>> On Tue, Aug 12, 2014 at 12:48 PM, Robert Metzger <rm...@apache.org> wrote:
>> Thank you for the fast response.
>> I understand that this check is there to protect from phishing / spam
>> mails. Let me explain my reasoning ...
> 
> So the problem isn't with whitelisting Nabble; the problem is that
> we'd have to disable SPF checks. The owners of those domains have
> configured SPF to not allow third parties to send messages that appear
> to be originating from those domains.
> 
> I appreciate that users want to communicate with projects, and think
> that's a great thing; something I highly encourage. However, I think
> that the onus is on Nabble to figure out how to not have issues with
> domains that enforce SPF for their mail, not for scores of places to
> make exceptions for them.
> 
> --David

Re: Nabble Archive emails to MLs rejected due to SPF check

Posted by David Nalley <da...@gnsa.us>.
On Tue, Aug 12, 2014 at 12:48 PM, Robert Metzger <rm...@apache.org> wrote:
> Thank you for the fast response.
> I understand that this check is there to protect from phishing / spam
> mails. Let me explain my reasoning ...
>

So the problem isn't with whitelisting Nabble; the problem is that
we'd have to disable SPF checks. The owners of those domains have
configured SPF to not allow third parties to send messages that appear
to be originating from those domains.

I appreciate that users want to communicate with projects, and think
that's a great thing; something I highly encourage. However, I think
that the onus is on Nabble to figure out how to not have issues with
domains that enforce SPF for their mail, not for scores of places to
make exceptions for them.

--David
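The rejection quoted in the bounce above, and the SRS rewrite Joseph proposes as the fix, as an added example (not code from this thread, from Apache infrastructure, ezmlm or Nabble). It evaluates a minimal subset of SPF (ip4/ip6/all mechanisms) against constructed TXT records standing in for DNS, then rewrites the envelope sender in the SRS0 layout so that the domain being checked is the forwarder's own. Assumptions: `FAKE_DNS_TXT` (the real web.de and nabble.com records are not reproduced), `SECRET`, the address `user@web.de`, and the simplified hash/timestamp details of `srs_forward`/`srs_reverse`; the relay IP 216.139.236.26 and the date are the ones in the bounce.

```python
"""Why mail relayed by Nabble fails SPF, and how an SRS0 rewrite fixes it.

Added example with constructed data; not code from the thread, ezmlm or Nabble.
"""
import base64
import hashlib
import hmac
import ipaddress

# Constructed stand-ins for DNS TXT lookups (assumption: the real web.de and
# nabble.com records are not reproduced). 216.139.236.26 is the relay IP
# named in the bounce quoted in the thread.
FAKE_DNS_TXT = {
    "web.de": "v=spf1 ip4:212.227.0.0/16 -all",
    "nabble.com": "v=spf1 ip4:216.139.236.0/24 -all",
}
SECRET = b"constructed-srs-secret"  # assumption: the forwarder's SRS key

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, envelope_from):
    """Evaluate a small subset of RFC 7208 (ip4, ip6 and all mechanisms) for
    the domain of the MAIL FROM address; other mechanisms yield 'permerror'."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # a, mx, include, exists, ... are not modelled here
    return "neutral"  # RFC 7208: nothing matched and no 'all' term present


SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _srs_hash(secret, ts, domain, local):
    # HMAC over timestamp + original domain + original local part, base64,
    # truncated to four characters, following the SRS0 layout (simplified).
    mac = hmac.new(secret, (ts + domain + local).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]


def srs_forward(envelope_from, forwarder_domain, secret, day):
    """Rewrite user@web.de into SRS0=HHHH=TT=web.de=user@forwarder, so the
    envelope sender's domain is one whose SPF record lists the relay."""
    local, domain = envelope_from.rsplit("@", 1)
    ts = SRS_BASE32[(day >> 5) & 31] + SRS_BASE32[day & 31]  # day number mod 1024
    h = _srs_hash(secret, ts, domain, local)
    return f"SRS0={h}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, today, max_age_days=21):
    """Undo the rewrite when a bounce comes back, refusing forged or stale
    addresses so the forwarder cannot be used as a bounce relay."""
    local, _ = address.rsplit("@", 1)
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    _, h, ts, domain, orig_local = local.split("=", 4)
    if not hmac.compare_digest(h, _srs_hash(secret, ts, domain, orig_local)):
        raise ValueError("SRS hash mismatch: address was not minted with our key")
    day = (SRS_BASE32.index(ts[0]) << 5) | SRS_BASE32.index(ts[1])
    if (today - day) % 1024 > max_age_days:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"


def srs_is_valid(address, secret, today):
    try:
        srs_reverse(address, secret, today)
        return True
    except ValueError:
        return False


def demonstrate(sender_ip="216.139.236.26", user_from="user@web.de", day=16292):
    """Reproduce the thread's failure, then the proposed fix. Day 16292 is
    2014-08-10 (the date in the bounce) counted in days since the Unix epoch."""
    before = check_spf(sender_ip, user_from)             # 'fail' -> 550 SPF forgery
    rewritten = srs_forward(user_from, "nabble.com", SECRET, day)
    after = check_spf(sender_ip, rewritten)              # 'pass'
    bounce_to = srs_reverse(rewritten, SECRET, day + 1)  # bounce goes back to the user
    return before, rewritten, after, bounce_to


if __name__ == "__main__":
    print(demonstrate())
```

The point the thread makes is visible in `demonstrate()`: the same relay IP and the same message get `fail` when the envelope sender stays `user@web.de` and `pass` once the sender is rewritten under nabble.com, because SPF is a statement by the sender domain's owner about which hosts may use that domain in MAIL FROM, so it is the rewrite, not a receiver-side exception, that resolves the conflict. The hash and timestamp in `srs_reverse` are what stop a third party from minting SRS addresses against the forwarder.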

Re: Nabble Archive emails to MLs rejected due to SPF check

Posted by Robert Metzger <rm...@apache.org>.
Thank you for the fast response.
I understand that this check is there to protect from phishing / spam
mails. Let me explain my reasoning ...

It is very important for the projects to receive all messages from their
users. Nabble seems to be very popular among many projects and it's indeed a
good service that allows users without mailing list experience to
participate in discussions or seek help.

Users sending emails from "nabble.com" hosts need to have verified email
accounts. So spammers cannot just sign up there to exploit the service for
sending mails. In addition to that, the mailing list moderators would
receive moderation mails if unsubscribed users try to post to the mailing
list (I think most of the users using the service are subscribed to the
list because nabble has a big warning popup to tell them).
So it's unlikely that spammers can actually cause damage.

I think that allowing "nabble.com" to send emails from other addresses
would mean to trust the nabble.com administrators that they know how to
avoid abuse of the system.




On Tue, Aug 12, 2014 at 3:53 PM, Tony Stevenson <to...@pc-tony.com> wrote:

>
> > On 12 Aug 2014, at 14:42, Robert Metzger <rm...@apache.org> wrote:
> >
> > Hi,
> >
> > I recently noticed that users tried to ask questions on our mailing list
> (
> > user@flink.incubator.apache.org) through the nabble mailing list
> archive (
> >
> http://apache-flink-incubator-user-mailing-list-archive.2336050.n4.nabble.com/
> ),
> > but the mails never showed up at our mailing list.
> > It seems that Nabble is sending the mails from their servers, on behalf
> of
> > the user, using the user's email address.
> >
> > I tried replying to our mailing list from a @web.de email address, and
> got
> > the following error:
> >
> > This message was created automatically by mail delivery software.
> >> A message that you sent could not be delivered to one or more of its
> >> recipients. This is a permanent error. The following address(es) failed:
> >>  dev@flink.incubator.apache.org
> >>    SMTP error from remote mail server after RCPT TO:<
> >> dev@flink.incubator.apache.org>:
> >>    host mx1.us.apache.org [140.211.11.136]: 550 SPF forgery:
> >>    Please see
> >>
> http://www.openspf.org/why.html?sender=metzgerr%40web.de&ip=216.139.236.26&receiver=athena.apache.org
> >> ------ This is a copy of the message, including all the headers. ------
> >> Return-path: <me...@web.de>
> >> Received: from ben.nabble.com ([192.168.236.152])
> >>        by sam.nabble.com with esmtp (Exim 4.72)
> >>        (envelope-from <me...@web.de>)
> >>        id 1XGQ79-00009o-1D
> >>        for dev@flink.incubator.apache.org; Sun, 10 Aug 2014 03:12:35
> >> -0700
> >> Date: Sun, 10 Aug 2014 03:12:35 -0700 (PDT)
> >> From: rmetzger <me...@web.de>
> >> To: dev@flink.incubator.apache.org
> >> Message-ID: <14...@n3.nabble.com>
> >> In-Reply-To: <14...@n3.nabble.com>
> >> References: <14...@n3.nabble.com>
> >> Subject: Re: How to use ShipStrategy BroadCast
> >
> >
> > Would it be possible to "whitelist" nabble.com for sending mails on
> behalf
> > of their users?
>
> No sorry. This would be a dangerous strategy IMO. This would mean ignoring
> all defences put in place by the admins for $DOMAIN, and just accepting
> mail as coming from that domain via a list of $OTHER_SERVICE.
>
> > At least one other Apache project also noticed the issue:
> >
> http://mail-archives.apache.org/mod_mbox/cxf-users/201406.mbox/%3CDC3F5CBB3E66D44FBF12357ADC2471F257B471%40CBR1PEXC03.production.prod%3E
> > Here is another example:
> >
> http://ofbiz.135035.n4.nabble.com/Internal-Server-Error-Trunk-Demo-Management-Apps-td1475202.html
> > (See second message)
> >
> >
> > Regards,
> > Robert
>
>
> Cheers,
> Tony
>
> ----------------------------------
> Tony Stevenson
>
> tony@pc-tony.com
> pctony@apache.org
>
> http://www.pc-tony.com
>
> GPG - 1024D/51047D66
> ----------------------------------

Re: Nabble Archive emails to MLs rejected due to SPF check

Posted by Tony Stevenson <to...@pc-tony.com>.
> On 12 Aug 2014, at 14:42, Robert Metzger <rm...@apache.org> wrote:
> 
> Hi,
> 
> I recently noticed that users tried to ask questions on our mailing list (
> user@flink.incubator.apache.org) through the nabble mailing list archive (
> http://apache-flink-incubator-user-mailing-list-archive.2336050.n4.nabble.com/),
> but the mails never showed up at our mailing list.
> It seems that Nabble is sending the mails from their servers, on behalf of
> the user, using the user's email address.
> 
> I tried replying to our mailing list from a @web.de email address, and got
> the following error:
> 
> This message was created automatically by mail delivery software.
>> A message that you sent could not be delivered to one or more of its
>> recipients. This is a permanent error. The following address(es) failed:
>>  dev@flink.incubator.apache.org
>>    SMTP error from remote mail server after RCPT TO:<
>> dev@flink.incubator.apache.org>:
>>    host mx1.us.apache.org [140.211.11.136]: 550 SPF forgery:
>>    Please see
>> http://www.openspf.org/why.html?sender=metzgerr%40web.de&ip=216.139.236.26&receiver=athena.apache.org
>> ------ This is a copy of the message, including all the headers. ------
>> Return-path: <me...@web.de>
>> Received: from ben.nabble.com ([192.168.236.152])
>>        by sam.nabble.com with esmtp (Exim 4.72)
>>        (envelope-from <me...@web.de>)
>>        id 1XGQ79-00009o-1D
>>        for dev@flink.incubator.apache.org; Sun, 10 Aug 2014 03:12:35
>> -0700
>> Date: Sun, 10 Aug 2014 03:12:35 -0700 (PDT)
>> From: rmetzger <me...@web.de>
>> To: dev@flink.incubator.apache.org
>> Message-ID: <14...@n3.nabble.com>
>> In-Reply-To: <14...@n3.nabble.com>
>> References: <14...@n3.nabble.com>
>> Subject: Re: How to use ShipStrategy BroadCast
> 
> 
> Would it be possible to "whitelist" nabble.com for sending mails on behalf
> of their users?

No sorry. This would be a dangerous strategy IMO. This would mean ignoring all defences put in place by the admins for $DOMAIN, and just accepting mail as coming from that domain via a list of $OTHER_SERVICE.

> At least one other Apache project also noticed the issue:
> http://mail-archives.apache.org/mod_mbox/cxf-users/201406.mbox/%3CDC3F5CBB3E66D44FBF12357ADC2471F257B471%40CBR1PEXC03.production.prod%3E
> Here is another example:
> http://ofbiz.135035.n4.nabble.com/Internal-Server-Error-Trunk-Demo-Management-Apps-td1475202.html
> (See second message)
> 
> 
> Regards,
> Robert


Cheers,
Tony

----------------------------------
Tony Stevenson

tony@pc-tony.com
pctony@apache.org

http://www.pc-tony.com

GPG - 1024D/51047D66
----------------------------------