Hi,

probably not important, but I got classical scam faking openSUSE admin, see
<https://paste.opensuse.org/pastes/74905cfd9aad>

Enjoy. :-)

Yours,
V.
--
Vojtěch Zeisek
https://trapa.cz/
Komunita openSUSE GNU/Linuxu
Community of the openSUSE GNU/Linux
https://www.opensuse.org/
On 2023-04-13 09:12, Vojtěch Zeisek wrote:
Hi, probably not important, but I got classical scam faking openSUSE admin, see <https://paste.opensuse.org/pastes/74905cfd9aad> Enjoy. :-) Yours, V.
I suspect that nothing can be done.

The thing is that, by design, anyone can send saying "I am "whomever@opensuse.org", because as there is no proper smtp server for the opensuse.org alias and each of us has to use their own methods to send that email, it basically means that they can not be filtered. No authentication checks are possible.

    cer@Telcontar:~> nslookup -type=txt opensuse.org
    Server: 192.168.1.16
    Address: 192.168.1.16#53

    Non-authoritative answer:
    opensuse.org text = "v=spf1 include:_spf.opensuse.org ?all"
    opensuse.org text = "google-site-verification=lSkTjo9mv48fTfzd-vZiZ2Yih6b8CJ-ek4Xij9v7KTY"

    Authoritative answers can be found from:

    cer@Telcontar:~>

Types of rejection levels:

-all (reject or fail them - don't deliver the email if anything does not match)
~all (soft-fail them - accept them, but mark it as 'suspicious')
+all (pass regardless of match - accept anything from the domain)
?all (neutral - accept it, nothing can be said about the validity if there isn't an IP match)

<https://support.mailessentials.gfi.com/hc/en-us/articles/360015116520-How-to-check-and-read-a-Sender-Policy-Framework-record-for-a-domain>

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On 4/13/23 05:33, Carlos E. R. wrote:
The thing is that, by design, anyone can send saying "I am "whomever@opensuse.org", because as there is no proper smtp server for the opensuse.org alias and each of us has to use their own methods to send that email, it basically means that they can not be filtered. No authentication checks are possible.
Ahh, the good ole days.. When an organizations servers -- were ... the organizations servers.... -- David C. Rankin, J.D.,P.E.
On 2023-04-13 20:07, David C. Rankin wrote:
On 4/13/23 05:33, Carlos E. R. wrote:
The thing is that, by design, anyone can send saying "I am "whomever@opensuse.org", because as there is no proper smtp server for the opensuse.org alias and each of us has to use their own methods to send that email, it basically means that they can not be filtered. No authentication checks are possible.
Ahh, the good ole days..
When an organizations servers -- were ... the organizations servers....
In the good old days I could send email from home, posing as you, without having to use any organization relay >:-) -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos & David, et al --

...and then Carlos E. R. said...
% On 2023-04-13 20:07, David C. Rankin wrote:
% > On 4/13/23 05:33, Carlos E. R. wrote:
% > > The thing is that, by design, anyone can send saying "I am
% > > "whomever@opensuse.org", because as there is no proper smtp server
...
% >
% > Ahh, the good ole days..
% >
% > When an organizations servers -- were ... the organizations servers....
%
% In the good old days I could send email from home, posing as you, without
% having to use any organization relay >:-)

Ah, yes. "Merry Christmas, from santa@north.pole.org" One of my first hacks :-)

The good ol' days, indeed. It's no longer Mayberry out there *sigh*

HANN

:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
David C. Rankin wrote:
On 4/13/23 05:33, Carlos E. R. wrote:
The thing is that, by design, anyone can send saying "I am "whomever@opensuse.org", because as there is no proper smtp server for the opensuse.org alias and each of us has to use their own methods to send that email, it basically means that they can not be filtered. No authentication checks are possible.
Ahh, the good ole days..
When an organizations servers -- were ... the organizations servers....
If someone (preferably 2-3 people) volunteers for running support, we can set up outbound SMTP for the opensuse.org addresses, with corresponding authentication, it's not a lot of effort. The real effort is in supporting it. -- Per Jessen, Zürich (10.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Sunday, 16 April 2023 12:31:52 CEST, Per Jessen wrote:
David C. Rankin wrote:
On 4/13/23 05:33, Carlos E. R. wrote:
The thing is that, by design, anyone can send saying "I am "whomever@opensuse.org", because as there is no proper smtp server for the opensuse.org alias and each of us has to use their own methods to send that email, it basically means that they can not be filtered. No authentication checks are possible.
Ahh, the good ole days.. When an organizations servers -- were ... the organizations servers....
If someone (preferably 2-3 people) volunteers for running support, we can set up outbound SMTP for the opensuse.org addresses, with corresponding authentication, it's not a lot of effort. The real effort is in supporting it.
IMHO own openSUSE SMTP would be great. I'd also add possibility of DKIM and so and lowered chance of openSUSE legitimate mails failing into SPAM. Sorry for dumb question, but what does exactly "effort supporting it" mean? I'd guess one wiki page will just state server name, port, security layer and which credentials to use and that's it...? -- Vojtěch Zeisek https://trapa.cz/ Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/
Vojtěch Zeisek wrote:
On Sunday, 16 April 2023 12:31:52 CEST, Per Jessen wrote:
David C. Rankin wrote:
On 4/13/23 05:33, Carlos E. R. wrote:
The thing is that, by design, anyone can send saying "I am "whomever@opensuse.org", because as there is no proper smtp server for the opensuse.org alias and each of us has to use their own methods to send that email, it basically means that they can not be filtered. No authentication checks are possible.
Ahh, the good ole days.. When an organizations servers -- were ... the organizations servers....
If someone (preferably 2-3 people) volunteers for running support, we can set up outbound SMTP for the opensuse.org addresses, with corresponding authentication, it's not a lot of effort. The real effort is in supporting it.
IMHO own openSUSE SMTP would be great. I'd also add possibility of DKIM and so and lowered chance of openSUSE legitimate mails failing into SPAM.
Yep. We already publish DKIM / DMARC data.
Sorry for dumb question, but what does exactly "effort supporting it" mean? I'd guess one wiki page will just state server name, port, security layer and which credentials to use and that's it...?
Not a dumb question at all.

For starters, there will be 700-800 members who will all need to set up their systems for such a new feature. This will no doubt require some hand-holding, never mind how well it is described on that wiki page

Next, there is userid+password management. People will need to authenticate to use their accounts - the easiest (implementation) is userid+pwd. People forget them, want to change them, need to setup an account on a new system etc etc. Another question here is - do we add all of them to our internal accounts system or do we maintain a separate accounts system?

Third, we will need some sort of rate limiting - accounts are stolen all the time, we don't want anyone abusing our mail system and sending thousands of mails when an account has been compromised. (not really a support matter though).

I'm sure I have forgotten something :-)

--
Per Jessen, Zürich (10.3°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Sunday, 16 April 2023 13:04:55 CEST, Per Jessen wrote:
Vojtěch Zeisek wrote:
On Sunday, 16 April 2023 12:31:52 CEST, Per Jessen wrote:
David C. Rankin wrote:
On 4/13/23 05:33, Carlos E. R. wrote: If someone (preferably 2-3 people) volunteers for running support, we can set up outbound SMTP for the opensuse.org addresses, with corresponding authentication, it's not a lot of effort. The real effort is in supporting it.
IMHO own openSUSE SMTP would be great. I'd also add possibility of DKIM and so and lowered chance of openSUSE legitimate mails failing into SPAM.
Yep. We already publish DKIM / DMARC data.
Good.
Sorry for dumb question, but what does exactly "effort supporting it" mean? I'd guess one wiki page will just state server name, port, security layer and which credentials to use and that's it...?
For starters, there will be 700-800 members who will all need to set up their systems for such a new feature. This will no doubt require some hand-holding, never mind how well it is described on that wiki page
I'd guess this should be solvable "in standard way", i.e. ML, fora, IRC, ...
Next, there is userid+password management. People will need to authenticate to use their accounts - the easiest (implementation) is userid+pwd. People forget them, want to change them, need to setup an account on a new system etc etc. Another question here is - do we add all of them to our internal accounts system or do we maintain a separate accounts system?
IMHO the best would be to use existing openSUSE accounts as for any other part of our infrastructure.
Third, we will need some sort of rate limiting - accounts are stolen all the time, we don't want anyone abusing our mail system and sending thousands of mails when an account has been compromised. (not really a support matter though).
Yep, there should be dedicated volunteer for that, but accounts can be stolen even now - how is this solved now?
I'm sure I have forgotten something :-)
Might be, but it sound doable. :-) -- Vojtěch Zeisek https://trapa.cz/ Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/
On 2023-04-16 21:32, Vojtěch Zeisek wrote:
On Sunday, 16 April 2023 13:04:55 CEST, Per Jessen wrote:
Vojtěch Zeisek wrote:
On Sunday, 16 April 2023 12:31:52 CEST, Per Jessen wrote:
David C. Rankin wrote:
On 4/13/23 05:33, Carlos E. R. wrote: If someone (preferably 2-3 people) volunteers for running support, we can set up outbound SMTP for the opensuse.org addresses, with corresponding authentication, it's not a lot of effort. The real effort is in supporting it.
IMHO own openSUSE SMTP would be great. I'd also add possibility of DKIM and so and lowered chance of openSUSE legitimate mails failing into SPAM.
Yep. We already publish DKIM / DMARC data.
Good.
Sorry for dumb question, but what does exactly "effort supporting it" mean? I'd guess one wiki page will just state server name, port, security layer and which credentials to use and that's it...?
For starters, there will be 700-800 members who will all need to set up their systems for such a new feature. This will no doubt require some hand-holding, never mind how well it is described on that wiki page
I'd guess this should be solvable "in standard way", i.e. ML, fora, IRC, ...
Next, there is userid+password management. People will need to authenticate to use their accounts - the easiest (implementation) is userid+pwd. People forget them, want to change them, need to setup an account on a new system etc etc. Another question here is - do we add all of them to our internal accounts system or do we maintain a separate accounts system?
IMHO the best would be to use existing openSUSE accounts as for any other part of our infrastructure.
Perhaps not, in order to not expose the passwords.
Third, we will need some sort of rate limiting - accounts are stolen all the time, we don't want anyone abusing our mail system and sending thousands of mails when an account has been compromised. (not really a support matter though).
Yep, there should be dedicated volunteer for that, but accounts can be stolen even now - how is this solved now?
I'm sure I have forgotten something :-)
Might be, but it sound doable. :-)
With that job description, I think I can volunteer. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Vojtěch Zeisek wrote:
On Sunday, 16 April 2023 13:04:55 CEST, Per Jessen wrote:
Yep. We already publish DKIM / DMARC data.
Good.
It is a matter of opinion :-) It doesn't exactly do much for us when we don't have dedicated outgoing servers. In fact, despite (or because of) our policies being very permissive, some providers refuse emails from @opensuse.org.
For starters, there will be 700-800 members who will all need to set up their systems for such a new feature. This will no doubt require some hand-holding, never mind how well it is described on that wiki page
I'd guess this should be solvable "in standard way", i.e. ML, fora, IRC, ...
Many people look at this slightly differently. When they have been issued an account and some credentials, they often feel entitled to help. Equally often, problems are perceived to be caused by whoever provided the account and credentials.
Next, there is userid+password management. People will need to authenticate to use their accounts - the easiest (implementation) is userid+pwd. People forget them, want to change them, need to setup an account on a new system etc etc. Another question here is - do we add all of them to our internal accounts system or do we maintain a separate accounts system?
IMHO the best would be to use existing openSUSE accounts as for any other part of our infrastructure.
Yes, probably. I suspect the issue would be - today, the vast majority of our members don't have an account - with email suddenly requiring an account, everybody will want one. Today, we already have one or two account support requests, per week.
Third, we will need some sort of rate limiting - accounts are stolen all the time, we don't want anyone abusing our mail system and sending thousands of mails when an account has been compromised. (not really a support matter though).
Yep, there should be dedicated volunteer for that, but accounts can be stolen even now - how is this solved now?
Today it isn't so important - a compromised account might give someone access to bugzilla, but not much else. A compromised email account can cause our mailserver to be blacklisted, thus affecting everyone.
I'm sure I have forgotten something :-)
Might be, but it sound doable. :-)
Yes, from a purely technical point of view, it is very much doable and I would be happy to set it up. -- Per Jessen, Zürich (9.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Monday, 17 April 2023 9:18:57 CEST, Per Jessen wrote:
Vojtěch Zeisek wrote:
On Sunday, 16 April 2023 13:04:55 CEST, Per Jessen wrote:
For starters, there will be 700-800 members who will all need to set up their systems for such a new feature. This will no doubt require some hand-holding, never mind how well it is described on that wiki page
I'd guess this should be solvable "in standard way", i.e. ML, fora, IRC, ...
Many people look at this slightly differently. When they have been issued an account and some credentials, they often feel entitled to help. Equally often, problems are perceived to be caused by whoever provided the account and credentials.
Well, might be, but still I'd say "standard" existing support is enough, regardless anyone's perceptions.
Next, there is userid+password management. People will need to authenticate to use their accounts - the easiest (implementation) is userid+pwd. People forget them, want to change them, need to setup an account on a new system etc etc. Another question here is - do we add all of them to our internal accounts system or do we maintain a separate accounts system?
IMHO the best would be to use existing openSUSE accounts as for any other part of our infrastructure.
Yes, probably. I suspect the issue would be - today, the vast majority of our members don't have an account - with email suddenly requiring an account, everybody will want one. Today, we already have one or two account support requests, per week.
Hmmm... An account You need practically for everything, don't You? Bugzilla, OBS, fora, wiki, getting @opensuse.org alias, Weblate, ... For ML You can be subscribed with any mail, OK, but for anything else You should already have an account and credentials, don't You?
Third, we will need some sort of rate limiting - accounts are stolen all the time, we don't want anyone abusing our mail system and sending thousands of mails when an account has been compromised. (not really a support matter though).
Yep, there should be dedicated volunteer for that, but accounts can be stolen even now - how is this solved now?
Today it isn't so important - a compromised account might give someone access to bugzilla, but not much else. A compromised email account can cause our mailserver to be blacklisted, thus affecting everyone.
True. This must be already solved thousand times. How is this practically processed in comparable organizations? Apart of technical maintenance, this would be IMHO the most demanding part, so when we see how demanding, we see if it'd be worth of the effort.
I'm sure I have forgotten something :-)
Might be, but it sound doable. :-)
Yes, from a purely technical point of view, it is very much doable and I would be happy to set it up.
I might be able to help with some other parts. -- Vojtěch Zeisek https://trapa.cz/ Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/
On 4/17/23 09:48, Vojtěch Zeisek wrote:
Today it isn't so important - a compromised account might give someone access to bugzilla, but not much else. A compromised email account can cause our mailserver to be blacklisted, thus affecting everyone.
True. This must be already solved thousand times. How is this practically processed in comparable organizations? Apart of technical maintenance, this would be IMHO the most demanding part, so when we see how demanding, we see if it'd be worth of the effort.
FWIW, Debian has this setup, https://lists.debian.org/debian-devel-announce/2022/07/msg00003.html but everyone on that domain has passed some security checks at some point in time. You can't just create an account and send mails. So while it probably would be easy to trust most people here with a relay, it's probably not a good idea to do so for the Internet. As-is, we allow anyone to create an account without much checking, so having an opensuse.org relay (since anyone can easily create an account) is probably not a good idea. @opensuse.org relay would probably have to be limited much further than just having an account. - Adam
Adam Majer wrote:
On 4/17/23 09:48, Vojtěch Zeisek wrote:
Today it isn't so important - a compromised account might give someone access to bugzilla, but not much else. A compromised email account can cause our mailserver to be blacklisted, thus affecting everyone.
True. This must be already solved thousand times. How is this practically processed in comparable organizations? Apart of technical maintenance, this would be IMHO the most demanding part, so when we see how demanding, we see if it'd be worth of the effort.
FWIW, Debian has this setup, https://lists.debian.org/debian-devel-announce/2022/07/msg00003.html
That describes our problem in a nutshell. (gmail). -- Per Jessen, Zürich (13.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-17 14:00, Adam Majer wrote:
On 4/17/23 09:48, Vojtěch Zeisek wrote:
Today it isn't so important - a compromised account might give someone access to bugzilla, but not much else. A compromised email account can cause our mailserver to be blacklisted, thus affecting everyone.
True. This must be already solved thousand times. How is this practically processed in comparable organizations? Apart of technical maintenance, this would be IMHO the most demanding part, so when we see how demanding, we see if it'd be worth of the effort.
FWIW, Debian has this setup,
https://lists.debian.org/debian-devel-announce/2022/07/msg00003.html
but everyone on that domain has passed some security checks at some point in time. You can't just create an account and send mails.
So while it probably would be easy to trust most people here with a relay, it's probably not a good idea to do so for the Internet. As-is, we allow anyone to create an account without much checking, so having an opensuse.org relay (since anyone can easily create an account) is probably not a good idea. @opensuse.org relay would probably have to be limited much further than just having an account.
The relay should be open to anyone that has an @opensuse.org alias. That's its purpose. -- Cheers / Saludos, Carlos E. R. (from Elesar, using openSUSE Leap 15.4)
On Mon, 17 Apr 2023 16:00:53 +0200 "Carlos E. R." <carlos.e.r@opensuse.org> wrote:
On 2023-04-17 14:00, Adam Majer wrote:
On 4/17/23 09:48, Vojtěch Zeisek wrote:
Today it isn't so important - a compromised account might give someone access to bugzilla, but not much else. A compromised email account can cause our mailserver to be blacklisted, thus affecting everyone.
True. This must be already solved thousand times. How is this practically processed in comparable organizations? Apart of technical maintenance, this would be IMHO the most demanding part, so when we see how demanding, we see if it'd be worth of the effort.
FWIW, Debian has this setup,
https://lists.debian.org/debian-devel-announce/2022/07/msg00003.html
but everyone on that domain has passed some security checks at some point in time. You can't just create an account and send mails.
So while it probably would be easy to trust most people here with a relay, it's probably not a good idea to do so for the Internet. As-is, we allow anyone to create an account without much checking, so having an opensuse.org relay (since anyone can easily create an account) is probably not a good idea. @opensuse.org relay would probably have to be limited much further than just having an account.
The relay should be open to anyone that has an @opensuse.org alias. That's its purpose.
How would you deal with the obvious problem posed by "As-is, we allow anyone to create an account without much checking, so having an opensuse.org relay (since anyone can easily create an account) is probably not a good idea."?
Dave Howorth wrote:
How would you deal with the obvious problem posed by "As-is, we allow anyone to create an account without much checking, so having an opensuse.org relay (since anyone can easily create an account) is probably not a good idea."?
AFAIK, new members require approval by the membership committee, so an openSUSE alias isn't just issued without some minimal check. Accounts elsewhere (wiki, fora, lists, bugzilla, obs etc) need no approval, that is correct. -- Per Jessen, Zürich (16.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-17 17:36, Dave Howorth wrote:
On Mon, 17 Apr 2023 16:00:53 +0200 "Carlos E. R." <> wrote:
On 2023-04-17 14:00, Adam Majer wrote:
On 4/17/23 09:48, Vojtěch Zeisek wrote:
Today it isn't so important - a compromised account might give someone access to bugzilla, but not much else. A compromised email account can cause our mailserver to be blacklisted, thus affecting everyone.
True. This must be already solved thousand times. How is this practically processed in comparable organizations? Apart of technical maintenance, this would be IMHO the most demanding part, so when we see how demanding, we see if it'd be worth of the effort.
FWIW, Debian has this setup,
https://lists.debian.org/debian-devel-announce/2022/07/msg00003.html
but everyone on that domain has passed some security checks at some point in time. You can't just create an account and send mails.
So while it probably would be easy to trust most people here with a relay, it's probably not a good idea to do so for the Internet. As-is, we allow anyone to create an account without much checking, so having an opensuse.org relay (since anyone can easily create an account) is probably not a good idea. @opensuse.org relay would probably have to be limited much further than just having an account.
The relay should be open to anyone that has an @opensuse.org alias. That's its purpose.
How would you deal with the obvious problem posed by "As-is, we allow anyone to create an account without much checking, so having an opensuse.org relay (since anyone can easily create an account) is probably not a good idea."?
But that is not so. They have to pass an approval committee to get the alias, and then someone has to add the alias to the list of mail aliases. Currently though, anybody can invent a new alias and send with it. They can not receive. That's the problem we are trying to solve. -- Cheers / Saludos, Carlos E. R. (from Elesar, using openSUSE Leap 15.4)
Vojtěch Zeisek wrote:
On Monday, 17 April 2023 9:18:57 CEST, Per Jessen wrote:
Vojtěch Zeisek wrote:
On Sunday, 16 April 2023 13:04:55 CEST, Per Jessen wrote:
For starters, there will be 700-800 members who will all need to set up their systems for such a new feature. This will no doubt require some hand-holding, never mind how well it is described on that wiki page
I'd guess this should be solvable "in standard way", i.e. ML, fora, IRC, ...
Many people look at this slightly differently. When they have been issued an account and some credentials, they often feel entitled to help. Equally often, problems are perceived to be caused by whoever provided the account and credentials.
Well, might be, but still I'd say "standard" existing support is enough, regardless anyone's perceptions.
In principle you are 100% right, in practice someone has to explain how those perceptions are wrong, and tell someone seeking support to go elsewhere, in a nice & polite way.
Yes, probably. I suspect the issue would be - today, the vast majority of our members don't have an account - with email suddenly requiring an account, everybody will want one. Today, we already have one or two account support requests, per week.
Hmmm... An account You need practically for everything, don't You? Bugzilla, OBS, fora, wiki, getting @opensuse.org alias,
I don't think an account is needed for the alias, but I have just now realised that I actually don't know.
Today it isn't so important - a compromised account might give someone access to bugzilla, but not much else. A compromised email account can cause our mailserver to be blacklisted, thus affecting everyone.
True. This must be already solved thousand times.
1017 to be precise :-) The rate limiting is easily done with a postfix policy daemon. My main issue is - I'm a professional, I do this sort of thing for a living. -- Per Jessen, Zürich (13.0°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
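Added example, not code from the thread or from openSUSE's infrastructure: one way the per-account rate limiting mentioned above could look as a Postfix policy delegation daemon in Python. The limits, listen port and account name are assumptions made for the illustration.

```python
"""Per-account send-rate limiter for the Postfix policy delegation protocol."""
import socketserver
import threading
import time
from collections import defaultdict, deque

# Assumed limits and listen address; tune them to real sending habits.
WINDOW_SECONDS = 3600
MAX_RECIPIENTS = 100
LISTEN = ("127.0.0.1", 10040)

# Constructed sample of what smtpd sends for one RCPT TO (a blank line ends it).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sasl_username=member1\n"
    "sender=member1@opensuse.org\n"
    "recipient=someone@example.com\n"
    "\n"
)


class RateLimiter:
    """Sliding-window counter of accepted recipients per account."""

    def __init__(self, limit=MAX_RECIPIENTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.sent = defaultdict(deque)   # account -> timestamps of accepted RCPTs
        self.lock = threading.Lock()

    def allow(self, account):
        now = self.clock()
        with self.lock:
            stamps = self.sent[account]
            while stamps and now - stamps[0] >= self.window:
                stamps.popleft()         # forget recipients outside the window
            if len(stamps) >= self.limit:
                return False
            stamps.append(now)
            return True


def parse_request(text):
    """Turn 'name=value' lines into a dict, stopping at the blank terminator."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, limiter):
    """Return the access(5) action for one policy request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"                   # only recipients are counted
    account = attrs.get("sasl_username", "").lower()
    if not account:
        return "DUNNO"                   # unauthenticated mail: other restrictions decide
    if limiter.allow(account):
        return "DUNNO"
    return "DEFER_IF_PERMIT 4.7.1 Sending rate limit exceeded for this account"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        for raw in self.rfile:           # smtpd keeps the connection open
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = decide(parse_request("\n".join(lines)), self.server.limiter)
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    # Assumed wiring in main.cf, inside smtpd_recipient_restrictions:
    #   check_policy_service inet:127.0.0.1:10040
    with PolicyServer(LISTEN, PolicyHandler) as server:
        server.limiter = RateLimiter()
        server.serve_forever()
```

A temporary deferral keeps a legitimate member's mail queued on their side while a stolen account stops at the cap; the counters live in memory, so a restart resets them.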
Hello,

In the Message;

Subject : Spam faking openSUSE
Message-ID : <3807597.KrdhrDLNI4@veles>
Date & Time: Thu, 13 Apr 2023 09:12:08 +0200

[VZ] == Vojtěch Zeisek <vojtech.zeisek@opensuse.org> has written:

VZ> Hi,
VZ> probably not important, but I got classical scam faking openSUSE admin, see
VZ> <https://paste.opensuse.org/pastes/74905cfd9aad>
VZ> Enjoy. :-)
VZ> Yours,
VZ> V.

This is the first time I have seen spam that has completely slipped through the sending domain verification.

[...]
Authentication-Results: ORIGINATING;
    dkim=none;
    spf=pass (ORIGINATING: domain of noreply@opensuse.org designates 195.135.221.175 as permitted sender) smtp.mailfrom=noreply@opensuse.org;
    dmarc=pass (policy=none) header.from=opensuse.org
[...]

I only receive spams that can be removed by spf filter.
The spammer in question is highly skilled, isn't he?

I don't know how to deal with this kind of spam.

Any idea?

Regards & Good Night.

---
┏━━┓彡 野宮 賢 mail-to: nomiya @ lake.dti.ne.jp
┃\/彡
┗━━┛
"A bachelor’s degree still holds prestige as a ticket to the middle class, but its value has received increasing scrutiny. In the last several years, rising tuition and student loan debt have led more Americans to reconsider an investment in postsecondary education."
-- Washington Post --
Masaru Nomiya wrote:
This is the first time I have seen spam that has completely slipped through the sending domain verification.
[...] Authentication-Results: ORIGINATING; dkim=none; spf=pass (ORIGINATING: domain of noreply@opensuse.org designates 195.135.221.175 as permitted sender) smtp.mailfrom=noreply@opensuse.org; dmarc=pass (policy=none) header.from=opensuse.org [...]
I only receive spams that can be removed by spf filter. The spammer in question is highly skilled, isn't he?
No, not really. As has been discussed in this thread, we (openSUSE) permit anyone to send mails from @opensuse.org. In this case it is a phishing attempt, trying to get access to someone's email account. The mail is permitted by SPF and there is simply not enough information to otherwise identify as spam. -- Per Jessen, Zürich (17.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
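Added example, not part of the thread: a receiver-side triage routine in Python that parses the Authentication-Results header quoted above and the SPF record shown earlier in the thread, and lists why the passing results carry little weight here. The function names and finding labels are invented for the illustration, and alignment is checked as an exact domain match (relaxed DMARC alignment compares organizational domains).

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Both inputs are copied from the messages in this thread.
SPF_RECORD = "v=spf1 include:_spf.opensuse.org ?all"
AUTH_RESULTS = (
    "ORIGINATING; dkim=none; "
    "spf=pass (ORIGINATING: domain of noreply@opensuse.org designates "
    "195.135.221.175 as permitted sender) smtp.mailfrom=noreply@opensuse.org; "
    "dmarc=pass (policy=none) header.from=opensuse.org"
)


def parse_spf(record):
    """Return [(result, mechanism), ...] for the mechanisms of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:      # modifier such as redirect= or exp=
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # "+" is implied
        parsed.append((QUALIFIERS[qualifier], term.lstrip("+-~?")))
    return parsed


def spf_default(record):
    """Result for a sender that matches none of the listed mechanisms."""
    for result, mechanism in parse_spf(record):
        if mechanism.lower() == "all":
            return result
    return "neutral"      # no match and no "all" (redirect= is not followed here)


def split_top_level(text, sep=";"):
    """Split on sep, ignoring separators inside parenthesised comments."""
    parts, current, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_authres(header):
    """Parse an Authentication-Results value into {method: details}."""
    results = {}
    for segment in split_top_level(header)[1:]:   # element 0 is the authserv-id
        comments = re.findall(r"\(([^()]*)\)", segment)
        tokens = re.sub(r"\([^()]*\)", " ", segment).split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {
            "result": result.lower(), "props": props, "comments": comments}
    return results


def assess(header, spf_record):
    """List the reasons a 'pass' verdict says little about the sender."""
    res = parse_authres(header)
    dkim = res.get("dkim", {}).get("result", "none")
    spf, dmarc = res.get("spf", {}), res.get("dmarc", {})
    findings = []
    if dkim != "pass":
        findings.append("no-dkim-signature")
    if dmarc.get("result") == "pass" and dkim != "pass":
        mailfrom = spf.get("props", {}).get("smtp.mailfrom", "")
        header_from = dmarc["props"].get("header.from", "")
        if mailfrom.rpartition("@")[2].lower() == header_from.lower():
            findings.append("dmarc-pass-rests-on-spf-alignment-only")
    if any(re.search(r"\bpolicy=none\b", c) for c in dmarc.get("comments", [])):
        findings.append("dmarc-policy-none")
    if spf_default(spf_record) in ("neutral", "pass"):
        findings.append("spf-does-not-fail-unlisted-senders")
    return findings


if __name__ == "__main__":
    for finding in assess(AUTH_RESULTS, SPF_RECORD):
        print(finding)
```

For the header in this thread all four findings apply, which is why a filter that trusts `spf=pass` and `dmarc=pass` alone lets the message through and content-based checks have to carry the decision.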
Hello,

In the Message;

Subject : Re: Spam faking openSUSE
Message-ID : <u1jp91$c76$1@saturn.local.net>
Date & Time: Mon, 17 Apr 2023 17:40:17 +0200

[PJ] == Per Jessen <fakefakefake@opensuse.org> has written:

PJ> Masaru Nomiya wrote:
PJ> > This is the first time I have seen spam that has completely slipped
PJ> > through the sending domain verification.
PJ> >
PJ> > [...]
PJ> > Authentication-Results: ORIGINATING;
PJ> > dkim=none;
PJ> > spf=pass (ORIGINATING: domain of noreply@opensuse.org designates
PJ> > 195.135.221.175 as permitted sender)
PJ> > smtp.mailfrom=noreply@opensuse.org; dmarc=pass (policy=none)
PJ> > header.from=opensuse.org
PJ> > [...]
PJ> >
PJ> > I only receive spams that can be removed by spf filter.
PJ> > The spammer in question is highly skilled, isn't he?

I see that you are a staff member of the IT section, is that wrong?
If so, just fine.

PJ> No, not really. As has been discussed in this thread, we (openSUSE)
PJ> permit anyone to send mails from @opensuse.org.

I know what this is.
I have seen more and more spoofed e-mails than I care to count.

PJ> In this case it is a phishing attempt, trying to get access to
PJ> someone's email account.

I figured, so I just watched the header.

PJ> The mail is permitted by SPF and there is simply not enough
PJ> information to otherwise identify as spam.

I can't understand you.

In other words, I'm surprising that the spam is being processed as ham, even though the receiving server for this spam has not only SPF, but also SPF, DKIM, and DMARC, which are three layers of sending domain authentication to protect against spoofed mail.

In particular, DMARC is the strongest sender domain authentication so far, isn't it.

I would think that server administrators would treat this as a severe problem?

Don't you?

Regards.

---
┏━━┓彡 野宮 賢 mail-to: nomiya @ lake.dti.ne.jp
┃\/彡
┗━━┛
"Tim Cook, the C.E.O. of Apple, said earlier this year that he would not let his nephew join social networks. Bill Gates banned cellphone until his children were teenagers, and Melinda Gates wrote that she wished they had waited even longer. Steve Jobs would not let his young children near iPads."
-- The New York Times --
Masaru Nomiya wrote:
I see that you are a staff member of the IT section, is that wrong? If so, just fine.
I merely volunteer as an unpaid sysadmin for openSUSE, that is all. See my signature.
PJ> The mail is permitted by SPF and there is simply not enough PJ> information to otherwise identify as spam.
I can't understand you.
In other words, I'm surprising that the spam is being processed as ham, even though the receiving server for this spam has not only SPF, but also SPF, DKIM, and DMARC, which are three layers of sending domain authentication to protect against spoofed mail.
In this case, the mail was not actually spoofed. We explicitly permit _anyone_ to send mails from "tomdickandharry@opensuse.org" from _anywhere_ . The SPF record for opensuse.org says "no policy".
In particular, DMARC is the strongest sender domain authentication so far, isn't it.
Probably, but we only verify signatures. Mails sent by openSUSE members using their openSUSE aliases are not DMARC signed.
I would think that server administrators would treat this as a severe problem? Don't you?
No I don't. It is working as designed. -- Per Jessen, Zürich (9.1°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
Hello, In the Message; Subject : Re: Spam faking openSUSE Message-ID : <u1l93s$jjj$1@saturn.local.net> Date & Time: Tue, 18 Apr 2023 07:16:44 +0200 [PF] == Per Jessen <this.isnt.spoofed@opensuse.org> has written: PF> Masaru Nomiya wrote: PF> > I see that you are a staff member of the IT section, is that wrong? PF> > If so, just fine. PF> I merely volunteer as an unpaid sysadmin for openSUSE, that is all. See PF> my signature. PF> > PJ> The mail is permitted by SPF and there is simply not enough PF> > PJ> information to otherwise identify as spam. PF> > PF> > I can't understand you. PF> > PF> > In other words, I'm surprising that the spam is being processed as PF> > ham, even though the receiving server for this spam has not only SPF, PF> > but also SPF, DKIM, and DMARC, which are three layers of sending PF> > domain authentication to protect against spoofed mail. PF> In this case, the mail was not actually spoofed. We explicitly permit PF> _anyone_ to send mails from "tomdickandharry@opensuse.org" from PF> _anywhere_ . The SPF record for opensuse.org says "no policy". PF> > In particular, DMARC is the strongest sender domain authentication so PF> > far, isn't it. PF> Probably, but we only verify signatures. Mails sent by openSUSE members PF> using their openSUSE aliases are not DMARC signed. PF> > I would think that server administrators would treat this as a severe PF> > problem? Don't you? PF> No I don't. It is working as designed. Sorry, now I know what I've fully misunderstood. Regards. --- ┏━━┓彡 野宮 賢 mail-to: nomiya @ lake.dti.ne.jp ┃\/彡 ┗━━┛ "A bachelor’s degree still holds prestige as a ticket to the middle class, but its value has received increasing scrutiny. In the last several years, rising tuition and student loan debt have led more Americans to reconsider an investment in postsecondary education." -- Washington Post --
On Apr 18, 2023, at 1:17 AM, Per Jessen <this.isnt.spoofed@opensuse.org> wrote:
Masaru Nomiya wrote:
I see that you are a staff member of the IT section, is that wrong? If so, just fine.
I merely volunteer as an unpaid sysadmin for openSUSE, that is all. See my signature.
Many thanks for volunteering, it is much appreciated. I’ve been a mailing list member on different lists for about 25 years, (SuSE, openSUSE). Even now, in my 70’s, I use the list to keep somewhat updated on the changes taking place with openSUSE. KEN