Re: [Nmh-workers] Stanford disliking my emails -- update + question

[Bob Carragher]

On Wed, 22 Apr 2015 23:22:27 -0400 Ken Hornstein <address@hidden> sez:

> >I think you read that a little differently than I intended - I
> >didn't mean to imply that this would be free (just included in
> >whatever else you get) though it sometimes is (I suspect
> >that's rare) - they're businesses, and will seek a profit from
> >whatever avenue they can, which is reasonable - most often
> >there will be some additional charge, but often (from the
> >commercial pay for use providers, as distinct from google etc.
> >who raise revenue other ways) this is a service they offer -
> >why wouldn't they - it costs them almost nothing, and they can
> >charge for it.
>
> Fair enough ... but again, my two examples (Verizon and
> pobox.com) don't include it in their service they provide to me
> that I pay for.  But that doesn't really get to my larger point
> - every other MUA manages to send email fine, without requiring
> your own domain.  It seems backwards to tell nmh users this is
> the preferred solution.

Two more examples:  Comcast (a "business" account -- though they
do offer static IPs, for a fee) and Google Mail.

I, for one, am very glad that there exists a fine and supported
solution that doesn't require me to buy a domain name!

> >  | Thirdly ... I think it's ridiculous that Stanford's
> >  | anti-spam rules trawl through Received headers (which are
> >  | defined as being free-form)
> >
> >Actually, they're not, they have a fairly strict format (with
> >lots of options, true) - but that's not really the point.  The
> >real issue is that spammers tend to put in a chain of bogus
> >Received headers in messages they send in a rather lame
> >attempt to hide the true origin of the message.
>
> Fair enough, I was wrong about that ... although, really, RFC
> 5321 says you can't count on them to have any format, but like
> you said, not really relevant here.  My key point was that
> Bob's message was validated by gmail's DKIM rules; that only
> happens if you authenticated to gmail to submit the message.
> If that happens, you shouldn't need to check the Received
> headers for bogus stuff.

On a related note, initially Stanford IT said it was GMail's
fault, though they were never precise with their reasoning.  My
guess is that they were saying, "Yes, GMail is providing a valid
DKIM entry, but the sending node uses 'localhost.localdomain' --
which means GMail is in effect validating what is, in our
opinion, 'spam.'"

I can see that that is not 100% impossible.  But, given the
presence of the DKIM signature, is it an unreasonable statement?

> >Detecting that series of bogus Received headers is one way to
> >determine that a message is probably spam - it is not at all a
> >useless technique (your "most windows users" MUAs don't tend
> >to add Received headers at all - and nor should they - nor
> >does nmh, which it also shouldn't - but if you deliver via a
> >local sendmail/postfix/exim/... which I personally believe is
> >the best way to config nmh, then it will (and should) and you
> >need a domain name for that.
> 
> I know we're never going to agree on the best way to configure
> mail submission, but you have admitted in the past that your
> have an unusual amount of control over your local domain, to a
> degree that I think very few people have nowadays.  Also,
> you've been around long enough that you probably remember
> having to deal with sendmail.cf directly rather than having it
> generated by m4 templates.  For you, registering a domain isn't
> a big deal because you did that already and of course sendmail
> configuration is easy.  But ... for the person who has a more
> traditional setup (e.g., has a residential ISP and submits to
> gmail), making that a requirement is overkill, and like I said
> earlier if they have to ASK how to configure sendmail here then
> they shouldn't be using it.  Their world will be easier if they
> submit email like everyone else does (and really, if they're at
> that level of sophistication then they won't get any of the
> advantages of having their own domain).

I also remember editing sendmail.cf files.  I also have an old
copy of the O'Reilly "sendmail" book, from the mid-1990s.  But to
say I did more than copy the sendmail.cf file from elsewhere,
edit the hostnames, and cross my fingers, would be to give me far
more credit than I deserve!  B-)  And it sent me down the wrong
track for years, something that more-or-less worked (though there
were significant limitations) until this issue with Stanford's
anti-spam tool finally forced the realization that (a) I didn't
have a proper host/sendmail setup and (b) there are proper tools
to do the job without needing to use or understand sendmail or
break one's /etc/hosts file!  (And I would be still be lost
without this wonderful mailing list and the people here!)

The average NMH user probably has more *nix and sysadmin
knowledge than the average Ubuntu user, but if I'm at all
representative of that average NMH user then we have enough just
to be dangerous to ourselves.  B-)

                                Bob