Today, spam emails that look like they have been sent from our mailing system (test@lists.fedoraproject.org) have been sent to the mailing list(s).
These mails have already led community members to consider that this could be realistic: they resemble closely enough what we are used to receiving from the mailing list system that one could consider them to really be from our system. But they are not: the mails inform users that their password will expire and ask them to log in via a given link in order to keep their existing password. Don’t do it!
I am pinning this temporarily, as this attempt differs from other spam/phishing attempts, because the latter used to be easy to identify.
If something like this also happened on other channels / with other “realistic” approaches, feel free to add it here to let others know.
I already removed them from archives, so they are not there anymore. The problem is that the mails look like they are sent directly from test@lists.fedoraproject.org and we can’t really ban that address.
Friendly reminder on today’s SMTP:
All major mail service providers refuse to process incoming mail without an appropriate DKIM signature. This forces all senders to digitally sign and further identify themselves as the sender.
The Fedora mailing list uses the discoursemail.com platform, and the emails sent are signed with their private keys. Also, any email is verifiable with their RSA public key from the DNS TXT RR sea1._domainkey.discoursemail.com.
Unfortunately no mail client utilizes this information. It would be so nice if my MTA informed me of something in this fashion: “The email from fedoraproject.discoursemail.com has a digital signature matching the emails you previously received from this mailing list”.
Such info wouldn’t be definite 100% proof of security, but it would indicate to me that a cursory check was conducted and the result was ok. When a rogue mail with an incorrect DKIM signature is received, a warning should be issued. To repeat: without DKIM, you will never see the mail, or you can see it in your junk mail box with a warning label attached.
Such a feature would be easy to implement in any mail client.
This is a fallout of us trying to make test-announce → test list forwarding work. The moment we lifted restrictions to debug why forwarding doesn’t work, spam started getting through. Sorry about that.
Well, it is actually more subtle and complex than that (and that is why spam and spoofing are still a thing). While SPF/DKIM/DMARC can provide strong hints (and all orgs are encouraged to set up the hints), not all target email servers may apply those hints the same way (and it is not unknown that, due to past issues, a mail server (and/or client) may be configured to ignore markings for some sources). While small orgs might be able to reject everything that is not absolutely perfectly formed, large email providers need to make choices that keep their clients sufficiently pleased. Sending email to a mail list (to be forwarded to all recipients) is also an issue. And mail lists and servers can rewrite headers such that the hints simply are wrong (wrong enough that one needs to stop using them as the be-all and end-all solution).
Except for those making (lots of) money off UCE, most people wish that email was better secured and authenticated and UCE was no longer a thing, but that is still just a pipe dream.
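The two previous posts describe, from opposite sides, what a mail client could do with authentication results: the DKIM post wishes the client would say “this mail carries the same signature domain as earlier mail from this list”, and the reply above points out that list forwarding rewrites headers so that a strict DMARC check (identifier alignment with the From: domain) often fails on legitimate list mail. The following Python script is an added example, not code from Fedora, Discourse or any mail client; it reads the Authentication-Results header (RFC 8601) that the receiving MTA writes, and applies both ideas. The authserv-id “mx.example.net”, the two sample messages, and the set of known signing domains are constructed assumptions; the organizational-domain shortcut (last two labels) stands in for the public suffix list real DMARC uses.

```python
"""Client-side use of Authentication-Results (RFC 8601) to flag look-alike list mail.

Added example, not Fedora's or Discourse's code. Assumes the receiving MTA
(authserv-id "mx.example.net", constructed) writes an Authentication-Results
header and strips any that arrived from outside (RFC 8601 section 5).
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"   # assumption: our own MTA's authserv-id
LIST_DOMAIN = "lists.fedoraproject.org"
# assumption: signing domains seen on earlier, verified mail from this list
KNOWN_SIGNERS = {"discoursemail.com"}

_COMMENT = re.compile(r"\([^)]*\)")

# Constructed sample messages; neither is real traffic from the Fedora lists.
GENUINE = """\
Authentication-Results: mx.example.net; dkim=pass (good signature) header.d=discoursemail.com header.s=sea1; spf=pass smtp.mailfrom=bounces.discoursemail.com
From: Fedora Discussion <test@lists.fedoraproject.org>
Subject: Weekly test list digest

regular list traffic
"""

SPOOFED = """\
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=lists.fedoraproject.org
From: Fedora Discussion <test@lists.fedoraproject.org>
Subject: Your password will expire

please log in to keep your password
"""


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, {method: props})."""
    value = _COMMENT.sub("", value)          # drop "(...)" comments
    parts = [p.strip() for p in value.split(";")]
    authserv = parts[0].split()[0] if parts and parts[0] else ""
    results = {}
    for clause in parts[1:]:
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:               # e.g. header.d=..., smtp.mailfrom=...
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = props
    return authserv, results


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption;
    real DMARC consults the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def assess(raw_message):
    """Return a verdict dict for one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    authserv, results = parse_auth_results(msg.get("Authentication-Results", ""))
    if authserv != TRUSTED_AUTHSERV:
        # An A-R header we did not write ourselves proves nothing.
        return {"verdict": "untrusted-header", "from_domain": from_domain}
    dkim = results.get("dkim", {})
    spf = results.get("spf", {})
    dkim_pass = dkim.get("result") == "pass"
    signer = dkim.get("header.d", "")
    # DMARC-style alignment: an authenticated identifier must share the
    # organizational domain of the visible From: address.
    dkim_aligned = dkim_pass and org_domain(signer) == org_domain(from_domain)
    spf_aligned = (spf.get("result") == "pass"
                   and org_domain(spf.get("smtp.mailfrom", "")) == org_domain(from_domain))
    if dkim_pass and signer in KNOWN_SIGNERS:
        verdict = "known-signer"    # same signer as earlier verified list mail
    elif dkim_aligned or spf_aligned:
        verdict = "dmarc-aligned"
    elif from_domain == LIST_DOMAIN:
        verdict = "spoof-warning"   # claims to be the list, nothing vouches for it
    else:
        verdict = "unauthenticated"
    return {"verdict": verdict, "from_domain": from_domain, "signer": signer,
            "dkim_aligned": dkim_aligned, "spf_aligned": spf_aligned}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, assess(raw))
```

Run as-is, the genuine list message gets the verdict “known-signer” even though neither identifier aligns with lists.fedoraproject.org (the signature belongs to discoursemail.com, exactly the forwarding situation the reply above describes), while the spoofed message, which presents the list address with no passing signature at all, gets “spoof-warning”. The authserv-id check matters: a client must only act on Authentication-Results headers its own MTA added, since anyone can put such a header on an outgoing message.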
While SPF/DKIM/DMARC can provide strong hints (and all orgs are encouraged to set up the hints), not all target email servers may apply those hints the same way (and it is not unknown that, due to past issues, a mail server (and/or client) may be configured to ignore markings for some sources).
This statement is not entirely true.
All major mail service providers (with the exception of Apple) have issued “bulk sender” rules. I run my own SMTPd on my home Linux box; by no means do my 2 or 3 mails per day place me in the bulk sender category. Still, without proper DMARC (that’s SPF + DKIM), none of my mails gets processed. To spam, if I’m lucky!
My claim is: in 2026, without DMARC, Google and Microsoft won’t accept your mail. That should cover 95% of all human-created email traffic.
Please everyone, keep focused here: this is about the current spam issue.
For improving/adjusting our infra and its implementation, we have other channels. I suggest using the Matrix channel or opening a dedicated topic in Project Discussion to start a chat if you think something can be improved.
Are you coming from the Middle/Dark Ages? I don’t understand why you call it a “ban”. But penguins don’t like “ban”; penguins understand only “forbidden”.