Richard Rosner writes:
Are there any settings that may help with making it easier to see spam as spam?
I gather you mean that you are letting spam go through to your subscribers, and you want to give them more information? For practical purposes, you've already lost, though. Studies show that users are not very good at picking up on such details.
E.g. some mail programs, including Outlook, allow the user to set a from mail address that most mail clients will show instead of the true sender address, but the sender's mail address is still present in the sender header field. While some people and companies carelessly abuse that functionality, hiding their true mail address, those bad practices also are abused by spammers and others.
What you consider "abuse" or "bad practice" is often very useful. For example, I have validated four different addresses that I can set in Gmail, each of which I use for specific recipients. Of course, all are "public" identities, if you know me you likely know more than one of those addresses. Of course all such messages have my Gmail address as sender. I would be very angry if you dug that out and substituted it for my public identity.
If you are seriously considering such a strategy, you should do a study to see whether you'd catch more spam than ham this way.
In any case, competent spammers are spoofing *all* of the identities involved in creating and injecting the email. The only way to effectively authenticate email is to use cryptographic signatures. Since very few users do this themselves, you're left with DKIM. Technically speaking DKIM only authenticates the sending host. But on the assumption that the sending host authenticates its users, if the From field is included in that host's DKIM signature, you can trust the authenticity of the author identity in the From field.
Mailman does not perform DKIM verification, but your MTA almost certainly does already. It probably also already performs the DMARC "From alignment" check, which is even more strict than the DKIM test I described above. From alignment requires a valid DKIM signature including the From field, and the domain in the From address must be the same as the domain that signed the message. Your spam filter should be using those before forwarding to Mailman.
Does Mailman have any settings that would remove any such obfuscations, e.g. in this case detect the manipulated from address and replace it with the sender address?
No. In fact, the only optional manipulations of From that Mailman performs are (a) to remove the address for anonymized lists, and (b) to change the address to that of the list in cases where changes to the message performed by the list would invalidate the DKIM signature.
If you are enabling features that invalidate the original DKIM signature, you can provide more information to your subscribers via the ARC (Authenticated Received Chain) protocol. It's better to have this implemented in the MTA, but as long as the MTA is configured to provide verification of incoming SPF and DKIM results in the Authentication-Results field, Mailman can optionally participate in ARC for you.
While I do run my own spam filter, it's virtually getting harder every day to make sure you detect all spam while not having too many false positives. If it was possible to reverse at least the most obvious manipulations, that would probably already help. Also, it would make it much easier for the users to see at first glance who actually wrote an email. It's always less trustworthy if the sender's address is shown as user3168@suspiciousdomain.gg instead of it being manipulated to say support@yourprovider.com.
I think the odds are good that you'll annoy some of the more sophisticated subscribers, but not save anyone from spam.
I haven't collected statistics on this, but anomalous message IDs are often noticeable, often in messages "from support@someprovider.com". Of course almost none of your users will be checking that, but your spam filter may be able to use failed alignment between Message-ID and DKIM signer.
You haven't described your use case in any detail, so the following advice may not apply for your lists. But generically the strategies that have high success rates are
- Human moderation, preferably after a highly accurate filter, of course.
- Members-only list.
- Crank up the spam points for invalid or missing DKIM signature and for failed From alignment (but this may cause problems for some of your posters).
There are other strategies specific to the list. One list I know had success by giving negative spam points to mentions of the list's topic.
Steve
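
The From alignment test described in the message above, as an added example that is not part of the original post or of Mailman's code: it trusts only the Authentication-Results field stamped by your own MTA and requires a DKIM-Signature whose d= equals the From domain and whose h= covers From. The authserv-id `mx.example.org`, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id stamped by your own MTA

def _tags(value):
    """Parse a 'k=v; k=v' tag list (DKIM-Signature syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags

def dkim_pass_domains(msg):
    """Signing domains for which the trusted MTA recorded dkim=pass."""
    passed = set()
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(ar).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a field carrying another authserv-id may be forged upstream
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            passed.add(m.group(1).lower())
    return passed

def from_is_aligned(raw):
    """True if a passing DKIM signature covers From and d= equals the From domain."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if not from_domain:
        return False
    passed = dkim_pass_domains(msg)
    for sig in msg.get_all("DKIM-Signature", []):
        t = _tags(str(sig))
        signed = [h.lower() for h in t.get("h", "").split(":")]
        if t.get("d", "").lower() == from_domain and "from" in signed \
                and from_domain in passed:
            return True
    return False

def sample(from_addr, d, h, authserv=TRUSTED_AUTHSERV):
    """Constructed test message; domains and signature values are placeholders."""
    return (f"Authentication-Results: {authserv}; dkim=pass header.d={d}\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel; h={h}; bh=x; b=y\n"
            f"From: {from_addr}\nTo: list@lists.example.org\nSubject: hi\n\nbody\n")
```

The check does not redo the cryptographic verification; it relies on the MTA having verified the signature and recorded the result, which is the division of labour the message describes.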