Automated emails sent by LibriVox forum - question

gont
Posts: 47
Joined: September 5th, 2022, 11:31 am

Post by gont »

Hi there,
I was wondering who's in charge of the IT-related aspects of LibriVox?
It seems like LibriVox Forum automated emails are sent unsigned and in quite an outdated fashion (not using DKIM and not enforcing DMARC).

Best,
redrun
LibriVox Admin Team
Posts: 2756
Joined: August 11th, 2022, 8:32 pm

Post by redrun »

I haven't been here long, but I don't see that this question's been answered recently. Hopefully someone with direct knowledge can settle the question, but meanwhile:

My guess is, the Archive.org folks keep the wheels turning, but in the absence of a budget and a project description, IT things are unlikely to change.

Probably the best bets on this front would be to email postmaster@, or to get in contact with Archive.org:
https://archive.org/about/contact.php
Rapunzelina
LibriVox Admin Team
Posts: 17624
Joined: November 15th, 2011, 3:47 am

Post by Rapunzelina »

We do use the servers and bandwidth from archive.org but the IT side of our website and forum is independent.
I don't understand the issue discussed - I am not familiar with email technology. I would assume these are the default settings used by the forum infrastructure. How important is the issue, does it cause any problems? If it works anyway, I would say it's not worth spending any of our limited resources on it.
TriciaG
LibriVox Admin Team
Posts: 60512
Joined: June 15th, 2008, 10:30 pm
Location: Toronto, ON (but Minnesotan to age 32)

Post by TriciaG »

Do we need DKIM and DMARC?

These, from a quick web search, are methods to prevent email spoofing. We don't collect personal information on our members, and we don't collect payments or anything. If someone stole a member's credentials through a spoofed Topic Reply Notification, they'd get very little reward.

Edit to add: I'm 99% sure the emails are managed by the phpBB forum software.
Serial novel: The Wandering Jew
Medieval England meets Civil War Americans: Centuries Apart
Humor: My Lady Nicotine
knotyouraveragejo
LibriVox Admin Team
Posts: 22067
Joined: November 18th, 2006, 4:37 pm

Post by knotyouraveragejo »

That's correct.

LibriVox only sends emails to forum members who have requested them through the settings in their forum profile. We do not send out general or mass emails with extremely few exceptions and only under unusual circumstances.
Jo
redrun
LibriVox Admin Team
Posts: 2756
Joined: August 11th, 2022, 8:32 pm

Post by redrun »

TriciaG wrote (October 3rd, 2022, 5:04 am): "Do we need DKIM and DMARC?"
At the risk of making some assumptions, and you know what they say...
Gont, I've thankfully not had to do much of this type of work, and not lately, so I'm definitely open to correction.

Edit: various edits made for readability. I hope I've broken this answer down so it's useful at various levels.

--

Short answer

Probably not. We may have missed a few potential volunteers, but we know of at least one way to check if that's the case.

--

Helpful answer

In general, having DMARC also makes it less likely that real LibriVox messages will be flagged as spam, or blocked entirely. As Jo mentions, we do have some other things that help us here.
This obviously didn't pose a problem for anyone that's on the forum now, but if it's happening to anyone, those would be the folks you never hear from again.

So the question is:
Of the people who have applied to be members and been sent the "Action required to activate LibriVox forum account" message, how many have gone on to follow its instructions, sending a personalized message to the Gmail address?
Some people may decide not to go through with the signup, but if a very high proportion do, we're probably good.
As a bonus, if you've kept track and can compare rates for the "mainstream" (Gmail, MSN, Yahoo) vs. other miscellaneous email addresses, we can put some more certainty behind that.

--

Explanatory answer, longer but light on jargon. Also skimmable.

Spoofing can be quite a bit more serious these days, but yes, we're unlikely to be chosen as a target.
If LibriVox sent me a message saying I needed to update my Audacity version or fill out a form, I'd be pretty suspicious. Most people probably would be. But a few people might click the link, or open the attachment, and wind up installing a program that steals much more than their LV account.
Not setting out to scare anyone, but this does happen, every day. Miscreants find that they can get paid for tricking people into clicking things, and they can trick a lot of people at once by pretending to be a trusted site. The thing that helps us most here is that they don't have a great big list of our email addresses to try all at once.

Keeping the forum software up on security updates is our best defense.


LibriVox is, relatively, an old and well-established sender of emails, so email is probably getting through to everyone.
Any large email provider has been receiving emails from LibriVox, which people have not been reporting as spam, since before DKIM and DMARC became "industry standard". You're grandfathered in, because they know you. New or smaller email providers won't all be aware of this, so DMARC and DKIM could be helpful in reaching people using those services.

See the question in "helpful answer", for just one way of finding out if initial sign-up emails are making it to people as they should.


DKIM is almost certainly more trouble than it's worth, at this point.
The forum software writes the emails, and probably sends them straight out. Many sites have a second server that they send mail through, which makes it easier to set up DKIM and a few other things. So, probably a large change for little gain.
DMARC, though, is easier to set up. It works either with DKIM, or with SPF - which is something we already have! It may make it slightly less likely LV's mail would be blocked, but the real advantage is:

DMARC, which is relatively simple to set up, lets you get better reports on how often your messages get blocked by spam filters.
knotyouraveragejo
LibriVox Admin Team
Posts: 22067
Joined: November 18th, 2006, 4:37 pm

Post by knotyouraveragejo »

Thanks for that detailed explanation of these terms, redrun. As far as registration emails, we do tell people to check their spam folders, but this doesn't seem to be a huge problem anymore. Anyone who is really serious about joining will generally send an email to our info email if they don't get the registration email, so I don't think a lot of people fall through the cracks. At this point most of the major commercial email providers are not blocking emails from LibriVox.
Jo
notartom
Posts: 382
Joined: September 14th, 2012, 4:34 pm

Post by notartom »

The setup we use for sending mail is documented/implemented at https://github.com/LibriVox/librivox-ansible/tree/master/roles/mail

It's been a while since I set it up, but I think we use SPF and nothing else? At least, that's what the DNS records tell me:


[artom@zoe ~]$ dig librivox.org ANY

; <<>> DiG 9.16.33-RH <<>> librivox.org ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48412
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;librivox.org.			IN	ANY

;; ANSWER SECTION:
librivox.org.		1783	IN	TXT	"v=spf1 a ~all"
librivox.org.		1778	IN	MX	10 aspmx3.googlemail.com.
librivox.org.		1778	IN	MX	5 alt1.aspmx.l.google.com.
librivox.org.		1778	IN	MX	10 aspmx2.googlemail.com.
librivox.org.		1778	IN	MX	5 alt2.aspmx.l.google.com.
librivox.org.		1778	IN	MX	1 aspmx.l.google.com.
librivox.org.		875	IN	A	208.70.31.70
librivox.org.		2675	IN	NS	ns14.dnsmadeeasy.com.
librivox.org.		2675	IN	NS	ns12.dnsmadeeasy.com.
librivox.org.		2675	IN	NS	ns13.dnsmadeeasy.com.
librivox.org.		2675	IN	NS	ns15.dnsmadeeasy.com.
librivox.org.		2675	IN	NS	ns11.dnsmadeeasy.com.
librivox.org.		2675	IN	NS	ns10.dnsmadeeasy.com.

It might be easier to set up an account with a mail relay somewhere, so that we don't have to deal with this stuff.
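
Added example (not part of the thread or of LibriVox's configuration): a short Python reading of the SPF record from the dig output above next to a DMARC record, which is published at _dmarc.<domain> rather than at the apex, to illustrate redrun's points that DMARC can sit on top of existing SPF and that it is what turns on reporting. The SPF value is copied from the post; the DMARC value, its example.org report address and the function names are constructed for illustration.

```python
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # RFC 7208

SPF_FROM_POST = "v=spf1 a ~all"  # TXT value shown in the dig output above
# Constructed DMARC value for illustration; not a record LibriVox publishes.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"

def parse_spf(txt):
    """Split an SPF TXT value into (result, mechanism) pairs."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not mechanisms
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default: pass
        parsed.append((QUALIFIERS[qualifier], term.lstrip("+-~?").lower()))
    return parsed

def parse_dmarc(txt):
    """Parse a DMARC TXT value (found at _dmarc.<domain>) into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_txt, dmarc_txt=None):
    """Return plain-language findings for a domain's SPF and DMARC values."""
    spf = parse_spf(spf_txt)
    # Without an explicit "all", the default SPF result is neutral.
    all_result = next((res for res, mech in spf if mech == "all"), "neutral")
    findings = [f"spf: senders not listed get '{all_result}'"]
    if dmarc_txt is None:
        findings.append("dmarc: no record, so no published policy and no reports")
        return findings
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "none")
    mode = "monitoring only" if policy == "none" else "enforced"
    findings.append(f"dmarc: policy '{policy}' ({mode})")
    findings.append("dmarc: aggregate reports go to " + dmarc["rua"]
                    if "rua" in dmarc else "dmarc: no rua tag, no reports")
    return findings

if __name__ == "__main__":
    for line in assess(SPF_FROM_POST) + assess(SPF_FROM_POST, SAMPLE_DMARC):
        print(line)
```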