Page MenuHomePhabricator

Disavow emails from wikipedia.com
Open, NormalPublic

Description

As mentioned on otrs-en-l, ticket 2018010410009047 was complaining about emails purportedly from info@wikipedia.com with blatant advertisements.

Currently, wikipedia.com records are:
SPF: "v=spf1 include:wikimedia.org ~all"
DMARC: "v=DMARC1\; p=none\; sp=none\; rua=mailto:dmarc-rua@wikimedia.org\; ruf=mailto:dmarc-ruf@wikimedia.org\;"

Given that I don't think we have used any @wikipedia.com email address for at least the last 10 years, I propose strengthening them to spf -all and dmarc p=reject, so at least we send a clear signal to the email providers that those emails are not related to us.

Event Timeline

Restricted Application added a project: Traffic. · View Herald TranscriptJan 5 2018, 12:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Krenair added a subscriber: Krenair.Jan 5 2018, 1:35 AM
Restricted Application added a project: Operations. · View Herald TranscriptJan 5 2018, 1:35 AM

I have a funny feeling that fundraising may be using @wikipedia.com aliases in emails.

grin added a subscriber: grin.Jan 5 2018, 7:49 AM

Whoever uses it should be covered by the SPF anyway, that's the point.

wikimedia.org. 597 IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ~all"

revi added a subscriber: revi.Jan 5 2018, 9:42 AM
Gestrid added a subscriber: Gestrid.Jan 5 2018, 4:55 PM

Hi all--just confirming we use the wikipedia.org domain for fundraising emails, but never wikipedia.com. +1 to strengthening DMARC and SPF rules.

faidon assigned this task to herron.Jan 12 2018, 4:32 PM
faidon triaged this task as Normal priority.
faidon removed projects: DNS, Traffic.
Bawolff added a subscriber: Bawolff.

Spent some time looking into this today. Sounds good overall. I'd like to roll these updates out in a phased way, and will need to split wikipedia.com into it's own dns zone file as it's currently an identical copy of wikipedia.org. Will follow up with patches!

Change 409405 had a related patch set uploaded (by Herron; owner: Herron):
[operations/dns@master] change wikipedia.com zone from symlink to file

https://gerrit.wikimedia.org/r/409405

Change 409406 had a related patch set uploaded (by Herron; owner: Herron):
[operations/dns@master] change wikipedia.com SPF record to fail all (-all)

https://gerrit.wikimedia.org/r/409406

Change 409407 had a related patch set uploaded (by Herron; owner: Herron):
[operations/dns@master] change wikipedia.com DMARC domain and subdomain policies to reject

https://gerrit.wikimedia.org/r/409407

Krinkle added a subscriber: Krinkle.EditedFeb 9 2018, 7:22 PM

@herron As follow-up, we should probably remove DNS entries for subdomains that don't have redirects configured.

I checked the ones listed under "Other" as starting point.

  • 15.wikipedia.com: Domain not served (and SSL invalid)
  • bugzilla.wikipedia.com: Works!
  • careers.wikipedia.com: Works!
  • donate.wikipedia.com: Works!
  • download.wikipedia.com: Works!
  • jobs.wikipedia.com: Works!
  • m.wikipedia.com: Works!
  • mail.wikipedia.com: Works!
  • shop.wikipedia.com: Works!
  • stats.wikipedia.com: Domain not served (and SSL invalid)
  • store.wikipedia.com: Works!
  • zero.wikipedia.com: Works!

The ones that don't work should probably be removed. And given it is now a copy, I presume that unless explicitly desired otherwise, that for most new subdomains, we'd add them to wikipedia.org only, right?

faidon moved this task from Backlog to Up Next on the Mail board.Sep 6 2018, 11:59 PM