Page MenuHomePhabricator
Create Task
Maniphest T184230

Disavow emails from wikipedia.com
Open, MediumPublic
Actions

Description

As mentioned on otrs-en-l, ticket 2018010410009047 was complaining about emails purportedly from info@wikipedia.com with blatant advertisements.

Currently, wikipedia.com records are:
SPF: "v=spf1 include:wikimedia.org ~all"
DMARC: "v=DMARC1\; p=none\; sp=none\; rua=mailto:dmarc-rua@wikimedia.org\; ruf=mailto:dmarc-ruf@wikimedia.org\;"

Given that I don't think we have used any @wikipedia.com email address for at least the last 10 years, I propose strengthening them to spf -all and dmarc p=reject, so at least we send a clear signal to the email providers that those emails are not related to us.

Details

ProjectBranchLines +/-Subject
operations/dnsmaster+1 -1change wikipedia.com DMARC domain and subdomain policies to reject
operations/dnsmaster+92 -1change wikipedia.com zone from symlink to file
operations/dnsmaster+1 -1change wikipedia.com SPF record to fail all (-all)
Customize query in gerrit

Event Timeline

Platonides created this task.Jan 5 2018, 12:56 AM
Restricted Application added a project: Traffic. · View Herald TranscriptJan 5 2018, 12:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Krenair added a subscriber: Krenair.Jan 5 2018, 1:35 AM
Restricted Application added a project: SRE. · View Herald TranscriptJan 5 2018, 1:35 AM
Peachey88 added a subscriber: Peachey88.Jan 5 2018, 7:31 AM

I have a funny feeling that fundraising may be using @wikipedia.com aliases in emails.

grin added a subscriber: grin.Jan 5 2018, 7:49 AM

Whoever uses it should be covered by the SPF anyway, that's the point.

wikimedia.org. 597 IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ~all"

revi added a subscriber: revi.Jan 5 2018, 9:42 AM
Gestrid added a subscriber: Gestrid.Jan 5 2018, 4:55 PM
CCogdill_WMF added a subscriber: CCogdill_WMF.Jan 8 2018, 6:15 PM

Hi all--just confirming we use the wikipedia.org domain for fundraising emails, but never wikipedia.com. +1 to strengthening DMARC and SPF rules.

faidon assigned this task to herron.Jan 12 2018, 4:32 PM
faidon triaged this task as Medium priority.
faidon removed projects: DNS, Traffic.
Bawolff awarded a token.Jan 12 2018, 4:35 PM
Bawolff added a subscriber: Bawolff.
herron added a comment.Jan 17 2018, 10:26 PM

Spent some time looking into this today. Sounds good overall. I'd like to roll these updates out in a phased way, and will need to split wikipedia.com into it's own dns zone file as it's currently an identical copy of wikipedia.org. Will follow up with patches!

Krenair awarded a token.Jan 17 2018, 10:27 PM
gerritbot added a subscriber: gerritbot.Feb 9 2018, 6:31 PM

Change 409405 had a related patch set uploaded (by Herron; owner: Herron):
[operations/dns@master] change wikipedia.com zone from symlink to file

https://gerrit.wikimedia.org/r/409405

gerritbot added a project: Patch-For-Review.Feb 9 2018, 6:31 PM

Change 409406 had a related patch set uploaded (by Herron; owner: Herron):
[operations/dns@master] change wikipedia.com SPF record to fail all (-all)

https://gerrit.wikimedia.org/r/409406

gerritbot added a comment.Feb 9 2018, 6:31 PM

Change 409407 had a related patch set uploaded (by Herron; owner: Herron):
[operations/dns@master] change wikipedia.com DMARC domain and subdomain policies to reject

https://gerrit.wikimedia.org/r/409407

Krinkle added a subscriber: Krinkle.EditedFeb 9 2018, 7:22 PM

@herron As follow-up, we should probably remove DNS entries for subdomains that don't have redirects configured.

I checked the ones listed under "Other" as starting point.

  • 15.wikipedia.com: Domain not served (and SSL invalid)
  • bugzilla.wikipedia.com: Works!
  • careers.wikipedia.com: Works!
  • donate.wikipedia.com: Works!
  • download.wikipedia.com: Works!
  • jobs.wikipedia.com: Works!
  • m.wikipedia.com: Works!
  • mail.wikipedia.com: Works!
  • shop.wikipedia.com: Works!
  • stats.wikipedia.com: Domain not served (and SSL invalid)
  • store.wikipedia.com: Works!
  • zero.wikipedia.com: Works!

The ones that don't work should probably be removed. And given it is now a copy, I presume that unless explicitly desired otherwise, that for most new subdomains, we'd add them to wikipedia.org only, right?

OldUser02 added a subscriber: OldUser02.Mar 2 2018, 8:00 PM
faidon moved this task from Backlog to Up Next on the Mail board.Sep 6 2018, 11:59 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:40 PM
Aklapper added a comment.Nov 9 2020, 3:20 PM

Three years later, are there any plans to review or merge herron's three open patches in Gerrit?

Aklapper edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Apr 2 2021, 9:49 AM
Aklapper removed a subscriber: CCogdill_WMF.
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 9:00 PM
Aklapper removed herron as the assignee of this task.Jul 2 2021, 5:21 AM
Aklapper added a subscriber: herron.

Removing task assignee due to inactivity, as this open task has been assigned for more than two years (see emails sent to assignee on May26 and Jun17, and T270544). Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be very welcome!

(See https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator.)

joanna_borun moved this task from Backlog to Up Next on the Infrastructure-Foundations board.Aug 9 2021, 1:31 PM
joanna_borun moved this task from Up Next to Backlog on the Infrastructure-Foundations board.May 26 2023, 2:08 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL