Yahoo breaks every mailing list in the world including the IETF's

"John Levine" <johnl@taugh.com> Mon, 07 April 2014 20:11 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C659C1A026E for <ietf@ietfa.amsl.com>; Mon, 7 Apr 2014 13:11:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.343
X-Spam-Level: **
X-Spam-Status: No, score=2.343 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JbkINjVpySoY for <ietf@ietfa.amsl.com>; Mon, 7 Apr 2014 13:11:39 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) by ietfa.amsl.com (Postfix) with ESMTP id 085FC1A026F for <ietf@ietf.org>; Mon, 7 Apr 2014 13:11:32 -0700 (PDT)
Received: (qmail 53009 invoked from network); 7 Apr 2014 20:11:26 -0000
Received: from miucha.iecc.com (64.57.183.18) by mail1.iecc.com with QMQP; 7 Apr 2014 20:11:26 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:mime-version:content-type:content-transfer-encoding; s=5343066e.xn--30v786c.k1404; i=johnl@user.iecc.com; bh=a8IFGY1og6UTSOGgvB7l6158a15id3zm50i2BWiqo44=; b=Jhjvd1b8WfguhemYGujvV3Dks46UpGDxlDvcfIomwuzq8wcb/SV8p2DGekQy4kU4sldBqv+ie7GQbxonngs3LOw7wukx0BXbrEwQ4fj31pgv/aSV96Z9iLm7bURjhBfSidVw1nPH+4oQXtegUp4I29b6uOTNK3rnCW5x3lGbsZpThhlJSxgTrNqwJeMKR5zQJlAmTKumA1AODOLKcbw1Pu5nPvVQaK7asoRAB76gE6h41AjCAkdQ7VFmSd26e1QM
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:mime-version:content-type:content-transfer-encoding; s=5343066e.xn--30v786c.k1404; bh=a8IFGY1og6UTSOGgvB7l6158a15id3zm50i2BWiqo44=; b=fCmXPaD7VhuYhtHEQiVqxlbG7qja9PdegEJUjmfY0XdyPH4E+opigGuMaKzyNYo7iiiRSHCjHikS242JmUftTc8HtjWQNBwxP5bUKhyv0eZJGhbElPrz/osLcyn1eAyUHSWN1bbxN6J4KcbNevqSygU1zoFGQeuqDWxARg16Kd0CTJsKWlz9fwzcEPg27iTRwmG6qliF5osq2+12zz8JSQnLkHWW54spUBpk+/hnLJRSoij6hm4c3vaa25nt/b+4
Date: 7 Apr 2014 20:11:04 -0000
Message-ID: <20140407201104.42050.qmail@joyce.lan>
From: "John Levine" <johnl@taugh.com>
To: ietf@ietf.org
Subject: Yahoo breaks every mailing list in the world including the IETF's
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/J-IsfA0Lb-6T_NeMD1ENKZyb9tA
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 20:11:48 -0000

DMARC is what one might call an emerging e-mail security scheme.
There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
the independent stream.  It's emerging pretty fast, since many of the
largest mail systems in the world have already implemented it,
including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.

DMARC lets a domain owner make assertions about the From: address, in
particular that mail with their domain on the From: line will have a
DKIM signature with the same domain, or a bounce address in the same
domain that will pass SPF.  They can also offer policy advice about
what to do with mail that doesn't have matching DKIM or SPF, ranging
from nothing to reject the mail in the SMTP session.  The assertions
are in the DNS, in a TXT record at _dmarc.<domain>.  You can see mine
at _dmarc.taugh.com.

For a lot of mail, notably bulk mail sent by companies, DMARC works
great.  For other kinds of mail it works less great, because like
every mail security system, it has an implicit model of the way mail
is delivered that is similar but not identical to the way mail is
actually delivered.

Mailing lists are a particular weak spot for DMARC.  Lists invarably
use their own bounce address in their own domain, so the SPF doesn't
match. Lists generally modify messages via subject tags, body footers,
attachment stripping, and other useful features that break the DKIM
signature.  So on even the most legitimate list mail like, say, the
IETF's, most of the mail fails the DMARC assertions, not due to the
lists doing anything "wrong".

The reason this matters is that over the weekend Yahoo published a
DMARC record with a policy saying to reject all yahoo.com mail that
fails DMARC.  I noticed this because I got a blizzard of bounces from
my church mailing list, when a subscriber sent a message from her
yahoo.com account, and the list got a whole bunch of rejections from
gmail, Yahoo, Hotmail, Comcast, and Yahoo itself.  This is definitely
a DMARC problem, the bounces say so.

The problem for mailing lists isn't limited to the Yahoo subscribers.
Since Yahoo mail provokes bounces from lots of other mail systems,
innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
subscribers' messages, but all those bounces are likely to bounce them
off the lists.  A few years back we had a similar problem due to an
overstrict implementation of DKIM ADSP, but in this case, DMARC is
doing what Yahoo is telling it to do.

Suggestions:

* Suspend posting permission of all yahoo.com addresses, to limit damage

* Tell Yahoo users to get a new mail account somewhere else, pronto, if
  they want to continue using mailing lists

* If you know people at Yahoo, ask if perhaps this wasn't such a good idea

R's,
John