Re: Yahoo breaks every mailing list in the world including the IETF's

S Moonesamy <sm+ietf@elandsys.com> Tue, 08 April 2014 06:35 UTC

Message-Id: <6.2.5.6.2.20140407214815.079d3670@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 07 Apr 2014 23:19:44 -0700
To: John Levine <johnl@taugh.com>, ietf@ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: Yahoo breaks every mailing list in the world including the IETF's
In-Reply-To: <20140407201104.42050.qmail@joyce.lan>
References: <20140407201104.42050.qmail@joyce.lan>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/K4ZIp5110ppdeHccAWkCnAD2dC8
List-Id: IETF-Discussion <ietf.ietf.org>

Hi John,
At 13:11 07-04-2014, John Levine wrote:
>DMARC is what one might call an emerging e-mail security scheme.
>There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
>the independent stream.  It's emerging pretty fast, since many of the
>largest mail systems in the world have already implemented it,
>including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.

[snip]

>Mailing lists are a particular weak spot for DMARC.  Lists invariably
>use their own bounce address in their own domain, so the SPF doesn't
>match. Lists generally modify messages via subject tags, body footers,
>attachment stripping, and other useful features that break the DKIM
>signature.  So on even the most legitimate list mail like, say, the
>IETF's, most of the mail fails the DMARC assertions, not due to the
>lists doing anything "wrong".

From BCP 167:

   "In an idealized world, if an Author knows that the MLM to which a
    message is being sent is a non-participating resending MLM, the
    Author needs to be cautious when deciding whether or not to send a
    signed message to the list."

It will be interesting to see the results when other domains 
implement the specification.

Regards,
S. Moonesamy
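
The failure mode described in the quoted paragraph, as an added example that is not part of the original message: a DKIM "simple" body hash and a DMARC alignment check run over a constructed post, once delivered directly and once relayed by a list that uses its own bounce address and appends a footer. The domains author.example and list.example, the function names and the simplified alignment rule are assumptions made for illustration.

```python
import base64
import hashlib

def simple_body_hash(body: bytes) -> str:
    """DKIM bh= for c=.../simple with SHA-256 (RFC 6376, section 3.4.3)."""
    while body.endswith(b"\r\n"):      # ignore empty lines at the end of the body
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest()).decode()

def aligned(auth_domain: str, from_domain: str) -> bool:
    """Simplified relaxed alignment (assumption): equal, or one is a subdomain of
    the other. Real DMARC compares organizational domains via a public suffix list."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_eval(from_domain, mail_from_domain, spf_pass, dkim_sigs, body):
    """dkim_sigs is a list of (d=, bh=) pairs. Only the body hash is verified here;
    the RSA check over the signed headers is left out of this sketch."""
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain)
    dkim_ok = any(bh == simple_body_hash(body) and aligned(d, from_domain)
                  for d, bh in dkim_sigs)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample message: author.example posts to a list hosted at list.example.
BODY = b"I support adoption of this draft.\r\n"
FOOTER = b"_______________________________\r\nlist mailing list\r\nlist@list.example\r\n"
AUTHOR_SIG = ("author.example", simple_body_hash(BODY))

def direct_delivery():
    # Author's server delivers: bounce address and d= are both in the From: domain.
    return dmarc_eval("author.example", "author.example", True, [AUTHOR_SIG], BODY)

def via_list():
    # The list uses its own bounce address, appends a footer and signs the result.
    relayed = BODY + FOOTER
    list_sig = ("list.example", simple_body_hash(relayed))
    return dmarc_eval("author.example", "list.example", True,
                      [AUTHOR_SIG, list_sig], relayed)

if __name__ == "__main__":
    print("direct:", direct_delivery())
    print("list:  ", via_list())
```

In the relayed case SPF passes and the list's own signature verifies, but both authenticate list.example rather than the From: domain, so neither counts toward DMARC.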