Re: Yahoo breaks every mailing list in the world including the IETF's

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 07 April 2014 20:38 UTC

Message-ID: <53430C95.2070705@gmail.com>
Date: Tue, 08 Apr 2014 08:37:41 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: John Levine <johnl@taugh.com>
Subject: Re: Yahoo breaks every mailing list in the world including the IETF's
References: <20140407201104.42050.qmail@joyce.lan>
In-Reply-To: <20140407201104.42050.qmail@joyce.lan>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/RinBAOkJXsGsztgbEpEK73y2mG4
Cc: ietf@ietf.org

> * Suspend posting permission of all yahoo.com addresses, to limit damage

Mailman admins:

You can find all subscribers with a yahoo address from the mailman
list admin page:
1. select "Membership List"
2. enter "yahoo" in the search box
3. click "Search"

Regards
   Brian

On 08/04/2014 08:11, John Levine wrote:
> DMARC is what one might call an emerging e-mail security scheme.
> There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
> the independent stream.  It's emerging pretty fast, since many of the
> largest mail systems in the world have already implemented it,
> including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.
> 
> DMARC lets a domain owner make assertions about the From: address, in
> particular that mail with their domain on the From: line will have a
> DKIM signature with the same domain, or a bounce address in the same
> domain that will pass SPF.  They can also offer policy advice about
> what to do with mail that doesn't have matching DKIM or SPF, ranging
> from nothing to reject the mail in the SMTP session.  The assertions
> are in the DNS, in a TXT record at _dmarc.<domain>.  You can see mine
> at _dmarc.taugh.com.
> 
> For a lot of mail, notably bulk mail sent by companies, DMARC works
> great.  For other kinds of mail it works less great, because like
> every mail security system, it has an implicit model of the way mail
> is delivered that is similar but not identical to the way mail is
> actually delivered.
> 
> Mailing lists are a particular weak spot for DMARC.  Lists invariably
> use their own bounce address in their own domain, so the SPF doesn't
> match. Lists generally modify messages via subject tags, body footers,
> attachment stripping, and other useful features that break the DKIM
> signature.  So on even the most legitimate list mail like, say, the
> IETF's, most of the mail fails the DMARC assertions, not due to the
> lists doing anything "wrong".
> 
> The reason this matters is that over the weekend Yahoo published a
> DMARC record with a policy saying to reject all yahoo.com mail that
> fails DMARC.  I noticed this because I got a blizzard of bounces from
> my church mailing list, when a subscriber sent a message from her
> yahoo.com account, and the list got a whole bunch of rejections from
> gmail, Yahoo, Hotmail, Comcast, and Yahoo itself.  This is definitely
> a DMARC problem, the bounces say so.
> 
> The problem for mailing lists isn't limited to the Yahoo subscribers.
> Since Yahoo mail provokes bounces from lots of other mail systems,
> innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
> subscribers' messages, but all those bounces are likely to bounce them
> off the lists.  A few years back we had a similar problem due to an
> overstrict implementation of DKIM ADSP, but in this case, DMARC is
> doing what Yahoo is telling it to do.
> 
> Suggestions:
> 
> * Suspend posting permission of all yahoo.com addresses, to limit damage
> 
> * Tell Yahoo users to get a new mail account somewhere else, pronto, if
>   they want to continue using mailing lists
> 
> * If you know people at Yahoo, ask if perhaps this wasn't such a good idea
> 
> R's,
> John
> 
>
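The alignment logic John's post describes, worked as an added example that is not code from the thread or from any real DMARC implementation: a small Python evaluator parses a `_dmarc.<domain>` TXT record, checks DKIM and SPF identifier alignment against the From: domain, and runs the yahoo.com-author-through-a-list scenario. The record text and the organizational-domain rule (last two labels rather than the Public Suffix List) are assumptions.

```python
def parse_dmarc_record(txt):
    """Parse the tag=value pairs of a _dmarc.<domain> TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels; real code uses the Public Suffix List.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs identical domains; relaxed ('r') the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(record, from_domain, dkim_results, spf_result):
    """dkim_results: [(d= domain, signature verified)]; spf_result: (MAIL FROM domain, spf passed).
    Returns (dmarc result, disposition requested by the record's p= tag)."""
    tags = parse_dmarc_record(record)
    dkim_ok = any(ok and aligned(from_domain, d, tags["adkim"]) for d, ok in dkim_results)
    spf_domain, spf_pass = spf_result
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", tags["p"]

# Constructed record standing in for the p=reject policy the thread describes
# (assumption: not Yahoo's literal record text).
YAHOO_POLICY = "v=DMARC1; p=reject"

def direct_mail():
    # Author's own DKIM signature intact, bounce address in yahoo.com: aligned on both.
    return evaluate_dmarc(YAHOO_POLICY, "yahoo.com", [("yahoo.com", True)], ("yahoo.com", True))

def via_mailing_list():
    # Subject tag/footer broke the author's signature; even a fresh ietf.org signature
    # and the list's own bounce address leave nothing aligned with the From: domain.
    return evaluate_dmarc(YAHOO_POLICY, "yahoo.com",
                          [("yahoo.com", False), ("ietf.org", True)], ("ietf.org", True))

if __name__ == "__main__":
    print("direct:", direct_mail(), "via list:", via_mailing_list())
```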