Re: Yahoo breaks every mailing list in the world including the IETF's
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 07 April 2014 20:38 UTC
Message-ID: <53430C95.2070705@gmail.com>
Date: Tue, 08 Apr 2014 08:37:41 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: John Levine <johnl@taugh.com>
Subject: Re: Yahoo breaks every mailing list in the world including the IETF's
References: <20140407201104.42050.qmail@joyce.lan>
In-Reply-To: <20140407201104.42050.qmail@joyce.lan>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/RinBAOkJXsGsztgbEpEK73y2mG4
Cc: ietf@ietf.org

> * Suspend posting permission of all yahoo.com addresses, to limit damage

Mailman admins: You can find all subscribers with a yahoo address
from the mailman list admin page:

1. select "Membership List"
2. enter "yahoo" in the search box
3. click "Search"

Regards
   Brian

On 08/04/2014 08:11, John Levine wrote:
> DMARC is what one might call an emerging e-mail security scheme.
> There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
> the independent stream. It's emerging pretty fast, since many of the
> largest mail systems in the world have already implemented it,
> including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.
>
> DMARC lets a domain owner make assertions about the From: address, in
> particular that mail with their domain on the From: line will have a
> DKIM signature with the same domain, or a bounce address in the same
> domain that will pass SPF. They can also offer policy advice about
> what to do with mail that doesn't have matching DKIM or SPF, ranging
> from nothing to reject the mail in the SMTP session. The assertions
> are in the DNS, in a TXT record at _dmarc.<domain>. You can see mine
> at _dmarc.taugh.com.
>
> For a lot of mail, notably bulk mail sent by companies, DMARC works
> great. For other kinds of mail it works less great, because like
> every mail security system, it has an implicit model of the way mail
> is delivered that is similar but not identical to the way mail is
> actually delivered.
>
> Mailing lists are a particular weak spot for DMARC. Lists invariably
> use their own bounce address in their own domain, so the SPF doesn't
> match. Lists generally modify messages via subject tags, body footers,
> attachment stripping, and other useful features that break the DKIM
> signature. So on even the most legitimate list mail like, say, the
> IETF's, most of the mail fails the DMARC assertions, not due to the
> lists doing anything "wrong".
>
> The reason this matters is that over the weekend Yahoo published a
> DMARC record with a policy saying to reject all yahoo.com mail that
> fails DMARC. I noticed this because I got a blizzard of bounces from
> my church mailing list, when a subscriber sent a message from her
> yahoo.com account, and the list got a whole bunch of rejections from
> gmail, Yahoo, Hotmail, Comcast, and Yahoo itself. This is definitely
> a DMARC problem, the bounces say so.
>
> The problem for mailing lists isn't limited to the Yahoo subscribers.
> Since Yahoo mail provokes bounces from lots of other mail systems,
> innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
> subscribers' messages, but all those bounces are likely to bounce them
> off the lists. A few years back we had a similar problem due to an
> overstrict implementation of DKIM ADSP, but in this case, DMARC is
> doing what Yahoo is telling it to do.
>
> Suggestions:
>
> * Suspend posting permission of all yahoo.com addresses, to limit damage
>
> * Tell Yahoo users to get a new mail account somewhere else, pronto, if
>   they want to continue using mailing lists
>
> * If you know people at Yahoo, ask if perhaps this wasn't such a good idea
>
> R's,
> John
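
Added example, not part of the original messages: a simplified Python evaluation of the DMARC check described in the quoted text, showing why the same post passes when delivered directly and fails under a reject policy once a list has relayed it. The domains, the record and the two-label organizational-domain shortcut are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

def parse_dmarc(txt: str) -> dict:
    """Parse the TXT record found at _dmarc.<domain> into tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real
    # evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str            # domain on the From: line
    envelope_from: str          # bounce-address domain that SPF checked
    spf_pass: bool
    dkim_domain: Optional[str]  # d= of the DKIM signature, if present
    dkim_valid: bool            # False once the body or subject was altered

def dmarc_disposition(msg: Message, record: str) -> str:
    """Return 'pass', or the published policy (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(
        msg.envelope_from, msg.header_from, tags.get("aspf", "r"))
    dkim_ok = (msg.dkim_valid and msg.dkim_domain is not None and aligned(
        msg.dkim_domain, msg.header_from, tags.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed sample data: a reject policy and the same post seen twice.
RECORD = "v=DMARC1; p=reject"
direct = Message("sender.example", "sender.example", True, "sender.example", True)
via_list = Message("sender.example", "list.example", True, "sender.example", False)

if __name__ == "__main__":
    print("direct:  ", dmarc_disposition(direct, RECORD))
    print("via list:", dmarc_disposition(via_list, RECORD))
```

In the list-relayed case SPF still passes, but for the list's own bounce domain, so it is not aligned with the From: domain; the DKIM signature names the right domain but no longer verifies after the list's modifications.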