Re: Yahoo breaks every mailing list in the world including the IETF's

Brian E Carpenter <> Mon, 07 April 2014 20:38 UTC

Date: Tue, 08 Apr 2014 08:37:41 +1200
From: Brian E Carpenter <>
Organization: University of Auckland
To: John Levine <>
Subject: Re: Yahoo breaks every mailing list in the world including the IETF's
References: <20140407201104.42050.qmail@joyce.lan>
In-Reply-To: <20140407201104.42050.qmail@joyce.lan>

> * Suspend posting permission of all addresses, to limit damage

Mailman admins:

You can find all subscribers with a yahoo address from the mailman
list admin page:
1. select "Membership List"
2. enter "yahoo" in the search box
3. click "Search"


On 08/04/2014 08:11, John Levine wrote:
> DMARC is what one might call an emerging e-mail security scheme.
> There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
> the independent stream.  It's emerging pretty fast, since many of the
> largest mail systems in the world have already implemented it,
> including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.
>
> DMARC lets a domain owner make assertions about the From: address, in
> particular that mail with their domain on the From: line will have a
> DKIM signature with the same domain, or a bounce address in the same
> domain that will pass SPF.  They can also offer policy advice about
> what to do with mail that doesn't have matching DKIM or SPF, ranging
> from nothing to reject the mail in the SMTP session.  The assertions
> are in the DNS, in a TXT record at _dmarc.<domain>.  You can see mine
> at
>
> For a lot of mail, notably bulk mail sent by companies, DMARC works
> great.  For other kinds of mail it works less great, because like
> every mail security system, it has an implicit model of the way mail
> is delivered that is similar but not identical to the way mail is
> actually delivered.
>
> Mailing lists are a particular weak spot for DMARC.  Lists invariably
> use their own bounce address in their own domain, so the SPF doesn't
> match. Lists generally modify messages via subject tags, body footers,
> attachment stripping, and other useful features that break the DKIM
> signature.  So on even the most legitimate list mail like, say, the
> IETF's, most of the mail fails the DMARC assertions, not due to the
> lists doing anything "wrong".
>
> The reason this matters is that over the weekend Yahoo published a
> DMARC record with a policy saying to reject all mail that
> fails DMARC.  I noticed this because I got a blizzard of bounces from
> my church mailing list, when a subscriber sent a message from her
> account, and the list got a whole bunch of rejections from
> gmail, Yahoo, Hotmail, Comcast, and Yahoo itself.  This is definitely
> a DMARC problem, the bounces say so.
>
> The problem for mailing lists isn't limited to the Yahoo subscribers.
> Since Yahoo mail provokes bounces from lots of other mail systems,
> innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
> subscribers' messages, but all those bounces are likely to bounce them
> off the lists.  A few years back we had a similar problem due to an
> overstrict implementation of DKIM ADSP, but in this case, DMARC is
> doing what Yahoo is telling it to do.
>
> Suggestions:
>
> * Suspend posting permission of all addresses, to limit damage
> * Tell Yahoo users to get a new mail account somewhere else, pronto, if
>   they want to continue using mailing lists
> * If you know people at Yahoo, ask if perhaps this wasn't such a good idea
>
> R's,
> John
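
The alignment check described in the quoted message, as an added example that is not part of either post: it evaluates the same message sent directly and relayed through a list against a `p=reject` record. The domains, the record text, the message dicts and the two-label `org_domain` shortcut are assumptions made for illustration; real receivers use the Public Suffix List and do the SPF and DKIM verification themselves.

```python
"""DMARC alignment for direct vs. list-relayed mail (constructed sample data)."""

def parse_dmarc(txt):
    """Parse a _dmarc TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(msg, record):
    """Return (dmarc_pass, disposition) for a message with SPF/DKIM results attached."""
    policy = parse_dmarc(record)
    if policy is None:
        return None, "no-policy"
    from_dom = msg["from"].rsplit("@", 1)[1]
    bounce_dom = msg["mail_from"].rsplit("@", 1)[1]
    # SPF counts only if it passed AND the bounce domain matches the From: domain.
    spf_ok = msg["spf_pass"] and aligned(bounce_dom, from_dom, policy.get("aspf", "r"))
    # DKIM counts only if a signature verified AND its d= matches the From: domain.
    dkim_ok = any(valid and aligned(d, from_dom, policy.get("adkim", "r"))
                  for d, valid in msg["dkim"])
    passed = spf_ok or dkim_ok
    return passed, "deliver" if passed else policy.get("p", "none")

# Constructed record and messages; not taken from the thread.
RECORD = "v=DMARC1; p=reject"
DIRECT = {"from": "alice@sender.example", "mail_from": "alice@sender.example",
          "spf_pass": True, "dkim": [("sender.example", True)]}
# The list uses its own bounce address (SPF passes, but for the list's domain)
# and adds a subject tag and footer, so the author's DKIM signature no longer verifies.
VIA_LIST = {"from": "alice@sender.example",
            "mail_from": "list-bounces@lists.example.org",
            "spf_pass": True, "dkim": [("sender.example", False)]}

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("via list", VIA_LIST)):
        print(name, evaluate(msg, RECORD))
```

The list copy fails both checks even though nothing about it is forged, which is why every subscriber whose provider enforces the policy sees a rejection.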