Re: Yahoo breaks every mailing list in the world including the IETF's

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 07 April 2014 20:38 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1FE31A0259 for <ietf@ietfa.amsl.com>; Mon, 7 Apr 2014 13:38:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yCNhDsXnK92A for <ietf@ietfa.amsl.com>; Mon, 7 Apr 2014 13:37:54 -0700 (PDT)
Received: from mail-pb0-x231.google.com (mail-pb0-x231.google.com [IPv6:2607:f8b0:400e:c01::231]) by ietfa.amsl.com (Postfix) with ESMTP id 316611A082B for <ietf@ietf.org>; Mon, 7 Apr 2014 13:37:48 -0700 (PDT)
Received: by mail-pb0-f49.google.com with SMTP id jt11so7181234pbb.8 for <ietf@ietf.org>; Mon, 07 Apr 2014 13:37:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=5y1OlPoE/jWszBv3A08qPrf8OngpcDWC0G+85MZ82Tc=; b=K5eGyxMxh4eQhgeaWDO1DuKdtgj7znh2E3FQuX7ps8gkbzfxw/5msepTF9axyFkvHH ZO3qUUoOPJz3OgZRn1nGEuyr7fmRiyoIzZrEJVreLDwImcrc5OGYGWlFlW/VeIn/w6N/ cbxDqUzu356tRg+dvUqUaWWRUQycOkUiJOKNVCL0Y6sh/rpnEwpXtSixZIorsvQay5Ws 5y67EfHqYR6ONe9i32bKmCloOgXE20ZNqc9XDAtGdq0vVOW3zOn+WLD0Dp0hdEFAcwQ4 N8MafXBPVarBvb3JeDDr5UEG5uBxxCVqS2znIvOtHYRlr1kfycwr8uxVHY/lAY5BwPav lQtQ==
X-Received: by 10.67.1.106 with SMTP id bf10mr22753040pad.78.1396903062655; Mon, 07 Apr 2014 13:37:42 -0700 (PDT)
Received: from [192.168.178.23] (211.197.69.111.dynamic.snap.net.nz. [111.69.197.211]) by mx.google.com with ESMTPSA id et3sm38741038pbc.52.2014.04.07.13.37.40 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 07 Apr 2014 13:37:42 -0700 (PDT)
Message-ID: <53430C95.2070705@gmail.com>
Date: Tue, 08 Apr 2014 08:37:41 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: John Levine <johnl@taugh.com>
Subject: Re: Yahoo breaks every mailing list in the world including the IETF's
References: <20140407201104.42050.qmail@joyce.lan>
In-Reply-To: <20140407201104.42050.qmail@joyce.lan>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/RinBAOkJXsGsztgbEpEK73y2mG4
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 20:38:01 -0000

> * Suspend posting permission of all yahoo.com addresses, to limit damage

Mailman admins:

You can find all subscribers with a yahoo address from the mailman
list admin page:
1. select "Membership List"
2. enter "yahoo" in the search box
3. click "Search"

Regards
   Brian

On 08/04/2014 08:11, John Levine wrote:
> DMARC is what one might call an emerging e-mail security scheme.
> There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
> the independent stream.  It's emerging pretty fast, since many of the
> largest mail systems in the world have already implemented it,
> including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.
> 
> DMARC lets a domain owner make assertions about the From: address, in
> particular that mail with their domain on the From: line will have a
> DKIM signature with the same domain, or a bounce address in the same
> domain that will pass SPF.  They can also offer policy advice about
> what to do with mail that doesn't have matching DKIM or SPF, ranging
> from nothing to reject the mail in the SMTP session.  The assertions
> are in the DNS, in a TXT record at _dmarc.<domain>.  You can see mine
> at _dmarc.taugh.com.
> 
> For a lot of mail, notably bulk mail sent by companies, DMARC works
> great.  For other kinds of mail it works less great, because like
> every mail security system, it has an implicit model of the way mail
> is delivered that is similar but not identical to the way mail is
> actually delivered.
> 
> Mailing lists are a particular weak spot for DMARC.  Lists invarably
> use their own bounce address in their own domain, so the SPF doesn't
> match. Lists generally modify messages via subject tags, body footers,
> attachment stripping, and other useful features that break the DKIM
> signature.  So on even the most legitimate list mail like, say, the
> IETF's, most of the mail fails the DMARC assertions, not due to the
> lists doing anything "wrong".
> 
> The reason this matters is that over the weekend Yahoo published a
> DMARC record with a policy saying to reject all yahoo.com mail that
> fails DMARC.  I noticed this because I got a blizzard of bounces from
> my church mailing list, when a subscriber sent a message from her
> yahoo.com account, and the list got a whole bunch of rejections from
> gmail, Yahoo, Hotmail, Comcast, and Yahoo itself.  This is definitely
> a DMARC problem, the bounces say so.
> 
> The problem for mailing lists isn't limited to the Yahoo subscribers.
> Since Yahoo mail provokes bounces from lots of other mail systems,
> innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
> subscribers' messages, but all those bounces are likely to bounce them
> off the lists.  A few years back we had a similar problem due to an
> overstrict implementation of DKIM ADSP, but in this case, DMARC is
> doing what Yahoo is telling it to do.
> 
> Suggestions:
> 
> * Suspend posting permission of all yahoo.com addresses, to limit damage
> 
> * Tell Yahoo users to get a new mail account somewhere else, pronto, if
>   they want to continue using mailing lists
> 
> * If you know people at Yahoo, ask if perhaps this wasn't such a good idea
> 
> R's,
> John
> 
>