Re: DMARC and yahoo

Theodore Ts'o <tytso@mit.edu> Wed, 16 April 2014 02:38 UTC

Return-Path: <tytso@thunk.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A30F1A0009 for <ietf@ietfa.amsl.com>; Tue, 15 Apr 2014 19:38:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.173
X-Spam-Level:
X-Spam-Status: No, score=-2.173 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KY4d4PpmB0MH for <ietf@ietfa.amsl.com>; Tue, 15 Apr 2014 19:38:19 -0700 (PDT)
Received: from imap.thunk.org (imap.thunk.org [IPv6:2600:3c02::f03c:91ff:fe96:be03]) by ietfa.amsl.com (Postfix) with ESMTP id 7010B1A0011 for <ietf@ietf.org>; Tue, 15 Apr 2014 19:38:19 -0700 (PDT)
Received: from root (helo=closure.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.80) (envelope-from <tytso@thunk.org>) id 1WaFjq-0004H4-7n; Wed, 16 Apr 2014 02:38:14 +0000
Received: by closure.thunk.org (Postfix, from userid 15806) id 5A399580893; Tue, 15 Apr 2014 22:38:13 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=thunk.org; s=ef5046eb; t=1397615893; bh=I2IqAYlgIC9a8RZpI00rvlYt92W6gdo6X3Y0y/ejQ54=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=mVazR9XUSg7P273/akL7Y5d6vRUnNbBiQzSjKBhzJbFu9Jc0yNKjlecwQnXrDnomy P2LW/YTaew5xtOLO3SfW4DmX1hQGca+a9qmyKBnEbLzqR+cjzNoYhy7RRhK0dcmqcK pjfYOsBgjV63klmHIN1P51IGLhN0Z1mthbwkt8kk=
Date: Tue, 15 Apr 2014 22:38:13 -0400
From: Theodore Ts'o <tytso@mit.edu>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Subject: Re: DMARC and yahoo
Message-ID: <20140416023813.GA21807@thunk.org>
References: <CAKW6Ri6OUmxGaBOGR2hoWpDOGWsVQ9tQ2Q9ogkT5wzFhFJLBbQ@mail.gmail.com> <534D9C2C.8010606@gmail.com> <20140415214348.GL4456@thunk.org> <1397607352.389753533@f361.i.mail.ru> <534DCFFB.4080102@gmail.com> <20140416012205.GC12078@thunk.org> <24986.1397615002@sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <24986.1397615002@sandelman.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: tytso@thunk.org
X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/o-LbCatkkJJyM0tMgRcirGf2x6k
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 02:38:22 -0000

On Tue, Apr 15, 2014 at 10:23:22PM -0400, Michael Richardson wrote:
> So, as a WG chair, a person known to me just tried to post to the list
> From a brand new yahoo.com mail account.  They aren't subscribed with that
> address.  I would normally just approve, and add them...
> 
> It seems to me that I must now actually reject, because it would affect other
> subscribers.
> 
> I'm now thinking that we need to remove all the @yahoo.com addresses from
> posting to ietf mailing lists.

So on my mailman configuration (which I believe is the default), if
alice@hotmail.com receives 5 hard fail bounces she will get
automatically suspended from the mailing list.  So a single e-mail
from a @yahoo.com address won't cause damage, and if seven days go by
without any further bounce messages, the "bounce counter" gets reset
to zero.  The problem comes if you have many e-mail messages from
yahoo.com users (which according to yahoo and the DMARC cheerleaders,
shouldn't happen happen, because mailing list traffic is
"insignificant" :-).

So this is what I've done on my church mailman setup.  First of all,
I've disabled bounce processing, so even if a yahoo.com posting slips
by, it won't do any damage.  (It does mean more bounce mail will end
up going to the list-owner address, which I'll then have to manually
deal with, but as a short-term hack, I'm willing to live with it).
Secondly, I've taken all of the yahoo.com users, and set the
moderation bit, so if they do send e-mail, it will be held for
moderation.

I can then manually cut and paste their e-mail and send it to them on
their behalf.  Unfortunately, about 25% of my church's governing board
is using Yahoo, and so this is something I was willing to do as a
short-term remediation, since I didn't want to just bounce their
e-mail or let their e-mail cause other Vestry members to be removed
from the mailing list.

In the long-term, I'm going to try to convince some of them to move to
another mail provider, or at least use another mail provider for
church business.  I'll also try to see if I can get a patch to mailman
so it will do the "username@yahoo.com" -> "username@yahoo.com.INVALID"
from header rewrite.  But that's not something I can do on short
notice, since this is a rather busy week for me.

I don't know what the ietf.org secretariat should do.  My short-term
remediations aren't very scalable, so what works for a small church
probably wouldn't work for the entire IETF.

What a mess.

							- Ted