(Fwd) Fw: Fwd: Yahoo breaks every mailing list in the world in shadow@xxxxxx (10 Apr 2014 00:08 UTC)

(Fwd) Fw: Fwd: Yahoo breaks every mailing list in the world in shadow@xxxxxx 10 Apr 2014 00:07 UTC
------- Forwarded message follows -------
Date sent:	Mon, 7 Apr 2014 20:39:40 -0700 (PDT)
Subject:	Fw: Fwd: Yahoo breaks every mailing list in the world including the IETF's

Do you follow the IETF general discussion list?

-------- Original Message --------
        Subject: Yahoo breaks every mailing list in the world including the
        IETF's
        Date: 7 Apr 2014 20:11:04 -0000
        From: John Levine <xxxxxx@taugh.com>
        To: xxxxxx@ietf.org

        DMARC is what one might call an emerging e-mail security scheme.
        There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
        the independent stream. It's emerging pretty fast, since many of the
        largest mail systems in the world have already implemented it,
        including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.

        DMARC lets a domain owner make assertions about the From: address, in
        particular that mail with their domain on the From: line will have a
        DKIM signature with the same domain, or a bounce address in the same
        domain that will pass SPF. They can also offer policy advice about
        what to do with mail that doesn't have matching DKIM or SPF, ranging
        from nothing to reject the mail in the SMTP session. The assertions
        are in the DNS, in a TXT record at _dmarc.<domain>. You can see mine
        at _dmarc.taugh.com.

        For a lot of mail, notably bulk mail sent by companies, DMARC works
        great. For other kinds of mail it works less great, because like
        every mail security system, it has an implicit model of the way mail
        is delivered that is similar but not identical to the way mail is
        actually delivered.

        Mailing lists are a particular weak spot for DMARC. Lists invarably
        use their own bounce address in their own domain, so the SPF doesn't
        match. Lists generally modify messages via subject tags, body footers,
        attachment stripping, and other useful features that break the DKIM
        signature. So on even the most legitimate list mail like, say, the
        IETF's, most of the mail fails the DMARC assertions, not due to the
        lists doing anything "wrong".

        The reason this matters is that over the weekend Yahoo published a
        DMARC record with a policy saying to reject all yahoo.com mail that
        fails DMARC. I noticed this because I got a blizzard of bounces from
        my church mailing list, when a subscriber sent a message from her
        yahoo.com account, and the list got a whole bunch of rejections from
        gmail, Yahoo, Hotmail, Comcast, and Yahoo itself. This is definitely
        a DMARC problem, the bounces say so.

        The problem for mailing lists isn't limited to the Yahoo subscribers.
        Since Yahoo mail provokes bounces from lots of other mail systems,
        innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
        subscribers' messages, but all those bounces are likely to bounce them
        off the lists. A few years back we had a similar problem due to an
        overstrict implementation of DKIM ADSP, but in this case, DMARC is
        doing what Yahoo is telling it to do.

        Suggestions:

        * Suspend posting permission of all yahoo.com addresses, to limit
        damage

        * Tell Yahoo users to get a new mail account somewhere else, pronto,
        if
         they want to continue using mailing lists

        * If you know people at Yahoo, ask if perhaps this wasn't such a good
        idea

        R's,
        John

------- End of forwarded message -------
--
Leonard Erickson (aka shadow)
shadow at shadowgard dot com