www.nettime.org
Nettime mailing list archives

<nettime> John Levine: Yahoo breaks every mailing list in the world incl
nettime's_weakest_link on Wed, 9 Apr 2014 14:22:55 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> John Levine: Yahoo breaks every mailing list in the world including the IETF's


< http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html >


       Yahoo breaks every mailing list in the world including the IETF's
     __________________________________________________________________

     * From: "John Levine" <[14]johnl at taugh.com>
     * To: [15]ietf at ietf.org
     * Date: 7 Apr 2014 20:11:04 -0000
     __________________________________________________________________

DMARC is what one might call an emerging e-mail security scheme.
There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
the independent stream.  It's emerging pretty fast, since many of the
largest mail systems in the world have already implemented it,
including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.

DMARC lets a domain owner make assertions about the From: address, in
particular that mail with their domain on the From: line will have a
DKIM signature with the same domain, or a bounce address in the same
domain that will pass SPF.  They can also offer policy advice about
what to do with mail that doesn't have matching DKIM or SPF, ranging
from nothing to reject the mail in the SMTP session.  The assertions
are in the DNS, in a TXT record at _dmarc.<domain>.  You can see mine
at _dmarc.taugh.com.

For a lot of mail, notably bulk mail sent by companies, DMARC works
great.  For other kinds of mail it works less great, because like
every mail security system, it has an implicit model of the way mail
is delivered that is similar but not identical to the way mail is
actually delivered.

Mailing lists are a particular weak spot for DMARC.  Lists invarably
use their own bounce address in their own domain, so the SPF doesn't
match. Lists generally modify messages via subject tags, body footers,
attachment stripping, and other useful features that break the DKIM
signature.  So on even the most legitimate list mail like, say, the
IETF's, most of the mail fails the DMARC assertions, not due to the
lists doing anything "wrong".

The reason this matters is that over the weekend Yahoo published a
DMARC record with a policy saying to reject all yahoo.com mail that
fails DMARC.  I noticed this because I got a blizzard of bounces from
my church mailing list, when a subscriber sent a message from her
yahoo.com account, and the list got a whole bunch of rejections from
gmail, Yahoo, Hotmail, Comcast, and Yahoo itself.  This is definitely
a DMARC problem, the bounces say so.

The problem for mailing lists isn't limited to the Yahoo subscribers.
Since Yahoo mail provokes bounces from lots of other mail systems,
innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
subscribers' messages, but all those bounces are likely to bounce them
off the lists.  A few years back we had a similar problem due to an
overstrict implementation of DKIM ADSP, but in this case, DMARC is
doing what Yahoo is telling it to do.

Suggestions:

* Suspend posting permission of all yahoo.com addresses, to limit damage

* Tell Yahoo users to get a new mail account somewhere else, pronto, if
  they want to continue using mailing lists

* If you know people at Yahoo, ask if perhaps this wasn't such a good idea

R's,
John

     __________________________________________________________________

<...>

   Note Well: Messages sent to this mailing list are the opinions of the
   senders and do not imply endorsement by the IETF.

    Note: Messages sent to this list are the opinions of the senders and do not
    imply endorsement by the IETF.


#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime {AT} kein.org