DMARC -> CERT?

Just a thought. I keep thinking that Yahoo's publishing of their "p=reject" policy, and the subsequent massive denial of service to lots of list traffic might be viewed as a "computer security" incident.

Anybody think that reporting via CERT channels might be an appropriate response?

(I do, and probably will - but curious what others think.)

Miles Fidelman

I would recommend reading these two blog entries first:

http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users
and
http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders-do

Then, I would ask--if the situation is deemed CERT-worthy,
what is the emergency the community is being asked to
respond to? Is it that Yahoo has decided, after many years,
to start taking action to tighten down email abuse? Or is the
emergency that too many mailing lists operate fast-and-loose
with email headers, and that we as a community need to take
swift and immediate action to fix mailing lists to correctly
identify and attribute the true source of messages from
the lists?

My internal guess, based on the years and years of
griping about forged sender spam that I've seen on
this list, among others, is that the latter case is the
emergency to which you are seeking a call to action.

Thanks!

Matt

Matthew Petach wrote:

    Just a thought. I keep thinking that Yahoo's publishing of their
    "p=reject" policy, and the subsequent massive denial of service to
    lots of list traffic might be viewed as a "computer security"
    incident.

    Anybody think that reporting via CERT channels might be an
    appropriate response?

    (I do, and probably will - but curious what others think.)

    Miles Fidelman

    -- In theory, there is no difference between theory and practice.
    In practice, there is. .... Yogi Berra

    I would recommend reading these two blog entries first:

    http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users
    and
    http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders-do

    Then, I would ask--if the situation is deemed CERT-worthy,
    what is the emergency the community is being asked to
    respond to? Is it that Yahoo has decided, after many years,
    to start taking action to tighten down email abuse? Or is the
    emergency that too many mailing lists operate fast-and-loose
    with email headers, and that we as a community need to take
    swift and immediate action to fix mailing lists to correctly
    identify and attribute the true source of messages from
    the lists?

Well... how about this, from Yahoo's own posting:
We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement.

To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscribers to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it.

Miles Fidelman

I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers these messages spam. If you really want to get your mailing list messages through, then you need to evade their filters just like every other spammer has to.

-Laszlo

The problem isn't the rest of us trying to mail to Yahoo.

The problem is when Yahoo users post to lists that use DMARC, and the
result is the yahoo user's mail getting bounced or dumped on the postmaster.

Isn't it the other way around? They don't want their users to be able to send to mailing lists. They receive traffic from the lists just fine. Their policy only affects mail originating from their users. Yahoo subscribers can receive messages from nanog just fine, but they can't send to it.

Miles

Laszlo Hanyecz wrote:

By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible.

-Laszlo

Basically, this is just like old ORBS. If you were an ISP, you had to
check your local users' IP addresses smarthosting through your mail
server against ORBS or your mail server would inevitably be listed.

Now, as then, the solution is: if the domain has a DMARC listing, mail
addresses using it aren't permitted to post to the list.

As I tried to say before but was probably too subtle -- just flunk
validation for all DMARC-using messages, across the board without
exception, and then act on that failure as the DMARC DNS records
indicate that the sender wants you to. Especially the ones to abuse@
and your other POCs. That'll clean up the use of DMARC right quick.

Regards,
Bill Herrin
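Bill Herrin's suggestion above (refuse posts from addresses whose domain publishes a DMARC policy) can be turned into a subscription-time check. The following is an added example, not code from the thread or from any list software; it uses constructed `_dmarc` TXT records in place of real DNS lookups and approximates the organizational domain with the last two labels (real receivers use the Public Suffix List).

```python
# Constructed stand-in for DNS: _dmarc.<domain> TXT records. Not real data.
DNS_TXT = {
    "_dmarc.example-reject.test":
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example-reject.test",
    "_dmarc.example-none.test":
        "v=DMARC1; p=none; rua=mailto:agg@example-none.test",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs; {} unless it is v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels form the organizational domain.
    return ".".join(domain.lower().split(".")[-2:])


def effective_policy(from_domain: str, txt=DNS_TXT) -> str:
    """Policy a DMARC-aware receiver applies to unaligned mail using this From: domain."""
    from_domain = from_domain.lower()
    rec = parse_dmarc(txt.get(f"_dmarc.{from_domain}", ""))
    if rec:
        return rec.get("p", "none").lower()
    org = org_domain(from_domain)
    if org != from_domain:
        # Subdomain without its own record: the organizational domain's sp= applies,
        # falling back to p= when sp= is absent.
        rec = parse_dmarc(txt.get(f"_dmarc.{org}", ""))
        if rec:
            return rec.get("sp", rec.get("p", "none")).lower()
    return "none"  # no record at all: DMARC does not constrain this domain


def list_should_refuse(from_addr: str) -> bool:
    """True when the From: domain asks receivers to reject or quarantine
    unaligned mail, which is what list rewriting (subject tags, footers) produces."""
    domain = from_addr.rsplit("@", 1)[-1]
    return effective_policy(domain) in ("reject", "quarantine")
```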

I sort of wonder if this is really just yahoo trying to use a stick to
motivate people to do the right thing? It seems like everyone's been
trying for a while to 'make email better'... and that perhaps DMARC
will make it somewhat better, and if set up properly this is a
non-issue... after much faffing: "Welp, how about we whack the
mail-lists (and others) with a stick and get movement in the right
direction?"

not sure this is all bad... and i think the fix is pretty
straightforward for list folk, right? so all the faffing on this list
and others took longer to do than the fix-action?

-chris

So, I take it you prefer a world in which there's no sender
validation, and receiving floods of spoofed sender email
spam is just part of the price of being on the internet?

I'm finding myself vaguely annoyed that for so long
people have complained that big mail providers need
to clean up their act; and now, when one of them
decides to respond to the complaints and start
taking action to try to clean things up, the response
seems to be "wait, we were happy just bitching
and moaning--we didn't want you to actually
*change* anything!"

Matt

Christopher Morrow wrote:

    By their statement it's obvious that yahoo doesn't care about what they broke. It's
    unfortunate that email has become so centralized that one entity can cause so
    much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list
    subscribers to use their own domains for email, and host it themselves if possible.

    I sort of wonder if this is really just yahoo trying to use a stick to
    motivate people to do the right thing? It seems like everyone's been
    trying for a while to 'make email better'... and that perhaps DMARC
    will make it somewhat better, and if set up properly this is a
    non-issue... after much faffing: "Welp, how about we whack the
    mail-lists (and others) with a stick and get movement in the right
    direction?"

    not sure this is all bad... and i think the fix is pretty
    straightforward for list folk, right? so all the faffing on this list
    and others took longer to do than the fix-action?

Well, if you consider writing software patches to complicated software simple.

And it would certainly help if the guidance on what to do is clearer - last week, dmarc.org's FAQ listed, as among the options for list operators:

"Add an Original Authentication Results <http://tools.ietf.org/html/draft-kucherawy-original-authres-00> (OAR) header to indicate that the list operator has performed authentication checks on the submitted message and share the results." -- which would be transparent to list subscribers

but, as of a couple of days ago, that's qualified by:

"*This is not a short term solution.* Assumes a mechanism to establish trust between the list operator and the receiver. No such mechanism is known to be in use for this purpose at this time. Without such a mechanism, bad actors could simply add faked OAR headers to their messages to circumvent such measures. OAR was only described as a draft document, which expired in 2012. No receivers implementing DMARC are currently known to make use of OAR from external sources."

So the low-impact (to end users) fix is now not recommended, and all the other available fixes require changes that degrade long-accepted functionality of mailing lists (e.g., the ability to reply to the author of a message).

Miles Fidelman

    So, I take it you prefer a world in which there's no sender
    validation, and receiving floods of spoofed sender email
    spam is just part of the price of being on the internet?

That is clearly not what this issue is about.

    I'm finding myself vaguely annoyed that for so long
    people have complained that big mail providers need
    to clean up their act; and now, when one of them
    decides to respond to the complaints and start
    taking action to try to clean things up, the response
    seems to be "wait, we were happy just bitching
    and moaning--we didn't want you to actually
    *change* anything!"

What yahoo didn't do was first tell their users to unsubscribe from
all mailing lists.

DMARC hasn't cut down on yahoo spam so far. Yahoo's spam problem was
(is?) centered on account hijacks.

-Jim P.

I just checked my spam folder for the past month.

Out of about 80 messages "from" Yahoo, I can see about 3 that went via
Yahoo's mail servers. ie, >90% were/would have been blocked using DMARC.

Of course, I'm sure the spammers will simply start changing yahoo.com to
somethingelse.com once they realize - but from Yahoo's perspective, that's
obviously a positive.

Whilst I don't agree with the way that Yahoo has done this (particularly
around communication), I think the end result is only going to be positive.
At a high level it's no different than when people started rejecting mail
from hosts without PTR records, or when ISPs started blocking outbound port
25 - they both caused things to break, and both caused people to have to
take action to fix the brokenness, but in the long run they were both
hugely positive.

  Scott

how could they have communicated this better? how can we all learn from this?

-chris

The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution.

Everyone involved in DMARC has known from day 1 that it will break mailing lists. There has been an enormous amount of whinging about this. (If you think NANOG is bad, you should see the IETF lists.) But if Yahoo! had stood up and said, "We know that mailing lists are a problem, but we think that the value of DMARC outweighs this because ...." and then actually set a date, maybe some of the whinging could have turned into actual productive work on fixing the problem.

Doug

They could have communicated, as in "listen folks, we are going to make a
critical change that will affect mailing lists (etc...) in four weeks
time".

They could have made the change not late on a Friday afternoon (or well
into the weekend for most of the world).

-- Matthias

where would they communicate this?
on the blog that matt pointed at?
in bgp announcements?
err... homepage?

-chris

(I watch the ietf list for this, and muted the conversation...)

    They could have communicated, as in "listen folks, we are going to make a
    critical change that will affect mailing lists (etc...) in four weeks time".

communicated it where?

    They could have made the change not late on a Friday afternoon (or well into
    the weekend for most of the world).

a friday change like this is not ideal... but, it looks like any time
change like this would have had fallout.

What they should have done is followed their (the dmarc spec authors,
of which one works for Yahoo) own advice that dmarc wasn't for domains
with users. But, hey, we all know it's hard to get good tech press
by simply sponsoring and spec'ing a backend tech solution for some
dark corner of the internet.

-Jim P.

"The Internet".

A blog entry and a post to a few key relevant mailing lists would have
resulted in the message spreading far better than it was. There's no way
that they could have communicated it to every mailing list admin on the
planet, but they could have at least given a heads-up to some major parts
of the community.

The great thing about the Internet is that if it's important enough to be
shared, you don't need to try too hard to make that happen - others will
look after it for you. But you need to make the effort to get it started,
and Yahoo didn't do that here (or at least, they did, but they did it by
actually making the change by which time it was too late!)

  Scott