re: Yahoo DMARC breakage

It occurs to me that, if you point a gun at me, aim at me, pull the trigger, and hit someone standing 10 feet to my left - the gun IS broken (or at least very poorly designed).

Miles Fidelman

Unfortunately, that has no relationship to the current situation. Again: Yahoo was fully aware of the implications of its choice.


I suspect they looked at the amount of spam they could stop, the number of Yahoo email users, and the number of Yahoo users using mailing lists, and said "That's just noise, it doesn't matter."

It happens to be very loud noise, but it's still tiny compared to the overall number of email users.

Which is, to a very good first approximation, zero.

Nearly all (at least 99% and likely quite a bit more) of the spam [as
observed by my numerous spamtraps] that purports to originate from Yahoo
really *does* originate from Yahoo. All that I have to do to verify that
is to look at the originating host -- that is, it's not necessary to
check DMARC or anything else.

There are several reasons for this. First, Yahoo has done an absolutely
miserable job of outbound abuse control. For over a decade. Second,
they've done a correspondingly miserable job of handling abuse reports,
so even when one of their victims is kind and generous enough to do
their work for them and tell them that they have a problem...they don't
pay attention and they don't take any action. (Or they fire back a
clueless boilerplate denial that it was their user on their host on
their network...even though it was all three.) Also for over a decade.
Third, why would any spammer forge a address when it's easy
enough to buy hijacked accounts by the bucketful -- or to use any of the
usual exploits to go get some? Fourth, at least some spammers seem to have
caught on that Yahoo isn't *worth* forging: it's a toxic cesspool because
the people running it have allowed it to become one.

So let's not pretend that this has anything to do with stopping spam.
If Yahoo actually wanted to do something about spam, they could have
done that years and years ago simply by *paying attention* to what was
going on inside their own operation.