Yahoo DMARC Implementation Breaks Most Mailing Lists

pdclarry writes: "On April 8, Yahoo implemented a new DMARC policy that essentially bars any Yahoo user from accessing mailing lists hosted anywhere except on Yahoo and Google. While Yahoo is the initiator, it also affects Comcast, AT&T, Rogers, SBCGlobal, and several other ISPs. Internet Engineering Council expert John R. Levine, a specialist in email infrastructure and spam filtering, said, 'Yahoo breaks every mailing list in the world including the IETF's' on the Internet Engineering Task Force (IETF) list.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a two-year-old proposed standard previously discussed on Slashdot that is intended to curb email abuse, including spoofing and phishing. Unfortunately, as implemented by Yahoo, it claims most mailing list users as collateral damage. Messages posted to mailing lists (including listserv, mailman, majordomo, etc) by Yahoo subscribers are blocked when the list forwards them to other Yahoo (and other participating ISPs) subscribers. List members not using Yahoo or its partners are not affected and will receive posts from Yahoo users. Posts from non-Yahoo users are delivered to Yahoo members. So essentially those suffering the most are Yahoo's (and Comcast's, and AT&T's, etc) own customers. The Hacker News has details about why DMARC has this effect on mailing lists. Their best proposed solution is to ban Yahoo email users from mailing lists and encourage them to switch to other ISPs. Unfortunately, it isn't just Yahoo, although they are getting the most attention."

But who uses Yahoo! mail?

I mean, other than as a BS mail account.

Re:But who uses Yahoo! mail?

Can't even use it for that anymore. To my knowledge, they require you to give away a phone number so you can receive a text message with a code that you can use to create the account. Screw that.

Re:But who uses Yahoo! mail?

[rudy_wayne]

Their best proposed solution is to ban Yahoo email users from mailing lists and encourage them to switch to other ISPs

What the fuck? Since when is Yahoo an ISP?

A lot of people use Yahoo's shitty webmail but only because they are too brain dead to use a real email client sending/receiving email via their ISP's servers.

Although I have to admit, i do like the idea of banning anyone who uses Yahoo mail.

Re:But who uses Yahoo! mail?

I really hate how everything forces you to use text messages. I do not want text messaging and refuse to add it to my contract. If someone has something important to talk to me about, well, they already have my phone number.

Re:But who uses Yahoo! mail?

[Jeremiah+Cornelius]

Microsoft does the same for Hotmail/Live/Outlook. They claim suspicious use of your account was detected, and that to return access to you, you must change password, with a supplied phone number for secondary account control.

Bullshit. I had this happen across 5 MS hosted mail accounts in the same week - each were purpose-specific accounts to legitimately isolate commercial activity.

Google? The bastards try to wheedle your mobile number out of you at every PW change or update. They practically hide the UI to bypass this request.

Needles to say, all three are used only as "burner" addresses, now.

Re:But who uses Yahoo! mail?

[number6x]

[conspiracy theory]

It's probably an easy way to connect email with phone numbers to help email message to phone message matching algorithms at the NSA.

[/conspiracy theory]

Re:But who uses Yahoo! mail?

[Adrian+Harvey]

Their best proposed solution is to ban Yahoo email users from mailing lists and encourage them to switch to other ISPs

What the #%^+? Since when is Yahoo an ISP?

Several ISPs outsource their customer email service to Yahoo. If you're with one of those, and especially if you use your ISP provided email address, then moving would fix it (or just move to gmail/outlook.com/whatever, you're mail is in the cloud now anyway, since your ISP moved it there)

Re:But who uses Yahoo! mail?

[Jeremiah+Cornelius]

That's a useful side benefit. They correlate for commercial purposes. Selling out to Fed TLA is one such commercial purpose.

Re:But who uses Yahoo! mail?

[wulfhere]

I don't know if they still do, but AT&T DSL customers used Yahoo mail as recently as last year.

Re:But who uses Yahoo! mail?

The term "conspiracy theory" is usually used for something far-fetched and unlikely, not something virtually certain...

Re:But who uses Yahoo! mail?

[Richy_T]

On the other hand, I would be almost 100% happy if I didn't have the voice part of my smartphone.

Re:But who uses Yahoo! mail?

AT&T DSL customers still do.

Re:But who uses Yahoo! mail?

Yahoo, Microsoft, Google, Facebook... all now just as completely irrelevant as MySpace.
Oh, and their webmail/UI interfaces all suck balls now too... coincidence? I think not!

Re:But who uses Yahoo! mail?

So get a PDA.

Re:But who uses Yahoo! mail?

[Jeremiah+Cornelius]

Hotmail. Worse than Yahoo!. That takes effort.

Re:But who uses Yahoo! mail?

[number6x]

Wow! whoever is moderating needs a sense of humor overhall. This is considered trolling?

Re:But who uses Yahoo! mail?

[Richy_T]

The text and data are kinda a necessity.

Darmok and Jalad

[tylersoze]

DMARC and SMTP at Yahoo, mail broken.

Re:Darmok and Jalad

[Impy+the+Impiuos+Imp]

"Dmarc, his eyes close. His sails furl."

Re:Darmok and Jalad

[QuesarVII]

Worst. Episode. Ever.

Re:Darmok and Jalad

i thought it was great. best attempt i've seen at making full communication
breakdown understandable to normal people.

Re:Darmok and Jalad

[QuesarVII]

Where did any of the words they told those stories come from?

If they don't understand regular language, how do they understand Picard's story?

So many holes, and so stupid.

Re:Darmok and Jalad

[retchdog]

Obviously, he doesn't understand Picard's story. He's just being comforted by a newly-won ally, enjoying the bitter victory and what it might mean for the future of his people. What Picard is saying is basically irrelevant. It's simply a way for the character to celebrate and it emphasizes the themes of the episode, for one, that words have meanings beyond the literal or even evocative.

They may not have meant it that way, but it works.

Of course, it is completely impossible that a culture could develop space-faring technology, or even a fucking automobile, through such a simple language; the language would just be so information-poor, that it would be basically impossible to collaborate on anything beyond a wheeled cart. But most Star Trek episodes are total bullshit on a scientific level; it's just part of what you accept. They're simple fables and morality tales in spaaaaaace, nothing more, no matter how much obsessive neurotics fetishize it.

Yahoo Mail is blackholed everywhere

Anything that improves security at Yahoo Mail is a good thing.

Re:Yahoo Mail is blackholed everywhere

[Arancaytar]

Well, this improves security at Yahoo mail by making people stop using Yahoo mail.

That works, I guess...

The good news....

[Bomarc]

With the 'new' (sucky) web client -- I've started to move away from Yahoo. Bad news: Not gone yet. Biggest problem: Getting my old email messages out. (Need them for several reasons -- including legal)

Time to move out of Yahoo... (adding another buzz kill!)

Re:The good news....

I use yahoo with Thunderbird without any problems? Am I misunderstanding your dilemma when you say you can't move away from Yahoo mail?

Re:The good news....

I kept the old version of Yahoo as long as it would let me. When it finally forced me to "upgrade" to the new version, I discovered it did not work very well. I hate it. It looks like Yahoo was trying to get people to leave. It's bad enough at home, but I travel to some low bandwidth areas, and it is frequently unusable. Not just slow, just freezes and doesn't work. Tried MSIE, FF, Chrome, doesn't matter. Doesn't work.

Re:The good news....

[Khyber]

If you need your emails regarding legal matters, throw a subpoena duces tecum at them.

They'll unlock those accounts so goddamned quick, lest they be held in contempt of court.

Re:The good news....

[1u3hr]

You can get all your Yahoo email by POP. You can pay about $20 a year; or do it free if you change your location to a non-US location, like e.g. Singapore. Then you can turn on POP. You can't send via their SMTP though, which wasn't a problem till this week. Now I put my ISP address as "From" and Yahoo in my "Reply-To". But it's pushing me to give up Yahoo entirely. I've been uneasy about them since MS bought them anyway.

Just Yahoo

Just Yahoo being Yahoo. Nothing new.

http://www.slashdot.org?nobeta=1

Just for convenience, to make the site readable again, and without those popups showing up:

http://www.slashdot.org?nobeta=1

SPF..

[Bert64]

Implementing SPF can also do the same thing, the issue is that mailing lists don't rewrite the from headers so despite having been forwarded through the mailing list server the original sender is still shown in the headers, only the mailing list server isnt really supposed to be sending mail *from* other people's addresses...

So either you allow mail to come from anywhere with any sender address, which lets mailing lists and email forwarding work fine but also makes spoofed spam very easy...
Or you don't, and break the above...

Really legit mailing lists should be rewriting the sender headers to reflect that the mail has been redelivered by the mailing list, the only difficulty this would cause is when users try to reply directly to messages rather than forwarding their replies to the list itself.

Re:SPF..

[Minwee]

Really legit mailing lists should be rewriting the sender headers to reflect that the mail has been redelivered by the mailing list, the only difficulty this would cause is when users try to reply directly to messages rather than forwarding their replies to the list itself.

There really ought to be a better way to handle this.

And it really should be implemented properly everywhere. Oh, and I want a pony too.

Re:SPF..

[Zocalo]

A better solution might be to move the original sender's "From" to another header ("Return-Path", "Reply-To", - whatever works best for the list software/admin) and set a new "From" to an address that would feed any replies to the list's submission/moderation queue. If the address of the person replying is on the mailing list or the list accepts any submission address, it goes into the normal queue for remailing, if not it either gets discarded as a bogus reply that is probably spam or goes into a moderation queue, depending on the list.

This is still an implementation flaw in the way DMARC and SPF work with mailing lists rather than a problem with mailing lists though, so the onus really belongs with DMARC and SPF to better provide a way to support mailing lists. Including a way to specify in the DMARC/SPF configuration for the that the sender is a mailing list and that they need to validate the original sender against a different header instead - "X-Originally-From", rather than the mailing list's domain in the current "From", perhaps?

Re:SPF..

[EvanED]

Really legit mailing lists should be rewriting the sender headers to reflect that the mail has been redelivered by the mailing list, the only difficulty this would cause is when users try to reply directly to messages rather than forwarding their replies to the list itself.

No no no no no no no. "When users try to reply directly" is a significant problem -- "reply" going to the sender only is fail-safe. "reply" going to the list results in things like "take me off this list" bombs, people accidentally disclosing confidential or embarassing information to the list, etc.

In addition to that, if you have a reply-to-sender mailing list, replying to the list is easy: you just click reply all. (At least that's my default action when replying to an email anyway.) If you have a reply-to-list mailing list and want to reply to just the sender, now neither of your reply buttons work.

Re:SPF..

[Obfuscant]

There really ought to be a better way to handle this.

RFC822 has been obsoleted at least twice now. The current standard (RFC5322) says this about the origination headers:

The originator fields indicate the mailbox(es) of the source of the message. The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.

In other words, any mailing list that rewrites the From header field is wrong. It is also wrong for it to rewrite the Sender field, since the mailing list is not the "agent" responsible for the actual transmission of the message. It is only a transport agent, not an initiator. In the contextual history of RFC*22, the Sender is the person (secretary, e.g.) who sent the message when that person is not the author.

And, additionally: "In all cases, the 'From:' field SHOULD NOT contain any mailbox that does not belong to the author(s) of the message." While that's only a SHOULD not, it is still relevant and shows the intent of that header.

I've found the room full of horse droppings. I'm sure there's a pony around here somewhere. I'll let you ride him when I find him.

Re:SPF..

[UnderCoverPenguin]

RFC5322 also says this:

Note: Reintroducing a message into the transport system and using
            resent fields is a different operation from "forwarding".
            "Forwarding" has two meanings: One sense of forwarding is that a
            mail reading program can be told by a user to forward a copy of a
            message to another person, making the forwarded message the body
            of the new message. A forwarded message in this sense does not
            appear to have come from the original sender, but is an entirely
            new message from the forwarder of the message. Forwarding may
            also mean that a mail transport program gets a message and
            forwards it on to a different destination for final delivery.

So, one could make the case that a list server is a robot reading and forwarding messages, therefor it is technically not wrong for the list server to put its own address in the From field and a contact address for the list owner in the Sender field. Note that list servers that batch posts in to messages containing several posts already do this.

(Replies to the author and/or list could be directed by the Reply-To and Cc fields. Suggest author in Reply-To and list in Cc.)

Of course, best solution would be for DMARC and SPF (and the list servers) to be configured to properly use the Resent-From and Resent-Sender fields. Unfortunately, I think that DMARC and SPF will be left as they are, thus forcing the list servers to bare burden of a work around.

Re:SPF..

[VortexCortex]

Really legit mailing lists should be rewriting the sender headers to reflect that the mail has been redelivered by the mailing list, the only difficulty this would cause is when users try to reply directly to messages rather than forwarding their replies to the list itself.

Or the fucking email providers could not be dipshits and white-list the stuff you actually subscribed to when you validate your damn email address. This can be done with existing email solutions by offering an option:

"This is the first message from this sender, allow further unsolicited messages [_] Yes [o] No?"

The whole sender-provider and DMARC BS is fucking irrelevant since we've had white lists and PGP for essentially ever.

Re:SPF..

[Obfuscant]

So, one could make the case that a list server is a robot reading and forwarding messages, therefor it is technically not wrong for the list server to put its own address in the From field and a contact address for the list owner in the Sender field.

Other than such action would be a direct violation of the section of the RFC I quoted. The "robot" is not the author; its mailbox does not appear in the header field intended for the mailbox of the author. The "robot" is also not the agent that introduced the message for transmission, it is retransmitting a message already in the system.

Note that list servers that batch posts in to messages containing several posts already do this.

Not all mailing lists do this, many mailing lists allow recipients to determine whether this happens or not, and ones that do create digests are not the topic of discussion because Yahoo doesn't block them under DMARC (precisely because the digest is sent under different headers than the original messages).

Re:SPF..

[Quick+Reply]

Currently, all mailing lists implementations break DMARC specs. At first glance it would appear that the Mailing List specs and the DMARC specs are incompatible with each other...

HOWEVER, There IS a way to be compliant with both specs.

The mailing list is just a transport agent of list messages right? Well it can also be the transport agent of how users' actual email addresses are handled, between their real email address and usernames that obfusicates their actual email address.

For example:
* User "Bob Smith" emails TESTLIST@DOMAIN.ORG

* Mailing List implementation on DOMAIN looks up "BOB.SMITH@YAHOO.COM" and determines his username to be "USER-ADF2S89T"

(more friendly usernames like "BOBSMITH-YAHOO" might also be possible if verified/allowed by the list owner, even "BOB.SMITH_AT_YAHOO.COM" could be his username if he has no intention of hiding his email address and is not scared of spam bots)

* Mailing List implementation on DOMAIN rewrites the message FROM and/or SENDER fields to "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" instead of his actual email address

* A mail transport agent is set up on MAILING-LIST-USERS.DOMAIN.ORG to forward any messages that are sent to USER-ADF2S89T to BOB.SMITH@YAHOO.COM so the author/sender are still contactable.

This is compliant with the Mailing List specs because "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" 'belongs' to John Smith (Just in the same way that JOHN.SMITH@YAHOO.COM 'belongs' to him too even though he doesn't own YAHOO.)

This will also have the following benefits:

- Actual email addresses are completely hidden from Spam Bots. This is huge. Mailing Lists are are huge source of email addresses that spam bots like to harvest.

(It may be possible to have a web interface or mailing list -request command to reveal the users' actual email address - using a CAPCHA if the requesting user is not trusted - so users can't hide behind their special address)

- List Managers might like the option for users to be able to update to their new their email address while keeping the same username(s).

(If users are representing their company, companies might like an option - maybe with the use of a TXT record on their domain - not to allow their users to do this so they can't keep 'representing' their company after they lose access to their company email address)

- This way DMARC can be freely implemented by everyone, including the mailing list server itself, so users can't spoof each other when posting to the mailing list, nor can they use their "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" address to send mail 'FROM' this address.

Re:SPF..

[UnderCoverPenguin]

such action would be a direct violation of the section of the RFC I quoted. The "robot" is not the author; its mailbox does not appear in the header field intended for the mailbox of the author. The "robot" is also not the agent that introduced the message for transmission, it is retransmitting a message already in the system.

If I had a secretary and I instructed him to forward messages related to certain topics to designated recipients, he would be the author of the new messages that contain the original messages. The section I quoted allows this. How is this different from having a list server perform the same task?

A multi-post digest is reasonably consided a new message. One that is "authored" by the list server. With the list owner as the responsible agent. As best I can decern, the people at IETF do not think this is a violation. So, why not a digest with just one post?

I think you and I are viewing this from two different perspectives. You seem to view the list server as part of the mail transport and delivery infrastructure. I view the list server as an "electronic secretary" interacting with, but outside of the mail infrastructure.

Granted, proper use of Resent-From and Resent-Sender would be the best solution. How likely do you think it would be for all the Sender Authentication systems to be updated to use these fields? I think very unlikely. So, that leaves it to the list server admins (and, possibly, developers) to implement a work around.

Re:SPF..

No, implementing SPF doesn't do the same thing, SPF is only about the envelope from ("return path") and doesn't care about headers at all. Mailing lists will send with a new envelope from, so that bounces go to the list software and not to the submitter of the message, so there should be no problem with SPF.

Re:SPF..

That sounds like Reply-To considered harmful extra bad edition:

http://www.unicom.com/pw/reply...

Return-path is to be filled by the MDA with the envelope from, so mailing list software has no business touching it, Reply-To is there for the sender to use to set a different reply address, so might in particular already have a value which you certainly should not overwrite, and in any case, the From header is supposed to indicate who wrote the mail, so mailings list software has no business touching it either. And in order to enable list replies, it should not break direct replies (which altering From or Reply-To headers does), because a proper MUA already has at least a group reply function, which exists exactly for that purpose - and a good MUA also will understand Mail-Followup-To in order to avoid double replies when the sender of the message that you group-reply to wants that (so, it's also something that the sender should set, never the mailing list).

Re:SPF..

[IamTheRealMike]

I would say it is a problem with mailing lists. They are taking mail, rewriting it to say something different, then delivering it in such a way that they claim they didn't change it (with broken digital signatures). This isn't Yahoo breaking mailing lists. This is just mailing lists doing something stupid. The fix is for them to stop doing MITM attacks on people's mail or to do it, but to resign the mail themselves so they take responsibility for it.

It's not like DKIM is new by the way, mailing list developers and admins have had this coming for years. But you won't find a more backward or stubborn bunch than crusty postmasters who ran mailing lists the same way since the 80's.

Re:SPF..

I've said it before- Email Certification.

Want to run a Certified Email server? Go to your ISP (or other such companies that may arise to offer the service). They check you out (Are you who you say you are? Do you have valid contact information? Etc...), then have you produce a Public/Private key pair. You give them the 'Public' key, and keep the 'Private' one to configure your email server with. Your email server must add an additional header with your Certifier's Certification Server (usually their email server), and a header that is encrypted with your Private key.

An email client that is Certification-compatible will, when it receives an email, look to see if it has those two headers. If not, it will handle it according to the user's wishes. This means NON-Certified email might be deleted, or sent to a different folder, or whatever. Whitelists/blacklists are still possible.

If the email has the headers, the email client will connect to the Certification Server listed in the one header, and download the 'Public' key to attempt to decrypt the other header. If the decrypted header is valid, the client treats the email the way it is configured to, usually by placing it in the Inbox. Again, whitelists and blacklists can still be used.

Here's the most important part: If the user receives Spam that is Certified, they can easily report it to the Certifier (email clients would have a 'Report Certified Spam' button that automatically shoots an email off to the Certifier, for instance). The Certifier can then contact the owner of the Certified Server and notify them of the spam. This gives the server owner a chance to stop the spam, in case the server was hacked or the spam was accidental. If the Server owner does not stop the spam, the Certifier simply pulls the Certification, by removing the 'Public' key on their server. From that moment forward, ALL email the Email server in question sends will be NON-certified (and quite frankly, probably deleted by the recipients).

If the Certifier refuses to do anything about the Spamming Server (because they are 'in on it', friendly to spammers, or just incompetent), then ALL Certifications from that Certifier can be marked as 'bad', either on a client-by-client basis, or thru the use of a Certifier black-list.

-There is no 'Central Authority'- your ISP Certifies you for a modest fee.
-You can still send non-certified email, so hobby mailing lists and the like are not affected- the people who receive the mailing list might just need to whitelist it.
-Legit email will (eventually, almost always) be Certified, so Certified emails can be sent straight to the Inbox. Non-certified email will (eventually, almost always) be spam, so it can be trashed.
-Any spam that is sent from a Certified server will quickly be reported by pissed-off recipients, and quick action will be needed to avoid that Certifier (and ALL the servers it has certified) from being put on a blacklist.
-Spam will dwindle as Spammers either move to 'spam-friendly' Certifiers (which are blacklisted so the spam never gets thru anyway), or will spend huge amounts of money switching ISPs every 2-3 days to get re-certified over and over. Of course, ISPs could take a clue from the Las Vegas Casinos, and keep a 'black book' of known spammers, and check new clients against them before Certifying them.
-This system does not need to be adopted all at once. Certified and non-certified emails can be handled both by email clients that are Certification aware and not.

It may not be perfect, but it'd be a good start.

Re:SPF..

[Obfuscant]

If I had a secretary and I instructed him to forward messages related to certain topics to designated recipients, he would be the author of the new messages that contain the original messages.

Nonsense. Whoever wrote the original message is the author. Your secretary would be the sender and his mailbox would appear in the Sender header field.

Here's just a trivial reason why that must be. The boss sends an email describing a new policy regarding the use of slashdot during working hours. Your secretary forwards that to others and in doing so obeys your instruction to become the author. Let's say I'm on that forwarding list. Now I would ask "why is a secretary writing a policy regarding use of slashdot?" You say he's the author? Well, he has no authority to be the author.

The section I quoted allows this.

No, it does not. The author remains the person who wrote the message. Under your system, if I make a photocopy of a book I'm now the author of that book. That's patently absurd.

A multi-post digest is reasonably consided a new message.

It is because it has a different message ID. And, as I've already said, digests are not the topic of this discussion because digests won't be blocked by DMARC because digests have headers that originate with the mailing list. The topic here is mailing lists that forward messages.

And digests are not forwarded messages, they are compilations of messages.

So, why not a digest with just one post?

Because that is not how mailing lists that act as simple forwarders work. I run both kinds. It isn't that hard to tell the difference.

So, that leaves it to the list server admins (and, possibly, developers) to implement a work around.

Here's my work-around as a mailing list admin: if you're using a mail system that blocks properly composed and valid messages from my mailing list, it is your responsibility to fix it. I'm following the standards. Playing the game "keep making changes as stupid people keep finding new ways of violating the standards" is a waste of my time.

Am I understanding this correctly?

[TheRealMindChild]

It looks to be blocking relayed email, from a domain that it shouldn't originate from. I would think that is what we would want... mail can't come from one domain and claim to be from another. If this is the case, shouldn't the mailing list actually rewrite that it comes from the domain of originating mailing list? Because it is essentially coming from the mailing list

Re:Am I understanding this correctly?

[pdclarry]

It's not blocking relayed mail in the usual sense. Most mailing lists use the original poster's email address as the FROM field so everyone on the list knows who posted the message. The SENDER field contains the actual list address. And that should match the sending server's IP address. So reverse DNS and SPF (and DKIM if enabled) will validate the SENDER as the list server software. The REPLY TO will be either the list or the original poster, depending on list policy. DMARC requires that the FROM field also match the sending server, and ignores SPF and DKIM.

Re:Am I understanding this correctly?

[Obfuscant]

I would think that is what we would want... mail can't come from one domain and claim to be from another.

Of course it can. It is perfectly reasonable that I use one email address for all my correspondence but use different outgoing SMTP servers depending on where my network connection is at the moment. Or I may want to use the address of a mail forwarder I use (one of many professional organizations that provide this service, e.g. IEEE) while sending an email.

Because it is essentially coming from the mailing list

Mailing list software is not the author of any email it distributes on behalf of a list user. The standards define what the From header contains.

Re:Am I understanding this correctly?

[Phoenix+Rising]

DKIM validates off of the 'd=' in the DKIM signature. If the mailing list software alters the message (by adding an unsubscribe notice or other list decoration, e.g.), then the original DKIM signature is invalid regardless of any header address.

SPF validates the sending IP to the SMTP mFROM claim. Most list software changes the mFROM to a list bounce address, and therefore SPF at least passes.

DMARC does a couple of things to validate messages... First, it compares DKIM and SPF domains to the header From domain - if they "align", then it checks to see if each passes. If either DKIM or SPF passes and is aligned, then DMARC rules aren't triggered.

So, for list software to work with DMARC, they either have to keep the original message content (and some headers) - i.e. act as a (reasonably) strict forwarding system - or they have to claim ownership of the email message and resign it.

Going down the route of From vs. Sender (i.e. purported responsible address) is a rehash of the attempted Microsoft SenderID "improvement" on SPF.

Re:Am I understanding this correctly?

[squiggleslash]

Forwarded email breaks all these kinds of "sender authentication" systems, and that's unlikely to change in the near future. Mailing lists are one type of forwarded email, but not the only type.

We do, ultimately, want to know an email originated with a particular account, but the anti-spammers have tied origination to logic based upon the IP address of the latest server to process the message. It's not really sane, it breaks things, it's the classic anti-spammer "trick" that ends up breaking email more than spam does.

Re:Am I understanding this correctly?

[UnderCoverPenguin]

Forwarded email breaks all these kinds of "sender authentication" systems, and that's unlikely to change in the near future. Mailing lists are one type of forwarded email, but not the only type.

Properly used, the Resent-From and Resent-Sender fields could help with this. Of course, this would require the Sender Authentication systems to properly handle these fields.

Another option occurred to me since I made my previous post. The original message could be made an attachment to the message sent by the list server. This way, both the list message and the original message would be available for DMARC/SPF/whatever sender authentication.

Re:Am I understanding this correctly?

[Obfuscant]

The original message could be made an attachment to the message sent by the list server. This way, both the list message and the original message would be available for DMARC/SPF/whatever sender authentication.

So not only do you suggest that the "robot" who is handing the mailing list forge emails to look like they were written by it instead of the real author, you want it to now use arbitrary contents of the body of the message (an attachment) for SPF and DMARC analysis? The body, which is under complete and full control of any spammer who happens to figure out there is a new way of bypassing spam filters by just putting something that looks like valid email transport information as an attachment to his spam?

Re:Am I understanding this correctly?

[UnderCoverPenguin]

No.

Are digest messages considered forgery?

Nor am I suggesting a back door for spammers. I do think it is likely that list servers will not be trusted to do proper Sender Authentication. Both the list message and the original message would have to pass sender authentication.

If the list server acted exactly as a proper MTA would, then the message would only be subject to a single level of sender authentication. My idea would subject the forwarded message to double authentication: Once for the original sender and the second for the list server.

Re:Am I understanding this correctly?

[Dog-Cow]

Mailing list software is not the author of any email it distributes on behalf of a list user.

That is only true in the sense that the list-serv isn't creative in the Human sense, and did not author the words contained in the message. From a technical standpoint, however, it is perfectly valid to state that list-serv software is authoring the message. It just happens to be quoting verbatim from some random message it received.

Re:Am I understanding this correctly?

[bmo]

DMARC requires that the FROM field also match the sending server

REALLY?

This is the stupidest thing I've seen in a long time.

In spam fighting circles, the FROM header is universally ignored, because it can be anything. We don't fucking care what the FROM header says. Indeed, treating the FROM header as "accurate" leads to insanity like joe-jobs.

Whoever came up with that idea should schedule a meeting with Bill Mattocks' wooden mallet.

"My sense of personal integrity is none of your concern."
-thus spake Walt "Pickle Jar" Rines

"I'm going to pound your balls flat with a wooden mallet."
-thus respondeth Bill Mattocks

--
BMO

Re:Am I understanding this correctly?

[Obfuscant]

From a technical standpoint, however, it is perfectly valid to state that list-serv software is authoring the message.

That's utter nonsense.

It just happens to be quoting verbatim from some random message it received.

If it is quoting verbatim then the outgoing headers will be the same as the ones it got. And quoting verbatim means that it is NOT the author, the person or entity it is quoting from is still the author.

You might want to note that any MTA is simply "quoting verbatim" the "random message" it receives, and yet nobody in their right mind would try claiming that the MTA has assumed authorship of the message and should fiddle with the origination headers. You might also note that many delivery agents have trivial ways for users (and admins) to deliver messages sent to one mailbox into two or more -- for example, sales@example.com may be delivered to every sales agent -- and nobody in their right mind would want or expect such a delivery agent to claim authorship of the message.

You can't sell verbatim copies of the latest Harry Potter book and claim that you're the author because you made the copy.

It's only when you move into the digest-style mailing lists that you can claim any authorship, and 1) those kinds of mailing lists already DO make that claim, and 3) they aren't the subject of discussion because they won't be blocked by DMARC.

Re:Am I understanding this correctly?

[Obfuscant]

Are digest messages considered forgery?

Digests are not relevant to this discussion because digests won't be blocked by DMARC. They are compilations of messages, not the original messages themselves. They already contain, or should contain, origination header fields that will pass SPF or whatever valid spam detection techniques are available.

If the list server acted exactly as a proper MTA would, then the message would only be subject to a single level of sender authentication.

If the list server acts as a proper MTA would, then there would still be a problem with DMARC because the list server won't fiddle with the origination headers.

My idea would subject the forwarded message to double authentication: Once for the original sender and the second for the list server.

Your idea is a waste of time, simply because if you're going to write a new list server that fiddles with messages the way you describe, and try lobbying Yahoo et.al. to adopt the system, why not just use an existing listserve that produces digests? You've got a solution in search of a problem.

Excellent!

[fuzzyfuzzyfungus]

Anything that helps isolate Yahoo from currently uninfected sectors is good by me. If I never see that virulent purple abomination again it'll be too soon.

just what I need ....

[nblender]

More ammunition for the members of various online communities I participate in for switching to some stupid forum...

Moving messages out of Yahoo!

Use IMAP.

Re:Moving messages out of Yahoo!

[Bomarc]

So far --- most solutions require yahoo+ (I don't want to pay yahoo to leave yahoo!)

Found a way to connect to gmail, but that has issue (gmail doesn't sort right)

Might need to break down and pay to get my data.

..and nothing of value was lost

$subj.

Congratulations, Marissa.

[Stormbringer]

In your quest to 'revitalize' your user-base by throwing out the loyal veterans, you pissed off people who have been members since eGroups and OneList by throwing that purple-abomination Neo web-interface at them... but still they refused to go away, they just relied more heavily on their 90's-style mail clients for access.

This strikes at the heart of that persistence. I do believe you've found a way to get rid of your remaining loyalists. Well done.

Re:Congratulations, Marissa.

That's nice. But doesn't change the fact she's still a smoking hot milf.

Mail receipts and what not... all broken...

One of my clients was using their yahoo email address as the sender for emails that were generated on their site as a result of actions, which included ecommerce receipts, contact receipts, etc. As of yesterday, emails sent to gmail and yahoo accounts started bouncing. I figured out very quickly that the problem was DMARC and a new policy at Yahoo. So, I ended up having to change all receipts to come from an address at my domain. That, of course, created new problems. What a horrible mess for us all to clean up.

Back when the Internet Mail Consortium was a thing

[tlambert]

Back when the Internet Mail Consortium was a thing, we established best common practices for mailing lists, and most of them were vehemently against mailing list servers rewriting mail headers. Some popular MLM software rewrites standard headers, which breaks DMARC SPF implementations.

The thing to do here is to fix the MLM software to use the correct additional headers, rather than rewriting the headers the DMARC policy feels are important; in addition, this would allow the DMARC policy to "whitelist" based on the attached headers, assuming everything else wasn't a black mark, and avoid the "greylisting" that would happen ordinarily with most SPAM filtering systems in "medium posture" rather than "low posture" (i.e. the ones that have the concept of "suspect email" as a middle ground).

The idea that this "breaks all the IETF mailing lists" is basically alarmist BS - the IETF mailing lists are run on an individual basis, they aren't all hosted on a single machine out there, which is why they have varying degrees of SPAM and signal/noise ratios. So to claim that e.g. Namedroppers (the IETF DNS Working Group) mailing list server is impacted the same way the one Levin is all upset about is, is disingenuous.

Your opeinion is not surprising

No offense, but I find this attitude is rife in America these days:
"Oh,yeah. Yahoo are not as bad. Well. They are the same as Google and MS etc. at this this and this. They're all the same really"

They're not the same. I use Yahoo. It's that slightly worse aspect that makes me use them. Fine lines. Hushmail is the best to use I think but like you say they're all burner addresses really. But what's your reliable and dependable address? Your own domain? Not all of us have that luxury.

Also, I almost always find this attitude whenever the EU does something positive - they're really no better than the US at that.

Re:Your opeinion is not surprising

But what's your reliable and dependable address?

The same one my ISP has given me since I signed up for dialup (now DSL) in 2000.

Re:Your opeinion is not surprising

[sglewis100]

But what's your reliable and dependable address?

The truth is, there's no way I want to have just one address. Here's what I use:

1) A very personal address that very few people have, but for close friends and family. I wouldn't even tell you what service I use, let alone accidentally give it out in a public place. I'm super protective of it, it's one that does do notifications on my iPhone, etc., and remarkably is still spam free. To be honest, I even have some family members that don't use it. I told them I was changing my email address and gave them a different one, since they can't stop sending joke chain emails with 200 people in the CC list.

2) A somewhat personal address that I give out to business contacts that aren't work-related (I use my corporate email account for those obviously). Pretty much spam free. It's the one that largely gets the Linkedin invites, the Plaxo spam, etc, but largely hasn't been sold off to spammers.

3) An address I use for websites that I reasonably trust. Amazon. Slashdot. Things that you sign up for once, and then have to opt out of whatever stupid newsletters you get by default. Rarely gets spam.

4) An address I use for websites I reasonably don't trust. Something where I want some content on a site but don't want them to have a way to contact me. Not loaded on a phone or computer, if I need to look for an account activation email, I hit web mail, wade through the incessant spam, find what I need, log back out.

5) Work email. Not much I can do about that. Loaded on my work computer, and on my work provided phone. Gets too much email. Very little spam though, since I use address #3 or #4 when signing up for web sites, even if they are work related.

That said, while it was a little work setting up, it's very easy to manage. Email #1 is checked constantly. #2 and #5 regularly. #3 occasionally, and most stuff is automatically filtered away (Amazon order receipts into a folder, etc). #4 is very popular with viagra sites and porno sites, since it's the address captured by sites that turn around and sell your email.

Amazon isn't likely to sell your email, they'd rather have you all to yourself.

There's other things you can do. If you use Apple products, they make it very easy to hook your phone number and every email address you own (iCloud or otherwise) to iMessage. But you don't have to. If you have multiple addresses, make sure just the private ones are hooked up to iMessage. For SMS, I have my cell published sparingly, most people get my Google Voice number, and those texts are reviewed less frequently.

But, email is broken. For sure. That's a lot of work just because I don't want to buy sugar pills labeled as Viagra from unknown sources and am comfortable in my manhood enough to not need to try to change anything geometrically.

Re:Back when the Internet Mail Consortium was a th

[pdclarry]

The thing to do here is to fix the MLM software to use the correct additional headers, rather than rewriting the headers the DMARC policy feels are important; in addition, this would allow the DMARC policy to "whitelist" based on the attached headers, assuming everything else wasn't a black mark, and avoid the "greylisting" that would happen ordinarily with most SPAM filtering systems in "medium posture" rather than "low posture" (i.e. the ones that have the concept of "suspect email" as a middle ground).

I think you will find that most MLM software uses correct additional headers. At least listserv and mailman (for the lists that I manage) do. We've been playing nicely with ISPs for years on our lists, we create no spam (once we fixed the bounceback spam problem 3 years ago) and generally are among the more well-behaved email users around. The problem is that Yahoo's implementation of DMARC is not using the additional headers. All it looks at is From.

The cost of free services

No commercial entity interested in getting paid for service they provide would ever intentionally act in such an arrogantly unacceptable manner yet freebie services making money off ads and selling your data to the highest bidder have demonstrated they have little reservation when it comes to doing whatever they want without regard for their users. Close a service when you feel bored, change something you know will cause mass breakage.. never a way to contact a human or work a sales rep. Putting up with this shit is not free or in any way worth while.

Re:The cost of free services

[Gavagai80]

Right, for example Microsoft would never push unpopular changes on users of their expensive operating system.

This is just yahoo being yahoo, always hard at work finding new ways to shoot themselves in the foot.

Marissa Mayer's Yahoo Mail is worse than ever

I used to have one Yahoo email account that I used regularly but that I gradually gave up on over the last twenty-plus years. It was trouble with Yahoo's overly aggressive email filters made me shift to a combination of my own domain for personal mail and a gmail account for commercial email. Now the Yahoo mail account gets used for things only slightly more important than those I use mailinator for, and I am seriously considering abandoning it entirely.

But what is worse is that lately I have noticed that mail from my own domain (hosted on its own ip) to my wife's Yahoo mail address gets trapped in their system for days and is eventually, even though we typically exchange a half dozen or so emails a day; are in each others' address books, etc. I've checked my mail server logs and the mail headers thoroughly--the problem is on Yahoo's end.

My conclusions from this: Yahoo's mail-spam engineers are completely incompetent, and the change at the top hasn't fixed what is driving users away from the Yahoo. But more importantly email is seriously broken--and we engineers need to work on an alternative encrypted and authenticated version of mail to replace email as we know it.

applause!!

[rewindustry]

n/t

YAYSNAFU!

[Askmum]

Yet another Yahoo SNAFU. The seem very intent on killing their own company.

Re:YAYSNAFU!

[orgelspieler]

This is what I was thinking. Although, in this case, it doesn't appear to be Yahoo!'s fault. I miss (the real, pre-Yahoo!) Flickr. :-(

Re:Back when the Internet Mail Consortium was a th

[tlambert]

I think you will find that most MLM software uses correct additional headers. At least listserv and mailman (for the lists that I manage) do. We've been playing nicely with ISPs for years on our lists, we create no spam (once we fixed the bounceback spam problem 3 years ago) and generally are among the more well-behaved email users around. The problem is that Yahoo's implementation of DMARC is not using the additional headers. All it looks at is From.

Not a problem, if you leave the "From:" line the hell alone, and only add new headers, per RFC 5322, and RFC 2919, etc.. It can look at the From line all it wants, and as far as it's concerned, as long as the rest of the headers are unadulterated, your list server is an intermediate relay server in the SMTP routing path.

Personal IETF mailing list experience...

[JacobA.Munoz]

..leads me to have sympathy for Yahoo. Over a decade ago, I was partly in charge of maintaining the mailing lists at the IETF Secretariat - so I remember what volume of email they were working with in 2001, and I would never want to manage a mailing list that big again (certainly not in 2014). In hind-sight it wasn't so bad then, I recall about 47,800 messages in 4 days @ roughly 85% spam for the whole IETF mailing list, but that was in 2001. We had to implement anti-spam filters for lists of people with very strong opinions regarding censorship, and rightly so - but present yourself with the thought of handling filters for the "Anti-Spam Research Group" mailing list. ..bweheheh .. heh ..pwfff. useless. Spam quickly discovered it could spam more easily through the anti-spam email list. ..so many penis pills.

I believe it just isn't possible to fix the spam problem in email as it currently exists. All is not lost, because auxiliary communications (phonecalls, texting, Twitter, Dropbox, Facebook, Skype, etc) are better suited for specific types of communication and are self-partitioning. Email is often just as boring and disappointing as physical mail - mostly advertising junk. Because it is based on physical mail, we can't really complain - it's doing exactly what we designed it to do.

The digital world treats bots and brains the same. Captcha was useful for a little while, but seems to be meaningless these days. These days, if I have a form that's getting spammed I use interactive JavaScript operations (mostly option selections) to create the html form and omit a submit-typed button. That way it takes a real person looking at the page to figure out where the "send" action is.

Fundamentally, the problem with the current SMTP infrastructure is that it is based on Recipient-liability without any real Sender-liability. It is the recipient's responsibility to have some gargantuan "put junk here" box instead of a reasonably-small tray for other's to say: "I have something for you, encrypted with this secret key, find it on my server here __ .".

That would handle the storage penalty (the message is waiting in their outbox or application, sent to your inbox only when you choose to accept it). If the message is SO important, and you're REALLY who you say you are, then I can get back to you when I want to read/download your message - making the sender easier to authenticate. And both parties would know when the message has been received, or if the message has been read before the intended recipient chose to accept it.

..but it's been 10 years, and so far email hasn't totally collapsed. Time will tell.

Google Groups also

[pdclarry]

I just received a private communication from the moderator of a Google Group. He says that mail from Yahoo members is being blocked by Comcast and Yahoo. Now that it's Google's ox being gored perhaps something will be done about it.

we should drop yahoo groups

[dickens]

seriously drop all mail incoming and outgoing to/from yahoo groups. Put them out of business instantly.

Re:we should drop yahoo groups

[nmr_andrew]

Sounds simple, but for some of us dropping all mail to/from Yahoo groups isn't feasible. Of six mailing lists that I receive messages from semi-regularly for work related purposes, three of them are on Yahoo groups. All are specific to niche software packages and for two of the three at least represent THE primary source of "support" for those packages. Taking your suggestion wouldn't necessarily be career suicide, but could hurt me.

Having said that, I receive those mailing lists at my work address and not through my Yahoo email account, so the DMARC issue isn't likely to affect me too much. I could probably move my personal mail from the latter, but a) inertia and b) I find the newest incarnations of Gmail not enough better than the abomination the Yahoo mail has become to force the issue.