On 04/09/2014 07:46 AM, John Levine wrote:

> I understand that Yahoo has awful abuse problems, although I would guess that Google's are in the same ballpark. But Yahoo is a business, not a charity, and its problems are its problems to solve, not to demand that the rest of the world solve.

And indeed, it is solving them. Yahoo! is not demanding, nor even asking, that you do anything. Yahoo! has simply changed the terms under which its domain names can be used; you are free to continue to use them under the new terms, or cease doing so (or even continue doing so and incur some consequences), as you wish.

This is analogous to the realisation a little over a decade ago that putting an email message onto a receiver's server was a privilege extended by that receiver, not a right of a sender. It took a while (and even some lawsuits) for that view to be established, but eventually it was. An extension of this has already been mentioned: that receivers elected to refuse messages from open relays because of the heavy abuse of the latter. A comparable change, not yet mentioned on this thread, was the DUL and similar services which were used by receivers not merely to block known sources of abuse, but entire ranges of address space which would be particularly easy to abuse but which weren't necessarily being abused yet. I still recall vividly the discovery that I would be unable to email a bunch of people from the mail-server on the workstation in my apartment in 2000 (that discovery was made midway through an affected discussion...), that I would instead have to place a server somewhere other than an access circuit and send from there. It was frustrating, but a largely inescapable concomitant of receivers dealing with rising levels of abuse.

We're now in an analogous position with respect to the use of email addresses in From: headers. The rising abuse of this by criminals has put Domain Owners in the position of wishing the use of their domains in From: headers to be an act over which they have some control. Receivers responsible for most of the world's mailboxes have already seen the benefit and implemented their part of this. If you want to reliably send an email displaying a participating Domain Owner's domain in a From: header, then you can only do so if you're forwarding a [largely] unaltered message; you can't independently construct new messages, and you can't make, while forwarding, changes that have been customary for MLMs for decades. This is uncomfortable and it requires that we acknowledge a new class of "asset", but it's real and criminals are continuing to drive the incentives for this up.

You have presented Yahoo!'s act as though it were inappropriately moving a cost to you. In fact all that it's doing is coping with abuse, just as we've all done one way or another for more than a decade.

> They could, for example, have built whitelists of sources of legitimate mail that DMARC doesn't handle, or more likely paid someone like Return Path to do it.

True, but it happens that this did not happen. That the convenience of MLMs hasn't been maximally pursued isn't a strong critique though.

> so that Yahoo's users can continue to use services that make their Yahoo accounts valuable to them

This is your assessment, but clearly not Yahoo!'s. They'll act on their assessment, naturally.

- Roland

--
  Roland Turner | Director, Labs
  TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
  Mobile: +65 96700022 | Skype: roland.turner
  [email protected] | http://www.trustsphere.com/

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
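
The effect described in the message above, that a From: domain under DMARC survives unaltered forwarding but not customary mailing-list changes, as an added example that is not part of the original message. It is a simplified model: the `.example` domains, the message and the function names are constructed, DKIM is reduced to its body-hash comparison, and alignment ignores the Public Suffix List.

```python
import base64
import hashlib

def body_hash(body: str) -> str:
    """DKIM bh= value: 'simple' body canonicalization (RFC 6376) + SHA-256."""
    data = body.replace("\r\n", "\n").replace("\n", "\r\n").encode()
    while data.endswith(b"\r\n\r\n"):   # ignore empty lines at end of body
        data = data[:-2]
    if not data.endswith(b"\r\n"):
        data += b"\r\n"
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def aligned(a: str, b: str) -> bool:
    # Simplification: exact or parent/child match. Real relaxed alignment
    # compares organizational domains derived from the Public Suffix List.
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dmarc_result(msg: dict) -> str:
    # Assumption: the DKIM header signature itself verifies; only the body
    # hash comparison is modelled here (no key lookup, no crypto).
    dkim = body_hash(msg["body"]) == msg["dkim_bh"] and aligned(msg["dkim_d"], msg["from_domain"])
    spf = msg["spf_pass"] and aligned(msg["mail_from"], msg["from_domain"])
    return "pass" if dkim or spf else "fail"

# Constructed sample message; all domains are placeholders.
BODY = "Hello list,\r\nsee you Thursday.\r\n"
ORIGINAL = {"from_domain": "sender.example", "mail_from": "sender.example",
            "spf_pass": True, "dkim_d": "sender.example",
            "dkim_bh": body_hash(BODY), "body": BODY}

def forward_unaltered(msg: dict) -> dict:
    # Plain forwarder: content untouched, but its IP is not in the sender's SPF record.
    return {**msg, "spf_pass": False}

def relay_via_list(msg: dict) -> dict:
    # MLM: own bounce address (SPF passes, for the list's domain) and a footer.
    footer = "-- \r\nexample-list mailing list\r\n"
    return {**msg, "mail_from": "lists.example", "spf_pass": True, "body": msg["body"] + footer}

if __name__ == "__main__":
    for name, m in [("direct", ORIGINAL), ("forwarded", forward_unaltered(ORIGINAL)),
                    ("via list", relay_via_list(ORIGINAL))]:
        print(f"{name:10} DMARC {dmarc_result(m)}")
```

The list copy fails both ways: SPF passes only for the list's own domain, which does not align with the From: domain, and the appended footer changes the body hash the original signature covers.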