Larry Finch wrote:
> On May 2, 2014, at 6:28 PM, Terry Zink <[email protected]> wrote:
>> Given that large email providers like Yahoo and AOL do publish p=reject records, how is
>> the rest of the email community going to deal with mailing lists and other legitimate cases
>> that fail DMARC? It's not enough to say "Yahoo and AOL shouldn't be doing it."
>> That ship has sailed. The question now is what can we do to improve user experience?
>>
>> Several answers have been proposed:
>> 1. Do nothing and let domains that publish p=reject live with the consequences
>> 2. Don't permit domains with p=reject onto mailing lists
>> 3. Mailing lists should reformat the message to prevent DMARC failures
>> 4. Email receivers should be selective about how they enforce p=reject - send
>> it to Junk or even skip enforcing it from known good emailing lists
>> 5. Extend DMARC so that it supports mailing lists
>> 6. Something else?
>>
>> These each have their pros and cons but it seems to me that working to support
>> p=reject with mailing lists is a net benefit to everyone.
>
> I find 3 totally unacceptable. It is Yahoo (and AOL)’s problem. They have
> pushed the expense and time of solving the phishing problem THEY created off
> onto ME as a listserv site manager. Other ISPs (even free ones) do not have a
> phishing problem. I’ve never gotten a phishing email from a gmail account. So
> there ARE solutions to the problem that do not break 30,000 list servers (using
> Yahoo’s numbers - I believe it is much higher).

You may find 3 "totally unacceptable" - but as someone who supports a
bunch of email lists, with lots of subscribers from yahoo and aol
accounts - that's the ONLY option that actually "works" - where "works"
is defined as continuing to allow list members to communicate.

It's NOT Yahoo and AOL's problem - they've pushed it onto their
subscribers (to find other email accounts), list managers (whose role is
to keep the mails flowing), and on list software developers, who
ultimately have to update software so that the mail keeps flowing.

> The cost is not inconsiderable. We have a stable listserv license, but have
> dropped maintenance. L-Soft HAS a fix of sorts, munging the FROM field, but it
> is only available for those on maintenance and those who upgrade to the current
> version. We operate a co-op server supporting not-for-profit organizations. Our
> annual operating budget is under $1,000. To upgrade to the latest version of
> listserv would cost us $10,000.

Not for nothing, but if your operating budget is under $1000, you should
be using one of the several, very good, FOSS mailing list managers.
Personally, I recommend Sympa.

> The alternative is to switch to mailman. Once it has a viable solution (there
> are a few proposed solutions, none perfect, and none out of beta). This would
> require weeks of work by our volunteer staff to migrate and test all of our
> lists. Yahoo isn’t going to pay our costs to upgrade listserv, and isn’t going
> to pay for our volunteer’s time.

By the way, I, like many, am really ticked off at Yahoo - but bit the
bullet and patched our configuration (thanks to a very nice
patch generated by a sysadmin at the Univ. of Auckland).

For reference, it took a lot less time to actually apply the patch, make
a few edits, and do some configuration changes; than it took to respond
to all the WTF messages from folks on our various lists; and I've
probably wasted far more time griping about things on this, and other
email lists, than it took to resolve the problem.

Do I like having to mung From addresses? Do I think it's a good model?
Hell no. But somehow I don't see Yahoo and AOL doing the right thing here.

Mind you, if you happen to know a good lawyer, I'm really tempted to bring
a civil action against Yahoo, AOL, et al. for "knowingly caus[ing] the
transmission of a program, information code, or command, and as a result
of such conduct, intentionally causes damages without authorization to a
protected computer" - the Computer Fraud and Abuse Act allows for civil
action by "[a]ny person who suffers damage or loss by reason of a
violation of this section may maintain a civil action against the
violator to obtain compensatory damages and injunction relief."

Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
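
An added illustration of option 3 in the thread above, the "munging the FROM field" approach: a sketch of a list server rewriting From only for authors whose domain publishes p=reject. This is not code from any poster, from L-Soft or Mailman, or from the Auckland patch; the domains, the list address, the "via" display-name form, and the names `SAMPLE_DMARC`, `dmarc_policy` and `munge_for_list` are assumptions made for the example.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed DMARC TXT records, standing in for a DNS lookup at _dmarc.<domain>.
SAMPLE_DMARC = {
    "yahoo.example": "v=DMARC1; p=reject; pct=100; rua=mailto:reports@yahoo.example",
    "smallisp.example": "v=DMARC1; p=none",
}

# Constructed message as it arrives at the list server.
SAMPLE = (
    "From: Alice Example <alice@yahoo.example>\n"
    "To: members@lists.example\n"
    "Subject: meeting notes\n"
    "\n"
    "See you Tuesday.\n"
)

def dmarc_policy(record):
    """Return the p= value of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def munge_for_list(raw, list_name, list_addr, records=SAMPLE_DMARC):
    """Rewrite From when the author's domain publishes p=reject."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    if dmarc_policy(records.get(domain, "")) == "reject":
        # From now carries the list's domain, so receivers evaluate DMARC
        # against the list server instead of the author's provider.
        del msg["From"]
        msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
        # Keep the author reachable for direct replies.
        if "Reply-To" not in msg:
            msg["Reply-To"] = formataddr((name, addr))
    return msg

if __name__ == "__main__":
    print(munge_for_list(SAMPLE, "Members", "members@lists.example"))
```

Authors at domains without p=reject pass through with their original From, which limits the header rewriting to the cases that would otherwise be rejected.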