On May 2, 2014, at 5:51 PM, Miles Fidelman <[email protected]> wrote:

> Larry Finch wrote:
>> On May 2, 2014, at 6:28 PM, Terry Zink <[email protected]> wrote:
>> 
>>> Given that large email providers like Yahoo and AOL do publish p=reject 
>>> records, how is the rest of the email community going to deal with mailing lists 
>>> and other legitimate cases that fail DMARC? It's not enough to say "Yahoo 
>>> and AOL shouldn't be doing it." That ship has sailed. The question now is 
>>> what can we do to improve user experience? Several answers have been 
>>> proposed:
>>> 
>>> 1. Do nothing and let domains that publish p=reject live with the 
>>> consequences
>>> 2. Don't permit domains with p=reject onto mailing lists
>>> 3. Mailing lists should reformat the message to prevent DMARC failures
>>> 4. Email receivers should be selective about how they enforce p=reject - 
>>> send it to Junk or even skip enforcing it from known good emailing lists
>>> 5. Extend DMARC so that it supports mailing lists
>>> 6. Something else?
>>> 
>>> These each have their pros and cons but it seems to me that working to 
>>> support p=reject with mailing lists is a net benefit to everyone.
>> 
>> I find 3 totally unacceptable. It is Yahoo (and AOL)’s problem. They have 
>> pushed the expense and time of solving the phishing problem THEY created off 
>> onto ME as a listserv site manager. Other ISPs (even free ones) do not have 
>> a phishing problem. I’ve never gotten a phishing email from a gmail account. 
>> So there ARE solutions to the problem that do not break 30,000 list servers 
>> (using Yahoo’s numbers - I believe it is much higher).
> 
> You may find 3 "totally unacceptable" - but as someone who supports a bunch 
> of email lists, with lots of subscribers from yahoo and aol accounts - that's 
> the ONLY option that actually "works" - where "works" is defined as 
> continuing to allow list members to communicate.

Actually, #6 works too. Stop breaking DKIM signatures as the messages transit 
your list and you are now 100% DMARC compatible. In May of 2013 I did this on 
my email lists:

        cd path/to/ezmlm/list; rm prefix  text/trailer addtrailer

Seriously. It was that easy to make all my email lists DMARC compatible. 

This is where hyperbole like saying that DMARC breaks "every mailing list in 
the world" does real harm to real people. Many list owners are unaware that 
making a couple config changes to their email lists could completely solve 
their problem.

Options 1-5 are necessary for mailing lists that *insist* on breaking the DKIM 
signature of the author's domain by altering the message. Yahoo and thousands 
of other domains go through the trouble to DKIM sign their messages to validate 
their authenticity. If you're going to alter the message and invalidate the 
signature, then you shouldn't be too surprised about being expected to take 
ownership of it by rewriting the From address.

> By the way, I, like many, am really ticked off at Yahoo

I leapt for joy when Yahoo published p=reject.  Yahoo and AOL have validated a 
minority position in the DMARC community who have always felt that DMARC 
p=reject is useful and sometimes appropriate for domains with human users.

> - but bit the bullet and changed patched our configuration (thanks to a very 
> nice patch generated by a sysadmin at the Univ. of Auckland). For reference, 
> it took a lot less time to actually apply the patch, make a few edits, and do 
> some configuration changes; than it took to respond to all the WTF messages 
> from folks on our various lists; and I've probably wasted far more time 
> griping about things on this, and other email lists, than it took to resolve 
> the problem.

And that's why I feel Yahoo made the right choice.

> Mind you, if you happen to know a good lawyer, I'm really tempted to bring a 
> civil action against Yahoo, AOL, et al. for "knowingly caus[ing] the 
> transmission of a program, information code, or command, and as a result of 
> such conduct, intentionally causes damages without authorization to a 
> protected computer" - the Computer Fraud and Abuse Act 

Perhaps before hiring that lawyer, you should consider whose "protected 
computer" Yahoo damaged. You might also review how the DNSBL lawsuits played 
out when spammers sued DNSBL operators. Hint: it didn't work out so well for 
the spammers because the DNSBL operators just publish lists. It's other private 
mail servers that subscribe to the lists and block the spammers' messages. DMARC 
is not that dissimilar in that Yahoo publishes a DMARC policy in DNS and it's 
other DMARC validating mail servers that choose to apply it and reject the mail.

Matt
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
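
An added illustration of the point made in the message above, not part of the original email and not the poster's code: a subject prefix and a body trailer (what ezmlm's `prefix` and `text/trailer` files configure) change the data a DKIM verifier hashes, while a list that passes the message through leaves it intact. It assumes relaxed/relaxed canonicalization (RFC 6376), SHA-256, no `l=` tag, and an `h=` tag covering only From and Subject; the messages and addresses are constructed.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab, then drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 a verifier compares with the signature's bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)          # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.lower()}:{value}\r\n"


def dkim_breaks(signed: dict, relayed: dict, h=("from", "subject")) -> list:
    """List the signed parts whose canonical form the list changed.

    h is an assumed h= tag; real signatures usually sign more headers.
    """
    broken = [n for n in h
              if relaxed_header(n, signed["headers"][n])
              != relaxed_header(n, relayed["headers"][n])]
    if body_hash(signed["body"]) != body_hash(relayed["body"]):
        broken.append("body")
    return broken


# Constructed sample messages (not from the thread).
AUTHOR = {"headers": {"from": "Alice <alice@author.example>", "subject": "Lunch?"},
          "body": b"See you at noon.\r\n"}
MODIFIED = {"headers": {"from": AUTHOR["headers"]["from"], "subject": "[list] Lunch?"},
            "body": AUTHOR["body"] + b"-- \r\nTo unsubscribe, mail list-unsubscribe@list.example\r\n"}
PASSTHROUGH = {"headers": dict(AUTHOR["headers"], **{"list-id": "<list.list.example>"}),
               "body": b"See you  at noon. \r\n\r\n"}

if __name__ == "__main__":
    print("prefix + trailer:", dkim_breaks(AUTHOR, MODIFIED))
    print("pass-through:    ", dkim_breaks(AUTHOR, PASSTHROUGH))
```

The pass-through case adds an unsigned List-Id header and only whitespace differences in the body, which relaxed canonicalization absorbs, so the author's signature still verifies and DMARC can pass on DKIM alignment.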
