Mark Rousell writes:

 > It seems to me that if a protocol so easily allows (or even
 > effectively encourages) usage that craps on existing legitimate
 > Internet usage then the protocol (and its designers) must be in
 > part to blame.

I don't see any real difference between ESP abuse of "p=reject" and spam itself, though. They both use others' resources to accomplish one's own purposes while harming 3rd parties. As you may know, well-meaning people have long argued "freedom of speech" as a moral justification for spam and Usenet bots and so on. Well, well-meaning people are arguing "spam-fighting" as a moral justification for ESP (ab)use of "p=reject" now.

"To a yahoo with a hammer, every problem looks like a thumb." (With all due disrespect to jwz)

 > Oh yes, the protocol has been well designed but it has been well
 > designed by its backers who were naturally looking at it *from a
 > certain perspective*. The protocol has been well designed to
 > achieve certain aims and it is likely to be successful at achieving
 > them (including via Yahoo's and AOL's particular implementation,
 > inappropriate though it is).

Actually, that's apparently false. John L linked to or posted a graph provided by AOL which makes it quite clear that *except for one particular spammer* DMARC p=reject had *no* effect on spam claiming to originate from AOL. It just returned to pre-off-the-charts spamming level.

It *does* seem to be successful at reducing phishing, for now. Whether it's reducing damage due to phishing, or just weeding out the less sophisticated felons, I don't know, and I don't think anybody does.

 > If a perhaps wider range of perspectives had been involved, i.e. if
 > it had been developed through IETF, then perhaps misuse/abuse of
 > the sort that Yahoo and AOL have demonstrated would have been less
 > easy or less tempting for them.

Maybe, but I don't really see that. As John L points out, at present DMARC is a private protocol between "consenting adults", and even if the IETF publishes a competing standards track RFC, Yahoo! and AOL can continue to (ab)use it.

 > > Yahoo! and AOL simply don't care who
 > > gets hurt as long as they can present it to their own users as a
 > > necessary measure to combat spam (and other mail abuse).
 >
 > Exactly. But they have gone ahead and done it, and they have gone
 > ahead and done it because they can

IMO, we could put a period here, because I don't see this:

 > and because the protocol as it stands almost encourages (and
 > certainly does not discourage) such behaviour.

Well, it's quite clear from the document that DMARC is intended to protect domain names from being used in phishing attacks. AOL and Yahoo! did not (and AFAICS cannot) suffer from severe phishing problems. They explicitly refer to their spam problem (which continues) as justification. There is nothing that the document authors can do to stop that (except maybe resign in protest if they work for such a domain :-).

The fact is that "p=reject" has been in use at many domains for a long time with no problem. The DMARC consortium is surely aware of the bad effect it would have on reliable delivery to conventionally configured mailing lists; we've told them often enough, and I doubt we're the only ones. Yahoo!'s and AOL's use of p=reject was an act of desperation AFAICS; even a MUST NOT in an RFC would not have stopped them.

 > If it is true that the designers never foresaw Yahoo's and AOL's
 > style of misuse

No, what Murray wrote was that it was understood in the working group that ESP (ab)use of "p=reject" was inappropriate, and I understood that he believed that AOL and Yahoo! were part of that consensus. He went on to say later that he didn't have any insight as to why they went ahead and did it.

 > then this seems to me to confirm my point: That a wider range of
 > perspectives, which the IETF would hopefully have brought to it,
 > might have helped make possible misuses/abuses clear.

We have known for a long time that use by ESPs like GMail (which hasn't yet), Hotmail (which hasn't yet), Yahoo!, and AOL would cause lots of problems for their users, and given the stubborn response of Mailman list operators on this list and mailman-developers, they surely were well aware that very few lists would be prepared. So they went and DoS'ed their own users! (Of course they also clearly planned to blame, not the victims, but any innocent bystanders. Still, they should have known that their users would get DoS'ed, and they did it anyway.)

What wasn't known (to me, anyway) was the nasty effect that this would have on bounce processing. AFAIK, nobody anticipated that. I don't see how broader participation would have helped -- the ranking expert (Mark, take a bow!) on bounce processing has been aware of DMARC for a long time. I doubt that Yahoo! and AOL have the technical abilities to figure it out for themselves (they don't know how Mailman bounce processing works). So I don't think a more IETF-based process would have changed their logic.

It would be nice if the current process could get some discouraging language into the document, but we'll see how that works over the next few weeks/months.

Steve

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
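The message above argues, in prose, that a "p=reject" policy on an ESP's domain causes a conventionally configured list's relayed copies to be rejected, and that those rejections come back to the list as bounces charged against the *recipients*. The following is an added example, written by the editor and not part of the thread or of Mailman: a small model of the DMARC evaluation a receiving MTA performs (record parsing, relaxed identifier alignment, policy lookup) run over three constructed messages: a direct post, the same post relayed by a list, and the relayed post with the From: header rewritten to the list's own domain, the common list-side mitigation. The domains, DMARC records and subscriber addresses are constructed stand-ins for DNS and for a subscriber roster; the organizational-domain rule is simplified to the last two labels and "pct" is ignored.

```python
"""Model of DMARC evaluation for list-relayed mail (added example, not
code from the thread or from Mailman). DNS is replaced by a dict of
constructed TXT records; nothing here is real data."""

# Constructed stand-in for TXT lookups of _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.yahoo.example": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@yahoo.example",
    "_dmarc.lists.example": "v=DMARC1; p=none",
    # other.example publishes no DMARC record at all.
}


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not one.

    RFC 7489 requires 'v=DMARC1' as the first tag and a 'p=' tag."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1" or "p" not in tags:
        return None
    if tags["p"].lower() not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption;
    real implementations consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: strict ('s') means identical domains,
    relaxed ('r') means the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(msg):
    """Evaluate DMARC as a receiving MTA would.

    msg keys (constructed): 'from_domain' (RFC5322.From domain), 'dkim_pass'
    (d= domains whose signatures verified), 'spf_pass' (MAIL FROM domain
    that passed SPF, or None). Returns 'none' (no record published),
    'pass', or the published policy ('none', 'quarantine', 'reject')."""
    txt = DNS_TXT.get("_dmarc." + msg["from_domain"].lower())
    record = parse_dmarc_record(txt) if txt else None
    if record is None:
        return "none"
    if any(aligned(msg["from_domain"], d, record.get("adkim", "r")) for d in msg["dkim_pass"]):
        return "pass"
    if aligned(msg["from_domain"], msg["spf_pass"], record.get("aspf", "r")):
        return "pass"
    return record["p"].lower()


def bounce_scored_subscribers(msg, subscribers, enforcing_domains):
    """Subscribers who get a bounce charged against them when the list relays msg.

    A receiver that honours DMARC rejects the relayed copy; the rejection goes
    to the list's envelope sender, so the list's bounce processor scores it
    against the recipient, not the author of the post."""
    if dmarc_disposition(msg) != "reject":
        return []
    return [s for s in subscribers if s.rpartition("@")[2] in enforcing_domains]


# Constructed scenarios. A subscriber at yahoo.example posts to a list at
# lists.example; the list adds a subject tag and footer (breaking the author's
# DKIM signature) and resends from its own MTA.
DIRECT = {"from_domain": "yahoo.example", "dkim_pass": ["yahoo.example"], "spf_pass": "yahoo.example"}
RELAYED = {"from_domain": "yahoo.example", "dkim_pass": ["lists.example"], "spf_pass": "lists.example"}
# Mitigation: the list rewrites From: to its own domain (author kept in Reply-To).
REWRITTEN = {"from_domain": "lists.example", "dkim_pass": ["lists.example"], "spf_pass": "lists.example"}

SUBSCRIBERS = ["alice@yahoo.example", "bob@other.example", "carol@lists.example"]
ENFORCING = {"yahoo.example", "other.example"}  # receivers that act on p=reject

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("relayed", RELAYED), ("rewritten", REWRITTEN)):
        print(f"{name:10s} disposition={dmarc_disposition(msg)} "
              f"bounce-scored={bounce_scored_subscribers(msg, SUBSCRIBERS, ENFORCING)}")
```

The relayed copy fails because neither authenticated identifier (the list's DKIM signature or its SPF-passing MAIL FROM) aligns with the yahoo.example From: domain, so the published "reject" applies everywhere DMARC is honoured, and the resulting bounces land on alice and bob, who did nothing but subscribe. Rewriting From: to the list's own domain restores alignment, which is why it became the standard list-side workaround.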