Peter Shute writes:

> It's now about 2 months since Yahoo introduced their DMARC reject
> policy. I'm taking this as a sign that it's unlikely that they'll
> ever reverse the decision

On the DMARC list at IETF, a senior Yahoo! sysadmin said that because the attack based on stolen address book data continues, Yahoo! management sees no option but to continue. Even reducing to "p=quarantine" is out of the question. The fact that Yahoo! Groups has started to work around DMARC authentication (by moving the author's address into the display name, a tactic explicitly deprecated by the DMARC consortium's own FAQ) suggests they're in it for the long haul.

> Or that any mailbox providers other than Yahoo and AOL have started
> doing it, or have indicated that they ever/never will?

Comcast made a point of saying in response to a question at a press conference that they have no intention of doing so. It's hardly trustworthy (the DMARC designers can't be happy about the bad press), but both one of the editors of the current draft and a senior IETF engineer whose name pops up all over the email-related RFCs have posted comments that Yahoo! has made no friends for itself.

However, according to a graph I saw that described the attack on AOL, spoofing of AOL addresses ballooned to about 5X the volume preceding the attack, and presumably all of the new spoof messages were targeted to acquaintances since the attackers are known to have obtained millions of AOL users' contact lists. Not only is that attack huge, one would suppose it's more effective than broadcast spam or phishing.

I would guess that any large provider that has a security breach like those at Yahoo! and AOL would be tempted to publish a "p=reject" policy, including Comcast. IANAL, but I have to wonder if they're not at substantial legal risk for contributory negligence (since apparently the addresses were stolen from the providers, although they're being coy about that) if they don't do something about this relatively effective form of abuse.
