Re: DMARC - CERT?
* Christopher Morrow: I sort of wonder if this is really just yahoo trying to use a stick to motivate people to do the right thing? But what is the right thing here? Do we really want that *all* mailing lists must not provider reply to sender option to all their users? Will this list make the change? Probably not.
Re: DMARC - CERT?
On Wed 16 Apr 2014 09:40:11 PM PDT, Jim Popovitch wrote: On Thu, Apr 17, 2014 at 12:19 AM, Private Sender nob...@snovc.com wrote: On 04/14/2014 03:47 PM, Jim Popovitch wrote: On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch jim...@gmail.com wrote: 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline. The change was made on the previous Friday, so that date is largely irrelevant. 7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications) Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make... If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low. I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope. -Jim P. I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yahoo doesn't want you to be able to send @yahoo.com email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely dmarc. p=reject tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the dkim txt record for yahoo.com Isn't this the whole point of dmarc? Stop spammers from sending email with @yahoo.com that doesn't originate from a valid yahoo email server. Yes, but @yahoo.com is a bad example because it delivers user originated content. Yahoo's implementation of dmarc is working as intended. Are you also speaking for all yahoo uses when you declare that they should no longer be able to participate on mailinglists? Stealing someones password, and logging into their yahoo mail account and spamming isn't going to matter to dmarc. The mail originated from yahoo, and it was an authenticated user; the mail will be signed with the DKIM key, it will be accepted by the receiving domain (unless the email address is blacklisted by the receiving domain). But, but, but Yahoo implemented DMARC to supposedly stop Spam...(which ironically others have shown that a lot of spam originates from Yahoo servers, but I digress) There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through. LOL QoS, really? QoS to me, a yahoo account holder, would be less inbound spam. -Jim P. Well yeah inbound spam filtering would be nice. But they have refused to do anything about if for a better part of a decade. Sadly, they can't control mail originating from other domains (other than mail stating it's from yahoo). Is it possible yahoo doesn't understand how dmarc works? -- -- Bret Taylor
Re: DMARC - CERT?
On 04/16/2014 09:19 PM, Private Sender wrote: I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yahoo doesn't want you to be able to send @yahoo.com email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely dmarc. p=reject tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the dkim txt record for yahoo.com Isn't this the whole point of dmarc? Stop spammers from sending email with @yahoo.com that doesn't originate from a valid yahoo email server. There fundamental misunderstanding is the assumption that DKIM signatures are never broken for valid uses of mail. They are. Would things be so simple. Mike
Re: DMARC - CERT?
On Wed, 16 Apr 2014 21:19:18 -0700, Private Sender said: I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yes, apparently mostly on the part of Yahoo apologists... There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through. Is it me, or has every single Yahoo apologist in this thread insisted on this same misrepresentation of the situation? pgpYdEh0dGLC1.pgp Description: PGP signature
Re: DMARC - CERT?
On 04/17/2014 08:34 AM, valdis.kletni...@vt.edu wrote: On Wed, 16 Apr 2014 21:19:18 -0700, Private Sender said: I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yes, apparently mostly on the part of Yahoo apologists... There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through. Is it me, or has every single Yahoo apologist in this thread insisted on this same misrepresentation of the situation? I'm rather interested to hear from the dmarc folks, one author of whom both works for y! and i've seen post to this list. I find this all rather incomprehensible; I wonder what Mark Delaney thinks about this. Mike
Re: DMARC - CERT?
Michael Thomas wrote: On 04/17/2014 08:34 AM, valdis.kletni...@vt.edu wrote: On Wed, 16 Apr 2014 21:19:18 -0700, Private Sender said: I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yes, apparently mostly on the part of Yahoo apologists... There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through. Is it me, or has every single Yahoo apologist in this thread insisted on this same misrepresentation of the situation? I'm rather interested to hear from the dmarc folks, one author of whom both works for y! and i've seen post to this list. I find this all rather incomprehensible; I wonder what Mark Delaney thinks about this. Of course, they shouldn't send it from a @yahoo.com email address. -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
On 04/14/2014 03:47 PM, Jim Popovitch wrote: On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch jim...@gmail.com wrote: 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline. The change was made on the previous Friday, so that date is largely irrelevant. 7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications) Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make... If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low. I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope. -Jim P. I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yahoo doesn't want you to be able to send @yahoo.com email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely dmarc. p=reject tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the dkim txt record for yahoo.com Isn't this the whole point of dmarc? Stop spammers from sending email with @yahoo.com that doesn't originate from a valid yahoo email server. Yahoo's implementation of dmarc is working as intended. Stealing someones password, and logging into their yahoo mail account and spamming isn't going to matter to dmarc. The mail originated from yahoo, and it was an authenticated user; the mail will be signed with the DKIM key, it will be accepted by the receiving domain (unless the email address is blacklisted by the receiving domain). There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through. Cheers
Re: DMARC - CERT?
On 4/16/2014 11:19 PM, Private Sender nobody snovc com wrote: Does that raise any alarms? -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: DMARC - CERT?
On Thu, Apr 17, 2014 at 12:29 AM, Larry Sheldon larryshel...@cox.netwrote: On 4/16/2014 11:19 PM, Private Sender nobody snovc com wrote: Does that raise any alarms? Of course it does. http://whois.domaintools.com/snovc.com computerguy0...@yahoo.com Bret Taylor -Jim P.
Re: DMARC - CERT?
On Thu, Apr 17, 2014 at 12:19 AM, Private Sender nob...@snovc.com wrote: On 04/14/2014 03:47 PM, Jim Popovitch wrote: On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch jim...@gmail.com wrote: 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline. The change was made on the previous Friday, so that date is largely irrelevant. 7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications) Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make... If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low. I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope. -Jim P. I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yahoo doesn't want you to be able to send @yahoo.com email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely dmarc. p=reject tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the dkim txt record for yahoo.com Isn't this the whole point of dmarc? Stop spammers from sending email with @yahoo.com that doesn't originate from a valid yahoo email server. Yes, but @yahoo.com is a bad example because it delivers user originated content. Yahoo's implementation of dmarc is working as intended. Are you also speaking for all yahoo uses when you declare that they should no longer be able to participate on mailinglists? Stealing someones password, and logging into their yahoo mail account and spamming isn't going to matter to dmarc. The mail originated from yahoo, and it was an authenticated user; the mail will be signed with the DKIM key, it will be accepted by the receiving domain (unless the email address is blacklisted by the receiving domain). But, but, but Yahoo implemented DMARC to supposedly stop Spam...(which ironically others have shown that a lot of spam originates from Yahoo servers, but I digress) There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through. LOL QoS, really? QoS to me, a yahoo account holder, would be less inbound spam. -Jim P.
DMARC - CERT?
Just a thought. I keep thinking that Yahoo's publishing of their p=reject policy, and the subsequent massive denial of service to lost of list traffic might be viewed as a computer security incident. Anybody think that reporting via CERT channels might be an appropriate response? (I do, and probably will - but curious what others think.) Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers these messages spam. If you really want to get your mailing list messages through, then you need to evade their filters just like every other spammer has to. -Laszlo On Apr 14, 2014, at 4:32 PM, Miles Fidelman mfidel...@meetinghouse.net wrote: Well... how about this, from Yahoo's own posting: We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement. To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscriber to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
On Mon, 14 Apr 2014 16:56:46 -, Laszlo Hanyecz said: If you really want to get your mailing list messages through, The problem isn't the rest of us trying to mail to Yahoo. The problem is when Yahoo users post to lists that use DMARC, and the result is the yahoo user's mail getting bounced or dumped on the postmaster. pgpb7noPKGPZd.pgp Description: PGP signature
Re: DMARC - CERT?
Isn't it the other way around? They don't want their users to be able to send to mailing lists. They receive traffic from the lists just fine. Their policy considers only effects mail originating from their users. Yahoo subscribers can receive messages form nanog just fine, but they can't send to it. Miles Laszlo Hanyecz wrote: I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers these messages spam. If you really want to get your mailing list messages through, then you need to evade their filters just like every other spammer has to. -Laszlo On Apr 14, 2014, at 4:32 PM, Miles Fidelman mfidel...@meetinghouse.net wrote: Well... how about this, from Yahoo's own posting: We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement. To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscriber to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible. -Laszlo On Apr 14, 2014, at 5:05 PM, Miles Fidelman mfidel...@meetinghouse.net wrote: Isn't it the other way around? They don't want their users to be able to send to mailing lists. They receive traffic from the lists just fine. Their policy considers only effects mail originating from their users. Yahoo subscribers can receive messages form nanog just fine, but they can't send to it. Miles Laszlo Hanyecz wrote: I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers these messages spam. If you really want to get your mailing list messages through, then you need to evade their filters just like every other spammer has to. -Laszlo On Apr 14, 2014, at 4:32 PM, Miles Fidelman mfidel...@meetinghouse.net wrote: Well... how about this, from Yahoo's own posting: We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement. To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscriber to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 1:03 PM, valdis.kletni...@vt.edu wrote: The problem is when Yahoo users post to lists that use DMARC, and the result is the yahoo user's mail getting bounced or dumped on the postmaster. Basically, this is just like old ORBS. If you were an ISP, you had to check your local users' IP addresses smarthosting through your mail server against ORBS or your mail server would inevitably be listed. Now, as then, the solution is: if the domain has a DMARC listing, mail addresses using it aren't permitted to post to the list. As I tried to say before but was probably too subtle -- just flunk validation for all DMARC-using messages, across the board without exception, and then act on that failure as the DMARC DNS records indicate that the sender wants you to. Especially the ones to abuse@ and your other POCs. That'll clean up the use of DMARC right quick. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz las...@heliacal.net wrote: By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible. I sort of wonder if this is really just yahoo trying to use a stick to motivate people to do the right thing? It seems like everyone's been trying for a while to 'make email better'... and that perhaps DMARC will make it somewhat better, and if setup properly this is a non-issue... after much faffing: Welp, how about we whack the mail-lists (and others) with a stick and get movement int he right direction? not sure this is all bad... and i think the fix is pretty straightforward for list folk, right? so all the faffing on this list and others took longer to do than the fix-action? -chris
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 10:25 AM, Laszlo Hanyecz las...@heliacal.netwrote: By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible. -Laszlo So, I take it you prefer a world in which there's no sender validation, and receiving floods of spoofed sender email spam is just part of the price of being on the internet? I'm finding myself vaguely annoyed that for so long people have complained that big mail providers need to clean up their act; and now, when one of them decides to respond to the complaints and start taking action to try to clean things up, the response seems to be wait, we were happy just bitching and moaning--we didn't want you to actually *change* anything! Matt
Re: DMARC - CERT?
Christopher Morrow wrote: On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz las...@heliacal.net wrote: By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible. I sort of wonder if this is really just yahoo trying to use a stick to motivate people to do the right thing? It seems like everyone's been trying for a while to 'make email better'... and that perhaps DMARC will make it somewhat better, and if setup properly this is a non-issue... after much faffing: Welp, how about we whack the mail-lists (and others) with a stick and get movement int he right direction? not sure this is all bad... and i think the fix is pretty straightforward for list folk, right? so all the faffing on this list and others took longer to do than the fix-action? Well, if you consider writing software patches to complicated software simple. And it would certainly help if the guidance on what to do is clearer - last week, dmarc.org's FAQ listed, as among the options for list operators: Add an Original Authentication Results http://tools.ietf.org/html/draft-kucherawy-original-authres-00 (OAR) header to indicate that the list operator has performed authentication checks on the submitted message and share the results. -- which would be transparent to list subscribers but, as of a couple of days ago, that's qualified by: *This is not a short term solution.* Assumes a mechanism to establish trust between the list operator and the receiver. No such mechanism is known to be in use for this purpose at this time. Without such a mechanism, bad actors could simply add faked OAR headers to their messages to circumvent such measures. OAR was only described as a draft document, which expired in 2012. No receivers implementing DMARC are currently known to make use of OAR from external sources. So the low-impact (to end users) fix is now not recommended, and all the other available fixes require changes that degrade long-accepted functionality of mailing lists (e.g., the ability to reply to the author of a message). Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 1:33 PM, Matthew Petach mpet...@netflight.com wrote: So, I take it you prefer a world in which there's no sender validation, and receiving floods of spoofed sender email spam is just part of the price of being on the internet? That is clearly not what this issue is about. I'm finding myself vaguely annoyed that for so long people have complained that big mail providers need to clean up their act; and now, when one of them decides to respond to the complaints and start taking action to try to clean things up, the response seems to be wait, we were happy just bitching and moaning--we didn't want you to actually *change* anything! What yahoo didn't do was first tell their users to unsubscribe from all mailinglists. DMARC hasn't cut down on yahoo spam so far. Yahoo's spam problem was (is?) centered on account hijacks. -Jim P.
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 11:24 AM, Jim Popovitch jim...@gmail.com wrote: DMARC hasn't cut down on yahoo spam so far. Yahoo's spam problem was (is?) centered on account hijacks. I just checked my spam folder for the past month. Out of about 80 messages from Yahoo, I can see about 3 that went via Yahoo's mail servers. ie, 90% were/would have been blocked using DMARC. Of course, I'm sure the spammers will simply start changing yahoo.com to somethingelse.com once they realize - but from Yahoo's perspective, that's obviously a positive. Whilst I don't agree with the way that Yahoo has done this (particularly around communication), I think the end result is only going to be positive. At a high level it's no different than when people started rejecting mail from hosts without PTR records, or when ISPs started blocking outbound port 25 - they both caused things to break, and both caused people to have to take action to fix the brokenness, but in the long run they were both hugely positive. Scott
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: Whilst I don't agree with the way that Yahoo has done this (particularly around communication), how could they have communicated this better? how can we all learn from this? -chris
Re: DMARC - CERT?
On 04/14/2014 01:20 PM, Christopher Morrow wrote: On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: Whilst I don't agree with the way that Yahoo has done this (particularly around communication), how could they have communicated this better? how can we all learn from this? The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution. Everyone involved in DMARC has known from day 1 that it will break mailing lists. There has been an enormous amount of whinging about this. (If you think NANOG is bad, you should see the IETF lists.) But if Yahoo! had stood up and said, We know that this mailing lists are a problem, but we think that the value of DMARC outweighs this because and then actually set a data, maybe some of the whinging could have turned into actual productive work on fixing the problem. Doug
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: Whilst I don't agree with the way that Yahoo has done this (particularly around communication), how could they have communicated this better? how can we all learn from this? They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). -- Matthias
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton do...@dougbarton.us wrote: The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution. where would they communicate this? on the blog that matt pointed at? in bgp announcements? err... homepage? -chris (I watch the ietf list for this, and muted the conversation...)
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net wrote: They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. communicated it where? They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). a friday change like this is not ideal... but, it looks like any time change like this would have had fallout.
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 4:38 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton do...@dougbarton.us wrote: The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution. where would they communicate this? on the blog that matt pointed at? in bgp announcements? err... homepage? What they should have done is followed their (the dmarc spec authors, of which one works for Yahoo) own advice that dmarc wasn't for domains with users. But, hey, we all know it's hard to get good tech press by simply sponsoring and spec'ing a backend tech solution for some dark corner of the internet. -Jim P.
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net wrote: They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. communicated it where? The Internet. A blog entry and a post to a few key relevant mailing lists would have resulted in the message spreading far better than it was. There's no way that they could have communicated it to every mailing list admin on the planet, but they could have at least given a heads-up to some major parts of the community. The great thing about the Internet is that if it's important enough to be shared, you don't need to try too hard to make that happen - others will look after it for you. But you need to make the effort to get it started, and Yahoo didn't do that here (or at least, they did, but they did it by actually making the change by which time it was too late!) Scott
Re: DMARC - CERT?
On 04/14/2014 01:38 PM, Christopher Morrow wrote: On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton do...@dougbarton.us wrote: The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution. where would they communicate this? Well mailop for one. on the blog that matt pointed at? I suppose ... there used to be a Yahoo! mail blog but I think it got shut down. BTW, another obvious benefit to announcing a flag day would have been to give more people time to set up DMARC. I haven't yet (on my personal mail server) because there hadn't been sufficient uptake to warrant it. Yahoo! telling everyone that they will be implementing it would have given people incentive. Doug
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 4:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net wrote: They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. communicated it where? To their user base? They could have easily sent an email announcement to all their users explaining that the change would cause problems when their users post to mailinglists. -Jim P.
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net wrote: They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. communicated it where? The Internet. I was trying, really, to be not-funny with my question. if you're going to do something that has the potential to affect (say, for example) email to a wide set of people, most of which are NOT your direct users, how do you go about making that public? 'the internet' isn't really a good answer for 'how do you notify'. Doug's note that: email mailops is good... but I'm not sure how many people that run lists listen to mailops? (I don't ... i don't run any big list, but...) I also wonder about update cycles for software in this realm? and for very larger list operators there's probably some customization and such to hurdle over on the upgrade path, eh? so how much leadtime is enough? how much is too much? 1yr seems like a long time - people will forget, 1wk doesn't seem like enough to avoid firedrills and un-intended bugs. A blog entry and a post to a few key relevant mailing lists would have specifically which mail-lists? resulted in the message spreading far better than it was. There's no way that they could have communicated it to every mailing list admin on the planet, but they could have at least given a heads-up to some major parts of the community. The great thing about the Internet is that if it's important enough to be shared, you don't need to try too hard to make that happen - others will look after it for you. But you need to make the effort to get it started, and Yahoo didn't do that here (or at least, they did, but they did it by actually making the change by which time it was too late!) Scott
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 4:44 PM, Doug Barton do...@dougbarton.us wrote: On 04/14/2014 01:38 PM, Christopher Morrow wrote: On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton do...@dougbarton.us wrote: The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution. where would they communicate this? Well mailop for one. Or even the dmarc mailing list(s) I've seen Yahoo operate over the years, they are usually much better at orchestrating changes, which suggests that this change wasn't well thought out (or possibly even planned). -Jim P.
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 10:33:40AM -0700, Matthew Petach wrote: So, I take it you prefer a world in which there's no sender validation, and receiving floods of spoofed sender email spam is just part of the price of being on the internet? Sender validation means NOTHING in a world with hundreds of millions of bots and hundreds of millions of email accounts that are either (a) hijacked or (b) created at will by the bot herders. My spamtraps see spam all day every day from all over the world that passes whatever alleged sender validation technology is the flavor-of-the-month. Can it work in some isolated edge cases? Sure. Can it work on an Internet scale? No. As I've said many times, email forgery is not the problem. It's a symptom of the problem, and the problem is rotten underlying security coupled with negligent and incompetent operational practice. But fixing that is hard, and nobody -- not Yahoo and not anybody else either -- wants to tackle it. It's much easier to roll out stuff like this and pretend that it works and write a press release and declare success. ---rsk
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 4:52 PM, Christopher Morrow morrowc.li...@gmail.com wrote: if you're going to do something that has the potential to affect (say, for example) email to a wide set of people, most of which are NOT your direct users, how do you go about making that public? 'the internet' isn't really a good answer for 'how do you notify'. Doug's note that: email mailops is good... but I'm not sure how many people that run lists listen to mailops? (I don't ... i don't run any big list, but...) I also wonder about update cycles for software in this realm? and for very larger list operators there's probably some customization and such to hurdle over on the upgrade path, eh? so how much leadtime is enough? how much is too much? 1yr seems like a long time - people will forget, 1wk doesn't seem like enough to avoid firedrills and un-intended bugs. First, you don't start by telling mailinglist admins to NOT worry about dmarc as they are a special case that will be handled/whitelisted/etc. The dmarc discussion archives (of which Yahoo is a primary sponsor, and a Yahoo employee is one of the spec authors) are full of discussions that clearly show no cause or care about mailinglists. I was told, several times, that mailinglists would be ok, they would be whitelisted and that there was no need for all my concern (well over 6 months ago). -Jim P.
Re: DMARC - CERT?
Matthias Leisi wrote: On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: Whilst I don't agree with the way that Yahoo has done this (particularly around communication), how could they have communicated this better? how can we all learn from this? They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). On the weekend before tax filings are due in the US! And a couple of days before Passover. Miles -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
Christopher Morrow wrote: On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net wrote: They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. communicated it where? The Internet. I was trying, really, to be not-funny with my question. if you're going to do something that has the potential to affect (say, for example) email to a wide set of people, most of which are NOT your direct users, how do you go about making that public? 'the internet' isn't really a good answer for 'how do you notify'. Doug's note that: email mailops is good... but I'm not sure how many people that run lists listen to mailops? (I don't ... i don't run any big list, but...) I also wonder about update cycles for software in this realm? and for very larger list operators there's probably some customization and such to hurdle over on the upgrade path, eh? so how much leadtime is enough? how much is too much? 1yr seems like a long time - people will forget, 1wk doesn't seem like enough to avoid firedrills and un-intended bugs. A blog entry and a post to a few key relevant mailing lists would have specifically which mail-lists? How about the support lists for all the email list packages they could think of - let's start with mailman, majordomo, listserve, listproc, sympa, ezmlm, . Might have been nice if they'd offered some support for patching the open source ones. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 5:24 PM, Miles Fidelman mfidel...@meetinghouse.net wrote: Matthias Leisi wrote: On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: Whilst I don't agree with the way that Yahoo has done this (particularly around communication), how could they have communicated this better? how can we all learn from this? They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). On the weekend before tax filings are due in the US! And a couple of days before Passover. and in the middle of Heartbleed. It's enough to make you believe there was absolutely no care or concern for others. -Jim P.
RE: DMARC - CERT?
Plus I guarantee that something this SIGNIFICANT would catch the attention of many tech news outlets, social sites, and many email lists if they had given due notice and allowed people time to digest the change. But, I guess since everything except their email has become pretty much irrelevant these days, they had to do something to get attention and try to be the big bully again. I personally run only a couple of small email lists in which the subscribers are specifically added by me when someone wants on, and this has caused us, because the submitter has a long time Yahoo email address and will not change, a huge headache. The sender has had to resort to sending email from Yahoo account multiple time in order to get the emails out to the 180+ subscribers. Some people cannot change their email due to having it for so long it is just not practical. Only other work around I have for this user is to give them a private email list on the email server where he can send from that is not a Yahoo address. This causes extra work because every email he wants to forward on, he must now first send it to the new private address, then login to the private email address web mail, then forward. I have to agree with this others out there that Yahoo SHOULD, not COULD, have handled this a lot better. All the other big ISP's out there should be whipping Yahoo's a$$ about right now. But as usual, not a peep! Robert -Original Message- From: Miles Fidelman [mailto:mfidel...@meetinghouse.net] Sent: Monday, April 14, 2014 5:28 PM Cc: NANOG Subject: Re: DMARC - CERT? Christopher Morrow wrote: On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi matth...@leisi.net wrote: They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. communicated it where? The Internet. I was trying, really, to be not-funny with my question. if you're going to do something that has the potential to affect (say, for example) email to a wide set of people, most of which are NOT your direct users, how do you go about making that public? 'the internet' isn't really a good answer for 'how do you notify'. Doug's note that: email mailops is good... but I'm not sure how many people that run lists listen to mailops? (I don't ... i don't run any big list, but...) I also wonder about update cycles for software in this realm? and for very larger list operators there's probably some customization and such to hurdle over on the upgrade path, eh? so how much leadtime is enough? how much is too much? 1yr seems like a long time - people will forget, 1wk doesn't seem like enough to avoid firedrills and un-intended bugs. A blog entry and a post to a few key relevant mailing lists would have specifically which mail-lists? How about the support lists for all the email list packages they could think of - let's start with mailman, majordomo, listserve, listproc, sympa, ezmlm, . Might have been nice if they'd offered some support for patching the open source ones. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
On Apr 14, 2014, at 3:58 PM, Rich Kulawiec r...@gsp.org wrote: As I've said many times, email forgery is not the problem. It's a symptom of the problem, and the problem is rotten underlying security coupled with negligent and incompetent operational practice. But fixing that is hard, and nobody -- not Yahoo and not anybody else either -- wants to tackle it. It's much easier to roll out stuff like this and pretend that it works and write a press release and declare success. I think you're on the right track, but still suggesting their is a technical solution. I submit there is not. There is no car alarm that prevents all car thefts, no door lock that prevents all burglaries. No trigger lock that prevents all gun deaths, no lane departure system that prevents all car crashes. Spam cannot, and will never be solved by technological measures alone. They can help reduce the levels in some cases, or squeeze the balloon and move the spam to some other form. Ultimately the way to reduce spam is to catch spammers, prosecute them, and put them in prison. The way we keep all of those other crimes low is primarily by enforcement; making the punishment not worth the crime. With spam, the chance that a spammer will be punished is infinitesimal. There are hundreds, or thousands, or tens of thousands of spammers for every one that is put into jail. If we'd put even 1% of the effort that's been thrown at technical measures over the years into better laws, tools for law enforcement, and helping them build cases we'd be several orders of magnitude better off than technological solutions that are little more than wack-a-mole. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ signature.asc Description: Message signed with OpenPGP using GPGMail
Re: DMARC - CERT?
Jim Popovitch wrote: On Mon, Apr 14, 2014 at 5:24 PM, Miles Fidelman mfidel...@meetinghouse.net wrote: Matthias Leisi wrote: On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: Whilst I don't agree with the way that Yahoo has done this (particularly around communication), how could they have communicated this better? how can we all learn from this? They could have communicated, as in listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time. They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). On the weekend before tax filings are due in the US! And a couple of days before Passover. and in the middle of Heartbleed. It's enough to make you believe there was absolutely no care or concern for others. And.. it's worth contrasting the community response to Heartbleed - which didn't actually cause widespread denial of service! Miles -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch jim...@gmail.com wrote: They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). On the weekend before tax filings are due in the US! And a couple of days before Passover. and in the middle of Heartbleed. You might have had a point - if it had been ANY of those. Other than the original claim of Friday afternoon it was none of those things. Scott
Re: DMARC - CERT?
Leo Bicknell wrote: Ultimately the way to reduce spam is to catch spammers, prosecute them, and put them in prison. The way we keep all of those other crimes low is primarily by enforcement; making the punishment not worth the crime. With spam, the chance that a spammer will be punished is infinitesimal. There are hundreds, or thousands, or tens of thousands of spammers for every one that is put into jail. Follow their money trails and take their bank accounts. Counterpunch with DDoS attacks. Attack them with drones. We're investing a lot of tax dollars into offensive cybersecurity - let's give those guys some practice! Makes sense to me!
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 5:48 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch jim...@gmail.com wrote: They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). On the weekend before tax filings are due in the US! And a couple of days before Passover. and in the middle of Heartbleed. You might have had a point - if it had been ANY of those. Other than the original claim of Friday afternoon it was none of those things. 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline. 7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications) 11-April: Yahoo discusses what needs to be done on their public tumblr account. -Jim P.
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch jim...@gmail.com wrote: 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline. The change was made on the previous Friday, so that date is largely irrelevant. 7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications) Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make... If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low. Scott
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 3:21 PM, Scott Howard sc...@doc.net.au wrote: 7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications) Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make... Based on the article below it would appear that Yahoo did NOT know about Heartbleed at the time of public disclosure. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html Scott
Re: DMARC - CERT?
In article cal9jlazjjppz7vzw2ue4qfqwrkcbu7cs1ed3uu1nhudhxxk...@mail.gmail.com you write: On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: Whilst I don't agree with the way that Yahoo has done this (particularly around communication), how could they have communicated this better? how can we all learn from this? Well, telling people in advance that they were planning to do it rather than just dropping it on the world over the weekend would be a good start. R's, John
Re: DMARC - CERT?
Jim Popovitch wrote: On Mon, Apr 14, 2014 at 5:48 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch jim...@gmail.com wrote: They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). On the weekend before tax filings are due in the US! And a couple of days before Passover. and in the middle of Heartbleed. You might have had a point - if it had been ANY of those. Other than the original claim of Friday afternoon it was none of those things. 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline. 7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications) 11-April: Yahoo discusses what needs to be done on their public tumblr account. 14-April: 1st night of Passover 15-April: Tax Filings due in the US -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: DMARC - CERT?
On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard sc...@doc.net.au wrote: On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch jim...@gmail.com wrote: 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline. The change was made on the previous Friday, so that date is largely irrelevant. 7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications) Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make... If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low. I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope. -Jim P.
