On 04/14/2014 03:47 PM, Jim Popovitch wrote:
On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop@gmail.com> wrote:
7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline.
The change was made on the previous Friday, so that date is largely irrelevant.
7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications)
Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make...
If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low.
I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope.
-Jim P.
I'm sorry, but is there a fundamental misunderstanding of DMARC going on in this thread?

Yahoo doesn't want you to be able to send "@yahoo.com" email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely DMARC. "p=reject" tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the DKIM TXT record for "yahoo.com".

Isn't this the whole point of DMARC? Stop spammers from sending email with "@yahoo.com" that doesn't originate from a valid Yahoo email server. Yahoo's implementation of DMARC is working as intended.

Stealing someone's password, and logging into their Yahoo mail account and spamming isn't going to matter to DMARC. The mail originated from Yahoo, and it was an authenticated user; the mail will be signed with the DKIM key, it will be accepted by the receiving domain (unless the email address is blacklisted by the receiving domain).

There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or just find somewhere else you can push your mailing lists through.

Cheers
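The following is an added example, not code from any poster in this thread: a simplified DMARC evaluation showing how a receiver treats "@yahoo.com" mail sent directly versus relayed through a mailing list that modifies the message. The record string, `lists.example.org`, and the authentication results are constructed; organizational-domain matching is approximated by the last two labels, where a real implementation uses the Public Suffix List.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same
    organizational domain (assumption: last two labels, not a PSL lookup)."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a.split(".")[-2:] == f.split(".")[-2:]

def dmarc_disposition(record, from_domain, dkim, spf):
    """dkim: list of (d= domain, verified); spf: (MAIL FROM domain, passed).
    Returns 'pass', or the published policy when nothing aligned passes."""
    tags = parse_dmarc(record)
    dkim_ok = any(ok and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, ok in dkim)
    spf_ok = spf[1] and aligned(spf[0], from_domain, tags.get("aspf", "r"))
    return "pass" if (dkim_ok or spf_ok) else tags["p"]

RECORD = "v=DMARC1; p=reject"  # constructed sample policy record

# Constructed authentication results for a message with From: user@yahoo.com
DIRECT = {"dkim": [("yahoo.com", True)], "spf": ("yahoo.com", True)}
# List added a footer (original signature breaks) and re-signed as itself
VIA_LIST = {"dkim": [("yahoo.com", False), ("lists.example.org", True)],
            "spf": ("lists.example.org", True)}
# List relayed the message byte-for-byte, so the original signature survives
VIA_LIST_UNMODIFIED = {"dkim": [("yahoo.com", True)],
                       "spf": ("lists.example.org", True)}

if __name__ == "__main__":
    for name, case in [("direct", DIRECT), ("via list", VIA_LIST),
                       ("via list, unmodified", VIA_LIST_UNMODIFIED)]:
        print(name, "->", dmarc_disposition(RECORD, "yahoo.com", **case))
```

The list's own DKIM signature and SPF result both pass in the second case, but neither is aligned with the From: domain, so the published policy applies.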