Matthew Petach wrote:
On Mon, Apr 14, 2014 at 9:10 AM, Miles Fidelman <mfidelman@meetinghouse.net <mailto:mfidelman@meetinghouse.net>> wrote:
Just a thought. I keep thinking that Yahoo's publishing of their "p=reject" policy, and the subsequent massive denial of service to lost of list traffic might be viewed as a "computer security" incident.
Anybody think that reporting via CERT channels might be an appropriate response?
(I do, and probably will - but curious what others think.)
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
I would recommend reading these two blog entries first:
http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-pr... and http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-...
Then, I would ask--if the situation is deemed CERT-worthy, what is the emergency the community is being asked to respond to? Is it that Yahoo has decided, after many years, to start taking action to tighten down email abuse? Or is the emergency that too many mailing lists operate fast-and-loose with email headers, and that we as a community need to take swift and immediate action to fix mailing lists to correctly identify and attribute the true source of messages from the lists?
Well... how about this, from Yahoo's own posting: We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement. To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscriber to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra