re: Yahoo DMARC breakage
at some point, Dave Crocker wrote:
If I point a gun at you, and pull the trigger, but maybe shouldn't have done that, the gun is not broken.
It occurs to me that, if you point a gun at me, aim at me, pull the trigger, and hit someone standing 10 feet to my left - the gun IS broken (or at least very poorly designed). Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra re
On 4/10/2014 5:13 AM, Miles Fidelman wrote:
If I point a gun at you, and pull the trigger, but maybe shouldn't have done that, the gun is not broken.
It occurs to me that, if you point a gun at me, aim at me, pull the trigger, and hit someone standing 10 feet to my left - the gun IS broken (or at least very poorly designed).
Unfortunately, that has no relationship to do with the current situation. Again: Yahoo was fully aware of the implications of its choice. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
On 10 Apr 2014, at 9:49, Dave Crocker wrote:
Unfortunately, that has no relationship to do with the current situation. Again: Yahoo was fully aware of the implications of its choice.
I suspect they looked at the amount of spam they could stop, the number of Yahoo email users, and the number of Yahoo users using mailing lists, and said "That's just noise, it doesn't matter." It happens to be very loud noise, but it's still tiny compared to the overall number of email users.
On Thu, Apr 10, 2014 at 03:22:24PM -0400, Kee Hinckley wrote:
I suspect they looked at the amount of spam they could stop [...]
Which is, to a very good first approximation, zero. Nearly all (at least 99% and likely quite a bit more) of the spam [as observed by my numerous spamtraps] that purports to originate from Yahoo really *does* originate from Yahoo. All that I have to do to verify that is to look at the originating host -- that is, it's not necessary to check DMARC or anything else. There are several reasons for this. First, Yahoo has done an absolutely miserable job of outbound abuse control. For over a decade. Second, they've done a correspondingly miserable job of handling abuse reports, so even when one of their victims is kind and generous enough to do their work for them and tell them that they have a problem...they don't pay attention and they don't take any action. (Or they fire back a clueless boilerplate denial that it was their user on their host on their network...even though it was all three.) Also for over a decade. Third, why would any spammer forge a @yahoo.com address when it's easy enough to buy hijacked accounts by the bucketful -- or to use any of the usual exploits to go get some? Fourth, at least some spammers seem to have caught on that Yahoo isn't *worth* forging: it's a toxic cesspool because the people running it have allowed it to be become one. So let's not pretend that this has anything to do with stopping spam. If Yahoo actually wanted to do something about spam, they could have done that years and years ago simply by *paying attention* to what was going on inside their own operation. ---rsk
participants (4)
-
Dave Crocker
-
Kee Hinckley
-
Miles Fidelman
-
Rich Kulawiec