Just a thought. I keep thinking that Yahoo's publishing of their "p=reject" policy, and the subsequent massive denial of service to lots of list traffic might be viewed as a "computer security" incident. Anybody think that reporting via CERT channels might be an appropriate response? (I do, and probably will - but curious what others think.)
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
On Mon, Apr 14, 2014 at 9:10 AM, Miles Fidelman <mfidelman@meetinghouse.net>wrote:
Just a thought. I keep thinking that Yahoo's publishing of their "p=reject" policy, and the subsequent massive denial of service to lots of list traffic might be viewed as a "computer security" incident.
Anybody think that reporting via CERT channels might be an appropriate response?
(I do, and probably will - but curious what others think.)
Miles Fidelman
I would recommend reading these two blog entries first: http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-pr... and http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-...
Then, I would ask--if the situation is deemed CERT-worthy, what is the emergency the community is being asked to respond to? Is it that Yahoo has decided, after many years, to start taking action to tighten down email abuse? Or is the emergency that too many mailing lists operate fast-and-loose with email headers, and that we as a community need to take swift and immediate action to fix mailing lists to correctly identify and attribute the true source of messages from the lists?
My internal guess, based on the years and years of griping about forged sender spam that I've seen on this list, among others, is that the latter case is the emergency to which you are seeking a call to action.
Thanks!
Matt
Matthew Petach wrote:
On Mon, Apr 14, 2014 at 9:10 AM, Miles Fidelman <mfidelman@meetinghouse.net <mailto:mfidelman@meetinghouse.net>> wrote:
Just a thought. I keep thinking that Yahoo's publishing of their "p=reject" policy, and the subsequent massive denial of service to lots of list traffic might be viewed as a "computer security" incident.
Anybody think that reporting via CERT channels might be an appropriate response?
(I do, and probably will - but curious what others think.)
Miles Fidelman
I would recommend reading these two blog entries first:
http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-pr... and http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-...
Then, I would ask--if the situation is deemed CERT-worthy, what is the emergency the community is being asked to respond to? Is it that Yahoo has decided, after many years, to start taking action to tighten down email abuse? Or is the emergency that too many mailing lists operate fast-and-loose with email headers, and that we as a community need to take swift and immediate action to fix mailing lists to correctly identify and attribute the true source of messages from the lists?
Well... how about this, from Yahoo's own posting: "We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement."
To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscribers to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it.
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers these messages spam. If you really want to get your mailing list messages through, then you need to evade their filters just like every other spammer has to.
-Laszlo
On Apr 14, 2014, at 4:32 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Well... how about this, from Yahoo's own posting: "We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement."
To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscribers to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it.
Miles Fidelman
On Mon, 14 Apr 2014 16:56:46 -0000, Laszlo Hanyecz said:
If you really want to get your mailing list messages through,
The problem isn't the rest of us trying to mail to Yahoo. The problem is when Yahoo users post to lists that use DMARC, and the result is the yahoo user's mail getting bounced or dumped on the postmaster.
On Mon, Apr 14, 2014 at 1:03 PM, <Valdis.Kletnieks@vt.edu> wrote:
The problem is when Yahoo users post to lists that use DMARC, and the result is the yahoo user's mail getting bounced or dumped on the postmaster.
Basically, this is just like old ORBS. If you were an ISP, you had to check your local users' IP addresses smarthosting through your mail server against ORBS or your mail server would inevitably be listed. Now, as then, the solution is: if the domain has a DMARC listing, mail addresses using it aren't permitted to post to the list.
As I tried to say before but was probably too subtle -- just flunk validation for all DMARC-using messages, across the board without exception, and then act on that failure as the DMARC DNS records indicate that the sender wants you to. Especially the ones to abuse@ and your other POCs. That'll clean up the use of DMARC right quick.
Regards,
Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Isn't it the other way around? They don't want their users to be able to send to mailing lists. They receive traffic from the lists just fine. Their policy only affects mail originating from their users. Yahoo subscribers can receive messages from nanog just fine, but they can't send to it.
Miles
Laszlo Hanyecz wrote:
I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers these messages spam. If you really want to get your mailing list messages through, then you need to evade their filters just like every other spammer has to.
-Laszlo
On Apr 14, 2014, at 4:32 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Well... how about this, from Yahoo's own posting: "We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement."
To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscribers to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it.
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible.
-Laszlo
On Apr 14, 2014, at 5:05 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Isn't it the other way around? They don't want their users to be able to send to mailing lists. They receive traffic from the lists just fine. Their policy only affects mail originating from their users. Yahoo subscribers can receive messages from nanog just fine, but they can't send to it.
Miles
Laszlo Hanyecz wrote:
I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers these messages spam. If you really want to get your mailing list messages through, then you need to evade their filters just like every other spammer has to.
-Laszlo
On Apr 14, 2014, at 4:32 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Well... how about this, from Yahoo's own posting: "We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement."
To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscribers to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it.
Miles Fidelman
On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible.
I sort of wonder if this is really just yahoo trying to use a stick to motivate people to do the right thing? It seems like everyone's been trying for a while to 'make email better'... and that perhaps DMARC will make it somewhat better, and if set up properly this is a non-issue... after much faffing: "Welp, how about we whack the mail-lists (and others) with a stick and get movement in the right direction?"
not sure this is all bad... and i think the fix is pretty straightforward for list folk, right? so all the faffing on this list and others took longer to do than the fix-action?
-chris
Christopher Morrow wrote:
On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible.
I sort of wonder if this is really just yahoo trying to use a stick to motivate people to do the right thing? It seems like everyone's been trying for a while to 'make email better'... and that perhaps DMARC will make it somewhat better, and if set up properly this is a non-issue... after much faffing: "Welp, how about we whack the mail-lists (and others) with a stick and get movement in the right direction?"
not sure this is all bad... and i think the fix is pretty straightforward for list folk, right? so all the faffing on this list and others took longer to do than the fix-action?
Well, if you consider writing software patches to complicated software simple. And it would certainly help if the guidance on what to do is clearer - last week, dmarc.org's FAQ listed, as among the options for list operators:
"Add an Original Authentication Results <http://tools.ietf.org/html/draft-kucherawy-original-authres-00> (OAR) header to indicate that the list operator has performed authentication checks on the submitted message and share the results."
-- which would be transparent to list subscribers but, as of a couple of days ago, that's qualified by:
"*This is not a short term solution.* Assumes a mechanism to establish trust between the list operator and the receiver. No such mechanism is known to be in use for this purpose at this time. Without such a mechanism, bad actors could simply add faked OAR headers to their messages to circumvent such measures. OAR was only described as a draft document, which expired in 2012. No receivers implementing DMARC are currently known to make use of OAR from external sources."
So the low-impact (to end users) fix is now not recommended, and all the other available fixes require changes that degrade long-accepted functionality of mailing lists (e.g., the ability to reply to the author of a message).
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
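As an added illustration (not code from any poster in this thread, nor from any list package) of the two list-side responses discussed above, Bill Herrin's "don't let addresses from DMARC domains post" and the From-rewriting fix whose cost to reply-to-author Miles describes, here is a Python sketch that parses a DMARC TXT record, resolves the effective policy for the author's domain, and then either refuses the post or rewrites From: to the list's own address while keeping the author reachable through Reply-To:. The domains, the DNS answers and the sample post are constructed, and the organizational-domain fallback is a simplification of the public-suffix rule.

```python
"""List-side DMARC mitigation sketch (illustrative, not any project's code).

A domain publishes its DMARC policy as a TXT record at _dmarc.<domain>.
A list that keeps the author's From: but alters the message (subject tag,
footer) fails DMARC at receivers, so p=reject/p=quarantine posts bounce.
Two list-side options: refuse such posts, or send from the list's domain.
"""
import email
from email.utils import parseaddr, formataddr

# Constructed stand-in for real DNS TXT answers so the sketch runs offline.
FAKE_DNS_TXT = {
    "_dmarc.example-reject.test":
        "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc@example-reject.test",
    "_dmarc.example-none.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-none.test",
    "_dmarc.example-quarantine.test": "v=DMARC1; p=quarantine; pct=50",
}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    for key in ("p", "sp"):          # policy values compare case-insensitively
        if key in tags:
            tags[key] = tags[key].lower()
    return tags


def lookup_dmarc(domain, dns=FAKE_DNS_TXT):
    """Return the DMARC tags that apply to `domain`, or None.

    Tries _dmarc.<domain> first; otherwise falls back to the last two labels
    (simplified organizational domain) and applies its sp= tag if present.
    """
    record = dns.get("_dmarc." + domain)
    if record:
        return parse_dmarc(record)
    labels = domain.split(".")
    if len(labels) > 2:
        record = dns.get("_dmarc." + ".".join(labels[-2:]))
        if record:
            tags = parse_dmarc(record)
            if tags and "sp" in tags:
                tags = dict(tags, p=tags["sp"])   # subdomain policy wins
            return tags
    return None


def author_policy(msg, dns=FAKE_DNS_TXT):
    """Effective policy ('none', 'quarantine', 'reject') for the From: domain."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    tags = lookup_dmarc(addr.rsplit("@", 1)[1].lower(), dns)
    return tags["p"] if tags else None


def apply_list_mitigation(msg, list_addr, action="munge", dns=FAKE_DNS_TXT):
    """Decide what the list does with a post before redistributing it.

    action="reject": refuse posts whose author domain publishes quarantine/reject.
    action="munge":  rewrite From: to the list address (author's name kept for
                     display) and set Reply-To: to the author, so "reply to
                     author" still reaches them.
    Returns "accept", "rejected" or "munged"; the message is edited in place.
    """
    if author_policy(msg, dns) not in ("quarantine", "reject"):
        return "accept"
    if action == "reject":
        return "rejected"
    name, addr = parseaddr(msg["From"])
    display = f"{name or addr} via {list_addr.split('@')[0]}"
    if "Reply-To" not in msg:        # never clobber an author-supplied Reply-To
        msg["Reply-To"] = formataddr((name, addr))
    msg.replace_header("From", formataddr((display, list_addr)))
    return "munged"


# Constructed sample post from an author whose domain publishes p=reject.
SAMPLE_POST = """From: Alice Example <alice@example-reject.test>
To: list@lists.example.test
Subject: test post

hello
"""


def demo(action="munge"):
    """Run the sample post through the list and report the resulting headers."""
    msg = email.message_from_string(SAMPLE_POST)
    result = apply_list_mitigation(msg, "list@lists.example.test", action)
    return result, msg["From"], msg.get("Reply-To")
```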
* Christopher Morrow:
I sort of wonder if this is really just yahoo trying to use a stick to motivate people to do the right thing?
But what is the right thing here? Do we really want that *all* mailing lists must not provide a "reply to sender" option to all their users? Will this list make the change? Probably not.
On Mon, Apr 14, 2014 at 10:25 AM, Laszlo Hanyecz <laszlo@heliacal.net>wrote:
By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible.
-Laszlo
So, I take it you prefer a world in which there's no sender validation, and receiving floods of spoofed sender email spam is just part of the price of being on the internet? I'm finding myself vaguely annoyed that for so long people have complained that big mail providers need to clean up their act; and now, when one of them decides to respond to the complaints and start taking action to try to clean things up, the response seems to be "wait, we were happy just bitching and moaning--we didn't want you to actually *change* anything!" Matt
On Mon, Apr 14, 2014 at 1:33 PM, Matthew Petach <mpetach@netflight.com> wrote:
So, I take it you prefer a world in which there's no sender validation, and receiving floods of spoofed sender email spam is just part of the price of being on the internet?
That is clearly not what this issue is about.
I'm finding myself vaguely annoyed that for so long people have complained that big mail providers need to clean up their act; and now, when one of them decides to respond to the complaints and start taking action to try to clean things up, the response seems to be "wait, we were happy just bitching and moaning--we didn't want you to actually *change* anything!"
What yahoo didn't do was first tell their users to unsubscribe from all mailinglists. DMARC hasn't cut down on yahoo spam so far. Yahoo's spam problem was (is?) centered on account hijacks. -Jim P.
On Mon, Apr 14, 2014 at 11:24 AM, Jim Popovitch <jimpop@gmail.com> wrote:
DMARC hasn't cut down on yahoo spam so far. Yahoo's spam problem was (is?) centered on account hijacks.
I just checked my spam folder for the past month. Out of about 80 messages "from" Yahoo, I can see about 3 that went via Yahoo's mail servers. ie, >90% were/would have been blocked using DMARC. Of course, I'm sure the spammers will simply start changing yahoo.com to somethingelse.com once they realize - but from Yahoo's perspective, that's obviously a positive.
Whilst I don't agree with the way that Yahoo has done this (particularly around communication), I think the end result is only going to be positive. At a high level it's no different than when people started rejecting mail from hosts without PTR records, or when ISPs started blocking outbound port 25 - they both caused things to break, and both caused people to have to take action to fix the brokenness, but in the long run they were both hugely positive.
Scott
On 04/14/2014 01:20 PM, Christopher Morrow wrote:
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard <scott@doc.net.au> wrote:
Whilst I don't agree with the way that Yahoo has done this (particularly around communication),
how could they have communicated this better? how can we all learn from this?
The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution. Everyone involved in DMARC has known from day 1 that it will break mailing lists. There has been an enormous amount of whinging about this. (If you think NANOG is bad, you should see the IETF lists.) But if Yahoo! had stood up and said, "We know that mailing lists are a problem, but we think that the value of DMARC outweighs this because ...." and then actually set a date, maybe some of the whinging could have turned into actual productive work on fixing the problem.
Doug
On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton <dougb@dougbarton.us> wrote:
The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution.
where would they communicate this? on the blog that matt pointed at? in bgp announcements? err... homepage? -chris (I watch the ietf list for this, and muted the conversation...)
On Mon, Apr 14, 2014 at 4:38 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton <dougb@dougbarton.us> wrote:
The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution.
where would they communicate this? on the blog that matt pointed at? in bgp announcements? err... homepage?
What they should have done is followed their (the dmarc spec authors, of which one works for Yahoo) own advice that dmarc wasn't for domains with users. But, hey, we all know it's hard to get good tech press by simply sponsoring and spec'ing a backend tech solution for some dark corner of the internet. -Jim P.
On 04/14/2014 01:38 PM, Christopher Morrow wrote:
On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton <dougb@dougbarton.us> wrote:
The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution.
where would they communicate this?
Well mailop for one.
on the blog that matt pointed at?
I suppose ... there used to be a "Yahoo! mail blog" but I think it got shut down. BTW, another obvious benefit to announcing a flag day would have been to give more people time to set up DMARC. I haven't yet (on my personal mail server) because there hadn't been sufficient uptake to warrant it. Yahoo! telling everyone that they will be implementing it would have given people incentive. Doug
On Mon, Apr 14, 2014 at 4:44 PM, Doug Barton <dougb@dougbarton.us> wrote:
On 04/14/2014 01:38 PM, Christopher Morrow wrote:
On Mon, Apr 14, 2014 at 4:28 PM, Doug Barton <dougb@dougbarton.us> wrote:
The obvious ones would have been to announce a flag day somewhere far enough in advance to give list software devs time to adapt, and to work with list software devs on a solution.
where would they communicate this?
Well mailop for one.
Or even the dmarc mailing list(s).... I've seen Yahoo operate over the years, they are usually much better at orchestrating changes, which suggests that this change wasn't well thought out (or possibly even planned). -Jim P.
On Mon, Apr 14, 2014 at 1:44 PM, Doug Barton <dougb@dougbarton.us> wrote:
On 04/14/2014 01:38 PM, Christopher Morrow wrote:
on the blog that matt pointed at?
I suppose ... there used to be a "Yahoo! mail blog" but I think it got shut down.
Still is... http://yahoomail.tumblr.com/ Matt
On 04/14/2014 02:39 PM, Matthew Petach wrote:
On Mon, Apr 14, 2014 at 1:44 PM, Doug Barton <dougb@dougbarton.us <mailto:dougb@dougbarton.us>> wrote:
On 04/14/2014 01:38 PM, Christopher Morrow wrote:
on the blog that matt pointed at?
I suppose ... there used to be a "Yahoo! mail blog" but I think it got shut down.
Still is...
Ah ... someone should fix the my.yahoo module then, because that's where I was told the old one went away. :) Doug
On Mon, Apr 14, 2014 at 5:39 PM, Matthew Petach <mpetach@netflight.com> wrote:
On Mon, Apr 14, 2014 at 1:44 PM, Doug Barton <dougb@dougbarton.us> wrote:
On 04/14/2014 01:38 PM, Christopher Morrow wrote:
on the blog that matt pointed at?
I suppose ... there used to be a "Yahoo! mail blog" but I think it got shut down.
Still is...
And it contains nothing relevant before the dmarc change, and "makeup fluff" shortly thereafter. -Jim P.
On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard <scott@doc.net.au> wrote:
Whilst I don't agree with the way that Yahoo has done this (particularly around communication),
how could they have communicated this better? how can we all learn from this?
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time". They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world). -- Matthias
On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi <matthias@leisi.net> wrote:
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
communicated it where?
They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world).
a friday change like this is not ideal... but, it looks like any time change like this would have had fallout.
On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi <matthias@leisi.net> wrote:
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
communicated it where?
"The Internet". A blog entry and a post to a few key relevant mailing lists would have resulted in the message spreading far better than it was. There's no way that they could have communicated it to every mailing list admin on the planet, but they could have at least given a heads-up to some major parts of the community.
The great thing about the Internet is that if it's important enough to be shared, you don't need to try too hard to make that happen - others will look after it for you. But you need to make the effort to get it started, and Yahoo didn't do that here (or at least, they did, but they did it by actually making the change by which time it was too late!)
Scott
On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi <matthias@leisi.net> wrote:
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
communicated it where?
"The Internet".
I was trying, really, to be not-funny with my question. if you're going to do something that has the potential to affect (say, for example) email to a wide set of people, most of which are NOT your direct users, how do you go about making that public?
'the internet' isn't really a good answer for 'how do you notify'. Doug's note that: "email mailops" is good... but I'm not sure how many people that run lists listen to mailops? (I don't ... i don't run any big list, but...)
I also wonder about update cycles for software in this realm? and for very large list operators there's probably some customization and such to hurdle over on the upgrade path, eh? so how much lead time is enough? how much is too much? 1yr seems like a long time - people will forget, 1wk doesn't seem like enough to avoid firedrills and unintended bugs.
A blog entry and a post to a few key relevant mailing lists would have
specifically which mail-lists?
resulted in the message spreading far better than it was. There's no way that they could have communicated it to every mailing list admin on the planet, but they could have at least given a heads-up to some major parts of the community.
The great thing about the Internet is that if it's important enough to be shared, you don't need to try too hard to make that happen - others will look after it for you. But you need to make the effort to get it started, and Yahoo didn't do that here (or at least, they did, but they did it by actually making the change by which time it was too late!)
Scott
On Mon, Apr 14, 2014 at 4:52 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
if you're going to do something that has the potential to affect (say, for example) email to a wide set of people, most of which are NOT your direct users, how do you go about making that public?
'the internet' isn't really a good answer for 'how do you notify'. Doug's note that: "email mailops" is good... but I'm not sure how many people that run lists listen to mailops? (I don't ... i don't run any big list, but...)
I also wonder about update cycles for software in this realm? and for very large list operators there's probably some customization and such to hurdle over on the upgrade path, eh? so how much lead time is enough? how much is too much? 1yr seems like a long time - people will forget, 1wk doesn't seem like enough to avoid firedrills and unintended bugs.
First, you don't start by telling mailinglist admins to NOT worry about dmarc as they are a special case that will be handled/whitelisted/etc. The dmarc discussion archives (of which Yahoo is a primary sponsor, and a Yahoo employee is one of the spec authors) are full of discussions that clearly show no cause or care about mailinglists. I was told, several times, that mailinglists would be ok, they would be whitelisted and that there was no need for all my concern (well over 6 months ago). -Jim P.
Christopher Morrow wrote:
On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi <matthias@leisi.net> wrote:
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
communicated it where?
"The Internet".
I was trying, really, to be not-funny with my question.
if you're going to do something that has the potential to affect (say, for example) email to a wide set of people, most of which are NOT your direct users, how do you go about making that public?
'the internet' isn't really a good answer for 'how do you notify'. Doug's note that: "email mailops" is good... but I'm not sure how many people that run lists listen to mailops? (I don't ... i don't run any big list, but...)
I also wonder about update cycles for software in this realm? and for very large list operators there's probably some customization and such to hurdle over on the upgrade path, eh? so how much lead time is enough? how much is too much? 1yr seems like a long time - people will forget, 1wk doesn't seem like enough to avoid firedrills and unintended bugs.
A blog entry and a post to a few key relevant mailing lists would have
specifically which mail-lists?
How about the support lists for all the email list packages they could think of - let's start with mailman, majordomo, listserve, listproc, sympa, ezmlm, ..... Might have been nice if they'd offered some support for patching the open source ones.
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
Plus I guarantee that something this SIGNIFICANT would have caught the attention of many tech news outlets, social sites, and many email lists if they had given due notice and allowed people time to digest the change. But, I guess since everything except their email has become pretty much irrelevant these days, they had to do something to get attention and try to be the big bully again.
I personally run only a couple of small email lists in which the subscribers are specifically added by me when someone wants on, and this has caused us a huge headache, because the submitter has a long-time Yahoo email address and will not change. The sender has had to resort to sending email from the Yahoo account multiple times in order to get the emails out to the 180+ subscribers. Some people cannot change their email because they have had it for so long that it is just not practical. The only other workaround I have for this user is to give them a private email list on the email server that he can send from that is not a Yahoo address. This causes extra work because for every email he wants to forward on, he must now first send it to the new private address, then log in to the private email address web mail, then forward.
I have to agree with the others out there that Yahoo SHOULD, not COULD, have handled this a lot better. All the other big ISPs out there should be whipping Yahoo's a$$ about right now. But as usual, not a peep!
Robert
-----Original Message-----
From: Miles Fidelman [mailto:mfidelman@meetinghouse.net]
Sent: Monday, April 14, 2014 5:28 PM
Cc: NANOG
Subject: Re: DMARC -> CERT?
Christopher Morrow wrote:
On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi <matthias@leisi.net> wrote:
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
communicated it where?
"The Internet".
I was trying, really, to be not-funny with my question.
if you're going to do something that has the potential to affect (say, for example) email to a wide set of people, most of which are NOT your direct users, how do you go about making that public?
'the internet' isn't really a good answer for 'how do you notify'. Doug's note that: "email mailops" is good... but I'm not sure how many people that run lists listen to mailops? (I don't ... i don't run any big list, but...)
I also wonder about update cycles for software in this realm? and for very large list operators there's probably some customization and such to hurdle over on the upgrade path, eh? so how much lead time is enough? how much is too much? 1yr seems like a long time - people will forget, 1wk doesn't seem like enough to avoid firedrills and unintended bugs.
A blog entry and a post to a few key relevant mailing lists would have
specifically which mail-lists?
How about the support lists for all the email list packages they could think of - let's start with mailman, majordomo, listserve, listproc, sympa, ezmlm, ..... Might have been nice if they'd offered some support for patching the open source ones.
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
On Mon, Apr 14, 2014 at 4:39 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi <matthias@leisi.net> wrote:
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
communicated it where?
To their user base? They could have easily sent an email announcement to all their users explaining that the change would cause problems when their users post to mailinglists. -Jim P.
Matthias Leisi wrote:
On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard <scott@doc.net.au> wrote:
Whilst I don't agree with the way that Yahoo has done this (particularly around communication),
how could they have communicated this better? how can we all learn from this?
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world).
On the weekend before tax filings are due in the US! And a couple of days before Passover.
Miles
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
On Mon, Apr 14, 2014 at 5:24 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Matthias Leisi wrote:
On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow < morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard <scott@doc.net.au> wrote:
Whilst I don't agree with the way that Yahoo has done this (particularly around communication),
how could they have communicated this better? how can we all learn from this?
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world).
On the weekend before tax filings are due in the US! And a couple of days before Passover.
and in the middle of Heartbleed..... It's enough to make you believe there was absolutely no care or concern for others. -Jim P.
Jim Popovitch wrote:
On Mon, Apr 14, 2014 at 5:24 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Matthias Leisi wrote:
On Mon, Apr 14, 2014 at 10:20 PM, Christopher Morrow < morrowc.lists@gmail.com> wrote:
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard <scott@doc.net.au> wrote:
Whilst I don't agree with the way that Yahoo has done this (particularly around communication),
how could they have communicated this better? how can we all learn from this?
They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time".
They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world).
On the weekend before tax filings are due in the US! And a couple of days before Passover.
and in the middle of Heartbleed.....
It's enough to make you believe there was absolutely no care or concern for others.
And.. it's worth contrasting the community response to Heartbleed - which didn't actually cause widespread denial of service!
Miles
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch <jimpop@gmail.com> wrote:
They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world).
On the weekend before tax filings are due in the US! And a couple of days before Passover.
and in the middle of Heartbleed.....
You might have had a point - if it had been ANY of those. Other than the original claim of "Friday afternoon" it was none of those things. Scott
On Mon, Apr 14, 2014 at 5:48 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch <jimpop@gmail.com> wrote:
They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world).
On the weekend before tax filings are due in the US! And a couple of days before Passover.
and in the middle of Heartbleed.....
You might have had a point - if it had been ANY of those. Other than the original claim of "Friday afternoon" it was none of those things.
7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline.
7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications)
11-April: Yahoo discusses what needs to be done on their public tumblr account.
-Jim P.
On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop@gmail.com> wrote:
7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline.
The change was made on the previous Friday, so that date is largely irrelevant.
7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications)
Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make... If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low. Scott
On Mon, Apr 14, 2014 at 3:21 PM, Scott Howard <scott@doc.net.au> wrote:
7-April: OpenSSL's *public* advisory (after a full week of private
notifications, of which yahoo surely was one tech company in on the early notifications)
Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make...
Based on the article below it would appear that Yahoo did NOT know about Heartbleed at the time of public disclosure. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-... Scott
On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop@gmail.com> wrote:
7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline.
The change was made on the previous Friday, so that date is largely irrelevant.
7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications)
Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make...
If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low.
I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope. -Jim P.
On 04/14/2014 03:47 PM, Jim Popovitch wrote:
On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop@gmail.com> wrote:
7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline.
The change was made on the previous Friday, so that date is largely irrelevant.
7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications)
Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make...
On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard <scott@doc.net.au> wrote:
If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low.
I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope.
-Jim P.
I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yahoo doesn't want you to be able to send "@yahoo.com" email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely dmarc. "p=reject" tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the dkim txt record for "yahoo.com"
Isn't this the whole point of dmarc? Stop spammers from sending email with "@yahoo.com" that doesn't originate from a valid yahoo email server.
Yahoo's implementation of dmarc is working as intended.
Stealing someone's password, and logging into their yahoo mail account and spamming isn't going to matter to dmarc. The mail originated from yahoo, and it was an authenticated user; the mail will be signed with the DKIM key, it will be accepted by the receiving domain (unless the email address is blacklisted by the receiving domain).
There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or just find somewhere else you can push your mailing lists through.
Cheers
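The "p=reject" mechanics argued over above, as an added example that is not code from the thread or from Yahoo: a small DMARC evaluator in the spirit of RFC 7489 that checks DKIM and SPF identifier alignment against the From: domain and returns the requested disposition. It assumes constructed record text, domain names (yahoo.com, lists.example.org) and DKIM/SPF results, and uses a toy two-label organizational-domain rule in place of the Public Suffix List.

```python
"""Added example, not code from the thread: a minimal DMARC evaluator after
RFC 7489. It shows why a post from a Yahoo user fails "p=reject" once a
mailing list relays it, and why rewriting From: to the list's own domain
makes it pass. Record text, domains and DKIM/SPF results are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the TXT records at _dmarc.<domain>.
YAHOO_DMARC_TXT = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.invalid"
LIST_DMARC_TXT = "v=DMARC1; p=none"


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict with RFC 7489 defaults
    (relaxed alignment for both DKIM and SPF unless overridden)."""
    rec = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key.strip().lower()] = value.strip()
    if rec.get("v") != "DMARC1" or rec.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return rec


def org_domain(domain: str) -> str:
    """Toy organizational-domain rule: keep the last two labels.
    A real evaluator consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only
    needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    dkim_pass: bool              # did a DKIM signature verify?
    dkim_domain: Optional[str]   # d= of that signature
    spf_pass: bool               # did SPF pass for MAIL FROM?
    spf_domain: Optional[str]    # MAIL FROM domain SPF was checked against


def dmarc_disposition(from_domain: str, record_txt: str, auth: AuthResults) -> str:
    """Return 'pass', or the policy (none/quarantine/reject) the receiver
    is asked to apply when neither DKIM nor SPF is aligned with From:."""
    rec = parse_dmarc(record_txt)
    dkim_ok = (auth.dkim_pass and auth.dkim_domain is not None
               and aligned(from_domain, auth.dkim_domain, rec["adkim"]))
    spf_ok = (auth.spf_pass and auth.spf_domain is not None
              and aligned(from_domain, auth.spf_domain, rec["aspf"]))
    return "pass" if (dkim_ok or spf_ok) else rec["p"]


def mailing_list_scenarios() -> dict:
    """Three constructed deliveries of one post from user@yahoo.com."""
    return {
        # 1. Straight from Yahoo's MTA: Yahoo's own signature is intact.
        "direct": dmarc_disposition("yahoo.com", YAHOO_DMARC_TXT,
            AuthResults(True, "yahoo.com", True, "yahoo.com")),
        # 2. Relayed by a list that tags the Subject and appends a footer:
        #    the yahoo.com signature no longer verifies, and SPF passes only
        #    for the list's bounce domain, which is not aligned with From:.
        "via_list": dmarc_disposition("yahoo.com", YAHOO_DMARC_TXT,
            AuthResults(False, "yahoo.com", True, "lists.example.org")),
        # 3. Same relay, but the list rewrote From: to its own domain and
        #    re-signed, so the list's record (not Yahoo's) is evaluated.
        "via_list_from_rewritten": dmarc_disposition("lists.example.org",
            LIST_DMARC_TXT, AuthResults(True, "lists.example.org", True, "lists.example.org")),
    }
```

Scenario 2 is the case the thread is about: the receiver is told "reject" even though the message really came from an authenticated Yahoo user, because the list's modifications broke the signature and its envelope sender is not Yahoo's.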
On Thu, Apr 17, 2014 at 12:19 AM, Private Sender <nobody@snovc.com> wrote:
On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop@gmail.com> wrote:
7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline.
The change was made on the previous Friday, so that date is largely irrelevant.
7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications)
On 04/14/2014 03:47 PM, Jim Popovitch wrote:
Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make...
If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low.
I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope.
-Jim P.
I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yahoo doesn't want you to be able to send "@yahoo.com" email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely dmarc. "p=reject" tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the dkim txt record for "yahoo.com"
Isn't this the whole point of dmarc? Stop spammers from sending email with "@yahoo.com" that doesn't originate from a valid yahoo email server.
Yes, but @yahoo.com is a bad example because it delivers user originated content.
Yahoo's implementation of dmarc is working as intended.
Are you also speaking for all yahoo users when you declare that they should no longer be able to participate on mailinglists?
Stealing someone's password, and logging into their yahoo mail account and spamming isn't going to matter to dmarc. The mail originated from yahoo, and it was an authenticated user; the mail will be signed with the DKIM key, it will be accepted by the receiving domain (unless the email address is blacklisted by the receiving domain).
But, but, but.... Yahoo implemented DMARC to supposedly stop Spam...(which ironically others have shown that a lot of spam originates from Yahoo servers, but I digress)
There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through.
LOL QoS, really? QoS to me, a yahoo account holder, would be less inbound spam. -Jim P.
On Wed 16 Apr 2014 09:40:11 PM PDT, Jim Popovitch wrote:
On Thu, Apr 17, 2014 at 12:19 AM, Private Sender <nobody@snovc.com> wrote:
On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop@gmail.com> wrote:
7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline.
The change was made on the previous Friday, so that date is largely irrelevant.
7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications)
On 04/14/2014 03:47 PM, Jim Popovitch wrote:
Given that many of their main services were vulnerable at the time of public disclosure, I think that's a very large assumption to make...
If nothing else, I suspect the odds of it being known by the same people that made the DMARC decision/changes is low.
I think you are right on that, but that doesn't change the fact that the sum of those things overburdened a lot of mailinglist operators. It is what it is, and the press has covered it and mailinglists are blocking/unsub'ing yahoo accounts in order to cope.
-Jim P.
I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yahoo doesn't want you to be able to send "@yahoo.com" email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely dmarc. "p=reject" tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the dkim txt record for "yahoo.com"
Isn't this the whole point of dmarc? Stop spammers from sending email with "@yahoo.com" that doesn't originate from a valid yahoo email server.
Yes, but @yahoo.com is a bad example because it delivers user originated content.
Yahoo's implementation of dmarc is working as intended.
Are you also speaking for all yahoo users when you declare that they should no longer be able to participate on mailinglists?
Stealing someone's password, and logging into their yahoo mail account and spamming isn't going to matter to dmarc. The mail originated from yahoo, and it was an authenticated user; the mail will be signed with the DKIM key, it will be accepted by the receiving domain (unless the email address is blacklisted by the receiving domain).
But, but, but.... Yahoo implemented DMARC to supposedly stop Spam...(which ironically others have shown that a lot of spam originates from Yahoo servers, but I digress)
There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through.
LOL QoS, really? QoS to me, a yahoo account holder, would be less inbound spam.
-Jim P.
Well yeah inbound spam filtering would be nice. But they have refused to do anything about it for the better part of a decade. Sadly, they can't control mail originating from other domains (other than mail stating it's from yahoo). Is it possible yahoo doesn't understand how dmarc works?
-- Bret Taylor
On 04/16/2014 09:19 PM, Private Sender wrote:
I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread? Yahoo doesn't want you to be able to send "@yahoo.com" email from anything other than THEIR servers which contain the private key that corresponds to their DKIM implementation, and conversely dmarc. "p=reject" tells the receiving domain to reject the message if it isn't signed by the private key that corresponds with the public key that is in the dkim txt record for "yahoo.com"
Isn't this the whole point of dmarc? Stop spammers from sending email with "@yahoo.com" that doesn't originate from a valid yahoo email server.
The fundamental misunderstanding is the assumption that DKIM signatures are never broken for valid uses of mail. They are. Would things be so simple.
Mike
On Wed, 16 Apr 2014 21:19:18 -0700, Private Sender said:
I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread?
Yes, apparently mostly on the part of Yahoo apologists...
There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through.
Is it me, or has every single Yahoo apologist in this thread insisted on this same misrepresentation of the situation?
On 04/17/2014 08:34 AM, Valdis.Kletnieks@vt.edu wrote:
On Wed, 16 Apr 2014 21:19:18 -0700, Private Sender said:
I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread?
Yes, apparently mostly on the part of Yahoo apologists...
There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through.
Is it me, or has every single Yahoo apologist in this thread insisted on this same misrepresentation of the situation?
I'm rather interested to hear from the dmarc folks, one author of whom both works for y! and i've seen post to this list. I find this all rather incomprehensible; I wonder what Mark Delaney thinks about this. Mike
Michael Thomas wrote:
On 04/17/2014 08:34 AM, Valdis.Kletnieks@vt.edu wrote:
On Wed, 16 Apr 2014 21:19:18 -0700, Private Sender said:
I'm sorry but is there a fundamental misunderstanding of dmarc going on in this thread?
Yes, apparently mostly on the part of Yahoo apologists...
There is no need to flame a company because they implemented a policy to ensure QoS to their customers. Either push your mail through their servers, or Just find somewhere else you can push your mailing lists through.
Is it me, or has every single Yahoo apologist in this thread insisted on this same misrepresentation of the situation?
I'm rather interested to hear from the dmarc folks, one author of whom both works for y! and i've seen post to this list. I find this all rather incomprehensible; I wonder what Mark Delaney thinks about this.
Of course, they shouldn't send it from a @yahoo.com email address.
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
Jim Popovitch wrote:
On Mon, Apr 14, 2014 at 5:48 PM, Scott Howard <scott@doc.net.au> wrote:
On Mon, Apr 14, 2014 at 2:29 PM, Jim Popovitch <jimpop@gmail.com> wrote:
They could have made the change not late on a Friday afternoon (or well into the weekend for most of the world).
On the weekend before tax filings are due in the US! And a couple of days before Passover.
and in the middle of Heartbleed.....
You might have had a point - if it had been ANY of those. Other than the original claim of "Friday afternoon" it was none of those things.
7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the last full week before the US tax filing deadline.
7-April: OpenSSL's *public* advisory (after a full week of private notifications, of which yahoo surely was one tech company in on the early notifications)
11-April: Yahoo discusses what needs to be done on their public tumblr account.
14-April: 1st night of Passover
15-April: Tax Filings due in the US
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
In article <CAL9jLaZJjPpZ7vzw2uE4QFQwrkcBu7cS1eD3Uu1NHUDHxxkthQ@mail.gmail.com> you write:
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard <scott@doc.net.au> wrote:
Whilst I don't agree with the way that Yahoo has done this (particularly around communication),
how could they have communicated this better? how can we all learn from this?
Well, telling people in advance that they were planning to do it rather than just dropping it on the world over the weekend would be a good start. R's, John
On Mon, Apr 14, 2014 at 10:33:40AM -0700, Matthew Petach wrote:
So, I take it you prefer a world in which there's no sender validation, and receiving floods of spoofed sender email spam is just part of the price of being on the internet?
Sender validation means NOTHING in a world with hundreds of millions of bots and hundreds of millions of email accounts that are either (a) hijacked or (b) created at will by the bot herders. My spamtraps see spam all day every day from all over the world that passes whatever alleged "sender validation" technology is the flavor-of-the-month. Can it work in some isolated edge cases? Sure. Can it work on an Internet scale? No. As I've said many times, email forgery is not the problem. It's a symptom of the problem, and the problem is "rotten underlying security" coupled with "negligent and incompetent operational practice". But fixing that is hard, and nobody -- not Yahoo and not anybody else either -- wants to tackle it. It's much easier to roll out stuff like this and pretend that it works and write a press release and declare success. ---rsk
On Apr 14, 2014, at 3:58 PM, Rich Kulawiec <rsk@gsp.org> wrote:
As I've said many times, email forgery is not the problem. It's a symptom of the problem, and the problem is "rotten underlying security" coupled with "negligent and incompetent operational practice". But fixing that is hard, and nobody -- not Yahoo and not anybody else either -- wants to tackle it. It's much easier to roll out stuff like this and pretend that it works and write a press release and declare success.
I think you're on the right track, but still suggesting there is a technical solution. I submit there is not. There is no car alarm that prevents all car thefts, no door lock that prevents all burglaries. No trigger lock that prevents all gun deaths, no lane departure system that prevents all car crashes. Spam cannot, and will never be solved by technological measures alone. They can help reduce the levels in some cases, or "squeeze the balloon" and move the spam to some other form. Ultimately the way to reduce spam is to catch spammers, prosecute them, and put them in prison. The way we keep all of those other crimes low is primarily by enforcement; making the punishment not worth the crime. With spam, the chance that a spammer will be punished is infinitesimal. There are hundreds, or thousands, or tens of thousands of spammers for every one that is put into jail. If we'd put even 1% of the effort that's been thrown at technical measures over the years into better laws, tools for law enforcement, and helping them build cases we'd be several orders of magnitude better off than technological solutions that are little more than whack-a-mole.
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Leo Bicknell wrote:
Ultimately the way to reduce spam is to catch spammers, prosecute them, and put them in prison. The way we keep all of those other crimes low is primarily by enforcement; making the punishment not worth the crime. With spam, the chance that a spammer will be punished is infinitesimal. There are hundreds, or thousands, or tens of thousands of spammers for every one that is put into jail.
Follow their money trails and take their bank accounts. Counterpunch with DDoS attacks. Attack them with drones. We're investing a lot of tax dollars into offensive cybersecurity - let's give those guys some practice! Makes sense to me!
participants (17): Christopher Morrow, Doug Barton, Florian Weimer, Jim Popovitch, John Levine, Laszlo Hanyecz, Leo Bicknell, Matthew Petach, Matthias Leisi, Michael Thomas, Miles Fidelman, Private Sender, Rich Kulawiec, rwebb@ropeguru.com, Scott Howard, Valdis.Kletnieks@vt.edu, William Herrin