[Mailman-Users] Yahoo - what chance of change now?

Tue Jun 10 05:08:58 CEST 2014

Based on that, it's here forever, but will only spread to other mailbox providers if they experience a surge in spoofing.

I'm interested to know what's in store because our current tactic is to reject new Yahoo and AOL subscribers, encourage existing ones to get new addresses, and to forward their messages by hand. This is obviously not going to work if other providers gradually start doing it too. 

If our cpanel host ever upgrades then we'll be able to decide on a more permanent solution.

Peter Shute

> -----Original Message-----
> From: Stephen J. Turnbull [mailto:stephen at xemacs.org] 
> Sent: Tuesday, 10 June 2014 12:44 PM
> To: Peter Shute
> Cc: 'mailman-users at python.org'
> Subject: [Mailman-Users] Yahoo - what chance of change now?
> 
> Peter Shute writes:
> 
>  > It's now about 2 months since Yahoo introduced their DMARC 
> reject  > policy. I'm taking this as a sign that it's 
> unlikely that they'll  > ever reverse the decision
> 
> On the DMARC list at IETF, a senior Yahoo! sysadmin said that 
> because the attack based on stolen address book data 
> continues, Yahoo! 
> management sees no option but to continue.  Even reducing to 
> "p=quarantine" is out of the question.  The fact that Yahoo! 
> Groups has started to work around DMARC authentication (by 
> moving the author's address into the display name, a tactic 
> explicitly deprecated by the DMARC consortium's own FAQ) 
> suggests they're in it for the long haul.
> 
>  > Or that any mailbox providers other than Yahoo and AOL 
> have started  > doing it, or have indicated that they ever/never will?
> 
> Comcast made a point of saying in response to a question at a 
> press conference that they have no intention of doing so.  
> It's hardly trustworthy (the DMARC designers can't be happy 
> about the bad press), but both one of the editors of the 
> current draft and a senior IETF engineer whose name pops up 
> all over the email-related RFCs have posted comments that 
> Yahoo! has made no friends for itself.
> 
> However, according to a graph I saw that described the attack 
> on AOL, spoofing of AOL addresses ballooned to about 5X the 
> volume preceding the attack, and presumably all of the new 
> spoof messages were targeted to acquaintences since the 
> attackers are known to have obtained millions of AOL users' 
> contact lists.  Not only is that attack huge, one would 
> suppose it's more effective than broadcast spam or phishing.
> 
> I would guess that any large provider that has a security 
> breach like those at Yahoo! and AOL would be tempted to 
> publish a "p=reject"
> policy, including Comcast.  IANAL, but I have to wonder if 
> they're not at substantial legal risk for contributory 
> negligence (since apparently the addresses were stolen from 
> the providers, although they're being coy about that) if they 
> don't do something about this relatively effective form of abuse.
> 