[Mailman-Users] Yahoo - what chance of change now?

Stephen J. Turnbull stephen at xemacs.org
Tue Jun 10 04:44:24 CEST 2014


Peter Shute writes:

 > It's now about 2 months since Yahoo introduced their DMARC reject
 > policy. I'm taking this as a sign that it's unlikely that they'll
 > ever reverse the decision

On the DMARC list at IETF, a senior Yahoo! sysadmin said that because
the attack based on stolen address book data continues, Yahoo! 
management sees no option but to continue.  Even reducing to
"p=quarantine" is out of the question.  The fact that Yahoo! Groups
has started to work around DMARC authentication (by moving the
author's address into the display name, a tactic explicitly deprecated
by the DMARC consortium's own FAQ) suggests they're in it for the long
haul.

 > Or that any mailbox providers other than Yahoo and AOL have started
 > doing it, or have indicated that they ever/never will?

Comcast made a point of saying in response to a question at a press
conference that they have no intention of doing so.  It's hardly
trustworthy (the DMARC designers can't be happy about the bad press),
but both one of the editors of the current draft and a senior IETF
engineer whose name pops up all over the email-related RFCs have
posted comments that Yahoo! has made no friends for itself.

However, according to a graph I saw that described the attack on AOL,
spoofing of AOL addresses ballooned to about 5X the volume preceding
the attack, and presumably all of the new spoof messages were targeted
to acquaintances since the attackers are known to have obtained
millions of AOL users' contact lists.  Not only is that attack huge,
one would suppose it's more effective than broadcast spam or phishing.

I would guess that any large provider that has a security breach like
those at Yahoo! and AOL would be tempted to publish a "p=reject"
policy, including Comcast.  IANAL, but I have to wonder if they're not
at substantial legal risk for contributory negligence (since
apparently the addresses were stolen from the providers, although
they're being coy about that) if they don't do something about this
relatively effective form of abuse.

