[Mailman-Users] Digest option for Yahoo and AOL subscribers?

Mark Rousell markr at signal100.com
Mon May 26 07:12:44 CEST 2014 

On 26/05/2014 05:46, Stephen J. Turnbull wrote:
> Richard Damon writes:
>  > On 5/25/14, 11:30 AM, Mark Rousell wrote:
> 
>  > > Whilst Yahoo and AOL are the ones who have chosen to
>  > > use/misuse/abuse DMARC in this way, it could also be said that
>  > > DMARC (and all its backers on its current form) are to blame
>  > > precisely because DMARC *allows* Yahoo's/AOL's behaviour.
> 
> The "p=reject" policy option is useful, perhaps necessary, to prevent
> phishing at financial institutions.  My bank (Tokyo-Mitsubishi-UFJ) is
> in a total panic to the point where they are running a major
> television campaign (multiple channels, hitting all the major
> demographics) displaying a typical MUA (Outlook, of course) showing a
> typical phishing message and putting a big red X over the password
> input field.
> 
>  > > If the standard has been properly finished and properly thought
>  > > through from all angles then ways could surely have been found to
>  > > allow it to be used without harming existing, standards-compliant
>  > > behaviour.
> 
> DMARC's purely informational protocols have been in use successfully
> for years, and nobody ever noticed.  Some banks have been using
> "p=reject" for quite a long time (more than a year), and nobody ever
> noticed.

Of course (in fact I recently said words to the same effect as what you
say here on the mozilla.support.thunderbird group when the problem was
raised there) but the issue at hand is not appropriate usage of
"p=reject": The issue at hand is *inappropriate* usage of "p=reject" and
the way that the protocol in effect almost encourages this (or at least
naturally tends in that direction for a business who is desperate
enough). It seems to me that if a protocol so easily allows (or even
effectively encourages) usage that craps on existing legitimate Internet
usage then the protocol (and its designers) must be in part to blame.

> I don't think the evidence supports that belief.  The design of the
> protocol has been very careful, with multiple ways to mitigate the
> kind of effects we saw in April.

Oh yes, the protocol has been well designed but it has been well
designed by its backers who were naturally looking at it *from a certain
perspective*. The protocol has been well designed to achieve certain
aims and it is likely to be successful at achieving them (including via
Yahoo's and AOL's particular implementation, inappropriate though it is).

If a perhaps wider range of perspectives had been involved, i.e. if it
had been developed through IETF, then perhaps misuse/abuse of the sort
that Yahoo and AOL have demonstrated would have been less easy or less
tempting for them.

> Yahoo! and AOL simply don't care who
> gets hurt as long as they can present it to their own users as a
> necessary measure to combat spam (and other mail abuse).

Exactly. But they have gone ahead and done it, and they have gone ahead
and done it because they can and because the protocol as it stands
almost encourages (and certainly does not discourage) such behaviour.
Yes, they don't care but it seems to me that a protocol that does
nothing to prevent or discourage such behaviour must be to blame too.

> According to one of the editors of the Internet Draft (message to a
> closed list), use by ESPs of "p=reject" was never envisioned by the
> working group, and he believed (until it actually happened) that
> Yahoo!  and AOL knew that because they have active representatives in
> the group.  I'm not sure I really believe that, since one of the DMARC
> proponents on Mailman channels clearly believes that any problems are
> the fault of misconfigured lists, and one of the editors of the DMARC
> Internet Draft has a Yahoo! affiliation listed.

Interesting.

If it is true that the designers never foresaw Yahoo's and AOL's style
of misuse then this seems to me to confirm my point: That a wider range
of perspectives, which the IETF would hopefully have brought to it,
might have helped make possible misuses/abuses clear.

> *I* can and do play hardball, and (as mentioned in a previous post)
> the fiasco at yahoo.com triggered a reaction in the Japanese research
> and education communities (including an official advisory from the
> Ministry of Education, Culture, Science and Technology), so that
> students and to some extent faculty and researcher have switched to
> GMail en masse -- entirely unnecessary since yahoo.co.jp doesn't seem
> to publish a DMARC policy at all!

That's good to hear. Perhaps Yahoo will notice this since I understand
that their shareholding in the Japanese company is profitable for them.



-- 
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

More information about the Mailman-Users mailing list