[Mailman-Users] Digest option for Yahoo and AOL subscribers?

Stephen J. Turnbull stephen at xemacs.org
Mon May 26 11:08:02 CEST 2014


Mark Rousell writes:

 > It seems to me that if a protocol so easily allows (or even
 > effectively encourages) usage that craps on existing legitimate
 > Internet usage then the protocol (and its designers) must be in
 > part to blame.

I don't see any real difference between ESP abuse of "p=reject" and
spam itself, though.  They both use others' resources to accomplish
one's own purposes while harming 3rd parties.  As you may know,
well-meaning people have long argued "freedom of speech" as a moral
justification for spam and Usenet bots and so on.  Well, well-meaning
people are arguing "spam-fighting" as a moral justification for ESP
(ab)use of "p=reject" now.  "To a yahoo with a hammer, every problem
looks like a thumb."  (With all due disrespect to jwz)

 > Oh yes, the protocol has been well designed but it has been well
 > designed by its backers who were naturally looking at it *from a
 > certain perspective*. The protocol has been well designed to
 > achieve certain aims and it is likely to be successful at achieving
 > them (including via Yahoo's and AOL's particular implementation,
 > inappropriate though it is).

Actually, that's apparently false.  John L linked to or posted a graph
provided by AOL which makes it quite clear that *except for one
particular spammer* DMARC p=reject had *no* effect on spam claiming to
originate from AOL.  It just returned to pre-off-the-charts spamming
level.

It *does* seem to be successful at reducing phishing, for now.
Whether it's reducing damage due to phishing, or just weeding out the
less sophisticated felons, I don't know, and I don't think anybody
does.

 > If a perhaps wider range of perspectives had been involved, i.e. if
 > it had been developed through IETF, then perhaps misuse/abuse of
 > the sort that Yahoo and AOL have demonstrated would have been less
 > easy or less tempting for them.

Maybe, but I don't really see that.  As John L points out, at present
DMARC is a private protocol between "consenting adults", and even if
the IETF publishes a competing standards track RFC, Yahoo! and AOL can
continue to (ab)use it.

 > > Yahoo! and AOL simply don't care who
 > > gets hurt as long as they can present it to their own users as a
 > > necessary measure to combat spam (and other mail abuse).
 > 
 > Exactly. But they have gone ahead and done it, and they have gone
 > ahead and done it because they can

IMO, we could put a period here, because I don't see this:

 > and because the protocol as it stands almost encourages (and
 > certainly does not discourage) such behaviour.

Well, it's quite clear from the document that DMARC is intended to
protect domain names from being used in phishing attacks.  AOL and
Yahoo! did not (and AFAICS cannot) suffer from severe phishing
problems.  They explicitly refer to their spam problem (which
continues) as justification.  There is nothing that the document
authors can do to stop that (except maybe resign in protest if they
work for such a domain :-).

The fact is that "p=reject" has been in use at many domains for a long
time with no problem.  The DMARC consortium is surely aware of the bad
effect it would have on reliable delivery to conventionally configured
mailing lists; we've told them often enough, and I doubt we're the
only ones.  Yahoo!'s and AOL's use of p=reject was an act of
desperation AFAICS; even a MUST NOT in an RFC would not have stopped
them.

 > If it is true that the designers never foresaw Yahoo's and AOL's
 > style of misuse

No, what Murray wrote was that it was understood in the working group
that ESP (ab)use of "p=reject" was inappropriate, and I understood
that he believed that AOL and Yahoo! were part of that consensus.  He
went on to say later that he didn't have any insight as to why they
went ahead and did it.

 > then this seems to me to confirm my point: That a wider range of
 > perspectives, which the IETF would hopefully have brought to it,
 > might have helped make possible misuses/abuses clear.

We have known for a long time that use by ESPs like GMail (which
hasn't yet), Hotmail (which hasn't yet), Yahoo!, and AOL would cause
lots of problems for their users, and given the stubborn response of
Mailman list operators on this list and mailman-developers, they
surely were well aware that very few lists would be prepared.  So they
went and DoS'ed their own users!  (Of course they also clearly planned
to blame, not the victims, but any innocent bystanders.  Still, they
should have known that their users would get DoS'ed, and they did it
anyway.)

What wasn't known (to me, anyway) was the nasty effect that this would
have on bounce processing.  AFAIK, nobody anticipated that.  I don't
see how broader participation would have helped -- the ranking expert
(Mark, take a bow!) on bounce processing has been aware of DMARC for a
long time.  I doubt that Yahoo! and AOL have the technical abilities
to figure it out for themselves (they don't know how Mailman bounce
processing works).  So I don't think a more IETF-based process would
have changed their logic.

It would be nice if the current process could get some discouraging
language into the document, but we'll see how that works over the next
few weeks/months.

Steve




