Cedric Knight writes:
On 23/05/15 22:45, Allan Hansen wrote:
I have waited almost a year for AOL and Yahoo to admit that they messed up and to remove their DMARC policy.
Me too.
For some good news: people working with DMARC have come up with a protocol that may help lists with good reputations, and Mailman will implement it this summer.
Now the bad news: they're not going to revert to p=none. From management's point of view, p=reject is a rather good solution to a nasty problem. The massive leaks of address books that made "referral from a friend spam" possible means they're committed to this indefinitely, unless they do away with their traditional email addresses (ie, @aol.com and @yahoo.com). But that could cost them hundreds of millions of users.
It's certainly true that Yahoo! admins have stated that their little April Fool's joke didn't cost them any users to speak of, which is all that management really worried about, in view of the huge costs (both technical -- a spike in mail flows to Yahoo! of 6X the normal level -- and reputational -- the huge amount of directed spam that was being sent to correspondents of Yahoo users everywhere) involved in doing nothing.
A year and a bit later Ms. Zwicky (who arguably is doing her best for both Yahoo! users and Yahoo!'s bottom line, if lacking a little on the corporate social responsibility side) said that they were still getting probes that indicated that the spammers were ready to restart their "campaigns" if p=reject were ever relaxed. So they aren't going to do that.
Sadly, Yahoo has recently (28 March) compounded their mess,
I guess their take on the current situation, two years later, is that any indirect mailflows that they haven't already killed outright are prepared to deal with this extension.
Anyway, I would say that any large email provider that keeps user "friend" data on their servers (rather than on the user's machine) needs to be prepared to publish p=reject in the event they get cracked. You don't have to like the situation, but don't waste neurons hoping it will go away.
Steve