Digest option for Yahoo and AOL subscribers?

I just realized that setting the digest option could be a temporary solution for my Yahoo and AOL subscribers until things get sorted (hopefully by Yahoo and AOL stopping this nonsense). My Mailman installation comes with the system (Mac OS X). Mailman is 2.1.14 and the OS is 10.5.8. I have no plans to upgrade either any time soon.
The idea of using the list address as the From: address is not good. It hides the sender and it messes up the archives.
Yours,
Allan Hansen
Westminster, CA

On 5/24/14, 4:24 PM, Allan Hansen wrote: the problem. It is them posting that causes the problem.
Putting everyone on systems that respect the DMARC settings (which include Yahoo, AOL, plus a number of others including Comcast, SBC, and others) will "fix" the problem, as the digests don't claim to come from Yahoo or AOL, so their DMARC settings don't matter, but with all the problems of the digest instead.
You can just ban all Yahoo and AOL users. You can allow Yahoo and AOL users, but just not let them post. You can set your list to be anonymous. You can hack something into your email system to get around the problem. You can implement some semi-manual system to mitigate the problem. You can ignore the problem, and get a lot of your subscribers unsubscribed from bounces (or turn off bounce processing), live with the missing emails, and the possible loss of reputation from your email system due to all the "unauthorized" email that comes from it.
What I did while waiting for the 2.1.18 update was to place on moderation (via a "spam" filter, not actually going in and putting on moderation) all Yahoo and AOL email addresses, and when a message from one of them came in, I would temporarily switch the list to anonymous, release the message, and return the list to normal. This was a pain, which I was willing to endure 'til the fix came in, but I would not want to commit to this long term. An alternative option would be to manually resubmit the messages, rewriting the From address to something that won't cause a problem (like adding .invalid to the domain of the address). Again, this would be a pain if you can't automate it.
My own opinion is that if there is any way you can upgrade to 2.1.18-1, do that, anything less will be draconian or a pain.
-- Richard Damon
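As an added illustration of the From: rewrite Richard describes (appending .invalid to the author's domain), here is example code that is not from the thread and not Mailman's own: it parses a DMARC TXT record, decides whether a post from that domain would be quarantined or rejected once the list has modified it, and applies the rewrite. The DNS lookup is replaced by a constructed in-memory table of sample records under the reserved .test TLD, the organizational-domain step is simplified to the parent domain rather than the Public Suffix List, and the "via list" display name and X-Original-From header are my own choices.

```python
from email import message_from_string
from email.policy import default
from email.utils import formataddr, parseaddr

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>; a deployment
# would query DNS instead. The domains and records are sample values.
FAKE_DMARC_TXT = {
    "_dmarc.example-esp.test": "v=DMARC1; p=reject; rua=mailto:agg@example-esp.test",
    "_dmarc.bank.test": "v=DMARC1; p=reject; sp=quarantine; pct=100",
    "_dmarc.relaxed.test": "v=DMARC1; p=none; rua=mailto:agg@relaxed.test",
    "_dmarc.partial.test": "v=DMARC1; p=quarantine; pct=10",
}


def parse_dmarc_record(txt):
    """Parse a 'v=DMARC1; tag=value; ...' TXT record into a dict of tags.
    Returns None when the record is not a DMARC record (e.g. an SPF record)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def effective_policy(domain, txt_lookup=FAKE_DMARC_TXT.get):
    """Policy ('none', 'quarantine' or 'reject') receivers apply to mail whose
    From: domain is `domain`, or None when no DMARC record is published.
    Simplified: real DMARC locates the organizational domain with the Public
    Suffix List; this version tries the exact domain, then its parent (sp=)."""
    domain = domain.lower().rstrip(".")
    record = txt_lookup("_dmarc." + domain)
    tags = parse_dmarc_record(record) if record else None
    if tags is not None:
        return tags.get("p", "none").lower()
    parent = domain.partition(".")[2]
    if "." in parent:
        record = txt_lookup("_dmarc." + parent)
        tags = parse_dmarc_record(record) if record else None
        if tags is not None:
            # sp= governs subdomains and defaults to p= when absent
            return tags.get("sp", tags.get("p", "none")).lower()
    return None


def needs_from_rewrite(from_header, txt_lookup=FAKE_DMARC_TXT.get):
    """True when redistributing the post unchanged would be quarantined or
    rejected: the list host fails SPF for the author's domain, and list
    footers or Subject tags break the author's DKIM signature, so only
    p=none is safe. pct= is deliberately ignored; even pct=10 loses posts."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    policy = effective_policy(addr.rsplit("@", 1)[1], txt_lookup)
    return policy in ("quarantine", "reject")


def munge_from(msg, txt_lookup=FAKE_DMARC_TXT.get):
    """Rewrite From: to <local>@<domain>.invalid (a reserved, undeliverable
    TLD) when the author's DMARC policy requires it, preserving the original
    address in Reply-To: and X-Original-From: for replies and archives."""
    original = str(msg.get("From", ""))
    if not needs_from_rewrite(original, txt_lookup):
        return msg
    name, addr = parseaddr(original)
    local, domain = addr.rsplit("@", 1)
    del msg["From"]  # EmailMessage.__setitem__ appends, so delete first
    msg["From"] = formataddr((f"{name or addr} via list", f"{local}@{domain}.invalid"))
    if "Reply-To" not in msg:
        msg["Reply-To"] = original
    msg["X-Original-From"] = original
    return msg


def rewrite_post(raw, txt_lookup=FAKE_DMARC_TXT.get):
    """Parse a raw RFC 5322 message and apply munge_from to it."""
    return munge_from(message_from_string(raw, policy=default), txt_lookup)


def header_address(msg, name):
    """(display-name, addr-spec) of a header, for inspection."""
    return parseaddr(str(msg.get(name, "")))


# Constructed sample posts: one from a p=reject domain, one from p=none.
SAMPLE_POST = """From: Alice Example <alice@example-esp.test>
To: list@example-list.test
Subject: [list] hello
Message-ID: <1@example-esp.test>

Hello from a DMARC p=reject domain.
"""

SAMPLE_POST_NONE = """From: bob@relaxed.test
To: list@example-list.test
Subject: [list] hello again
Message-ID: <2@relaxed.test>

Hello from a p=none domain; this From: is left alone.
"""

if __name__ == "__main__":
    print(rewrite_post(SAMPLE_POST).as_string())
```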

Richard Damon writes:
From what I have seen, any version of Mailman before 2.1.16 (and preferably 2.1.18) just isn't compatible with DMARC
Please, it's the other way around! ;-) DMARC is the interloper, and some insiders fear that this mess will derail progress to RFC status of the useful informational part of DMARC as well as the pernicious "p=reject" policy.

On 5/24/14, 6:26 PM, Stephen J. Turnbull wrote:
Actually, from my reading of the proposal for DMARC, it really isn't that bad for what it is supposed to do. The BIG problem is that domains using DMARC are really saying that the identity of the posters of their emails are important, and that emails from this domain should be verifiable to having come from that domain. This is great for things like banks and such. Any such domain should have in it TOS/AUP that users are not to send messages that would break this check (i.e. addresses are not to be used for things like mailing lists, or 3rd party mailings). Yahoo and AOL have no such rule, and in fact have in the past even encouraged their use for mailing lists.
The "problem" isn't DMARC, the problem is its abuse by Yahoo and AOL. These are big players, and it isn't really practical for lists to just say they are breaking the rules so we won't let them play anymore. (If only for the old days of Usenet where abusive servers were given the "death penalty" and they lost their connectivity for a while).
-- Richard Damon

(Not sent to list previously, apologies).
On 25/05/2014 01:00, Richard Damon wrote:
I think your comments are compatible with DMARC being the "interloper", as Stephen put it. DMARC (whether in general or in terms of Yahoo's and AOL's use/misuse/abuse of it) is the interloper (i.e. newcomer) that is in practice impacting pre-existing and legitimate usage patterns.
I agree that the idea behind DMARC is a good one; the reality is less good.
Whilst Yahoo and AOL are the ones who have chosen to use/misuse/abuse DMARC in this way, it could also be said that DMARC (and all its backers in its current form) are to blame precisely because DMARC *allows* Yahoo's/AOL's behaviour. If the standard had been properly finished and properly thought through from all angles then ways could surely have been found to allow it to be used without harming existing, standards-compliant behaviour. The consortium behind DMARC simply weren't willing to wait or play along. It seems that some of them were particularly desperate and were willing to harm interoperability.
-- Mark Rousell
PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162

On 5/25/14, 11:30 AM, Mark Rousell wrote:
My understanding is that DMARC WAS going through the standardization process, and actually was to the state where experimental use was justified (and in some sense actually required). The problem that happened is that Yahoo jumped into the limited clinical trial and experimented with millions before we had a chance to find out the side effects of the medicine.
I suppose that the community's response should have been to just kick off all Yahoo (and later AOL) users from mailing lists (as that is really one meaning of the DMARC setting announced), but the community had too much compassion for the "innocent" users (since the real problem was with Yahoo "management" not its users). Perhaps if we had been hard-line, they would get enough complaints and people leaving to force them to change their mind, but I more expect we would have punished a lot of innocent users who really don't want to go through the hassle of changing email providers, and are more apt to just drop off mailing lists.
-- Richard Damon

On 25/05/2014 19:04, Richard Damon wrote:
Sadly I don't think this would have worked (although there might still be time). It seems to me that the reason that Yahoo and AOL (especially Yahoo) can get away with this at all is because of their market size. All mailing list providers are tiny in terms of Yahoo's size and so what they do has no real effect on Yahoo. Yahoo doesn't need to care if a few of its users are inconvenienced; on their scale of operations it will never be enough people to matter.
-- Mark Rousell
PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162

No, not at all. DMARC was designed and implemented by a small closed group of large companies listed on the DMARC web site at http://www.dmarc.org/about.html
It had been running for about two years at various ISPs with little trouble until AOL and Yahoo jumped the shark last month. There are free libraries which work pretty well, and I've been collecting DMARC reports on my various domains since Feb 2012 (but not, of course, paying attention to anyone's published policies on inbound mail.)
The DMARC group has asked the RFC Editor to publish the spec as a non-standards-track non-IETF independent submission. There was briefly talk of making it standards track until the DMARC group realized that gave the IETF change control, and we likely would change it, which they didn't want. The RFC Editor is currently thinking about it, and probably will publish on the theory that even if it's a bad idea, it might as well be documented.
R's, John
PS: This is first hand. I know the people involved.

John Levine writes:
That's a tiny bit unfair. Our sister list, mailman-developers, has been aware of DMARC for at least three years, and our opinions and even participation have been solicited on at least two occasions.
If it goes that way, we should write a one-line BCP:
Best Current Practice for DMARC "p=reject"
If your name isn't "J. P. Morgan", don't.
Well, make that two lines:
AOL and Yahoo!, wake up! THIS MEANS YOU.
Hm. AFAICT sec. 3(a)(ii) of "Legal Provisions Relating to IETF Documents" allows us to make only the necessary changes to their document, and submit our version to the standards track. That might be amusing! :-)

Richard Damon writes:
On 5/25/14, 11:30 AM, Mark Rousell wrote:
The "p=reject" policy option is useful, perhaps necessary, to prevent phishing at financial institutions. My bank (Tokyo-Mitsubishi-UFJ) is in a total panic to the point where they are running a major television campaign (multiple channels, hitting all the major demographics) displaying a typical MUA (Outlook, of course) showing a typical phishing message and putting a big red X over the password input field.
DMARC's purely informational protocols have been in use successfully for years, and nobody ever noticed. Some banks have been using "p=reject" for quite a long time (more than a year), and nobody ever noticed.
The consortium behind DMARC simply weren't willing to wait or play along.
I don't think the evidence supports that belief. The design of the protocol has been very careful, with multiple ways to mitigate the kind of effects we saw in April. Yahoo! and AOL simply don't care who gets hurt as long as they can present it to their own users as a necessary measure to combat spam (and other mail abuse).
According to one of the editors of the Internet Draft (message to a closed list), use by ESPs of "p=reject" was never envisioned by the working group, and he believed (until it actually happened) that Yahoo! and AOL knew that because they have active representatives in the group. I'm not sure I really believe that, since one of the DMARC proponents on Mailman channels clearly believes that any problems are the fault of misconfigured lists, and one of the editors of the DMARC Internet Draft has a Yahoo! affiliation listed.
In many cases, there's no "compassion" involved, just a hard-headed business calculation about whether the list can afford to offend the paying customers. In any case, it's pretty clear that
which both AOL and Yahoo! would find convenient for their own business models. (I don't think that's their aim, I just don't think they'll shed any tears as long as their spin control is successful.)
So I certainly don't recommend it if you don't have substantial and unshakably legitimate influence over your subscribers.
*I* can and do play hardball, and (as mentioned in a previous post) the fiasco at yahoo.com triggered a reaction in the Japanese research and education communities (including an official advisory from the Ministry of Education, Culture, Science and Technology), so that students and to some extent faculty and researchers have switched to GMail en masse -- entirely unnecessary since yahoo.co.jp doesn't seem to publish a DMARC policy at all!
But my situation is very unusual.
Steve

On 26/05/2014 05:46, Stephen J. Turnbull wrote:
Of course (in fact I recently said words to the same effect as what you say here on the mozilla.support.thunderbird group when the problem was raised there) but the issue at hand is not appropriate usage of "p=reject": The issue at hand is *inappropriate* usage of "p=reject" and the way that the protocol in effect almost encourages this (or at least naturally tends in that direction for a business who is desperate enough). It seems to me that if a protocol so easily allows (or even effectively encourages) usage that craps on existing legitimate Internet usage then the protocol (and its designers) must be in part to blame.
Oh yes, the protocol has been well designed but it has been well designed by its backers who were naturally looking at it *from a certain perspective*. The protocol has been well designed to achieve certain aims and it is likely to be successful at achieving them (including via Yahoo's and AOL's particular implementation, inappropriate though it is).
If a perhaps wider range of perspectives had been involved, i.e. if it had been developed through IETF, then perhaps misuse/abuse of the sort that Yahoo and AOL have demonstrated would have been less easy or less tempting for them.
Exactly. But they have gone ahead and done it, and they have gone ahead and done it because they can and because the protocol as it stands almost encourages (and certainly does not discourage) such behaviour. Yes, they don't care but it seems to me that a protocol that does nothing to prevent or discourage such behaviour must be to blame too.
Interesting.
If it is true that the designers never foresaw Yahoo's and AOL's style of misuse then this seems to me to confirm my point: That a wider range of perspectives, which the IETF would hopefully have brought to it, might have helped make possible misuses/abuses clear.
That's good to hear. Perhaps Yahoo will notice this since I understand that their shareholding in the Japanese company is profitable for them.
-- Mark Rousell
PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162

Mark Rousell writes:
I don't see any real difference between ESP abuse of "p=reject" and spam itself, though. They both use others' resources to accomplish one's own purposes while harming 3rd parties. As you may know, well-meaning people have long argued "freedom of speech" as a moral justification for spam and Usenet bots and so on. Well, well-meaning people are arguing "spam-fighting" as a moral justification for ESP (ab)use of "p=reject" now. "To a yahoo with a hammer, every problem looks like a thumb." (With all due disrespect to jwz)
Actually, that's apparently false. John L linked to or posted a graph provided by AOL which makes it quite clear that *except for one particular spammer* DMARC p=reject had *no* effect on spam claiming to originate from AOL. It just returned to pre-off-the-charts spamming level.
It *does* seem to be successful at reducing phishing, for now. Whether it's reducing damage due to phishing, or just weeding out the less sophisticated felons, I don't know, and I don't think anybody does.
Maybe, but I don't really see that. As John L points out, at present DMARC is a private protocol between "consenting adults", and even if the IETF publishes a competing standards track RFC, Yahoo! and AOL can continue to (ab)use it.
IMO, we could put a period here, because I don't see this:
and because the protocol as it stands almost encourages (and certainly does not discourage) such behaviour.
Well, it's quite clear from the document that DMARC is intended to protect domain names from being used in phishing attacks. AOL and Yahoo! did not (and AFAICS cannot) suffer from severe phishing problems. They explicitly refer to their spam problem (which continues) as justification. There is nothing that the document authors can do to stop that (except maybe resign in protest if they work for such a domain :-).
The fact is that "p=reject" has been in use at many domains for a long time with no problem. The DMARC consortium is surely aware of the bad effect it would have on reliable delivery to conventionally configured mailing lists; we've told them often enough, and I doubt we're the only ones. Yahoo!'s and AOL's use of p=reject was an act of desperation AFAICS; even a MUST NOT in an RFC would not have stopped them.
If it is true that the designers never foresaw Yahoo's and AOL's style of misuse
No, what Murray wrote was that it was understood in the working group that ESP (ab)use of "p=reject" was inappropriate, and I understood that he believed that AOL and Yahoo! were part of that consensus. He went on to say later that he didn't have any insight as to why they went ahead and did it.
We have known for a long time that use by ESPs like GMail (which hasn't yet), Hotmail (which hasn't yet), Yahoo!, and AOL would cause lots of problems for their users, and given the stubborn response of Mailman list operators on this list and mailman-developers, they surely were well aware that very few lists would be prepared. So they went and DoS'ed their own users! (Of course they also clearly planned to blame, not the victims, but any innocent bystanders. Still, they should have known that their users would get DoS'ed, and they did it anyway.)
What wasn't known (to me, anyway) was the nasty effect that this would have on bounce processing. AFAIK, nobody anticipated that. I don't see how broader participation would have helped -- the ranking expert (Mark, take a bow!) on bounce processing has been aware of DMARC for a long time. I doubt that Yahoo! and AOL have the technical abilities to figure it out for themselves (they don't know how Mailman bounce processing works). So I don't think a more IETF-based process would have changed their logic.
It would be nice if the current process could get some discouraging language into the document, but we'll see how that works over the next few weeks/months.
Steve

Allan Hansen writes:
I just realized that setting the digest option could be a temporary solution for my Yahoo and AOL subscribers
Just make sure you set it for *all* users, not just those using Yahoo! and AOL. The important thing is that non-AOL/Yahoo! subscribers be protected from the denial of service attack that the DMARC "p=reject" policy induces. You must also make it clear that changing their own setting back is likely to result in them losing posts and getting booted off the list.
Also be prepared for a spate of posts that break threading because both subject and reference message IDs refer to the digest message rather than the actual posts.
Steve
