[Mailman-Users] DMARC issues
rsk at gsp.org
Fri Apr 11 12:13:58 CEST 2014

(my apologies to anyone who reads NANOG, this is mostly a repeat
of what I said there)

On Thu, Apr 10, 2014 at 11:36:16AM -0400, Barry Warsaw wrote:
> It *is* a shame that these anti-spam defenses knowingly break mailing lists.

It's a shame that this is being pushed as an anti-spam defense when in
fact (a) it has little-to-no anti-spam value and (b) measures that have
much higher anti-spam value with few adverse effects are not being used.

Nearly all (at least 99% and likely quite a bit more) of the spam [as
observed by my numerous spamtraps] that purports to originate from Yahoo
really *does* originate from Yahoo. All that I have to do to verify that
is to look at the originating host -- that is, it's not necessary to
check DMARC or anything else.

There are several reasons for this. First, Yahoo has done an absolutely
miserable job of outbound abuse control. For over a decade. Second,
they've done a correspondingly miserable job of handling abuse reports,
so even when one of their victims is kind and generous enough to do
their work for them and tell them that they have a problem...they don't
pay attention and they don't take any action. (Or they fire back a
clueless boilerplate denial that it was their user on their host on
their network...even though it was all three.) Also for over a decade.
Third, why would any spammer forge a @yahoo.com address when it's easy
enough to buy hijacked accounts by the bucketful -- or to use any of the
usual exploits to go get some? Fourth, at least some spammers seem to have
caught on that Yahoo isn't *worth* forging: it's a toxic cesspool because
the people running it have allowed it to become one.

So let's not pretend that this has anything to do with stopping spam.
If Yahoo actually wanted to do something about spam, they could have
done that years and years ago simply by *paying attention* to what was
going on inside their own operation. This is just (a) propaganda,
so that they claim to be "doing something" and (b) a clumsy attempt
to coerce people into using *their* mailing lists, which are just
as horribly run as the rest of their mail system.