[Mailman-Users] (postfix &) Results of testing posts to yahoogroups from AOL

Cedric Knight cedric at gn.apc.org
Sat May 10 11:31:36 CEST 2014

Hope I'm not going too off-topic here (Yahoo Groups, AOL reject domains,
postfix hack).  Firstly thanks to Mark and everyone who's been thinking
around the DMARC p=reject problem, developing workarounds, talking to
IETF and also Yahoo and AOL to try to keep email working reliably.

On 09/05/14 22:50, Mark Sapiro wrote:
> I finally got around to testing this.

Note that the situation changed the day before you did the test.  There
is an announcement dated 8 May here:
"Following the recent changes in Yahoo DMARC policy to protect users
from email spam, we’ve made changes to how Yahoo Groups sends mails to
members’ inboxes. ... With these changes we are addressing
deliverability issues due to DMARC adoption by mail service providers."

Previously it seems aol.com addresses were causing problems for Yahoo
groups, for example
Also BTW AOL has published p=reject on two other domains:
$ dig +short txt _dmarc.aim.com
"v=DMARC1\; p=reject\; pct=100\; rua=mailto:d at rua.agari.com\;
ruf=mailto:d at ruf.agari.com\;"
$ dig +short txt _dmarc.cs.com
"v=DMARC1\; p=reject\; pct=100\; rua=mailto:d at rua.agari.com\;
ruf=mailto:d at ruf.agari.com\;"

So far I only know of yahoo.com, aol.com, aim.com and cs.com that have
become unusable with standard lists.

> I posted three times to my test
> Yahoo group from 'Mark Sapiro <my_aol_address at aol.com>'. One post with
> the group set to send replies to the group and one post with the group
> set to send replies to the sender and one post with the group set to
> send replies to the sender and the group.
> In all cases, the posts were sent with
> From: "Mark Sapiro my_aol_address at aol.com [my_yahoo_groupname]"
> <my_yahoo_groupname at yahoogroups.com>

Also note that this new rewriting by Yahoo groups applies to all From
addresses, not just AOL.com.  In itself, I've reservations about using
the group posting address.  What if (for example) Reply-To is not
honoured... (see below).  Plus adding the address to the real name is

Our listserv is stuck with Debian stable (2.1.15), so I implemented From
rewriting in Postfix.  (In case any Postfix postmaster is interested, a
simple way is creating a cleanup daemon which does header_checks using a
REPLACE rule on the From: line, then applying -o cleanup_service_name to
the smtpd daemon that receives email back from Mailman.)

Anyway, rather than the list address masquerading as the sender's real
name, I thought it best to raise awareness that there's a problem with
the yahoo.com/aol.com address in the From line, so make it very clear at
the start of the real name, and change the address to an auto-responder
with a description of the problem.

/^From: (.+)\@(aol|cs|aim|yahoo)\.com($|>.*| .*)/ REPLACE From: (broken-address) $1@$2-is-broken.[a domain under my control]$3

Mailman adds a Reply-To, so other than the RFCs, IMHO it's not that
important what the actual address in the From line is, although it
should preserve the original.  So far I've not had complaints from list
owners about the real name rewriting with prefixing the literal
"[broken-address]", but maybe it should be shorter and less ugly.  It
still needs to be prominent, as most users might otherwise not get the
fact that the From address is not the address of the sender and they
shouldn't add it to their address book.  Like Dave Nathanson, I don't
like "via".

> In the first case (replies to group), there was
> Reply-To: <my_yahoo_groupname at yahoogroups.com>
> in the post from the group. This seems correct, and my actual address
> was in the display name portion of From:
> In the second case, there was no Reply-To: in the message meaning a
> simple 'reply' was addressed to the From: address which I suppose is
> fairly easy to edit to go to me, but without editing, 'reply' goes to
> the group which is wrong.

This is clearly a bug, as it doesn't follow the announcement 'When
replying to a Group message, Group “Reply-To” settings of the Group will
continue to be honored on the Reply compose screen on the web and in
your email service.'

Has caused Yahoo list owners to complain starting 16 hours ago
<https://answers.yahoo.com/dir/index?sid=396546285>.  Among other
things, it increases list traffic, presents privacy problems, and can
get a list address automatically added to a user's address book under
the wrong name.  Doesn't really inspire confidence in Yahoo, I'm afraid.

> In the third (reply to both) case there is a
> Reply-To: my_yahoo_groupname at yahoogroups.com,Mark Sapiro
> <my_aol_address at aol.com>
> which is correct.
> So the bottom line is Yahoo groups does From: header munging when
> necessary because of DMARC policies on the From: domain and they manage
> Reply-To: well in two cases out of three.

2 out of 3 is quite bad if it's *your* Yahoo list that's supposed to be
set to Reply-To sender.  Another weird thing I've seen is occasional
email From @aol.com that wasn't DKIM signed, which breaks forwarding
because it doesn't pass SPF either.  Meanwhile, I don't see DMARC having
an impact on phishing, at least not one that phishers can't easily adapt to.

DMARC.org links to
http://blog.threadable.com/how-threadable-solved-the-dmarc-problem which
says  "Was this the right thing for Yahoo to do?  Not a chance. A
restricted DMARC policy makes sense for domains on which phishing is a
serious risk, and *who are not also email service providers*.  Because
lists tend to unsubscribe addresses that generate bounces, Yahoo is not
only breaking email for their own customers, but for everyone else."

I'm still hoping Yahoo and AOL aren't waiting to save face to reverse
their policy.  I do wonder if some major list provider or owner might
sue them for causing them to lose lots of list subscribers.

All best wishes
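
An added example, not part of the original post and not Postfix code: a Python model of the header_checks REPLACE rule quoted in the message, run over constructed From: headers to show which shapes it rewrites, including the Yahoo Groups style where the address sits inside the display name. `lists.example` is an assumed stand-in for the poster's own domain, and Python's `re` stands in for Postfix's PCRE engine on unfolded, single-line headers.

```python
import re

# The header_checks pattern from the post, unchanged. Postfix regexp/pcre
# tables match case-insensitively by default, hence re.IGNORECASE here.
PATTERN = re.compile(
    r"^From: (.+)\@(aol|cs|aim|yahoo)\.com($|>.*| .*)", re.IGNORECASE
)

# Assumption: stands in for "[a domain under my control]" in the post.
PLACEHOLDER_DOMAIN = "lists.example"


def rewrite_from(header: str) -> str:
    """Return the header as the REPLACE rule would leave it."""
    m = PATTERN.match(header)
    if m is None:
        return header  # no match: the rule leaves the header alone
    local, provider, rest = m.groups()
    return (
        f"From: (broken-address) {local}@{provider}"
        f"-is-broken.{PLACEHOLDER_DOMAIN}{rest}"
    )


# Constructed sample headers (not taken from real traffic).
SAMPLES = [
    "From: Alice Example <alice@aol.com>",   # display name + angle address
    "From: bob@yahoo.com",                   # bare address, matches via $
    "From: carol@AIM.com (Carol)",           # upper-case domain, trailing comment
    "From: Dave <dave@example.org>",         # unaffected domain
    "From: eve@yahoo.com.example",           # look-alike suffix, must not match
    # Yahoo Groups style: the poster's address is inside the display name,
    # so the rule rewrites the display name and leaves the real address alone.
    'From: "Mark my_addr@aol.com [grp]" <grp@yahoogroups.com>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h}\n  -> {rewrite_from(h)}")
```
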

