[Mailman-Users] Yahoo policy on list messages

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Sat Jul 23 18:26:00 EDT 2016

Christian F Buser via Mailman-Users writes:

 > "from what I can see from the text files you sent me, it's a matter of 
 > the mailing list configuration.
 > The sender ( From: ) needs to be set as the mailing list address and not 
 > as the original sender (eg, ekxxxxxka at yahoo.com)

Your provider, and Yahoo!, are advocating violating the standards that
*define* the Internet.  Putting the list's name in From means that the
list is claiming responsibility for the content of the message.

 > - but all mailing lists I know usually have the original sender's name 
 > in the From-field...

That is correct usage according to the definition of the From field.

 > So what am I doing wrong here?

According to the standards that define the Internet, *you* are doing
nothing wrong (except maybe you shouldn't be accepting posts from
Yahoo! email addresses[1]).  Yahoo! screwed up by leaking millions of
users' address books to spammers and phishers.  DMARC is the only
effective way to protect the people *in* those address books from spam
and phishing messages apparently sent by their friends who use Yahoo!
for email, but Yahoo! is completely unapologetic about the collateral
damage to both mailing lists and to many small businesses.  I tell my
friends that friends don't let friends use Yahoo! accounts -- both for
reasons of social conscience and because there are a lot of ways that
Yahoo!-originated mail can end up in the bitbucket.[2]

So bow in the direction of the nearest root nameserver, apologize to
the Higher Powers of the Internet, and set dmarc_moderation_action to
"Munge From".  This will put the mailing list's address in From, along
with the user's address in the "display name", for those posters whose
email providers abuse DMARC the same way that Yahoo! does, and only
those posters.

[1]  I'm not entirely joking.  For example, that is the official
policy of my employer, the Japanese Ministry of Education, because of
the mess AOL and Yahoo! created in April 2014 in this way.  Ironically
enough, the Japanese affiliate is one of the few in the Yahoo! family
that (still) does NOT cause this problem.

[2]  Of the popular freemail providers, GMail and Hotmail do not have
this problem (yet, they say they won't, but nobody can be 100% sure
they'll never leak a few million address books to the black hats :-( ).
You can can check your local providers by looking up the TXT record
for the _dmarc subdomain of the domain, and checking if it contains
"p=reject".  For example:

    $ host -t TXT _dmarc.yahoo.de
    v=DMARC1\; p=reject\; pct=100\; rua=mailto:dmarc_y_rua at yahoo.com\;

Your posts will bounce or be silently discarded at many subscribers to
many mailing lists.

More information about the Mailman-Users mailing list