[Mailman-Users] non-subscribers getting through--email address in "Real Name"

John Levine johnl at taugh.com
Tue Jul 24 17:16:20 EDT 2018

In article <78baab65-f7d3-ce56-bc36-a16a15118117 at spamtrap.tnetconsulting.net> you write:
>> If AOL and Yahoo just used the quarantine option for DMARC, it wouldn’t 
>> have been quite as bad. But they ABUSED DMARC by their settings.
>I still don't grok what you are considering "abuse" in this context?
>Rather than speculating, please clarify what the abusive activity was.

Turning it on for aol.com, yahoo.com, and other domains with user
mailboxes, to outsource the pain of the spam they were getting due
to letting user address books be stolen.

>My understanding is that AOL and Yahoo leveraged DMARC to expressly 
>identify messages that originated from AOL and Yahoo.  Or said another 
>way, they leveraged DMARC to make it easy for receiving servers to 
>identify messages that are not being sent from AOL or Yahoo servers 
>/during/ that current SMTP transaction.

Right, thereby causing a great deal of entirely legitimate mail that
DMARC cannot describe to go missing, along with a certain amount of
spam.  We've been cleaning up their mess ever since.



>Did they do so knowing that there would likely be a problem with 
>traditional .forward(ing) and mailing lists?  Quite likely.  Was an 
>internal business decision made that publishing such information and 
>dealing with the ramifications of .forward(ing) and mailing lists more 
>important than allowing bad actors to continue pretending to be AOL or 
>Yahoo?  Extremely likely.

Yes, they explicitly decided that the costs they imposed on
innocent bystanders were Not Their Problem.

More information about the Mailman-Users mailing list