Friday, April 11, 2014

IETF: Yahoo breaks every mailing list in the world including the IETF's

h/t Hacker News

Yahoo recently upgraded the "security" of their mail servers in an attempt to curb spam. Unfortunately, they decided to use a protocol that is still under development, has serious known problems, and they configured it for maximum paranoia. The result is that they reject nearly all mailing-list traffic (legitimate or otherwise) that comes from a Yahoo user, potentially crippling the lists themselves. (Except for lists hosted by Yahoo's own servers, of course.)

John Levine writes, in a message to an IETF mailing list:

DMARC lets a domain owner make assertions about the From: address, in particular that mail with their domain on the From: line will have a DKIM signature with the same domain, or a bounce address in the same domain that will pass SPF. They can also offer policy advice about what to do with mail that doesn't have matching DKIM or SPF, ranging from nothing to reject the mail in the SMTP session. The assertions are in the DNS.

Mailing lists are a particular weak spot for DMARC. Lists invariably use their own bounce address in their own domain, so the SPF doesn't match. Lists generally modify messages via subject tags, body footers, attachment stripping, and other useful features that break the DKIM signature. So on even the most legitimate list mail like, say, the IETF's, most of the mail fails the DMARC assertions, not due to the lists doing anything "wrong".

The reason this matters is that over the weekend Yahoo published a DMARC record with a policy saying to reject all mail that fails DMARC. I noticed this because I got a blizzard of bounces from my church mailing list, when a subscriber sent a message from her account, and the list got a whole bunch of rejections from gmail, Yahoo, Hotmail, Comcast, and Yahoo itself. This is definitely a DMARC problem; the bounces say so.

The problem for mailing lists isn't limited to the Yahoo subscribers. Since Yahoo mail provokes bounces from lots of other mail systems, innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo subscribers' messages, but all those bounces are likely to bounce them off the lists. A few years back we had a similar problem due to an overstrict implementation of DKIM ADSP, but in this case, DMARC is doing what Yahoo is telling it to do.

  • Suspend posting permission of all addresses, to limit damage
  • Tell Yahoo users to get a new mail account somewhere else, pronto, if they want to continue using mailing lists
  • If you know people at Yahoo, ask if perhaps this wasn't such a good idea

This would be funny if it wasn't affecting so many people.

I'm just glad that my Yahoo account is only used to subscribe to Yahoo-hosted mailing lists. All of my other lists go elsewhere.
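The DMARC alignment check Levine describes in the quoted message, worked through as an added example that is not part of the original post or of any real DMARC implementation. The DMARC records, domain names and the simplified organizational-domain rule are constructed assumptions; it shows why the same message passes when sent directly but fails (and, under p=reject, is rejected) once a list re-signs it and uses its own bounce address.

```python
# Constructed DMARC TXT records for the From: domain (not any real domain's record).
# p= is the policy advice for failing mail; adkim/aspf select strict (s) or relaxed (r) alignment.
SAMPLE_DMARC_RECORDS = {
    "yahoo.example": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "lenient.example": "v=DMARC1; p=none",
}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    # Simplified organizational domain (assumption): the last two labels.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Does the authenticated domain align with the From: domain under the given mode?"""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, dkim_domain, dkim_valid, spf_domain, spf_pass,
                   records=SAMPLE_DMARC_RECORDS):
    """Return (dmarc_result, disposition) for one message."""
    record = records.get(from_domain.lower())
    if record is None:
        return ("none", "accept")  # no policy published: DMARC does not apply
    tags = parse_dmarc(record)
    dkim_ok = dkim_valid and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return ("pass", "accept")
    policy = tags.get("p", "none")
    return ("fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept"))

def mailing_list_scenario(from_domain, list_domain):
    """Compare a direct send with the same message relayed through a mailing list."""
    # Direct: the author's server signs with the From: domain and the bounce address matches it.
    direct = evaluate_dmarc(from_domain, from_domain, True, from_domain, True)
    # Via the list: subject tag/footer breaks the author's signature, the list signs with its
    # own domain, and the bounce address is in the list's domain, so nothing aligns.
    via_list = evaluate_dmarc(from_domain, list_domain, True, list_domain, True)
    return direct, via_list
```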
