Internet and e-mail policy and practice
including Notes on Internet E-mail


2014
Months
Apr

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Email

07 Apr 2014

Yahoo addresses a security problem by breaking every mailing list in the world Email

DMARC is what one might call an emerging e-mail security scheme. It's emerging pretty fast, since many of the largest mail systems in the world have already implemented it, including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.

DMARC lets a domain owner make assertions about mail that has their domain in the address on the From: line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation. The domain owner can also offer policy advice about what to do with mail that doesn't have matching DKIM or SPF, ranging from nothing to reject the mail in the SMTP session. The assertions are in the DNS, in a TXT record at _dmarc.domain. You can see mine at _dmarc.taugh.com.

For a lot of mail, notably bulk mail sent by companies, DMARC works great. For other kinds of mail it works less great, because like every mail security system, it has an implicit model of the way mail is delivered that is similar but not identical to the way mail is actually delivered.

Mailing lists are a particular weak spot for DMARC. Lists invarably use their own bounce address in their own domain so they can collect the error reports from list mail, so the SPF doesn't match. Lists generally modify messages via subject tags, body footers, attachment stripping, and other useful features that break the DKIM signature. So on even the most legitimate list mail, most of the mail fails the DMARC assertions, not due to the lists doing anything "wrong".

The reason this matters is that over the weekend Yahoo published a DMARC record with a policy saying to reject all yahoo.com mail that fails DMARC. I noticed this because I got a blizzard of bounces from my church mailing list, when a subscriber sent a message from her yahoo.com account, and the list got a whole bunch of rejections from gmail, Hotmail, Comcast, and Yahoo itself. This is definitely a DMARC problem, the bounces say so.

The problem for mailing lists isn't limited to the Yahoo subscribers. Since Yahoo mail provokes bounces from lots of other mail systems, innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo subscribers' messages, but all those bounces are likely to bounce them off the lists. A few years back we had a similar problem due to an overstrict implementation of DKIM ADSP, but in this case, DMARC is doing what Yahoo is telling it to do.

The DMARC mailing list issue has been argued at length among us nerds, and one of the counter arguments has been that mail systems know who is sending mailing list mail, so they will whitelist those lists or otherwise avoid the problem. We now know that is not true. I've been running lists for years, no spam at all (they're all noncommercial stuff like my church, CAUCE's newsletter, and a group of folk dancers), and every possible technical feature including DKIM, SPF, correct forward and reverse DNS, you name it. As noted above it didn't help, and I have heard from many other list managers with the same problem, thanking me for explaining what happened.

I understand, from the always interesting Word to the Wise blog, that Yahoo has severe phishing problems, with crooks sending mail to Yahoo users, pretending to be yahoo.com administrators. Yahoo chased the crooks off their own servers, so now the crooks are (as I understand it) sending mail to Yahoo from the outside, pretending to be Yahoo. While I sympathize with their problems, and this is not exactly swatting a fly with a sledgehammer, it's a nail that needs a regular hammer, and the sledgehammer is demolishing the surrounding plaster every time it whacks the nail. Concretely, Yahoo should be able to figure out ways to reject non-Yahoo mail going into their own servers without abusing DMARC to screw up everyone else.

I hope they get their act together, but in the meantime here are some suggestions for people who run mailing lists or other mail software that might legitimately pass on a yahoo.com message:

  • Suspend posting permission of all yahoo.com addresses on any mailing lists you run, to limit the damage.
  • Tell Yahoo users to get a new mail account somewhere else, pronto, if they want to continue using mailing lists.
  • If you have source code for your list software, as a band-aid, see if you can add a hack to check for yahoo.com From: addresses and change them to something like "Address redacted", which will avoid triggering DMARC. I did that on my lists.
  • If you know people at Yahoo, ask if perhaps this wasn't such a good idea.

  posted at: 21:21 :: permanent link to this entry :: 9 comments
Stable link is https://jl.ly/Email/yahoobomb.html

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
Spam trends update for Sep-Nov 2023
55 days ago

A keen grasp of the obvious
Italian Apple Cake
553 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

My Mastodon feed



© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.