Home / Blogs

Yahoo Addresses a Security Problem by Breaking Every Mailing List in the World

DMARC is what one might call an emerging e-mail security scheme. It’s emerging pretty fast, since many of the largest mail systems in the world have already implemented it, including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.

DMARC lets a domain owner make assertions about mail that has their domain in the address on the ‘From:’ line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation. The domain owner can also offer policy advice about what to do with mail that doesn’t have matching DKIM or SPF, ranging from nothing to reject the mail in the SMTP session. The assertions are in the DNS, in a TXT record at _dmarc.domain. You can see mine at _dmarc.taugh.com.

For a lot of mail, notably bulk mail sent by companies, DMARC works great. For other kinds of mail it works less great, because like every mail security system, it has an implicit model of the way mail is delivered that is similar but not identical to the way mail is actually delivered.

Mailing lists are a particular weak spot for DMARC. Lists invariably use their own bounce address in their own domain so they can collect the error reports from list mail, so the SPF doesn’t match. Lists generally modify messages via subject tags, body footers, attachment stripping, and other useful features that break the DKIM signature. So on even the most legitimate list mail, most of the mail fails the DMARC assertions, not due to the lists doing anything “wrong”.

The reason this matters is that over the weekend Yahoo published a DMARC record with a policy saying to reject all yahoo.com mail that fails DMARC. I noticed this because I got a blizzard of bounces from my church mailing list, when a subscriber sent a message from her yahoo.com account, and the list got a whole bunch of rejections from gmail, Hotmail, Comcast, and Yahoo itself. This is definitely a DMARC problem, the bounces say so.

The problem for mailing lists isn’t limited to the Yahoo subscribers. Since Yahoo mail provokes bounces from lots of other mail systems, innocent subscribers at Gmail, Hotmail, etc. not only won’t get Yahoo subscribers’ messages, but all those bounces are likely to bounce them off the lists. A few years back we had a similar problem due to an overstrict implementation of DKIM ADSP, but in this case, DMARC is doing what Yahoo is telling it to do.

The DMARC mailing list issue has been argued at length among us nerds, and one of the counter arguments has been that mail systems know who is sending mailing list mail, so they will whitelist those lists or otherwise avoid the problem. We now know that is not true. I’ve been running lists for years, no spam at all (they’re all noncommercial stuff like my church, CAUCE’s newsletter, and a group of folk dancers), and every possible technical feature including DKIM, SPF, correct forward and reverse DNS, you name it. As noted above it didn’t help, and I have heard from many other list managers with the same problem, thanking me for explaining what happened.

I understand, from the always interesting Word to the Wise blog, that Yahoo has severe phishing problems, with crooks sending mail to Yahoo users, pretending to be yahoo.com administrators. Yahoo chased the crooks off their own servers, so now the crooks are (as I understand it) sending mail to Yahoo from the outside, pretending to be Yahoo. While I sympathize with their problems, and this is not exactly swatting a fly with a sledgehammer, it’s a nail that needs a regular hammer, and the sledgehammer is demolishing the surrounding plaster every time it whacks the nail. Concretely, Yahoo should be able to figure out ways to reject non-Yahoo mail going into their own servers without abusing DMARC to screw up everyone else.

I hope they get their act together, but in the meantime here are some suggestions for people who run mailing lists or other mail software that might legitimately pass on a yahoo.com message:

• Suspend posting permission of all yahoo.com addresses on any mailing lists you run, to limit the damage.

• Tell Yahoo users to get a new mail account somewhere else, pronto, if they want to continue using mailing lists.

• If you have source code for your list software, as a band-aid, see if you can add a hack to check for yahoo.com From: addresses and change them to something like “Address redacted”, which will avoid triggering DMARC. I did that on my lists.

• If you know people at Yahoo, ask if perhaps this wasn’t such a good idea.

By John Levine, Author, Consultant & Speaker

Filed Under

Comments

Those workaround is still weak Alessandro Vesely  –  Apr 9, 2014 4:40 PM

Changing the From: address was discussed many times as a workaround for DKIM+ADSP.  The conclusion seemed to imply that that would create more problems than it would solve.  Eventually, ADSP was demoted to historic.

DMARC seems to have more momentum than ADSP ever enjoyed.  Yet, I’m surprised to hear that the same technique which was considered bad then is now being re-proposed as a tolerable workaround, especially since you used to be among the most skeptical pundits when it came to changing well established mailing list behaviors.

How much worthiness can this Yahoo! move detract from DMARC policies?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC