Re: Yahoo DMARC breakage

[Jim Popovitch]

On Fri, Apr 25, 2014 at 12:12 PM, Jim Popovitch  wrote:
> On Fri, Apr 25, 2014 at 12:00 PM, Jim Popovitch  wrote:
>> Just a heads up to interested parties... Google seems to now be
>> bouncing where From: is another gmail account.  But it seems to be
>> inconsistent.  If you are reading this on a gmail account please let
>> me know.
>>
>> -Jim P.
>
> A few people have indicated to me that they are NOT seeing issues with
> GMail.  Just to be clear, what I am seeing a pattern of gmail users
> sending email to mailinglists and every outbound email to other gmail
> users logs this:
>
> Apr 24 18:19:20 svr5 postfix/smtp[32546]: BB2F73F2E3:
> to=,
> relay=gmail-smtp-in.l.google.com[74.125.201.109]:25, delay=27,
> delays=0/27/0.44/0.06, dsn=5.5.1, status=bounced (host
> gmail-smtp-in.l.google.com[74.125.201.109] said: 530-5.5.1
> Authentication Required. Learn more at 530 5.5.1
> http://support.google.com/mail/bin/answer.py?answer=14257
> hi8sm834730igb.8 - gsmtp (in reply to MAIL FROM command))
>
> It's as though Gmail wants a mailinglist to authenticate to send email
> to gmail recipients. :-)
>
> It's not persistent, it's just happened a few times in past 2 days,
> generally in the AM.

And it just happened again.  Can someone from Google please tell me
what to do when your inbound MX (port 25!) tells me to authenticate
mailinglist traffic to your clients.  Who's credentials should Mailman
use? lol.

Apr 25 22:22:23 svr5 postfix/smtp[1544]: 9CFA73F5BF:
to=<*@icaro.com.br>,
relay=aspmx.l.google.com[74.125.201.109]:25, delay=167,
delays=0/167/0.51/0.06, dsn=5.5.1, status=bounced (host
aspmx.l.google.com[74.125.201.109] said: 530-5.5.1 Authentication
Required. Learn more at 530 5.5.1
http://support.google.com/mail/bin/answer.py?answer=14257
m1sm33010igx.13 - gsmtp (in reply to MAIL FROM command))

-Jim P.

Re: Yahoo DMARC breakage

[Jim Popovitch]

On Fri, Apr 25, 2014 at 12:00 PM, Jim Popovitch  wrote:
> Just a heads up to interested parties... Google seems to now be
> bouncing where From: is another gmail account.  But it seems to be
> inconsistent.  If you are reading this on a gmail account please let
> me know.
>
> -Jim P.

A few people have indicated to me that they are NOT seeing issues with
GMail.  Just to be clear, what I am seeing a pattern of gmail users
sending email to mailinglists and every outbound email to other gmail
users logs this:

Apr 24 18:19:20 svr5 postfix/smtp[32546]: BB2F73F2E3:
to=,
relay=gmail-smtp-in.l.google.com[74.125.201.109]:25, delay=27,
delays=0/27/0.44/0.06, dsn=5.5.1, status=bounced (host
gmail-smtp-in.l.google.com[74.125.201.109] said: 530-5.5.1
Authentication Required. Learn more at 530 5.5.1
http://support.google.com/mail/bin/answer.py?answer=14257
hi8sm834730igb.8 - gsmtp (in reply to MAIL FROM command))

It's as though Gmail wants a mailinglist to authenticate to send email
to gmail recipients. :-)

It's not persistent, it's just happened a few times in past 2 days,
generally in the AM.

-Jim P.

Re: Yahoo DMARC breakage

[Franck Martin]

On Apr 20, 2014, at 4:07 PM, Scott Howard  wrote:

> On Sun, Apr 20, 2014 at 3:01 PM, Franck Martin  wrote:
> why does this list break DKIM when forwarding?
> 
> From the Gmail headers your email :
> 
>  Authentication-Results: mx.google.com;
>spf=neutral (google.com: nanog-bounces+scott=example@nanog.org 
> does not designate permitted sender hosts) 
> smtp.mail=nanog-bounces+scott=example@nanog.org;
>dkim=pass header.i=@linkedin.com;
>dmarc=pass (p=REJECT dis=NONE) header.from=linkedin.com
> 
>   Scott
> 

Sure as long as I make sure my post is plain text only which you know is not 
anymore a standard on many email clients (and not configureable on many mobile 
mail clients).

So if this list stops to strip the HTML mime part it will pass DMARC in all 
cases.



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: Yahoo DMARC breakage

[Dave Crocker]

On 4/9/2014 8:00 PM, Andrew Sullivan wrote:

On Wed, Apr 09, 2014 at 12:27:55PM -0500, Dave Crocker wrote:


>But it's the result of an informed
>corporate choice rather than software or operations error.

Why do you think (it seems to me you've said it more than once) that
this was "informed" choice?



Sorry for not responding when you posted this; I missed it.

The answer is that Yahoo was an active participant in the creation of 
DMARC and the applicability and limitations of the design were well and 
fully discussed.


Many times.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Re: Yahoo DMARC breakage

[Franck Martin]

Sure as long as I make sure my post is plain text which you know is not anymore 
a standard on many email clients.

So if this lists stop to strip the HTML mime part it will pass DMARC regardless 
of the email client defaults.

Toute connaissance est une réponse à une question.

On Apr 20, 2014, at 16:07, "Scott Howard" 
mailto:sc...@doc.net.au>> wrote:

On Sun, Apr 20, 2014 at 3:01 PM, Franck Martin 
mailto:fmar...@linkedin.com>> wrote:
why does this list break DKIM when forwarding?

>From the Gmail headers your email :

 Authentication-Results: mx.google.com;
   spf=neutral (google.com: 
nanog-bounces+scott=example@nanog.org does 
not designate permitted sender hosts) 
smtp.mail=nanog-bounces+scott=example@nanog.org;
   dkim=pass header.i=@linkedin.com;
   dmarc=pass (p=REJECT dis=NONE) 
header.from=linkedin.com

  Scott

Re: Yahoo DMARC breakage

[Scott Howard]

On Sun, Apr 20, 2014 at 3:01 PM, Franck Martin  wrote:

> why does this list break DKIM when forwarding?
>

>From the Gmail headers your email :

 Authentication-Results: mx.google.com;
   spf=neutral (google.com:
nanog-bounces+scott=example.com@nanog.orgdoes not designate permitted
sender hosts) smtp.mail=nanog-bounces+scott=
example@nanog.org;
   dkim=pass header.i=@linkedin.com;
   *dmarc=pass* (p=REJECT dis=NONE) header.from=linkedin.com

  Scott

Re: Yahoo DMARC breakage

[Franck Martin]

On Apr 20, 2014, at 3:08 PM, Barney Wolff  wrote:

> On Sun, Apr 20, 2014 at 10:01:38PM +, Franck Martin wrote:
>> So I believe, if this list was not stripping the HTML part of the emails, as 
>> it does not add a subject tag nor a footer, then DKIM would survive the list 
>> and all would be fine?
>> 
>> why does this list break DKIM when forwarding?
> 
> My system says your message passed DKIM and DMARC.  Perhaps that's because
> linkedin.com does not publish an SPF record.

Linkedin.com publishes an SPF record, but the list change the envelope from, so 
while they may be an SPF pass it won’t be aligned.

If I send this email in plain text, DKIM survives, therefore DMARC pass.
If I send this email with plain text and html, the list strips the HTML and 
DKIM fails. Therefore DMARC fails

DMARC=(SPF OR DKIM pass) with domain alignment.

The ASCII blue ribbon campaign officially ended in june 2013, time to move with 
the times… ;)
http://en.wikipedia.org/wiki/ASCII_Ribbon_Campaign



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: Yahoo DMARC breakage

[staticsafe]

On 4/20/2014 18:08, Barney Wolff wrote:
> On Sun, Apr 20, 2014 at 10:01:38PM +, Franck Martin wrote:
>> So I believe, if this list was not stripping the HTML part of the emails, as 
>> it does not add a subject tag nor a footer, then DKIM would survive the list 
>> and all would be fine?
>>
>> why does this list break DKIM when forwarding?
> 
> My system says your message passed DKIM and DMARC.  Perhaps that's because
> linkedin.com does not publish an SPF record.
> 

They actually do:
linkedin.com.   86400   IN  SPF "v=spf1 ip4:8.18.31.21
ip4:8.18.31.22 ip4:69.28.149.0/24 ip4:199.101.160.0/25
ip4:199.101.162.0/25 ip4:108.174.3.0/24 ip6:2620:109:c006:104::/64
ip4:216.136.162.65 mx mx:docusign.net ~all"

-- 
staticsafe
https://asininetech.com

Re: Yahoo DMARC breakage

[Barney Wolff]

On Sun, Apr 20, 2014 at 10:01:38PM +, Franck Martin wrote:
> So I believe, if this list was not stripping the HTML part of the emails, as 
> it does not add a subject tag nor a footer, then DKIM would survive the list 
> and all would be fine?
> 
> why does this list break DKIM when forwarding?

My system says your message passed DKIM and DMARC.  Perhaps that's because
linkedin.com does not publish an SPF record.

Re: Yahoo DMARC breakage

[Franck Martin]

So I believe, if this list was not stripping the HTML part of the emails, as it 
does not add a subject tag nor a footer, then DKIM would survive the list and 
all would be fine…

why does this list break DKIM when forwarding?


signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: Yahoo DMARC breakage

[Jay Hennigan]

On 4/10/14 4:29 AM, Rich Kulawiec wrote:
> An aside:
> 
> On Wed, Apr 09, 2014 at 05:15:59PM -0400, William Herrin wrote:
>> Maybe this is a good thing - we can stop getting all the "sorry I'm
>> out of the office" emails when posting to a list.
> 
> I entirely support that goal, but my preferred solution is the complete
> eradication of the software (a lot of which makes mistakes that have
> been well-known as mistakes for decades) and thus the entire practice
> of setting up "out of office" messages.

As long as we're talking about complete eradication of software, please
include inane disclaimers sent to lists (as well as private email).

This type of thing

NOTICE:  This communication may contain confidential and/or privileged
information.  If you are not the intended recipient or believe that you
have received this communication in error you are obligated to kill
yourself and anyone else who may have read it, not necessarily in that
order.  So there.  My disclaimer is scarier than yours.  Nyaah.  You
started this silly nonsense.  Knock it off and I will too, ok?  It's
worthless from a legal standpoint and is responsible for the needless
suffering of billions of innocent electrons.  Nobody reads it anyway.
You're not actually reading this, are you?  I didn't think so.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

Re: Yahoo DMARC breakage

[Rich Kulawiec]

On Thu, Apr 10, 2014 at 03:22:24PM -0400, Kee Hinckley wrote:
> I suspect they looked at the amount of spam they could stop [...]

Which is, to a very good first approximation, zero.

Nearly all (at least 99% and likely quite a bit more) of the spam [as
observed by my numerous spamtraps] that purports to originate from Yahoo
really *does* originate from Yahoo.  All that I have to do to verify that
is to look at the originating host -- that is, it's not necessary to
check DMARC or anything else.

There are several reasons for this.  First, Yahoo has done an absolutely
miserable job of outbound abuse control.  For over a decade.  Second,
they've done a correspondingly miserable job of handling abuse reports,
so even when one of their victims is kind and generous enough to do
their work for them and tell them that they have a problem...they don't
pay attention and they don't take any action.  (Or they fire back a
clueless boilerplate denial that it was their user on their host on
their network...even though it was all three.)  Also for over a decade.
Third, why would any spammer forge a @yahoo.com address when it's easy
enough to buy hijacked accounts by the bucketful -- or to use any of the
usual exploits to go get some?  Fourth, at least some spammers seem to have
caught on that Yahoo isn't *worth* forging: it's a toxic cesspool because
the people running it have allowed it to be become one.

So let's not pretend that this has anything to do with stopping spam.
If Yahoo actually wanted to do something about spam, they could have
done that years and years ago simply by *paying attention* to what was
going on inside their own operation.

---rsk

Re: ID10T out of office responders (was Re: Yahoo DMARC breakage)

[Jethro R Binks]

On Fri, 11 Apr 2014, Tei wrote:

> Suppose I configure my email to send a "Thanks, we have received your
> email, we will reply shortly in office hours.". Whats the Holy Headers
> so even poorly configured servers don't cause a AutoReply Storm?
> Googling, I found "Precedence", "X-Auto-Response-Suppress",..? For
> something like this, normally I would scan lots of opensource projects
> in  www.google.com/codesearch  (so I can learn from the projects with
> a large number of hours in production)  , but seems down at the
> moment.

If that's what you want to do, then setting one or more of these may help:

  Auto-submitted: auto-generated
  X-Auto-Response-Suppress: OOF
  Precendence: bulk

(Other values of the last two are possible).

RFC3834 is background reading and references Auto-submitted:.  
X-Auto-Response-Suppress: is used by MS Exchange/Outlook.

But if those servers really are "poorly configured", there's no guarantee 
they will honour any of those anyway.

If you want more control for yourself, you need to filter the return 
messages out.  I do this in Exim to identify "automatically generated 
email" to be thrown away in some circumstances:

  condition = ${if or { \
{ match {$h_precedence:} {(?i)junk|bulk|list} } \
{ eq {$sender_address} {} } \
{ def:header_X-Cron-Env: } \
{ def:header_Auto-Submitted: } \
{ def:header_List-Id: } \
{ def:header_List-Help: } \
{ def:header_List-Unsubscribe: } \
{ def:header_List-Subscribe: } \
{ def:header_List-Owner: } \
{ def:header_List-Post: } \
{ def:header_List-Archive: } \
{ def:header_Autorespond: } \
{ def:header_X-Autoresponse: } \
{ def:header_X-Autoreply-From: } \
{ def:header_X-eBay-MailTracker: } \
{ def:header_X-MaxCode-Template: } \
{ match {$h_X-Auto-Response-Suppress: } {OOF} } \
{ match {$h_X-OS:} {HP Onboard Administrator} } \
{ match {$h_X-MimeOLE:} {\N^Produced By phpBB2$\N} } \
{ match {$h_Subject:} {\N^Yahoo! Auto Response$\N} } \
{ match {$h_Subject:} {\N^ezmlm warning$\N} } \
{ match {$h_X-FC-MachineGenerated:} {true} } \
{ match {$h_X-Spam-Flag:} {\N^yes\N} } \
{ match {$message_body} {\N^Your \"cron\" job on\N} } \
{ match {$h_Subject:} {\N^Out of Office\N} } \
{ match {$h_Subject:} {\N^Auto-Reply:\N} } \
{ match {$h_Subject:} {\N^Autoresponse:\N} } \
{ match {$h_Subject:} {\N(Auto Reply)$\N} } \
{ match {$h_Subject:} {\N(Out of Office)$\N} } \
{ match {$h_Subject:} {\Nis out of the office.$\N} } \
{ match {$h_From:} {\N(via the vacation program)\N } } \
{ ! match {$header_To: $header_CC: $header_Bcc: \
 $header_Resent-To: $header_Resent-Cc: $header_Resent-Bcc:} \
} \
   } {no} {yes} \
   }

(I have not reviewed this for a very long time).  Be careful.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

Re: ID10T out of office responders (was Re: Yahoo DMARC breakage)

[Tei]

So

Suppose I configure my email to send a "Thanks, we have received your
email, we will reply shortly in office hours.". Whats the Holy Headers
so even poorly configured servers don't cause a AutoReply Storm?
Googling, I found "Precedence", "X-Auto-Response-Suppress",..? For
something like this, normally I would scan lots of opensource projects
in  www.google.com/codesearch  (so I can learn from the projects with
a large number of hours in production)  , but seems down at the
moment.



-- 
--
ℱin del ℳensaje.

ID10T out of office responders (was Re: Yahoo DMARC breakage)

[Larry Sheldon]

On 4/10/2014 6:29 AM, Rich Kulawiec wrote:

On Wed, Apr 09, 2014 at 05:15:59PM -0400, William Herrin wrote:

Maybe this is a good thing - we can stop getting all the "sorry I'm
out of the office" emails when posting to a list.


I entirely support that goal, but my preferred solution is the complete
eradication of the software (a lot of which makes mistakes that have
been well-known as mistakes for decades) and thus the entire practice
of setting up "out of office" messages.


[relevant discussion]


But I think by now everyone who is capable of being educated has been
educated and realizes that the one of the reasons for the absence of a
response is that the recipient hasn't seen the relevant message yet.
There's really no need to spin the roulette wheel and hope that the
combination of MUAs and MTAs on both ends is functional enough to enable
the out-of-office software (optimistically presuming it's halfway sane)
to figure out what it should do.


And the truly paranoid that are scared to death that nobody will miss 
them, have learned to forward the flow to a device that is never "out of 
the office".  (I have filters on the two accounts whose mail I EVER read 
that forward mail from named sources to my BlackBerry.  My Kindle gets 
copies af all mail sent to those two accounts (mostly since I have been 
to lazy to set up the filtered stream and I almost never look at it anyway).



And that's before we even get to the security and privacy issues
that are in play, which are substantial.


And that is where I started.  In every other part of my life the 
conventional wisdom has been "do NOT put a thing on the Sassiety page 
about your up-coming around-the-world cruise and the camera equipment 
you have bought for the trip",  "Leave lights and a radio on timers", 
"stop the mil and the newspapers", "get somebody to mow the lawn and 
pick up the trash every few days", "have somebody down the street park 
their car in your driveway"and so on.


Why on G*ds blue Earth would I want put up posters and flyers that say 
"need a stapler?  I just got a new one.",  "I won't be looking for my 
desk chair for a while.", and "If your keyboard fails,.."?



So while there are numerous approaches to solving the problem of
errant out-of-office messages, and some of those approaches work
pretty well in the field, I would prefer to kill the problem by
attacking the source: the *existence* of out-of-office autoresponders.


Amen


--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)

Re: Yahoo DMARC breakage

[Geoffrey Keating]

Andrew Sullivan  writes:

> I think DMARC is mostly useful when used correctly.  There is no BCP
> yet...

There is, however, BCP167/RFC6377 covering DKIM and mailing lists.
Some relevant sections are 4.1 and 5.3:

4.1:
   ... site administrators wishing to
   employ ADSP with a "discardable" setting SHOULD separate the
   controlled mail stream warranting this handling from other mail
   streams that are less controlled, such as personal mail that transits
   MLMs [Mailing List Managers].  

5.3:
   At subscription time, an ADSP-aware MLM SHOULD check for a published
   ADSP record for the new subscriber's domain.  If the policy specifies
   "discardable", the MLM SHOULD disallow the subscription or present a
   warning...

Re: Yahoo DMARC breakage

[Kee Hinckley]

On 10 Apr 2014, at 9:49, Dave Crocker wrote:
Unfortunately, that has no relationship to do with the current 
situation.  Again:  Yahoo was fully aware of the implications of its 
choice.


I suspect they looked at the amount of spam they could stop, the number 
of Yahoo email users, and the number of Yahoo users using mailing lists, 
and said "That's just noise, it doesn't matter."


It happens to be very loud noise, but it's still tiny compared to the 
overall number of email users.

Re: Yahoo DMARC breakage

[Michael Thomas]

On 04/09/2014 06:04 PM, Miles Fidelman wrote:


Especially after reading some of the discussions on the DMARC mailing 
list where it's clear that issues of breaking mailing lists were 
explicitly ignored and dismissed.


There's been 10 years of ostrichism about policy and mailing lists, 
especially from the crowd

who were against ADSP until they were for it.

Mike

Re: Yahoo DMARC breakage

[Valdis . Kletnieks]

On Thu, 10 Apr 2014 07:56:16 -0700, Michael Thomas said:
> but I can't see what the point is in defending the idiocy as being some
> sort of sacred right.

I'm sure Randy Bush would defend his competitor's right to run their networks
that way. :)


pgpPc4rzVLYWF.pgp
Description: PGP signature

Re: Yahoo DMARC breakage

[Michael Thomas]

On 04/09/2014 09:54 PM, Jimmy Hess wrote:

Basic functionality is seriously and utterly broken ---  that DMARC doesn't
have a good answer for such situations, is a major indicator of its
immaturity,  in the sense that it is "Too specific" a solution and cannot
apply to e-mail in general.


DMARC is nothing more than warmed over ADSP which itself didn't have
a pat answer for mailing list traversal. For transactional mail ADSP was
just fine, but for regular mail the signing policy was meant to be a 
guide for

other heuristics. It says nothing more than "i sign my mail outgoing", so
what do you do if the signature is broken? If you want to take a hard line,
then you are going to get all kinds of false positives... this has been 
known
for 10 years at least. I'd be surprised to hear that Y! of all people 
was doing

that, but it's their pissed off users' problem. Vote with your feet.



If it were mature: a mechanism would be provided that would allow mailing
lists to function  without breaking changes such as substituting From:.

An example of a solution  would be the use of a DKIM alternative  with not
a single signature for the entire message,  but only partial signing   of
  parts of the message: specifically identified headers  and/or specific
body elements,   to validate  that the message was really sent and certain
elements are genuine   and certain elements were modified by the
mailing list.


You can more or less do this with DKIM already, and get about 90%
of mailing list traffic to pass verification. The question is whether that's
enough. I have no idea whether Y! is doing the things I did to get that
pass rate.



The technical issue,  is that the immaturity of the related specs.   limits
   the decisions are available  for a particular domain   so,
essentially,  if you have certain kind of user traffic: you have to  incur
technical issues with mailing lists,  or forego using DMARC.

In other words:  much as you would like to dismiss as purely a managerial
decision  the decisions available to be made are entangled with
  the limitations of the  technical options that are available  for
mitigating spoofing,

AND the public's understanding thereof.


Crocker may have some further insight that we're not privy to, but using
signing policy on the general population as a raw instrument is well known
to be a bad idea for DKIM and SPF's policy mechanisms as well. SPF in 
particular
had a huge amount of blowback by punitive mail operators who didn't 
understand
the implications, at least in the early days. It may indeed be 
management idiocy,
but I can't see what the point is in defending the idiocy as being some 
sort of

sacred right.

Mike

Re: Yahoo DMARC breakage

[Dave Crocker]

On 4/10/2014 5:13 AM, Miles Fidelman wrote:

If I point a gun at you, and pull the trigger, but maybe shouldn't have
done that, the gun is not broken.


It occurs to me that, if you point a gun at me, aim at me, pull the
trigger, and hit someone standing 10 feet to my left - the gun IS broken
(or at least very poorly designed).



Unfortunately, that has no relationship to do with the current 
situation.  Again:  Yahoo was fully aware of the implications of its choice.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Re: Yahoo DMARC breakage

[Dave Crocker]

On 4/10/2014 5:05 AM, Tei wrote:

Your post advocates a

(*) technical ( ) legislative ( ) market-based ( ) vigilante



Since the nanog list isn't devoted to anti-spam work, folk might not 
know that you were calling upon the stellar web page developed by Cory 
Doctorow:


 http://craphound.com/spamsolutions.txt

As far as I know, he meant it strictly for humor.

However he did such a good job, it is common to point folk to it (or, as 
we've seen here, even fill it out) when the they declare that they have 
the FUSSP.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Re: Yahoo DMARC breakage

[Dave Crocker]

On 4/9/2014 11:54 PM, Jimmy Hess wrote:

Basic functionality is seriously and utterly broken ---  that DMARC
doesn't have a good answer for such situations, is a major indicator
of its immaturity,  in the sense that it is "Too specific" a solution
and cannot apply to e-mail in general.

If it were mature: a mechanism would be provided that would allow
mailing lists to function  without breaking changes such as
substituting From:.




On 4/9/2014 11:54 PM, Jimmy Hess wrote:> Basic functionality is
seriously and utterly broken ---  that DMARC doesn't

have a good answer for such situations, is a major indicator of its
immaturity,  in the sense that it is "Too specific" a solution and
cannot apply to e-mail in general.

If it were mature: a mechanism would be provided that would allow
mailing lists to function  without breaking changes such as
substituting From:.




Every tool has limitations.

An 18-wheeler truck is not broken or immature because it fails to corner 
like a Maserati.  A Maserati is not broken or immature because it does 
not have the carrying capacity of an 18-wheeler.


DMARC was designed to handle a particular usage scenario and its 
limitations have been carefully documented.



Or perhaps we need to declare email broken and immature because it does 
not (yet) satisfy a long list of entirely reasonable functional 
requirements, such as, ummm, author authentication?


Long deployment and use and deep knowledge don't matter; only satisfying 
someone's list of requirements does?



d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Re: Yahoo DMARC breakage

[Rich Kulawiec]

I agree to a large extent with your comments/observations, but I'd
like to focus on one point in particular:

On Wed, Apr 09, 2014 at 11:00:57PM -0400, Andrew Sullivan wrote:
> So, I'm trying to imagine the presentation slide on which appears the
> advice to implement the controversial adopted policy.  I imagine in
> big, giant print "Will reduce yahoo.com abuse effects" and in one of
> those secondary bullets "May have consequences" and even lower "for
> our users on mailing lists" and "for mailing list
> managers/non-company".  

This decision by Yahoo will have no effect whatsoever on the largest
abuse problem, which is outbound spam/phishing/malware/etc. *sourced*
by Yahoo.  Those messages are (and have been for a long time) dutifully
marked as authentic and in one sense they are: they really do originate
from Yahoo's operation.  But of course in a much more important operational
sense they're not: they're forgeries created by the new owners of hijacked
Yahoo user accounts.  And those accounts are being hijacked at will by
the millions, as they have been for many years.

Yahoo is not alone in permitting an enormous volume of such messages to
leave their operation and attack the rest of the Internet: Hotmail, Gmail,
and the rest do the same.  (Of course the rates vary, as do the targets.
My spamtraps see large rate fluctuations across networks, domains, ASNs, etc.
as well as through time.  I strongly suspect that individual measurements
at any one are essentially meaningless and that aggregation over a
sufficiently diverse set over a sufficiently long time is necessary to
construct a coherent, useful statistical model of what's really happening.)

In other words, this deployment might reduce abuse OF Yahoo, but it
will do nothing about the far more important problem of abuse BY Yahoo.

Which pretty much lives up to my expectations.

---rsk

Re: Yahoo DMARC breakage

[Rich Kulawiec]

An aside:

On Wed, Apr 09, 2014 at 05:15:59PM -0400, William Herrin wrote:
> Maybe this is a good thing - we can stop getting all the "sorry I'm
> out of the office" emails when posting to a list.

I entirely support that goal, but my preferred solution is the complete
eradication of the software (a lot of which makes mistakes that have
been well-known as mistakes for decades) and thus the entire practice
of setting up "out of office" messages.

Out-of-office notices might have had some relevance 20 or 30 years ago
when much of the population was new to email and had not yet grasped
in *any* sense how it works.  And when there was a large overlap
between "people who use email" and "people who read/send email
from their offices and only from their offices".

But I think by now everyone who is capable of being educated has been
educated and realizes that the one of the reasons for the absence of a
response is that the recipient hasn't seen the relevant message yet.
There's really no need to spin the roulette wheel and hope that the
combination of MUAs and MTAs on both ends is functional enough to enable
the out-of-office software (optimistically presuming it's halfway sane)
to figure out what it should do.

And that's before we even get to the security and privacy issues
that are in play, which are substantial.

So while there are numerous approaches to solving the problem of
errant out-of-office messages, and some of those approaches work
pretty well in the field, I would prefer to kill the problem by
attacking the source: the *existence* of out-of-office autoresponders.

---rsk

Re: Yahoo DMARC breakage

[Miles Fidelman]

Tei wrote:

Your post advocates a

(*) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it
won't work. (One or more of the following may apply to your particular


(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!


Right about now, I'm starting to lean toward:

(*) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Foisting this on the world, particularly as tax day approaches - heads 
should roll.


Sigh...

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: procmail, was autoresponding to Yahoo DMARC breakage

[Miles Fidelman]

All this talk about procmail leads me to ask:

- has anybody come up with a procmail recipe, or other mechanism to 
validate DKIM-signed mail and apply an Original-Authentication-Results 
header, at the MTA level?

- if so, does it work with Yahoo mail directed to mailing lists?
- if yes, can you share?!

(So far, all the folks I know who are trying to react, have been doing 
so via hacks to their list management software.  I'm hoping to attack 
the problem at a more accessible step in mail processing).


--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

re: Yahoo DMARC breakage

[Miles Fidelman]

at some point, Dave Crocker wrote:


If I point a gun at you, and pull the trigger, but maybe shouldn't have
done that, the gun is not broken.


It occurs to me that, if you point a gun at me, aim at me, pull the 
trigger, and hit someone standing 10 feet to my left - the gun IS broken 
(or at least very poorly designed).


Miles Fidelman


--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

re

Re: Yahoo DMARC breakage

[Tei]

Your post advocates a

(*) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it
won't work. (One or more of the following may apply to your particular
idea, and it may have other flaws which used to vary from state to
state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(*) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(*) Requires immediate total cooperation from everybody at once
(*) Many email users cannot afford to lose business or alienate
potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(*) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(*) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(*) Countermeasures should not involve sabotage of public networks
(*) Countermeasures must work if phased in gradually
( ) Sending email should be free
(*) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(*) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re: procmail, was autoresponding to Yahoo DMARC breakage

[Jack Bates]

On 4/9/2014 9:21 PM, George Michaelson wrote:

Aside from a horrid config notation. the main problem for me has always
been getting sysadmins to include the changes which expose envelope-sender
and envelope-recipient to procmail. Thats not procmail, its the way
procmail is typically called. Without it, some stuff simply cannot be done
because you don't know the values passed by protocol, only the values
exposed in header.

(this may have changed. I don't use it any more)



It can still be a problem, although I believe LMTP fixes this problem 
along with the others it was designed to fix.



Jack

Re: Yahoo DMARC breakage

[Jimmy Hess]

On Wed, Apr 9, 2014 at 8:04 PM, Miles Fidelman
wrote:
On 4/9/2014 7:25 PM, Miles Fidelman wrote:

> Yahoo! is choosing to apply the technology for usage scenarios that have
>> long been known to be problematic.  Again, they've made an
>
> In fact... it is too generous to say "known to be problematic".

Basic functionality is seriously and utterly broken ---  that DMARC doesn't
have a good answer for such situations, is a major indicator of its
immaturity,  in the sense that it is "Too specific" a solution and cannot
apply to e-mail in general.

If it were mature: a mechanism would be provided that would allow mailing
lists to function  without breaking changes such as substituting From:.

An example of a solution  would be the use of a DKIM alternative  with not
a single signature for the entire message,  but only partial signing   of
 parts of the message: specifically identified headers  and/or specific
body elements,   to validate  that the message was really sent and certain
elements are genuine   and certain elements were modified by the
mailing list.


> informed choice.  Whether it's justified and whether it was the right
>> choice is more of a political or management discussion than a technical one.
>>
>
The technical issue,  is that the immaturity of the related specs.   limits
  the decisions are available  for a particular domain   so,
essentially,  if you have certain kind of user traffic: you have to  incur
technical issues with mailing lists,  or forego using DMARC.

In other words:  much as you would like to dismiss as purely a managerial
decision  the decisions available to be made are entangled with
 the limitations of the  technical options that are available  for
mitigating spoofing,

AND the public's understanding thereof.


>
>> In technical terms, DMARC is reasonably simple and reasonably well
>> understood and extensively deployed.
>>
>
I would say reasonably simple.
Only well-understood by a very limited fraction of the population of mail
operators.
Not widely deployed;  particularly on domains serving end user mailboxes.



>
>> For most discussions, that qualifies as 'mature'...
>>
>>
> Especially after reading some of the discussions on the DMARC mailing list
> where it's clear that issues of breaking mailing lists were explicitly
> ignored and dismissed.


+1.

Common use case ignored and dismissed, is a pretty convincing indicator of
a lack of maturity with regads to the spec.




>  Miles Fidelman
>
>
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is.    Yogi Berra
>
>
>


-- 
-Mysid

Re: Yahoo DMARC breakage

[Andrew Sullivan]

Hi Dave,

On Wed, Apr 09, 2014 at 12:27:55PM -0500, Dave Crocker wrote:

> But it's the result of an informed
> corporate choice rather than software or operations error.

Why do you think (it seems to me you've said it more than once) that
this was "informed" choice?  If I go to http://dmarc.org/, and read
the "who can use?" part, there is no big warning there that domains
with a lot of random users from all over who might be posting to
mailing lists will have a complicated problem.  On the contrary, the
only "who" in that section is "everyone".  Also, the "why important"
part says "DMARC addresses these issues, helping email senders and
receivers work together to better secure emails, protecting users and
brands from painfully costly abuse."

And indeed, if I follow the link for the current specification from
http://dmarc.org/, there is rather little discussion of what happens
to users.  This is as it should be.  That's an Internet-Draft of the
protocol.  It might one day be published as an Independent Submission,
partly because those who developed DMARC didn't want to give control
to the IETF.  I get that, but it's sort of hard to know what it means
in terms of corporate "informed choice".  There's no applicability
statement I can see.

So, I'm trying to imagine the presentation slide on which appears the
advice to implement the controversial adopted policy.  I imagine in
big, giant print "Will reduce yahoo.com abuse effects" and in one of
those secondary bullets "May have consequences" and even lower "for
our users on mailing lists" and "for mailing list
managers/non-company".  We all know the Tufte observations about
PowerPoint; that doesn't make them less true.  I can even give the
presentation I imagine, and I don't work at the company in question.

I think DMARC is mostly useful when used correctly.  There is no BCP
yet, however, and that's partly because there's as yet no broad
experience with DMARC in what we might call "mostly-user domains":
there is no "CP" at all.  There is quite good experience in the areas
where DMARC was intended to be effective.  Good.  To pretend that
there's any experience outside that realm, in my opinion, generalizing
inappropriately.  I think responsible Internet deployment ought to
point that out.  I'm sure there will be those who disagree.

Best regards,

A

-- 
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448

Re: procmail, was autoresponding to Yahoo DMARC breakage

[George Michaelson]

Aside from a horrid config notation. the main problem for me has always
been getting sysadmins to include the changes which expose envelope-sender
and envelope-recipient to procmail. Thats not procmail, its the way
procmail is typically called. Without it, some stuff simply cannot be done
because you don't know the values passed by protocol, only the values
exposed in header.

(this may have changed. I don't use it any more)


On Thu, Apr 10, 2014 at 11:58 AM, John R. Levine  wrote:

> On 4/9/2014 5:45 PM, George Michaelson wrote:
>>
>>> procmail is a rewrite of MMDF mailfilter. badly.
>>>
>>
>  Thanks, but I believe it slightly preceded MMDF's equivalent facility. On
>> the average, Allman put comparable features into sendmail sooner than I did.
>>
>
> Procmail's user interface, if you can call it that, is beyond awful and
> looks like line noise.  But the code is great.
>
> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly

Re: procmail, was autoresponding to Yahoo DMARC breakage

[John R. Levine]

On 4/9/2014 5:45 PM, George Michaelson wrote:

procmail is a rewrite of MMDF mailfilter. badly.


Thanks, but I believe it slightly preceded MMDF's equivalent facility. On the 
average, Allman put comparable features into sendmail sooner than I did.


Procmail's user interface, if you can call it that, is beyond awful and 
looks like line noise.  But the code is great.


Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

smime.p7s
Description: S/MIME Cryptographic Signature

Re: autoresponding to Yahoo DMARC breakage

[John R. Levine]

On Wed, Apr 9, 2014 at 6:11 PM,   wrote:

and just how is an algorithm supposed to detect that
 is a single human and not a list?


If the autoresponder is sane, it looks for:

List-Id: North American Network Operators Group 


Yes, there are a lot of headers that give you a hint that a message is 
from a list.  But the heuristic to look for the recipient's address on the 
To: line works so well, along with a little rate limiting, that you don't 
really need anything else.


Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

smime.p7s
Description: S/MIME Cryptographic Signature

Re: Yahoo DMARC breakage

[Miles Fidelman]

Dave Crocker wrote:

On 4/9/2014 7:25 PM, Miles Fidelman wrote:

Dave Crocker wrote:

Everything they are doing is "legal".

Your (possibly entirely valid) assessment that their action is
ill-advised or unpleasant does not equal broken.


Well, sort of - given that DMARC is still an Internet draft, not even an
experimental standard.  Maybe it's doing what the draft says it is - but
it's an alpha-level protocol, that breaks a lot of things it touches. If
not "broken" it's certainly "not ready for prime time" - and large scale
deployment is akin to a DDoS attack - i.e., not "ill-advised" but
verging on criminal.



While IETF "full" standards status does indicate real deployment and 
serious technical maturity, IETF Proposed Standard does not mean 
mature or immature, given the varied history of work leading to Proposed.


SSL was quite mature, before the IETF did enhancements to produce TLS.

The IETF's version of DKIM was essentially v4 for the technology.

DMARC is estimated to currently cover roughly 60% of the world's email 
traffic.  As "not ready for prime time" goes, that's quite a lot of 
prime time.


Yahoo! is choosing to apply the technology for usage scenarios that 
have long been known to be problematic.  Again, they've made an 
informed choice.  Whether it's justified and whether it was the right 
choice is more of a political or management discussion than a 
technical one.


In technical terms, DMARC is reasonably simple and reasonably well 
understood and extensively deployed.


For most discussions, that qualifies as 'mature'...



Speaking as someone who runs a few dozen mailing lists, and based on 
discussions on mailops and admin lists for various listserver packages, 
I humbly suggest that, as John Levine put it:

"Yahoo breaks every mailing list in the world including the IETF's"
suggests something something other than "reasonably simple and 
reasonably well understood and extensively deployed" and "mature."


Especially after reading some of the discussions on the DMARC mailing 
list where it's clear that issues of breaking mailing lists were 
explicitly ignored and dismissed.


Miles Fidelman



--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: Yahoo DMARC breakage

[Dave Crocker]

On 4/9/2014 7:25 PM, Miles Fidelman wrote:

Dave Crocker wrote:

Everything they are doing is "legal".

Your (possibly entirely valid) assessment that their action is
ill-advised or unpleasant does not equal broken.


Well, sort of - given that DMARC is still an Internet draft, not even an
experimental standard.  Maybe it's doing what the draft says it is - but
it's an alpha-level protocol, that breaks a lot of things it touches. If
not "broken" it's certainly "not ready for prime time" - and large scale
deployment is akin to a DDoS attack - i.e., not "ill-advised" but
verging on criminal.



While IETF "full" standards status does indicate real deployment and 
serious technical maturity, IETF Proposed Standard does not mean mature 
or immature, given the varied history of work leading to Proposed.


SSL was quite mature, before the IETF did enhancements to produce TLS.

The IETF's version of DKIM was essentially v4 for the technology.

DMARC is estimated to currently cover roughly 60% of the world's email 
traffic.  As "not ready for prime time" goes, that's quite a lot of 
prime time.


Yahoo! is choosing to apply the technology for usage scenarios that have 
long been known to be problematic.  Again, they've made an informed 
choice.  Whether it's justified and whether it was the right choice is 
more of a political or management discussion than a technical one.


In technical terms, DMARC is reasonably simple and reasonably well 
understood and extensively deployed.


For most discussions, that qualifies as 'mature'...

d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Re: Yahoo DMARC breakage

[Miles Fidelman]

Dave Crocker wrote:

On 4/9/2014 3:05 PM, John Levine wrote:

In article <5345831b.4030...@dcrocker.net> you write:

Their implementation is not 'broken'.


I'd say it's pretty badly broken if Yahoo intends for their web mail
to continue to be a general purpose mail system for consumers. If
they want to make it something else, that's certainly their right, but
it would have been nice if they'd given us some advance warning so we
could take the yahoo.com addresses off our lists.



If I point a gun at you, and pull the trigger, but maybe shouldn't 
have done that, the gun is not broken.


Management decisions that are subject to criticism does not represent 
erroneous performance by the folks tasked with doing the task mandated.


Everything they are doing is "legal".

Your (possibly entirely valid) assessment that their action is 
ill-advised or unpleasant does not equal broken.


Well, sort of - given that DMARC is still an Internet draft, not even an 
experimental standard.  Maybe it's doing what the draft says it is - but 
it's an alpha-level protocol, that breaks a lot of things it touches.  
If not "broken" it's certainly "not ready for prime time" - and large 
scale deployment is akin to a DDoS attack - i.e., not "ill-advised" but 
verging on criminal.


Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: Yahoo DMARC breakage

[Jim Popovitch]

On Wed, Apr 9, 2014 at 8:12 PM, William Herrin  wrote:
> On Wed, Apr 9, 2014 at 6:11 PM,   wrote:
>> and just how is an algorithm supposed to detect that
>>  is a single human and not a list?
>
> If the autoresponder is sane, it looks for:
>
> List-Id: North American Network Operators Group 
> List-Unsubscribe: ,
>  
> List-Archive: 
> List-Post: 
> List-Help: 
> List-Subscribe: ,
>  
> Precedence: list

and if the autoresponder/MUA is smart it only autoresponds where To:
is the target address.

-Jim P.

Re: Yahoo DMARC breakage

[Jim Popovitch]

On Wed, Apr 9, 2014 at 8:02 PM, Jeff Kell  wrote:
>> Date: Wed, 9 Apr 2014 18:22:51 -0500
>> From: Larry Sheldon 
>> Organization: Maybe tomorrow
>> User-Agent: Mozilla/5.0 (Windows NT 5.1;
>>  rv:24.0) Gecko/20100101 Thunderbird/24.4.0
>> To: 
>> Subject: Re: Yahoo DMARC breakage

It's also worth mentioning that if someone else's previous advice
is/was followed (about changing the MLM From: to a generic list
address) there would be no way to killfile someone, filter by name,
NOR any sense to long threaded discussions where MUAs do quoting and
others copy+paste.   In Mailinglists, rfc5322.From: is sacred  (and
according to RFC 5322 so are Sender and Reply-To, which DMARC
conveniently disregard)

-Jim P.

Re: Yahoo DMARC breakage

[William Herrin]

On Wed, Apr 9, 2014 at 6:11 PM,   wrote:
> and just how is an algorithm supposed to detect that
>  is a single human and not a list?

If the autoresponder is sane, it looks for:

List-Id: North American Network Operators Group 
List-Unsubscribe: ,
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
 
Precedence: list

If the mailing list doesn't set those headers, that's the mailing list's fault.

-Bill

-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004

Re: Yahoo DMARC breakage

[Larry Sheldon]

On 4/9/2014 7:02 PM, Jeff Kell wrote:

On 4/9/2014 7:22 PM, Larry Sheldon wrote:

On 4/9/2014 5:11 PM, bmann...@vacation.karoshi.com wrote:

On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:


The most "sane" out-of-mind response should only be sent *if* the
out-of-mind person is named explicitly as a recipient in the RFC822
header.  Anything To: somelist@somehost does not qualify :)

Jeff


 and just how is an algorithm supposed to detect that
  is a single human and not a list?


It is really too bad that there is not place to put a "precedence"
that the software could key on--with values like "bulk" or "junk" or
"list".


Headers of your message include:


Precedence: list


[snip]

I knew that.


Proper mail clients can provide "list links" based on the List- headers,
but few if any actually do.

So take your pick, but my point remains, it still retains:


Date: Wed, 9 Apr 2014 18:22:51 -0500
From: Larry Sheldon 
Organization: Maybe tomorrow
User-Agent: Mozilla/5.0 (Windows NT 5.1;
  rv:24.0) Gecko/20100101 Thunderbird/24.4.0
To: 
Subject: Re: Yahoo DMARC breakage


And I'm nowhere mentioned.  I only appear in the "envelope RCPT TO:<>
RFC821 header", nowhere in the RFC822 header.

It's not rocket science if you have headers available (which even
Outlook can see, although you have to jump through a few hoops to see them).


My point is, and was only that the ID10t's robot-responder needs only 
two rules (one of which is sortakinda off topic in a muchmorphed OT 
threadlet) are:  If the Precedence is "list", "junk", or "bulk" DO 
NOTHING, else, if the address to which the proposed babblegram is to be 
sent has received a babblegram from us since the controlling file was 
created DO NOTHING, else, BABBLEON.



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)

Re: Yahoo DMARC breakage

[Jeff Kell]

On 4/9/2014 7:22 PM, Larry Sheldon wrote:
> On 4/9/2014 5:11 PM, bmann...@vacation.karoshi.com wrote:
>> On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:
>>>
>>> The most "sane" out-of-mind response should only be sent *if* the
>>> out-of-mind person is named explicitly as a recipient in the RFC822
>>> header.  Anything To: somelist@somehost does not qualify :)
>>>
>>> Jeff
>>
>> and just how is an algorithm supposed to detect that
>>  is a single human and not a list?
>
> It is really too bad that there is not place to put a "precedence"
> that the software could key on--with values like "bulk" or "junk" or
> "list".

Headers of your message include:

> Precedence: list
> List-Id: North American Network Operators Group 
> List-Unsubscribe: <http://mailman.nanog.org/mailman/options/nanog>,
>  <mailto:nanog-requ...@nanog.org?subject=unsubscribe>
> List-Archive: <http://mailman.nanog.org/pipermail/nanog/>
> List-Post: <mailto:nanog@nanog.org>
> List-Help: <mailto:nanog-requ...@nanog.org?subject=help>
> List-Subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,
>  <mailto:nanog-requ...@nanog.org?subject=subscribe>
> Errors-To: nanog-bounces+jeff-kell=utc@nanog.org
> Return-Path: nanog-bounces+jeff-kell=utc@nanog.org

Proper mail clients can provide "list links" based on the List- headers,
but few if any actually do.

So take your pick, but my point remains, it still retains:

> Date: Wed, 9 Apr 2014 18:22:51 -0500
> From: Larry Sheldon 
> Organization: Maybe tomorrow
> User-Agent: Mozilla/5.0 (Windows NT 5.1;
>  rv:24.0) Gecko/20100101 Thunderbird/24.4.0
> To: 
> Subject: Re: Yahoo DMARC breakage

And I'm nowhere mentioned.  I only appear in the "envelope RCPT TO:<>
RFC821 header", nowhere in the RFC822 header.

It's not rocket science if you have headers available (which even
Outlook can see, although you have to jump through a few hoops to see them).

Jeff
Jeff

Re: autoresponding to Yahoo DMARC breakage

[Dave Crocker]

On 4/9/2014 5:45 PM, George Michaelson wrote:

procmail is a rewrite of MMDF mailfilter. badly.





Thanks, but I believe it slightly preceded MMDF's equivalent facility. 
On the average, Allman put comparable features into sendmail sooner than 
I did.


Of course, my design's were sooo much better than his, but that seems to 
have hurt it's adoption...


d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Re: Yahoo DMARC breakage

[Larry Sheldon]

On 4/9/2014 5:11 PM, bmann...@vacation.karoshi.com wrote:

On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:


The most "sane" out-of-mind response should only be sent *if* the
out-of-mind person is named explicitly as a recipient in the RFC822
header.  Anything To: somelist@somehost does not qualify :)

Jeff


and just how is an algorithm supposed to detect that
 is a single human and not a list?


It is really too bad that there is not place to put a "precedence" that 
the software could key on--with values like "bulk" or "junk" or "list".



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)

Re: autoresponding to Yahoo DMARC breakage

[John R. Levine]

This highly effective trick was in the procmail example vacation script in
1991, and doubtless goes back much farther than that.  It's a little
dismaying to hear that there are still people writing autoresponders who
don't know about it.


what is procmail?


The scriptable mail delivery agent that most Unix-ish systems use to sort 
mail at delivery time.  It's a marvel of robust programming, no updates 
since 2001 but still works great.


http://lmgtfy.com/?q=procmail&l=1

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

Re: autoresponding to Yahoo DMARC breakage

[George Michaelson]

procmail is a rewrite of MMDF mailfilter. badly.


On Thu, Apr 10, 2014 at 8:42 AM, Christopher Morrow  wrote:

> On Wed, Apr 9, 2014 at 6:27 PM, John R. Levine  wrote:
> >>> The most "sane" out-of-mind response should only be sent *if* the
> >>> out-of-mind person is named explicitly as a recipient in the RFC822
> >>> To: header.  Anything To: somelist@somehost does not qualify :)
> >
> >
> > This highly effective trick was in the procmail example vacation script
> in
> > 1991, and doubtless goes back much farther than that.  It's a little
> > dismaying to hear that there are still people writing autoresponders who
> > don't know about it.
>
> what is procmail?
>
>

Re: autoresponding to Yahoo DMARC breakage

[Christopher Morrow]

On Wed, Apr 9, 2014 at 6:27 PM, John R. Levine  wrote:
>>> The most "sane" out-of-mind response should only be sent *if* the
>>> out-of-mind person is named explicitly as a recipient in the RFC822
>>> To: header.  Anything To: somelist@somehost does not qualify :)
>
>
> This highly effective trick was in the procmail example vacation script in
> 1991, and doubtless goes back much farther than that.  It's a little
> dismaying to hear that there are still people writing autoresponders who
> don't know about it.

what is procmail?

Re: hack #2 for Yahoo DMARC breakage

[John R. Levine]

2: introduce an "Original Authentication Results" header to indicate
you have performed the authentication and you are validating it


This was someone's hack that doesn't work.  The idea is that you make an 
RFC5451 Authentication-Results header for the incoming message, change the 
name to original-authentication-results to circumvent some MTAs that strip 
incoming A-R headers, and send it as part of the signed outgoing message.


The reason it doesn't work is that spammers can add fake o-a-r headers as 
easily as lists can add real ones, so you need to make a whitelist of well 
behaved senders who don't send faked mail so you know whether to believe 
them.  But once you have the whitelist of well behaved senders, you can 
skip the o-a-r stuff and just deliver the mail.


I gather somewhere there is a private non-standard bilateral 
implementation of this, but it still seems like an awfully complicated way 
to do your spam filtering.


Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

smime.p7s
Description: S/MIME Cryptographic Signature

Re: autoresponding to Yahoo DMARC breakage

[John R. Levine]

The most "sane" out-of-mind response should only be sent *if* the
out-of-mind person is named explicitly as a recipient in the RFC822
To: header.  Anything To: somelist@somehost does not qualify :)


This highly effective trick was in the procmail example vacation script in 
1991, and doubtless goes back much farther than that.  It's a little 
dismaying to hear that there are still people writing autoresponders who 
don't know about it.


Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

smime.p7s
Description: S/MIME Cryptographic Signature

Re: Yahoo DMARC breakage

[Jeff Kell]

On 4/9/2014 6:11 PM, bmann...@vacation.karoshi.com wrote:
> On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:
>> The most "sane" out-of-mind response should only be sent *if* the
>> out-of-mind person is named explicitly as a recipient in the RFC822
>> header.  Anything To: somelist@somehost does not qualify :)
>>
>> Jeff
>   and just how is an algorithm supposed to detect that 
>is a single human and not a list?

Because *I* set the out-of-office notification for my email
address[es].  If I'm not in the recipient list, do not respond.  This is
a "per user" knob we are talking about here, so it knows darn well what
address[es] are me.

Jeff

Re: Yahoo DMARC breakage

[bmanning]

On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:
> 
> The most "sane" out-of-mind response should only be sent *if* the
> out-of-mind person is named explicitly as a recipient in the RFC822
> header.  Anything To: somelist@somehost does not qualify :)
> 
> Jeff

and just how is an algorithm supposed to detect that 
 is a single human and not a list?

/bill

Re: Yahoo DMARC breakage

[Dave Crocker]

On 4/9/2014 3:05 PM, John Levine wrote:

In article <5345831b.4030...@dcrocker.net> you write:

Their implementation is not 'broken'.


I'd say it's pretty badly broken if Yahoo intends for their web mail
to continue to be a general purpose mail system for consumers.  If
they want to make it something else, that's certainly their right, but
it would have been nice if they'd given us some advance warning so we
could take the yahoo.com addresses off our lists.



If I point a gun at you, and pull the trigger, but maybe shouldn't have 
done that, the gun is not broken.


Management decisions that are subject to criticism does not represent 
erroneous performance by the folks tasked with doing the task mandated.


Everything they are doing is "legal".

Your (possibly entirely valid) assessment that their action is 
ill-advised or unpleasant does not equal broken.


d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Re: Yahoo DMARC breakage

[Jim Popovitch]

> The most "sane" out-of-mind response should only be sent *if* the
> out-of-mind person is named explicitly as a recipient in the RFC822
> header.  Anything To: somelist@somehost does not qualify :)

Funny story:  When I was at IBM I filed that as a bug with Lotus
Notes.  The Notes team rejected the bug.

-Jim P.

Re: Yahoo DMARC breakage

[Jeff Kell]

On 4/9/2014 5:24 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 09 Apr 2014 17:15:59 -0400, William Herrin said:
>
>> Meh. This just means list software will have to rewrite the From
>> header to "From: John Levine " and rely on the
>> Reply-To header for anybody who wants to send a message back to the
>> originator.
>>
>> Maybe this is a good thing - we can stop getting all the "sorry I'm
>> out of the office" emails when posting to a list.
>
> The sort of programmer that writes out-of-mind software that doesn't
> employ the long well-known heuristics for detecting mailing lists
> (starting with checking Return-Path: for "owner-" and similar) will also
> likely disregard the Reply-To: header.  This Is Not A Good Thing.

The most "sane" out-of-mind response should only be sent *if* the
out-of-mind person is named explicitly as a recipient in the RFC822
header.  Anything To: somelist@somehost does not qualify :)

Jeff

Re: Yahoo DMARC breakage

[Ted Hatfield]

On Wed, 9 Apr 2014, valdis.kletni...@vt.edu wrote:


On Wed, 09 Apr 2014 17:15:59 -0400, William Herrin said:


Meh. This just means list software will have to rewrite the From
header to "From: John Levine " and rely on the
Reply-To header for anybody who wants to send a message back to the
originator.

Maybe this is a good thing - we can stop getting all the "sorry I'm
out of the office" emails when posting to a list.


The sort of programmer that writes out-of-mind software that doesn't
employ the long well-known heuristics for detecting mailing lists
(starting with checking Return-Path: for "owner-" and similar) will also
likely disregard the Reply-To: header.  This Is Not A Good Thing.




According to the DMARC FAQ at http://dmarc.org/faq.html

Q:  I operate a mailing list and I want to interoperate with DMARC, what
should I do?

DMARC introduces the concept of aligned identifiers. It means the domain
in the from header must match the d= in the DKIM signature and the domain
in the mail from envelope.

1: operate as a strict forwarder, where the message is not changed and
the validity of the DKIM signature is preserved

2: introduce an "Original Authentication Results" header to indicate
you have performed the authentication and you are validating it

3: take ownership of the email, by removing the DKIM signature and
putting your own as well as changing the from header in the email to
contain an email address within your mailing list domain.


Option 1 is out of the question.  Option 3 is what a lot of people are
starting to do.  Can anybody tell me what exactly option 2 is.

What exactly is an "Original Authentication Results" header?

I'm already doing my own research but if someone can give a concise answer
as to what it is that would be appreciated.


Ted Hatfield

Re: Yahoo DMARC breakage

[Jim Popovitch]

On Wed, Apr 9, 2014 at 5:15 PM, William Herrin  wrote:
> On Wed, Apr 9, 2014 at 4:05 PM, John Levine  wrote:
>> I'd say it's pretty badly broken if Yahoo intends for their web mail
>> to continue to be a general purpose mail system for consumers.  If
>> they want to make it something else, that's certainly their right, but
>> it would have been nice if they'd given us some advance warning so we
>> could take the yahoo.com addresses off our lists.
>
> Meh. This just means list software will have to rewrite the From
> header to "From: John Levine " and rely on the
> Reply-To header for anybody who wants to send a message back to the
> originator.

Or perhaps DMARC can go back to it's original goal.

Go here: https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/
Notice the early versions of the spec contained the word
"transactional", notice the current version has it removed.   Also
notice that one of the authors is from Yahoo!.

> Maybe this is a good thing - we can stop getting all the "sorry I'm
> out of the office" emails when posting to a list.

The OoO problem is a Client/MUA problem.  Most (other than Lotus
Notes, and some older copies of Outlook) properly tag OoO emails with
well-defined headers (RFC 3834).

-Jim P.

Re: Yahoo DMARC breakage

[Valdis . Kletnieks]

On Wed, 09 Apr 2014 17:15:59 -0400, William Herrin said:

> Meh. This just means list software will have to rewrite the From
> header to "From: John Levine " and rely on the
> Reply-To header for anybody who wants to send a message back to the
> originator.
>
> Maybe this is a good thing - we can stop getting all the "sorry I'm
> out of the office" emails when posting to a list.

The sort of programmer that writes out-of-mind software that doesn't
employ the long well-known heuristics for detecting mailing lists
(starting with checking Return-Path: for "owner-" and similar) will also
likely disregard the Reply-To: header.  This Is Not A Good Thing.


pgpFq6vPjwUGn.pgp
Description: PGP signature

Re: Yahoo DMARC breakage

[William Herrin]

On Wed, Apr 9, 2014 at 4:05 PM, John Levine  wrote:
> I'd say it's pretty badly broken if Yahoo intends for their web mail
> to continue to be a general purpose mail system for consumers.  If
> they want to make it something else, that's certainly their right, but
> it would have been nice if they'd given us some advance warning so we
> could take the yahoo.com addresses off our lists.

Meh. This just means list software will have to rewrite the From
header to "From: John Levine " and rely on the
Reply-To header for anybody who wants to send a message back to the
originator.

Maybe this is a good thing - we can stop getting all the "sorry I'm
out of the office" emails when posting to a list.

-Bill


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004

Re: Yahoo DMARC breakage

[John Levine]

In article <5345831b.4030...@dcrocker.net> you write:
>On 4/9/2014 10:13 AM, Royce Williams wrote:
>> Am I interpreting this correctly -- that Yahoo's implementation of
>> DMARC is broken, such that anyone using a Yahoo address to participate
>> in a mailing list is dead in the water?
>
>
>Their implementation is not 'broken'.

I'd say it's pretty badly broken if Yahoo intends for their web mail
to continue to be a general purpose mail system for consumers.  If
they want to make it something else, that's certainly their right, but
it would have been nice if they'd given us some advance warning so we
could take the yahoo.com addresses off our lists.

R's,
John

Re: Yahoo DMARC breakage

[Jim Popovitch]

> Confirmed across a variety of Mailman lists I administer.

Mailman can be patched to reject/discard posts from members with p=reject.

https://code.launchpad.net/~jimpop/mailman/dmarc-reject


I'm sort of glad that Yahoo did what they did, people are now seeing
the dark side of DMARC.  WooHoo!! Vindication!

-Jim P.

Re: Yahoo DMARC breakage

[Dave Crocker]

On 4/9/2014 10:13 AM, Royce Williams wrote:

Am I interpreting this correctly -- that Yahoo's implementation of
DMARC is broken, such that anyone using a Yahoo address to participate
in a mailing list is dead in the water?



Their implementation is not 'broken'.

Rather, Yahoo has made a very conscious policy decision.  So the "such 
that" clause of your sentence is correct.  That is, the effect really is 
what you describe.  But it's the result of an informed corporate choice 
rather than software or operations error.


From background exchanges and Yahoo participation in the development of 
DMARC, I believe they fully understood the technical and operations 
effects of the decision.


Whether it is the 'right' choice is primarily a political debate, and 
I'm not commenting on that.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Re: Yahoo DMARC breakage

[Tom Simes]

On 04/09/14 07:13, Royce Williams wrote:
> Am I interpreting this correctly -- that Yahoo's implementation of
> DMARC is broken, such that anyone using a Yahoo address to participate
> in a mailing list is dead in the water?
> 
> http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html
> http://www.theregister.co.uk/2014/04/08/yahoo_breaks_every_mailing_list_in_the_world_says_email_guru/
> 
> My mailman bounce action notifications are going through the roof.
> 
> Royce
> 

Ugly.  Confirmed across a variety of Mailman lists I administer.
Harvested addresses from the bounce logs, scripted up a notification to
small batches of addresses and moderated all @yahoo! addresses on the lists.

Can you say Collateral! Damage! Yahoo!

-- 
Tom

==
   "Z80 system stack overflow.  Shut 'er down Scotty, she's
 sucking mud again!" - Error message on XENIX v3.0

Tom Simes   sime...@netexpress.com
==

Re: Yahoo DMARC breakage

[Rich Kulawiec]

On Wed, Apr 09, 2014 at 07:13:47AM -0800, Royce Williams wrote:
> Am I interpreting this correctly -- that Yahoo's implementation of
> DMARC is broken, such that anyone using a Yahoo address to participate
> in a mailing list is dead in the water?

Yes.  It seems that Yahoo wasn't content with just breaking Flickr [1]
but decided to branch out into email as well.  John Levine's comments
(in the first link you provided) have been, I think, the most articulate 
on the subject.

The worst part of this is (a) it creates massive problems for everyone
running mailing lists and (b) it doesn't solve any problems for anybody,
including Yahoo and its users.

Mitigation tactics vary, but one is to put everyone using a yahoo.com
address on moderation, using whatever mechanism the mailing list manager
(e.g. Mailman, majordomo, etc.) provides.  Another is to encourage people
with Yahoo accounts to move elsewhere.

(There's nothing "wrong" with DMARC, per se, although I remain somewhat
skeptical about its widespread/long-term utility.  What's "wrong" here
is that it's been badly misapplied to a use case that it doesn't fit.
To borrow a line from Zathras, "This...is wrong tool.")

---rsk

[1] http://boingboing.net/2014/04/07/restoring-cc-attribution-to-fl.html

Yahoo DMARC breakage

[Royce Williams]

Am I interpreting this correctly -- that Yahoo's implementation of
DMARC is broken, such that anyone using a Yahoo address to participate
in a mailing list is dead in the water?

http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html
http://www.theregister.co.uk/2014/04/08/yahoo_breaks_every_mailing_list_in_the_world_says_email_guru/

My mailman bounce action notifications are going through the roof.

Royce