Feeds

'Yahoo! Breaks! Every! Mailing! List! In! The! World!' says email guru

Purple Palace tweaks security setting, sparks worldwide email bounce blizzard

Beginner's guide to SSL certificates

Email luminary John Levine has accused Yahoo! of sabotaging email lists for everyone, everywhere.

In a post titled “Yahoo! Breaks! Every! Mailing! List! In! The! World! Including! The! IETF's!'”, Levin explains “an emerging e-mail security scheme” called DMARC that “lets a domain owner make assertions about the From: address, in particular that mail with their domain on the From: line will have a DKIM signature with the same domain, or a bounce address in the same domain that will pass SPF [sender policy framework.”

Levine explains that DMARC has weaknesses, notably because “Lists invarably [sic] use their own bounce address in their own domain, so the SPF doesn't match. Lists generally modify messages via subject tags, body footers, attachment stripping, and other useful features that break the DKIM signature. So on even the most legitimate list mail like, say, the IETF's, most of the mail fails the DMARC assertions, not due to the lists doing anything 'wrong'.”

Most of the time that's not a big problem for the world at large. But Levine says “over the weekend Yahoo published a DMARC record with a policy saying to reject all yahoo.com mail that fails DMARC.”

Aside from lots of bounced emails that should go through, here's what Levine says will result from Yahoo!'s change:

“Since Yahoo mail provokes bounces from lots of other mail systems, innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo subscribers' messages, but all those bounces are likely to bounce them off the lists.”

In other words lots of email not getting through, lots of automatic unsubscribes and lots of angry users and sysadmins.

Levine offers three suggestions to ameliorate the situation:

  • Suspend posting permission of all yahoo.com addresses, to limit damage
  • Tell Yahoo users to get a new mail account somewhere else, pronto, if they want to continue using mailing lists
  • If you know people at Yahoo, ask if perhaps this wasn't such a good idea

Who wants to be the one to action the third suggestion? ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.