Re: DMARC -> CERT?

[Matthew Petach <mpetach () netflight com>]

On Mon, Apr 14, 2014 at 9:10 AM, Miles Fidelman
<mfidelman () meetinghouse net>wrote:

> Just a thought.  I keep thinking that Yahoo's publishing of their
> "p=reject" policy, and the subsequent massive denial of service to lost of
> list traffic might be viewed as a "computer security" incident.
>
> Anybody think that reporting via CERT channels might be an appropriate
> response?
>
> (I do, and probably will - but curious what others think.)
>
> Miles Fidelman
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is.   .... Yogi Berra

I would recommend reading these two blog entries first:

http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users
and
http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders-do

Then, I would ask--if the situation is deemed CERT-worthy,
what is the emergency the community is being asked to
respond to?  Is it that Yahoo has decided, after many years,
to start taking action to tighten down email abuse?  Or is the
emergency that too many mailing lists operate fast-and-loose
with email headers, and that we as a community need to take
swift and immediate action to fix mailing lists to correctly
identify and attribute the true source of messages from
the lists?

My internal guess, based on the years and years of
griping about forged sender spam that I've seen on
this list, among others, is that the latter case is the
emergency to which you are seeking a call to action.

Thanks!

Matt