nanog mailing list archives
Re: DMARC -> CERT?
From: Miles Fidelman <mfidelman () meetinghouse net>
Date: Mon, 14 Apr 2014 12:32:05 -0400
Matthew Petach wrote:

> On Mon, Apr 14, 2014 at 9:10 AM, Miles Fidelman <mfidelman () meetinghouse net> wrote:
>
>> Just a thought. I keep thinking that Yahoo's publishing of their "p=reject" policy, and the subsequent massive denial of service to lots of list traffic might be viewed as a "computer security" incident. Anybody think that reporting via CERT channels might be an appropriate response? (I do, and probably will - but curious what others think.)
>>
>> Miles Fidelman
>> --
>> In theory, there is no difference between theory and practice.
>> In practice, there is. .... Yogi Berra
>
> I would recommend reading these two blog entries first:
>
> http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users
>
> and
>
> http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders-do
>
> Then, I would ask--if the situation is deemed CERT-worthy, what is the emergency the community is being asked to respond to? Is it that Yahoo has decided, after many years, to start taking action to tighten down email abuse? Or is the emergency that too many mailing lists operate fast-and-loose with email headers, and that we as a community need to take swift and immediate action to fix mailing lists to correctly identify and attribute the true source of messages from the lists?

Well... how about this, from Yahoo's own posting:

> We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement.

To me - this sure looks, smells, and quacks like a denial-of-service attack against a system I operate, and the subscriber to the lists that I support -- somewhat akin to exploding a bomb in a public square, and then taking credit for it.

Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra