nanog mailing list archives

Re: DMARC -> CERT?

From: Miles Fidelman <mfidelman () meetinghouse net>
Date: Mon, 14 Apr 2014 12:32:05 -0400

Matthew Petach wrote:

On Mon, Apr 14, 2014 at 9:10 AM, Miles Fidelman<mfidelman () meetinghouse net <mailto:mfidelman () meetinghouse net>> wrote:


    Just a thought.  I keep thinking that Yahoo's publishing of their
    "p=reject" policy, and the subsequent massive denial of service to
    lost of list traffic might be viewed as a "computer security"
    incident.

    Anybody think that reporting via CERT channels might be an
    appropriate response?

    (I do, and probably will - but curious what others think.)

    Miles Fidelman

--In theory, there is no difference between theory and practice.

    In practice, there is.   .... Yogi Berra




I would recommend reading these two blog entries first:

http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users
and
http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders-do

Then, I would ask--if the situation is deemed CERT-worthy,
what is the emergency the community is being asked to
respond to?  Is it that Yahoo has decided, after many years,
to start taking action to tighten down email abuse?  Or is the
emergency that too many mailing lists operate fast-and-loose
with email headers, and that we as a community need to take
swift and immediate action to fix mailing lists to correctly
identify and attribute the true source of messages from
the lists?

Well... how about this, from Yahoo's own posting:

We know there are about 30,000 affected email sending services, but wealso know that the change needed to support our new DMARC policy isimportant and not terribly difficult to implement.

To me - this sure looks, smells, and quacks like a denial-of-serviceattack against a system I operate, and the subscriber to the lists thatI support -- somewhat akin to exploding a bomb in a public square, andthen taking credit for it.


Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra

Current thread:

DMARC -> CERT? Miles Fidelman (Apr 14)
- Re: DMARC -> CERT? Matthew Petach (Apr 14)
  - Re: DMARC -> CERT? Miles Fidelman (Apr 14)
    - Re: DMARC -> CERT? Laszlo Hanyecz (Apr 14)
    - Re: DMARC -> CERT? Valdis . Kletnieks (Apr 14)
    - Re: DMARC -> CERT? William Herrin (Apr 14)
    - Re: DMARC -> CERT? Miles Fidelman (Apr 14)
    - Re: DMARC -> CERT? Laszlo Hanyecz (Apr 14)
    - Re: DMARC -> CERT? Christopher Morrow (Apr 14)
    - Re: DMARC -> CERT? Miles Fidelman (Apr 14)
    - Re: DMARC -> CERT? Florian Weimer (Apr 21)
    - Re: DMARC -> CERT? Matthew Petach (Apr 14)
    - Re: DMARC -> CERT? Jim Popovitch (Apr 14)

(Thread continues...)