Re: DMARC -> CERT?

[Private Sender <nobody () snovc com>]

On Wed 16 Apr 2014 09:40:11 PM PDT, Jim Popovitch wrote:
> On Thu, Apr 17, 2014 at 12:19 AM, Private Sender <nobody () snovc com> wrote:
>
> > On 04/14/2014 03:47 PM, Jim Popovitch wrote:
> > > On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard <scott () doc net au> wrote:
> > > > On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop () gmail com>
> > wrote:
> > > > > 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the
> > > > > last full week before the US tax filing deadline.
> > > >
> > > > The change was made on the previous Friday, so that date is largely
> > > > irrelevant.
> > > >
> > > > > 7-April: OpenSSL's *public* advisory (after a full week of private
> > > > > notifications, of which yahoo surely was one tech company in on the
> > > > > early notifications)
> > > >
> > > > Given that many of their main services were vulnerable at the time of
> > public
> > > > disclosure, I think that's a very large assumption to make...
> > > >
> > > > If nothing else, I suspect the odds of it being known by the same people
> > > > that made the DMARC decision/changes is low.
> > > I think you are right on that, but that doesn't change the fact that
> > > the sum of those things overburdened a lot of mailinglist operators.
> > > It is what it is, and the press has covered it and mailinglists are
> > > blocking/unsub'ing yahoo accounts in order to cope.
> > >
> > > -Jim P.
> >
> > I'm sorry but is there a fundamental misunderstanding of dmarc going on
> > in this thread? Yahoo doesn't want you to be able to send "@yahoo.com"
> > email from anything other than THEIR servers which contain the private
> > key that corresponds to their DKIM implementation, and conversely dmarc.
> > "p=reject" tells the receiving domain to reject the message if it isn't
> > signed by the private key that corresponds with the public key that is
> > in the dkim txt record for "yahoo.com"
> >
> > Isn't this the whole point of dmarc? Stop spammers from sending email
> > with "@yahoo.com" that doesn't originate from a valid yahoo email server.
>
> Yes, but @yahoo.com is a bad example because it delivers user originated
> content.
>
>
> > Yahoo's implementation of dmarc is working as intended.
>
> Are you also speaking for all yahoo uses when you declare that they should
> no longer be able to participate on mailinglists?
>
>
> > Stealing someones password, and logging into their yahoo mail account
> > and spamming isn't going to matter to dmarc. The mail originated from
> > yahoo, and it was an authenticated user; the mail will be signed with
> > the DKIM key, it will be accepted by the receiving domain (unless the
> > email address is blacklisted by the receiving domain).
>
> But, but, but.... Yahoo implemented DMARC to supposedly stop Spam...(which
> ironically others have shown that a lot of spam originates from Yahoo
> servers, but I digress)
>
>
> > There is no need to flame a company because they implemented a policy to
> > ensure QoS to their customers. Either push your mail through their
> > servers, or Just find somewhere else you can push your mailing lists
> > through.
> LOL QoS, really?   QoS to me, a yahoo account holder, would be less inbound
> spam.
>
> -Jim P.

Well yeah inbound spam filtering would be nice. But they have refused 
to do anything about if for a better part of a decade. Sadly, they 
can't control mail originating from other domains (other than mail 
stating it's from yahoo). Is it possible yahoo doesn't understand how 
dmarc works?

--
-- Bret Taylor