Yahoo DMARC breakage

Rich Kulawiec rsk at gsp.org
Thu Apr 10 11:42:00 UTC 2014


I agree to a large extent with your comments/observations, but I'd
like to focus on one point in particular:

On Wed, Apr 09, 2014 at 11:00:57PM -0400, Andrew Sullivan wrote:
> So, I'm trying to imagine the presentation slide on which appears the
> advice to implement the controversial adopted policy.  I imagine in
> big, giant print "Will reduce yahoo.com abuse effects" and in one of
> those secondary bullets "May have consequences" and even lower "for
> our users on mailing lists" and "for mailing list
> managers/non-company".  

This decision by Yahoo will have no effect whatsoever on the largest
abuse problem, which is outbound spam/phishing/malware/etc. *sourced*
by Yahoo.  Those messages are (and have been for a long time) dutifully
marked as authentic and in one sense they are: they really do originate
from Yahoo's operation.  But of course in a much more important operational
sense they're not: they're forgeries created by the new owners of hijacked
Yahoo user accounts.  And those accounts are being hijacked at will by
the millions, as they have been for many years.

Yahoo is not alone in permitting an enormous volume of such messages to
leave their operation and attack the rest of the Internet: Hotmail, Gmail,
and the rest do the same.  (Of course the rates vary, as do the targets.
My spamtraps see large rate fluctuations across networks, domains, ASNs, etc.
as well as through time.  I strongly suspect that individual measurements
at any one are essentially meaningless and that aggregation over a
sufficiently diverse set over a sufficiently long time is necessary to
construct a coherent, useful statistical model of what's really happening.)

In other words, this deployment might reduce abuse OF Yahoo, but it
will do nothing about the far more important problem of abuse BY Yahoo.

Which pretty much lives up to my expectations.

---rsk

More information about the NANOG mailing list