Yahoo DMARC breakage

Rich Kulawiec rsk at gsp.org
Fri Apr 11 08:55:53 UTC 2014


On Thu, Apr 10, 2014 at 03:22:24PM -0400, Kee Hinckley wrote:
> I suspect they looked at the amount of spam they could stop [...]

Which is, to a very good first approximation, zero.

Nearly all (at least 99% and likely quite a bit more) of the spam [as
observed by my numerous spamtraps] that purports to originate from Yahoo
really *does* originate from Yahoo.  All that I have to do to verify that
is to look at the originating host -- that is, it's not necessary to
check DMARC or anything else.

There are several reasons for this.  First, Yahoo has done an absolutely
miserable job of outbound abuse control.  For over a decade.  Second,
they've done a correspondingly miserable job of handling abuse reports,
so even when one of their victims is kind and generous enough to do
their work for them and tell them that they have a problem...they don't
pay attention and they don't take any action.  (Or they fire back a
clueless boilerplate denial that it was their user on their host on
their network...even though it was all three.)  Also for over a decade.
Third, why would any spammer forge a @yahoo.com address when it's easy
enough to buy hijacked accounts by the bucketful -- or to use any of the
usual exploits to go get some?  Fourth, at least some spammers seem to have
caught on that Yahoo isn't *worth* forging: it's a toxic cesspool because
the people running it have allowed it to become one.

So let's not pretend that this has anything to do with stopping spam.
If Yahoo actually wanted to do something about spam, they could have
done that years and years ago simply by *paying attention* to what was
going on inside their own operation.

---rsk



