DMARC -> CERT?

Private Sender nobody at snovc.com
Thu Apr 17 13:13:47 UTC 2014


On Wed 16 Apr 2014 09:40:11 PM PDT, Jim Popovitch wrote:
> On Thu, Apr 17, 2014 at 12:19 AM, Private Sender <nobody at snovc.com> wrote:
>
>> On 04/14/2014 03:47 PM, Jim Popovitch wrote:
>>> On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard <scott at doc.net.au> wrote:
>>>> On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop at gmail.com> wrote:
>>>>> 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the
>>>>> last full week before the US tax filing deadline.
>>>>
>>>> The change was made on the previous Friday, so that date is largely
>>>> irrelevant.
>>>>
>>>>> 7-April: OpenSSL's *public* advisory (after a full week of private
>>>>> notifications, of which yahoo surely was one tech company in on the
>>>>> early notifications)
>>>>
>>>> Given that many of their main services were vulnerable at the time of public
>>>> disclosure, I think that's a very large assumption to make...
>>>>
>>>> If nothing else, I suspect the odds of it being known by the same people
>>>> that made the DMARC decision/changes is low.
>>> I think you are right on that, but that doesn't change the fact that
>>> the sum of those things overburdened a lot of mailinglist operators.
>>> It is what it is, and the press has covered it and mailinglists are
>>> blocking/unsub'ing yahoo accounts in order to cope.
>>>
>>> -Jim P.
>>>
>>
>> I'm sorry but is there a fundamental misunderstanding of dmarc going on
>> in this thread? Yahoo doesn't want you to be able to send "@yahoo.com"
>> email from anything other than THEIR servers which contain the private
>> key that corresponds to their DKIM implementation, and conversely dmarc.
>> "p=reject" tells the receiving domain to reject the message if it isn't
>> signed by the private key that corresponds with the public key that is
>> in the dkim txt record for "yahoo.com"
>>
>> Isn't this the whole point of dmarc? Stop spammers from sending email
>> with "@yahoo.com" that doesn't originate from a valid yahoo email server.
>>
>
> Yes, but @yahoo.com is a bad example because it delivers user originated
> content.
>
>
>> Yahoo's implementation of dmarc is working as intended.
>>
>
> Are you also speaking for all yahoo users when you declare that they should
> no longer be able to participate on mailinglists?
>
>
>> Stealing someone's password, and logging into their yahoo mail account
>> and spamming isn't going to matter to dmarc. The mail originated from
>> yahoo, and it was an authenticated user; the mail will be signed with
>> the DKIM key, it will be accepted by the receiving domain (unless the
>> email address is blacklisted by the receiving domain).
>>
>
> But, but, but.... Yahoo implemented DMARC to supposedly stop Spam...(which
> ironically others have shown that a lot of spam originates from Yahoo
> servers, but I digress)
>
>
>>
>> There is no need to flame a company because they implemented a policy to
>> ensure QoS to their customers. Either push your mail through their
>> servers, or Just find somewhere else you can push your mailing lists
>> through.
>>
>>
> LOL QoS, really?   QoS to me, a yahoo account holder, would be less inbound
> spam.
>
> -Jim P.

Well yeah inbound spam filtering would be nice. But they have refused 
to do anything about it for a better part of a decade. Sadly, they 
can't control mail originating from other domains (other than mail 
stating it's from yahoo). Is it possible yahoo doesn't understand how 
dmarc works?

--
-- Bret Taylor
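
An added example, not part of the original thread: a simplified DMARC evaluation showing why list traffic with a "@yahoo.com" From: is rejected under "p=reject" while mail sent through Yahoo's own servers (including from a hijacked account) passes. The record string, the domain lists.example.org and the scenario values are constructed, and relaxed alignment is approximated by a suffix match rather than a Public Suffix List lookup.

```python
# Added example: simplified DMARC evaluation. DMARC passes when EITHER SPF or
# DKIM passes AND the authenticated domain aligns with the From: header domain.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(auth_domain, from_domain):
    """Relaxed alignment (approximation): same domain or parent/child of it."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_results):
    """dkim_results is a list of (d= domain, signature_verified) tuples.
    Returns 'pass', or the disposition the domain owner's policy requests."""
    policy = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain)
    dkim_ok = any(ok and aligned(d, from_domain) for d, ok in dkim_results)
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")

RECORD = "v=DMARC1; p=reject"   # constructed minimal record, not Yahoo's actual TXT
LIST = "lists.example.org"      # hypothetical mailing-list host

# Constructed scenarios: (spf_pass, envelope-sender domain, DKIM results)
SCENARIOS = {
    # User (or someone holding the user's password) sends via Yahoo's servers.
    "direct_or_hijacked": (True, "yahoo.com", [("yahoo.com", True)]),
    # List adds a footer/subject tag: the original signature no longer verifies,
    # and the list's own SPF and DKIM identities do not align with yahoo.com.
    "list_modified": (True, LIST, [("yahoo.com", False), (LIST, True)]),
    # List relays the message byte-for-byte: the original DKIM signature survives.
    "list_unmodified": (True, LIST, [("yahoo.com", True)]),
}

def evaluate_all(from_domain="yahoo.com"):
    return {name: dmarc_disposition(RECORD, from_domain, spf, dom, dkim)
            for name, (spf, dom, dkim) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:20s} -> {result}")
```
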



