Hi All,
Due to a rather bold, unprecedented and rather frankly, a completely asinine move on the part of Yahoo Mail, we may potentially have to remove the posting ability of any members with @yahoo.com email addresses to prevent ‘bounce storms’ which could cause other, non-Yahoo folks to be deleted. I am running into this very issue on other lists that I manage, and it’s quite a mess. The issue is worldwide, not resolved at this point, and there is no current workaround.
I am investigating what we can do at this point. In the meantime, I need to ask any and all Yahoo Mail users to please refrain from sending to or replying to any messages from this list until I notify everyone of a workaround. If any Yahoo users post to the list, I will unfortunately be forced to turn off their posting ability until this mess is resolved – sorry, but there’s not much else I can do (except for suggesting getting a Gmail account instead).
If you are a Yahoo email user who needs to contact me about this issue, please contact me directly at dave.stragand@xxxxxxxxxxxxxxx and NOT reply to this email on the list. Please bear in mind though, that I am unable to do anything about Yahoo’s decision, there is no current workaround, and any complaints need to be directed to Yahoo (not me!) at this time.
A technical explanation of the issue is below.
Thanks,
-Dave
http://thehackernews.com/2014/04/yahoos-new-dmarc-policy-destroys-every.html#
Tuesday, April 08, 2014 by Wang Wei
Yahoo, which enabled HTTPS connections by default from the beginning of this year and has encrypted traffic moving between its data centers since 31st March, has now been accused of harming every mailing list across the world.
John R. Levine, an expert from the Internet Engineering Council who specializes in email infrastructure and spam filtering, claimed this in a post titled “Yahoo breaks every mailing list in the world including the IETF's” on the Internet Engineering Task Force (IETF).
Yahoo has established a new rule that automatically excludes Yahoo users from mailing lists, because mailing list servers do not comply with DMARC requirements and they heavily modify each email.
He talks about an “emerging e-mail security scheme” known as Domain-based Message Authentication, Reporting and Conformance (DMARC) that has been implemented by almost all of the largest email service providers, including Gmail, Hotmail, Comcast, and Yahoo.
DMARC helps to reduce the potential for email-based abuse, such as phishing emails and email spoofing, by solving issues related to email authentication protocols. The receiver of the email performs email authentication by using the well-known Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) mechanisms.
DMARC “lets a domain owner make assertions about the From: address, in particular that mail with their domain on the From: line will have a DKIM signature with the same domain, or a bounce address in the same domain that will pass SPF [sender policy framework],” Levine explained.
He claimed that DMARC has a drawback, with mailing lists being its main weakness, because “Lists invariably use their own bounce address in their own domain, so the SPF doesn't match. Lists generally modify messages via subject tags, body footers, attachment stripping, and other useful features that break the DKIM signature. So on even the most legitimate list mail like, say, the IETF's, most of the mail fails the DMARC assertions, not due to the lists doing anything 'wrong'.”
YAHOO DMARC POLICY UPDATE TO “p=reject”
This would not have been a major problem at a large scale, but over the weekend Yahoo published a DMARC record and changed its DMARC policy to “p=reject,” which suggests rejecting all yahoo.com mail that fails DMARC.
“I noticed this because I got a blizzard of bounces from my church mailing list, when a subscriber sent a message from her yahoo.com account, and the list got a whole bunch of rejections from Gmail, Hotmail, Comcast, and Yahoo itself. This is definitely a DMARC problem, the bounces say so,” says Levine.
This weakness in mailing lists is not restricted to Yahoo! subscribers; in fact, subscribers at Gmail, Hotmail, Comcast, etc. are also facing it. There are a number of different bounces that people are reporting due to Yahoo publishing a DMARC record of p=reject.
“Since Yahoo mail provokes bounces from lots of other mail systems, innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo subscribers' messages, but all those bounces are likely to bounce them off the lists,” Levine says, adding, “A few years back we had a similar problem due to an overstrict implementation of DKIM ADSP, but in this case, DMARC is doing what Yahoo is telling it to do.”
HOW TO KEEP YOUR 'MAILING LIST' UP!
Levine offers three suggestions for people who run mailing lists or other mail software that might legitimately pass on a yahoo.com message, to improve the condition:
· Suspend posting permission of all yahoo.com addresses, to limit damage
· Tell Yahoo users to get a new mail account somewhere else, pronto, if they want to continue using mailing lists
· If you know people at Yahoo, ask if perhaps this wasn't such a good idea.
It might sound like a perfectly reasonable security measure, but Yahoo should consider reversing the change.
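
The DMARC failure the article describes, as an added example that is not part of the original message or the quoted article: a receiver's alignment check run on a constructed yahoo.com message before and after a list relays it. Assumptions: the organizational domain is taken as the last two labels instead of the Public Suffix List, DKIM verification is reduced to the body-hash comparison, and `lists.example.org` and the message text are made up.

```python
import base64
import hashlib

def body_hash(body: str) -> str:
    """DKIM 'simple' body canonicalization, then SHA-256, base64 (the bh= value)."""
    data = body.replace("\r\n", "\n").replace("\n", "\r\n").encode()
    return base64.b64encode(hashlib.sha256(data.rstrip(b"\r\n") + b"\r\n").digest()).decode()

def org_domain(domain: str) -> str:
    # Assumption: last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_disposition(msg: dict, policy: str) -> str:
    """Return 'deliver', 'quarantine' or 'reject' for a message under a p= policy."""
    frm = org_domain(msg["from_domain"])
    spf_aligned = msg["spf_pass"] and org_domain(msg["envelope_domain"]) == frm
    # Simplification: a signature "verifies" if its bh= still matches the body.
    dkim_aligned = any(
        sig["bh"] == body_hash(msg["body"]) and org_domain(sig["d"]) == frm
        for sig in msg["dkim"]
    )
    if spf_aligned or dkim_aligned:
        return "deliver"
    return policy if policy in ("quarantine", "reject") else "deliver"

def relay_through_list(msg: dict, list_domain: str, footer: str) -> dict:
    """What a typical list does: own bounce address, footer appended to the body."""
    relayed = dict(msg)
    relayed["envelope_domain"] = list_domain   # SPF now passes for the list, not yahoo.com
    relayed["spf_pass"] = True
    relayed["body"] = msg["body"] + footer     # invalidates the original bh=
    return relayed

# Constructed sample message, not real traffic.
BODY = "See you at choir practice on Sunday.\r\n"
ORIGINAL = {
    "from_domain": "yahoo.com", "envelope_domain": "yahoo.com", "spf_pass": True,
    "body": BODY, "dkim": [{"d": "yahoo.com", "bh": body_hash(BODY)}],
}
RELAYED = relay_through_list(ORIGINAL, "lists.example.org", "-- \r\nchurch-list footer\r\n")

if __name__ == "__main__":
    for name, m in (("direct", ORIGINAL), ("via list", RELAYED)):
        for p in ("none", "reject"):
            print(f"{name:9} p={p:7} -> {dmarc_disposition(m, p)}")
```

The relayed copy fails both checks without the list doing anything wrong, so the outcome depends only on the policy the From: domain publishes.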