
Yahoo breaks every mailing list in the world including the IETF's - somerandomness
http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html
======
codinghorror
We really want Discourse
([http://www.discourse.org](http://www.discourse.org)) to get to a place where
we have extremely robust 100% open source mailing list support -- we now have
reply via email, notify via email, and community contributed submit topics via
email. Working on attachments via email this week.

It's interesting -- unlike forums, people _really_ enjoy mailing lists. I
don't think I've ever met anyone, ever, who said they liked forums. But
mailing lists seem to inspire people.

I want to see a long term hybrid model where you can interact nearly
completely via email, or a good, modern web UI that _YOUR_ org owns (not
google groups or yahoo groups). This should be supported.

~~~
fennecfoxen
Forget forums. Forget mailing lists. Bring back NNTP, so we can just point
people at com.mycompany.engineering.infrastructure and _not worry about
setting up another lame inbox filter_.

~~~
WalterBright
[http://forum.dlang.org](http://forum.dlang.org) is an NNTP forum. You can
also access it via newsgroups news://www.digitalmars.com/digitalmars/D or even
a mailing list at [http://lists.puremagic.com/cgi-
bin/mailman/listinfo/digitalm...](http://lists.puremagic.com/cgi-
bin/mailman/listinfo/digitalmars-d)

It works out quite nicely for us.

~~~
na85
Wow is their forum software open source/freely available?

I love how snappy they are.

~~~
WalterBright
Sure: [http://forum.dlang.org/help#about](http://forum.dlang.org/help#about)

------
dredmorbius
Having managed a number of largish email systems over the past few years, I've
got to say that dealing with Yahoo -- DKIM and other anti-spam related issues
-- is one of my larger ongoing headaches. The lack of response and
transparency of Yahoo in general is a huge problem -- I managed to get
resolution in one case via an executive email carpet bomb (this after repeated
contacts with their support team and direct emails to the CTO/Postmaster's
address).

Sadly, as much of a fading giant as Yahoo are, their email presence remains
huge.

~~~
codinghorror
Yahoo may be bad, but Outlook/Hotmail are without a doubt worse. Exhibit A:

[http://serverfault.com/questions/434703/why-does-hotmail-
sti...](http://serverfault.com/questions/434703/why-does-hotmail-still-reject-
my-emails/452896#452896)

~~~
kbuck
I disagree. I've had Yahoo reject my emails completely silently (didn't arrive
in inbox OR 'spam' folder, even though Yahoo's MX said the message was
accepted). Yahoo was entirely unresponsive about this issue. We didn't have
the same problem with any other provider and it was resolved immediately upon
switching to a third-party email delivery service.

Additionally, Yahoo has a huge amount of abuse and doesn't seem to have an
abuse handle either; you have to fill out some form buried deep on their site.
On the other hand, I've reported abuse incidents to Hotmail before and have
gotten an actual reply from a human (a rarity when submitting abuse reports;
most places act on them but don't bother responding).

~~~
dredmorbius
Yeah, don't even get me started on Yahoo's spam emissions and lack of
reporting.

------
mike-cardwell
I played with DMARC about a year ago. I put it in monitoring mode so that I'd
get email reports from systems to tell me when they received emails from my
domain which failed DMARC. I started getting them from all over the place.
Pretty much all related to mailing lists breaking the DKIM signature by
rewriting headers or the body. My conclusion was: If any email address on your
domain subscribes to one or more mailing lists, DMARC will break your email. I
disabled it. I don't see myself enabling it again any time soon.

------
jmathai
We noticed last month that one of our Yahoo! Groups mailing lists would
randomly drop emails[1]. We couldn't find any consistent behavior to it.
Wonder if this is the culprit.

[1]
[https://twitter.com/jmathai/status/440529845198790656](https://twitter.com/jmathai/status/440529845198790656)

------
billpg
So what should Yahoo do? Change settings to say "Actually, anyone in the world
can send emails from @yahoo.com now."?

(Honest question.)

~~~
mike-cardwell
Yes. If they want their users to be able to use mailing lists.

~~~
billpg
Is that the trade-off? Either we neuter SPF et al or we break mailing lists?

I vote for SPF et al.

~~~
mike-cardwell
Yes, that is the tradeoff.

SPF doesn't really come into it. Mailing lists use their own sender envelope.
The problem is, when a mailing list makes changes to an email which breaks the
DKIM signature. But the sender uses DMARC to say that DKIM _must_ pass.

Another fix would be for all mailing lists to be updated to not make any
changes to messages which might break DKIM. E.g. by adding [listname] to the
subject line, or messing with other headers, or adding signatures to the body.

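To make the point above concrete, here is an added example (not from the thread or any list software) using a toy HMAC-based signature in place of real DKIM (RFC 6376 RSA signing and canonicalization) and a constructed message; it shows that adding a List-Id header leaves the signature valid, while tagging the subject or appending a footer does not:

```python
import hashlib
import hmac

# Toy DKIM-style signature: HMAC stands in for the signing domain's private
# key (assumption). Only these headers are covered, as with a DKIM h= tag.
SIGNED_HEADERS = ("from", "to", "subject")

def canonicalize(headers, body):
    """Relaxed-style canonicalization: lowercase names, collapse whitespace,
    strip trailing blank lines from the body."""
    parts = []
    for name in SIGNED_HEADERS:
        value = " ".join(headers.get(name, "").split())
        parts.append(f"{name}:{value}")
    body_lines = [" ".join(l.split()) for l in body.rstrip("\r\n").splitlines()]
    return "\r\n".join(parts) + "\r\n\r\n" + "\r\n".join(body_lines)

def sign(headers, body, key):
    return hmac.new(key, canonicalize(headers, body).encode(), hashlib.sha256).hexdigest()

def verify(headers, body, key, sig):
    return hmac.compare_digest(sign(headers, body, key), sig)

KEY = b"example.com-selector-key"  # constructed key for the author's domain
ORIGINAL = ({"from": "alice@example.com", "to": "dlist@lists.example.org",
             "subject": "hello"}, "Hi all\r\n")

def list_rewrite(headers, body, tag="[dlist] ", footer="--\r\nUnsubscribe here\r\n"):
    """What a typical MLM does: tag the subject and append a footer."""
    new_h = dict(headers)
    new_h["subject"] = tag + headers["subject"]
    return new_h, body + footer

def list_forward(headers, body):
    """Strict forwarder: only an unsigned List-* header is added."""
    new_h = dict(headers)
    new_h["list-id"] = "<dlist.lists.example.org>"
    return new_h, body

def demo():
    h, b = ORIGINAL
    sig = sign(h, b, KEY)
    return {
        "unchanged": verify(h, b, KEY, sig),
        "strict_forward": verify(*list_forward(h, b), KEY, sig),
        "subject_tag_and_footer": verify(*list_rewrite(h, b), KEY, sig),
        "subject_tag_only": verify(*list_rewrite(h, b, footer=""), KEY, sig),
    }
```
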
~~~
avz
The tradeoff isn't that bad: it's possible to make mailing lists work with
DMARC, see for example their suggestions in the FAQ:
[http://dmarc.org/faq.html#s_3](http://dmarc.org/faq.html#s_3).

It can be argued that the required changes are very burdensome and not
mailing-list-friendly. The mail body modifications seem to me like something
mailing lists could drop taking advantage of the list-* headers instead. The
harder usability issue arises from the fact that DMARC imposes a different way
of setting the from header potentially breaking all those filters we've set
up.

DMARC claims both issues can be solved using the "Original Authentication
Results" header but since it requires the receiving MTA to trust the mailing
list the administrative overhead here just doesn't scale and will likely end
up being pushed onto the list admins.

Also, SPF _does_ come into it since DMARC requires "alignment" between the
from domains in the envelope and the header (see again the FAQ answer above).

~~~
mike-cardwell
My point about SPF not coming into it, was made because SPF _will_ fail in a
forwarding/list setup. DKIM _can_ work in this setup, so that's what we want
to make work, but which all mailing list software seems to break.

------
meepmeep
DMARC.org has very clear remedies.

Q: I operate a mailing list and I want to interoperate with DMARC, what should
I do?

A: DMARC introduces the concept of aligned identifiers. It means the domain in
the from header must match the d= in the DKIM signature and the domain in the
mail from envelope. You have a few solutions:

- operate as a strict forwarder, where the message is not changed and the
  validity of the DKIM signature is preserved
- introduce an "Original Authentication Results" header to indicate you have
  performed the authentication and you are validating it
- take ownership of the email, by removing the DKIM signature and putting your
  own as well as changing the from header in the email to contain an email
  address within your mailing list domain.

Spoofing is a huge issue for all email customers. DMARC was started, in part,
to deal with the coming problems that were foreseen here. Mailing Lists don't
have to forge or spoof to work. They can adjust and everyone is better off.

~~~
avz
(the post above has been largely copy-pasted from
[http://dmarc.org/faq.html#s_3](http://dmarc.org/faq.html#s_3))

An interesting point for the discussion on whether MLMs are allowed to modify
the from header is in section 3.6.2 of RFC 2822:
[http://tools.ietf.org/html/rfc2822#section-3.6.2](http://tools.ietf.org/html/rfc2822#section-3.6.2).
The intended meaning of the from field is to indicate the _author_ of a
message which is explicitly allowed to be different than the sender. Thus
list-originated communication like digest messages should be sent with the
from header of the list, but messages forwarded by the MLM should be sent with
the from header indicating the _original author_. In the absence of the sender
header it can be assumed to be the same as the from header. Thus, DMARC could
use the sender header instead of the from header and fall back to the from
header only when sender is absent. This way MLMs would have a way of avoiding
the issue by supplying the sender header. Unfortunately, DMARC chose not to
use the sender header citing abuse and bugs in some MUAs which don't display
the sender header to the user correctly: [http://www.ietf.org/mail-
archive/web/dmarc/current/msg00064....](http://www.ietf.org/mail-
archive/web/dmarc/current/msg00064.html).

As for the "Original Authentication Results" it doesn't solve the problem for
most lists since it requires the destination domain to explicitly trust the
list, see [http://www.dmarc.org/pipermail/dmarc-
discuss/2012-February/0...](http://www.dmarc.org/pipermail/dmarc-
discuss/2012-February/000428.html) and [http://tools.ietf.org/id/draft-
kucherawy-original-authres-00...](http://tools.ietf.org/id/draft-kucherawy-
original-authres-00.txt). Few list admins could afford getting a trust
explicitly established with every domain where the members happen to have
mailboxes.

------
JohnTHaller
For this to fail, wouldn't the mailing list have to send the message on to its
subscribers listing it as "From" the Yahoo email address? In that case, it's
the mailing list doing it 'wrong' (in the eyes of SPF, DKIM, et al, anyway),
as they should be sending it 'from' their mailing list email address, not the
original person who sent the message. This isn't a new problem as SPF has
required mailing lists to do this for years now.

*UPDATE: Clarified 'wrong' wrt the various protocols.

~~~
dragonwriter
> For this to fail, wouldn't the mailing list have to send the message on to
> its subscribers listing it as "From" the Yahoo email address?

Yes, which many mailing lists do.

> In that case, it's the mailing list doing it wrong

Is it? Not having the actual originator as the "From:" seems to be "doing it
wrong".

~~~
vidarh
Exactly, and "From:" has "always" been expected to possibly be a different
identity to the sender of the e-mail: We have "Sender:" to indicate where the
message was sent from when "From:" does not.

------
syntheticnature
I'm amused to note that this probably applies to Yahoo Groups as well, since
it uses the yahoogroups.com domain, not a yahoo.com domain.

Looking at the headers of a recent message from a Yahoo user over Yahoo groups
it seems like it would be the case:

    dkim=pass header.i=@yahoogroups.com;
    dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com

Of course, anyone who is using Yahoo Groups regularly has probably noticed
that even with last year's redesign it's not getting much attention.

------
aendruk
Please forgive my naivety—why are mailing lists forging from addresses in the
first place? Have they just been fragilely dependent for years on the
exploitation of an authentication vulnerability?

~~~
bashcoder
Fair question. The basic internet email spec has virtually no security
features whatsoever, and is completely unauthenticated. Mailing list
management software doesn't forge sender information, but rather often retains
it and generally trusts incoming headers. Back in the old days, some folks
even referred to discussion lists as "reflectors."

The proper usage of SMTP mail headers is outlined in RFC2822 (originally
RFC822), and the definition of the headers From, Sender, Resent-From, etc. The
rules for specifying sender information are spelled out in 3.6.2. [0]

That said, system behavior also depends on if the MLM software is running
behind a mail transport agent that enforces authentication protocols for
incoming emails, scans for viruses, etc.

When discussion list owners are concerned about receiving forged posts, they
usually use list moderation features so they can ensure emails do not get
distributed that haven't been reviewed first. But the biggest problem for MLMs
isn't usually dealing with impostors, but rather blocking email-borne viruses
and misconfigured auto-responders that could cause bogus emails to get
reflected out to subscribers.

The behavior of the outgoing From header from MLM software typically depends
on the configuration of the list. Some lists (especially digests) are
configured so outgoing messages are "From" the list itself. But most
discussion lists are configured to retain the original From line, while
clarifying their role as an email proxy through other headers.

[0]
[http://tools.ietf.org/html/rfc2822#section-3.6.2](http://tools.ietf.org/html/rfc2822#section-3.6.2)

------
joemaller1
This and SpamCop flagging a bunch of Google's mail server IPs broke a bunch of
email last week.

------
kimonos
I don't use Yahoo anymore because it runs very slow for me.

------
throwwit
So would this explain a spam email in my hotmail inbox that had the same
From&To, with no mention of my actual email in the raw message source?

