<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="+1">It's probably Yahoo's fault. Here is an article
that describes in some detail what's happening.<br>
<br>
Note that the local telephone wiring now managed by Frontier,
formerly Verizon, and before that GTE, is connected via Frontier
to Yahoo e-mail servers, so that may be your connection to
mis-managed e-mail obnoxiousness.<br>
<br>
Perhaps our local ISP could comment on the latest status of this
ongoing challenge not only for Vision 2020 but also for other
mailing lists whose posts arrive locally via Frontier's twisted
pairs. <br>
<br>
<br>
Ken<br>
<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html">http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html</a>
<br>
<br>
</font>Yahoo email anti-spoofing policy breaks mailing lists <span
itemprop="articleBody text">
<section class="page">
<p>
In an attempt to block email spoofing attacks on yahoo.com
addresses, Yahoo began imposing a stricter email validation
policy that unfortunately breaks the usual workflow on
legitimate mailing lists.
</p>
<p>
The problem is a new DMARC (Domain-based Message
Authentication, Reporting and Conformance) “reject” policy
advertised by Yahoo to third-party email servers, said John
Levine, a long-time email infrastructure consultant and
president of the Coalition Against Unsolicited Commercial
Email (CAUCE), in <a
href="http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html">a
message sent to the Internet Engineering Task Force</a>
(IETF) mailing list Monday.
</p>
<p>
DMARC is a technical specification for implementing the SPF
(Sender Policy Framework) and DKIM (DomainKeys Identified
Mail) email validation and authentication mechanisms. These
technologies were designed to prevent email address spoofing
commonly used in spam and phishing attacks.
</p>
<p>
The goal of DMARC is to achieve a uniform implementation of
SPF and DKIM among the top email service providers and other
companies that want to benefit from email validation.<br>
</p>
<p> The specification introduces the concept of aligned
identifiers, which requires the SPF or DKIM validation domains
to be the same as or sub-domains of the domain for the email
address in the “from” field. The domain owners can use a DMARC
policy setting called “p=" to tell receiving email servers
what should happen if the DMARC check fails. The possible
values for this setting can be "none” or “reject.”<br>
<br>
Over the weekend Yahoo published a DMARC record with
“p=reject” essentially telling all receiving email servers to
reject emails from yahoo.com addresses that don’t originate
from its servers, Levine said.<br>
<br>
While this is a good thing from an anti-spoofing perspective,
it raises problems for legitimate mailing lists, according to
the email expert.<br>
<br>
“Lists invariably use their own bounce address in their own
domain, so the SPF doesn’t match,” Levine said. “Lists
generally modify messages via subject tags, body footers,
attachment stripping, and other useful features that break the
DKIM signature. So on even the most legitimate list mail like,
say, the IETF’s, most of the mail fails the DMARC assertions,
not due to the lists doing anything ‘wrong’.”<br>
<br>
With the new policy, when a Yahoo user sends an email to a
mailing list, the list’s server distributes that message to
all subscribers, changing the headers and breaking DMARC
validation. List subscribers with email accounts on servers
that perform DMARC checks, such as Gmail, Hotmail
(Outlook.com), Comcast or Yahoo itself, will reject the
original message and respond back to the list with automated
DMARC error messages.<br>
<br>
For example, Gmail will respond with a message that reads:
“smtp;550 5.7.1 Unauthenticated email from yahoo.com is not
accepted due to domain’s DMARC policy. Please contact
administrator of yahoo.com domain if this was a legitimate
mail.”<br>
Email<br>
<br>
So users of Gmail, Hotmail and other DMARC-enabled providers
will not only fail to receive messages sent to the mailing
list by Yahoo users, but will flood the list with bounce
messages, risking to be bounced off the list themselves,
Levine said.<br>
<br>
The email expert recommended that mailing list operators
suspend the list posting rights of yahoo.com users and ask
them to re-subscribe to their lists with accounts from
different email providers.<br>
<br>
“We are currently experimenting with an anti-abuse technology
that helps us protect our users from phishing and spoofing
attacks,” a Yahoo representative said via email. “As a result
of this experiment, a small percentage of our users who use
service providers external to Yahoo may experience issues.
Affected users can visit our help page to learn more. We
apologize for any inconvenience this may have caused.”<br>
<br>
Yahoo published a help page with information on how its new
DMARC policy affects third-party email service providers.<br>
<br>
A test of Yahoo’s DMARC records Tuesday done with a tool on
dmarcian.com revealed that the “p=reject” setting was still in
place for the yahoo.com domain. By comparison, gmail.com had a
policy record of “p=none,” meaning it doesn’t tell other email
servers how to handle messages from gmail.com addresses that
fail DMARC checks.<br>
<br>
Laura Tessmer Atkins, co-founder of email anti-spam
consultancy firm Word to the Wise based in Palo Alto,
California, also confirmed and documented the issue in a blog
post Monday. She believes that Yahoo began advertising a
“reject” policy because of a recent attack against Yahoo users
that involved attackers compromising yahoo.com email accounts
and sending unauthorized emails to their contacts.<br>
<br>
“The attackers have modified their attacks and are now sending
mail from Yahoo users to their contacts through other
servers,” Atkins said. “By publishing a p=reject record, Yahoo
is telling other systems to not accept mail from Yahoo users
if it doesn’t come through Yahoo controlled servers. This
includes the mail from the attackers, but also mail from
regular Yahoo users that use another SMTP server, including
bulk mail sent through ESPs [email service providers], and
individual mail sent to mailing lists.”<br>
<br>
DMARC.org, the industry group that oversees the development
and adoption of the DMARC standard, did not immediately
respond to a request for comment about the Yahoo situation.
However, the frequently asked questions section of the group’s
website acknowledges the interoperability problems mailing
lists can have with DMARC and offers some recommendations.<br>
<br>
Updated April 9 with a comment from Yahoo.<br>
<br>
</p>
</section>
</span><br>
<div class="moz-cite-prefix">On 3/29/2015 3:33 PM, Scott Dredge
wrote:<br>
</div>
<blockquote cite="mid:BAY178-W13994F61E66570A02DF01EE4F60@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
<div dir="ltr">Does anyone else receive these types of emails?
I'm guessing that what often happens is that Tom will send
something the viz, it gets reflected to all subscriber's emails,
for some reason it gets bounced back as spam, undeliverable, or
some other error type after which n number of these bounces
results in my account being disabled as if this were all somehow
my fault.<br>
<br>
-Scott<br>
<br>
<div>> From: <a class="moz-txt-link-abbreviated" href="mailto:vision2020-request@moscow.com">vision2020-request@moscow.com</a><br>
> To: <a class="moz-txt-link-abbreviated" href="mailto:scooterd408@hotmail.com">scooterd408@hotmail.com</a><br>
> Subject: confirm<br>
> Date: Sun, 29 Mar 2015 08:47:53 -0700<br>
> <br>
> Your membership in the mailing list Vision2020 has been
disabled due<br>
> to excessive bounces The last bounce received from you
was dated<br>
> 29-Mar-2015. You will not get any more messages from this
list until<br>
> you re-enable your membership. You will receive 3 more
reminders like<br>
> this before your membership in the list is deleted.<br>
> <br>
> To re-enable your membership, you can simply respond to
this message<br>
> (leaving the Subject: line intact), or visit the
confirmation page at<br>
> <br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">=======================================================
List services made available by First Step Internet,
serving the communities of the Palouse since 1994.
<a class="moz-txt-link-freetext" href="http://www.fsr.net">http://www.fsr.net</a>
<a class="moz-txt-link-freetext" href="mailto:Vision2020@moscow.com">mailto:Vision2020@moscow.com</a>
=======================================================</pre>
</blockquote>
<br>
</body>
</html>