The Hacker News
Yahoo! The one who enabled the HTTPS connections by default from the beginning of this year, the one who encrypts traffic moving between its data centers from 31st March, now has been accused of harming every Mailing List across the world.

Experts from the Internet Engineering Council John R. Levine, specialized in email infrastructure and spam filtering claimed this in the post titled "Yahoo breaks every mailing list in the world including the IETF's." on Internet Engineering Task Force (IETF).

Yahoo has established a new rule to automatically exclude Yahoo users from the mailing list, because Mailing List server does not comply with DMARC requirements and they strongly modifies each email.

He talks about an "emerging e-mail security scheme" known as Domain-based Message Authentication, Reporting and Conformance (DMARC) that has been implemented by almost every largest email service providers, including Gmail, Hotmail, Comcast, and Yahoo.

DMARC helps to reduce the potential for email-based abuse, such as phishing emails and email spoofing, by solving issues related to email authentication protocols. The receiver of the email performs email authentication by using the well-known Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) mechanisms.

DMARC "lets a domain owner make assertions about the From: address, in particular that mail with their domain on the From: line will have a DKIM signature with the same domain, or a bounce address in the same domain that will pass SPF [sender policy framework," Levin explained.

He claimed that the DMARC has drawback, since mailing list is the main weakness for DMARC because "Lists invariably use their own bounce address in their own domain, so the SPF doesn't match. Lists generally modify messages via subject tags, body footers, attachment stripping, and other useful features that break the DKIM signature. So on even the most legitimate list mail like, say, the IETF's, most of the mail fails the DMARC assertions, not due to the lists doing anything 'wrong'."

This would not been a major problem at a large scale but over the weekend yahoo published a DMARC record and changed it's DMARC policy to "p=reject," that suggests to reject all the mails that fails DMARC.

"I noticed this because I got a blizzard of bounces from my church mailing list, when a subscriber sent a message from her account, and the list got a whole bunch of rejections from Gmail, Hotmail, Comcast, and Yahoo itself. This is definitely a DMARC problem, the bounces say so," says Levin.

This weakness in the mailing lists is not just restricted to only the Yahoo! subscribers, in fact the subscribers at Gmail, Hotmail, Comcast etc are also facing it. There are a number of different bounces that people are reporting due to Yahoo publishing a DMARC record of p=reject.

"Since Yahoo mail provokes bounces from lots of other mail systems, innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo subscribers' messages, but all those bounces are likely to bounce them off the lists," Levin says, adding, "A few years back we had a similar problem due to an overstrict implementation of DKIM ADSP, but in this case, DMARC is doing what Yahoo is telling it to do."

Levine offers three suggestions for people who run mailing lists or other mail software that might legitimately pass on a message, to improve the condition:
  • Suspend posting permission of all addresses, to limit damage
  • Tell Yahoo users to get a new mail account somewhere else, pronto, if they want to continue using mailing lists
  • If you know people at Yahoo, ask if perhaps this wasn't such a good idea.
It might sound like a perfectly reasonable security measure, Yahoo should consider reversing the change.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.