[Vision2020] Excessive bounces

Kenneth Marcy kmmos1 at frontier.com
Sun Mar 29 18:52:09 PDT 2015


It's probably Yahoo's fault.  Here is an article that describes in some 
detail what's happening.

Note that the local telephone wiring now managed by Frontier, formerly 
Verizon, and before that GTE, is connected via Frontier to Yahoo e-mail 
servers, so that may be your connection to mis-managed e-mail obnoxiousness.

Perhaps our local ISP could comment on the latest status of this ongoing 
challenge not only for Vision 2020 but also for other mailing lists 
whose posts arrive locally via Frontier's twisted pairs.


Ken


http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html 


Yahoo email anti-spoofing policy breaks mailing lists

In an attempt to block email spoofing attacks on yahoo.com addresses, 
Yahoo began imposing a stricter email validation policy that 
unfortunately breaks the usual workflow on legitimate mailing lists.

The problem is a new DMARC (Domain-based Message Authentication, 
Reporting and Conformance) “reject” policy advertised by Yahoo to 
third-party email servers, said John Levine, a long-time email 
infrastructure consultant and president of the Coalition Against 
Unsolicited Commercial Email (CAUCE), in a message sent to the Internet 
Engineering Task Force 
<http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html> (IETF) 
mailing list Monday.

DMARC is a technical specification for implementing the SPF (Sender 
Policy Framework) and DKIM (DomainKeys Identified Mail) email validation 
and authentication mechanisms. These technologies were designed to 
prevent email address spoofing commonly used in spam and phishing attacks.

The goal of DMARC is to achieve a uniform implementation of SPF and DKIM 
among the top email service providers and other companies that want to 
benefit from email validation.

The specification introduces the concept of aligned identifiers, which 
requires the SPF or DKIM validation domains to be the same as or 
sub-domains of the domain for the email address in the “from” field. The 
domain owners can use a DMARC policy setting called “p=” to tell 
receiving email servers what should happen if the DMARC check fails. The 
possible values for this setting can be “none” or “reject.”

Over the weekend Yahoo published a DMARC record with “p=reject” 
essentially telling all receiving email servers to reject emails from 
yahoo.com addresses that don’t originate from its servers, Levine said.

While this is a good thing from an anti-spoofing perspective, it raises 
problems for legitimate mailing lists, according to the email expert.

“Lists invariably use their own bounce address in their own domain, so 
the SPF doesn’t match,” Levine said. “Lists generally modify messages 
via subject tags, body footers, attachment stripping, and other useful 
features that break the DKIM signature. So on even the most legitimate 
list mail like, say, the IETF’s, most of the mail fails the DMARC 
assertions, not due to the lists doing anything ‘wrong’.”

With the new policy, when a Yahoo user sends an email to a mailing list, 
the list’s server distributes that message to all subscribers, changing 
the headers and breaking DMARC validation. List subscribers with email 
accounts on servers that perform DMARC checks, such as Gmail, Hotmail 
(Outlook.com), Comcast or Yahoo itself, will reject the original message 
and respond back to the list with automated DMARC error messages.

For example, Gmail will respond with a message that reads: “smtp;550 
5.7.1 Unauthenticated email from yahoo.com is not accepted due to 
domain’s DMARC policy. Please contact administrator of yahoo.com domain 
if this was a legitimate mail.”

So users of Gmail, Hotmail and other DMARC-enabled providers will not 
only fail to receive messages sent to the mailing list by Yahoo users, 
but will flood the list with bounce messages, risking being bounced off 
the list themselves, Levine said.

The email expert recommended that mailing list operators suspend the 
list posting rights of yahoo.com users and ask them to re-subscribe to 
their lists with accounts from different email providers.

“We are currently experimenting with an anti-abuse technology that helps 
us protect our users from phishing and spoofing attacks,” a Yahoo 
representative said via email. “As a result of this experiment, a small 
percentage of our users who use service providers external to Yahoo may 
experience issues. Affected users can visit our help page to learn more. 
We apologize for any inconvenience this may have caused.”

Yahoo published a help page with information on how its new DMARC policy 
affects third-party email service providers.

A test of Yahoo’s DMARC records Tuesday done with a tool on dmarcian.com 
revealed that the “p=reject” setting was still in place for the 
yahoo.com domain. By comparison, gmail.com had a policy record of 
“p=none,” meaning it doesn’t tell other email servers how to handle 
messages from gmail.com addresses that fail DMARC checks.

Laura Tessmer Atkins, co-founder of email anti-spam consultancy firm 
Word to the Wise based in Palo Alto, California, also confirmed and 
documented the issue in a blog post Monday. She believes that Yahoo 
began advertising a “reject” policy because of a recent attack against 
Yahoo users that involved attackers compromising yahoo.com email 
accounts and sending unauthorized emails to their contacts.

“The attackers have modified their attacks and are now sending mail from 
Yahoo users to their contacts through other servers,” Atkins said. “By 
publishing a p=reject record, Yahoo is telling other systems to not 
accept mail from Yahoo users if it doesn’t come through Yahoo controlled 
servers. This includes the mail from the attackers, but also mail from 
regular Yahoo users that use another SMTP server, including bulk mail 
sent through ESPs [email service providers], and individual mail sent to 
mailing lists.”

DMARC.org, the industry group that oversees the development and adoption 
of the DMARC standard, did not immediately respond to a request for 
comment about the Yahoo situation. However, the frequently asked 
questions section of the group’s website acknowledges the 
interoperability problems mailing lists can have with DMARC and offers 
some recommendations.

Updated April 9 with a comment from Yahoo.


On 3/29/2015 3:33 PM, Scott Dredge wrote:
> Does anyone else receive these types of emails? I'm guessing that what 
> often happens is that Tom will send something to the viz, it gets 
> reflected to all subscribers' emails, for some reason it gets bounced 
> back as spam, undeliverable, or some other error type after which n 
> number of these bounces results in my account being disabled as if 
> this were all somehow my fault.
>
> -Scott
>
> > From: vision2020-request at moscow.com
> > To: scooterd408 at hotmail.com
> > Subject: confirm
> > Date: Sun, 29 Mar 2015 08:47:53 -0700
> >
> > Your membership in the mailing list Vision2020 has been disabled due
> > to excessive bounces The last bounce received from you was dated
> > 29-Mar-2015. You will not get any more messages from this list until
> > you re-enable your membership. You will receive 3 more reminders like
> > this before your membership in the list is deleted.
> >
> > To re-enable your membership, you can simply respond to this message
> > (leaving the Subject: line intact), or visit the confirmation page at
> >
>
>
> =======================================================
>   List services made available by First Step Internet,
>   serving the communities of the Palouse since 1994.
>                 http://www.fsr.net
>            mailto:Vision2020 at moscow.com
> =======================================================
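
Added example (not part of the original post or the quoted article): a Python sketch of the DMARC decision the article describes, showing why a yahoo.com post relayed by a list fails under "p=reject" while the same path for a "p=none" domain is not rejected. The domain lists.example.org, the record strings, and the simplified "same domain or sub-domain" alignment test taken from the article's wording are assumptions for illustration.

```python
from dataclasses import dataclass

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def aligned(auth_domain: str, from_domain: str) -> bool:
    """Simplified alignment: same domain as From:, or a sub-domain of it."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f)

@dataclass
class Received:
    from_domain: str   # domain in the From: header
    spf_pass: bool     # SPF result for the envelope (bounce) domain
    spf_domain: str
    dkim_pass: bool    # did the DKIM signature still verify on arrival?
    dkim_domain: str   # d= domain of that signature

def dmarc_result(msg: Received, record: str) -> str:
    """Return 'pass', or the policy the From: domain asks for on failure."""
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain)
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return parse_dmarc(record).get("p", "none")

# Constructed records and messages (illustrative, not captured data).
REJECT_RECORD = "v=DMARC1; p=reject"
NONE_RECORD = "v=DMARC1; p=none"
# Sent straight from the provider: SPF and DKIM both pass and align.
DIRECT = Received("yahoo.com", True, "yahoo.com", True, "yahoo.com")
# Relayed by a list: bounce address is the list's domain, footer broke DKIM.
VIA_LIST = Received("yahoo.com", True, "lists.example.org", False, "yahoo.com")
# Same list path for a domain publishing p=none.
VIA_LIST_NONE = Received("gmail.com", True, "lists.example.org", False, "gmail.com")

if __name__ == "__main__":
    print("direct           :", dmarc_result(DIRECT, REJECT_RECORD))
    print("via list, reject :", dmarc_result(VIA_LIST, REJECT_RECORD))
    print("via list, none   :", dmarc_result(VIA_LIST_NONE, NONE_RECORD))
```

In the list-relayed case SPF still passes, but for the list's own domain, so it does not count toward DMARC for the From: domain.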
