AOL, Yahoo email problems show limits of email security

Summary: Two very large email providers decide to deal with phishing and other attacks by setting a harsh DMARC policy, causing a storm of bounce messages.

For over ten years, standards bodies and others have worked to add measures of authentication to the SMTP email system in order to stop abusive email. A very large percentage of abusive email employs some technique to hide its true origin, the classic example being the phishing message that purportedly comes from support@paypal.com.

The current state of the art in email authentication is DMARC (Domain-based Message Authentication, Reporting & Conformance), which mixes DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) to strengthen confidence that mail that says it is "From:" a certain domain is, in fact, from that domain.

But, as John Levine, who has long been involved in the drafting of these standards, has shown, both AOL and Yahoo have recently taken DMARC a bit too seriously, causing more trouble than they solve. If you have been receiving a lot of bounce messages lately, it's likely because of this problem.

[Image: "Yahoo: How can I recognize a phishing email?"]

Here is Levine's definition of the relevant parts of DMARC. It's medium-technical, but there's no way to give a complete explanation in the space I have here:

    DMARC lets a domain owner make assertions about mail that has their domain in the address on the From: line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation. The domain owner can also offer policy advice about what to do with mail that doesn't have matching DKIM or SPF, ranging from nothing to reject the mail in the SMTP session. The assertions are in the DNS, in a TXT record at _dmarc.domain. You can see mine at _dmarc.taugh.com.

Perhaps out of frustration with all the phishing and other abuse using their domains, both AOL and Yahoo have recently published DMARC policies telling receivers to reject email that claims to be From: their domains but fails the DMARC tests. The problem with this is that lots of legitimate email fails DMARC tests, the most prominent example being mailing lists. Lists commonly modify various headers when sending content out, so when a message From: an AOL or Yahoo user goes to a mailing list, and the mail server for a recipient of the message checks DMARC, it will reject the message and send a bounce.
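To make the alignment rules in Levine's description and the mailing-list failure concrete, here is an added illustration (not code from the article, from Levine, or from AOL/Yahoo) that parses a _dmarc TXT record and evaluates a message the way a receiving server would. The DMARC records and the list domain lists.example.org are constructed samples.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse the 'tag=value; ...' body of a _dmarc.<domain> TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy defaults to monitoring only
    tags.setdefault("adkim", "r")     # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); real receivers use the
    Public Suffix List, but this suffices for the sample domains below."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain; strict ('s'): exact match."""
    if not auth_domain:               # '' means no DKIM/SPF result to compare
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record: dict, from_domain: str, dkim_domain: str,
                      spf_domain: str, spf_pass: bool) -> str:
    """Action the From: domain's policy requests: 'deliver', 'quarantine' or
    'reject'. dkim_domain is the d= of a signature that verified ('' if none);
    spf_domain is the envelope (bounce) domain SPF was evaluated for."""
    dkim_ok = aligned(from_domain, dkim_domain, record["adkim"])
    spf_ok = spf_pass and aligned(from_domain, spf_domain, record["aspf"])
    if dkim_ok or spf_ok:             # DMARC passes if either identifier aligns
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine",
            "reject": "reject"}[record["p"]]

# Constructed records: a p=reject policy like the ones AOL and Yahoo published,
# and the monitoring-only p=none alternative.
REJECT_RECORD = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.net")
NONE_RECORD = parse_dmarc_record("v=DMARC1; p=none")

def mailing_list_case(record: dict) -> str:
    """From: user@aol.com relayed by a list (hypothetical lists.example.org) that
    rewrites headers, re-signs with its own key and uses its own bounce address."""
    return dmarc_disposition(record, "aol.com", "lists.example.org",
                             "lists.example.org", spf_pass=True)

def direct_case(record: dict) -> str:
    """The same user sending directly: AOL's own DKIM signature aligns."""
    return dmarc_disposition(record, "aol.com", "aol.com", "aol.com", spf_pass=True)
```

Under the p=reject record the relayed post is rejected and bounced, exactly the failure described above, while the same message sent directly is delivered; under p=none the receiver would only report it.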

As Levine says, this is understandable, if not excusable. The policy blocks a lot of spam, but it blocks a lot of legitimate mail in the process. So far AOL and Yahoo are suggesting that everyone else change the way they have always done things in order to work within the new restrictions.

It may end up that way: mailing lists and other mechanisms that modify headers (like "Send this article" features) will have to compromise their usability in order to accommodate DMARC. Email security wasn't supposed to have so much collateral damage.

Talkback

15 comments
  • Mr. Seltzer, What is your solution to this?

    Larry

    Thank you for an informative article. I was one of many that got burned by the latest spoofing episode due to my AOL account. I had the account for 18 years with no problems. It seems that the perpetrators have AOL users' contact lists and could continue this spoofing scam forever if AOL did not take this action. Is it more effort to have the mailing list be altered to show the actual "From" instead of spoofing and have a "Reply to" in the body of the email than to close accounts for AOL users and lose all the historical emails and change email accounts for logins for websites like ZDNet? It seems from the web messages that closed accounts and dormant accounts were also used.

    On a side humorous note, the techie snobs had a field day making fun of people still using AOL accounts. It seems having the latest domain email account is the new cool.

    Thank you
    dvpatel
    • Who says I have a solution?

      But I'd be rich if I did.

      The problem with making mailing lists compliant with DMARC is that they become much less usable then. You'd need to do stuff like create virtual addresses for everyone (larry.seltzer@listserver.com), not insert anything in the subject, etc.
      larry@...
  • Thank you for information.

    Larry

    Thank you for the clarification and additional explanation.

    Thank you
    dvpatel
  • Thanks for the information

    Does explain a few problems. It is not only listservers that can come aground on this issue. We often send out confirmation emails on behalf of our clients to our clients customers.
    chips@...
    • Yeah, bad news

      They just weren't very forward-looking when they set up SMTP, and now it's so pervasive we're stuck with it.
      larry@...
      • I've grown to hate email...

        ...because of stuff like this. It's a nightmare for sysadmins. SPF, DKIM, DMARC, blacklists... It's a never-ending pile of half-baked fixes to the fundamentally flawed SMTP protocol that only ends up resulting in more "brokenness."

        SMTP is an anachronism from a time when people actually trusted each other. Unfortunately the trust it's built upon no longer exists.
        spackle
  • Looking for clarity

    I'm curious about the statement that Yahoo & AOL's DMARC reject policy is "causing more trouble than it solved". How are you measuring the relative value?

    Thanks in advance for the added clarity.
    jtrentadams
  • newsletters? bah! let dmarc banish them!

    if the strict dmarc works, then that's absolutely wonderful. if it stops the spam, the phishing, etc., then the collateral damage to newsletters means even less email to sort through. it's like who really wants newsletters anymore??? really for me, newsletters are like bothersome cluttering up my inbox when personally have no time to read them. and particularly if you did NOT subscribe to them in the first place. oftentimes it's like HOW DID MY EMAIL GET ON A NEWSLETTER MAILING LIST??? some so-called newsletters are just like spam. so, treat them all the same. thank you for the strict dmarc.
    i-want-gizmos
    • You are confused

      Listservs are not "newsletter mailing lists". No one would be worried about the stupid newsletter spam, nor is it affected by this change. Listservs are mailing lists that a person not only actively subscribes to, but typically replies to. It is an interactive system; think of it as a distributed forum.

      Most of the web technologies used to create and deliver this page are open source projects completely coordinated via a mailing list. It is a cheap, "thin" structure used to distribute important discussions to a wide audience.

      You can thank Yahoo and AOL for the DMARC if you want to, but you're talking out of your rear. This change makes the internet harder to improve for the people working behind the scenes on technologies that you use to cheer like an idiot for the wrong thing. I guess you'll realize it when you get another spam newsletter later today.
      GRMule
  • De-worm, De-louse

    All of these 3rd party emails are basically spam anyway. And who relies on a listserv in 2014? Just put up a forum or blog site, use RSS, etc.

    Getting rid of all of this crap might make SMTP mail useful once again.
    dilettante
    • Worms on the brain

      Listservs are not "basically spam", it is content that people actively interact with.

      Who uses listservs in 2014? The HTML5 working group, the ECMAScript working group, PHP internals, browser working groups, etc., etc., etc. More than half the open source technologies that drive the internet are managed on listservs.
      GRMule
      • DMARC was probably conceived on a listserv

        ^
        GRMule
        • AOL and Yahoo currently had no choice but to protect their users from spoofing

          Hopefully the tech community can ultimately figure out a solution. Until then AOL users like me need this in place since our accounts were compromised. Spoofers were using my email to send spam and possibly viruses to all my contacts and there was nothing I or AOL could do until strict DMARC. The technical community should look at this as a challenge to improve security, etc.
          On another note, spam in my spam folder and directly in my inbox was greatly reduced.
          dvpatel
  • You'd be surprised!

    I help to facilitate online support groups that use "Mailman" to communicate. These groups are comprised of brain tumor patients and their loved ones and have been a lifeline for many members (literally). We have over 1,000 members distributed all over the world who rely heavily on each other. This move by Yahoo and AOL has caused some major inconveniences for our members. At this point, we are not allowing any of them to post using their yahoo or aol addresses. Many are just changing to other services but some will be lost to us altogether because of this. Listservs happen to be a very effective way for our groups to communicate. Many of our members have difficulty using computers to begin with. Email based mailing lists make it about as easy as it gets.

    I don't wish a brain tumor on anyone, but dilettante may someday find himself/herself or somebody he/she cares for in a similar situation. I hope Yahoo and AOL don't do to them what they've done to some of our members.
    BTfacilitator
  • My AOL address is 25 years old

    and is my permanent address. Unfortunately, the best solution for listservs would be to ban AOL & Yahoo addresses from joining.

    That said, however, I was just told by Yahoo to use only Yahoo servers to send my emails from my GMail-run ISP address if I want to send/receive to/from Yahoo. Except, I DON'T HAVE a Yahoo account!
    romad@...