Search This Blog

Saturday 3 February 2018

Email Spam, Yahoo, DMARC and Mailing Lists: A Journey of Discovery

I belong to a small hobby organization, and assist with simple techy things that can help the group in various ways, like helping maintain the website.
A while back, the group was looking for a simpler way to be sure that they could communicate effectively and easily among the groups executive, using email.  This sounds easy, but in a group of 10, someone always seems to get left out of group emails sent from personal email accounts, or the wrong email gets included in a list, or emails get left in someone's personal list, that are no longer needed.
The group experimented with setting up a shared gmail account for this purpose, but gmail account security makes it very hard to share a single account, accessed from multiple locations.  Next up was a google discussion group, but that had it's own list of complexities.
So I suggested we just set up an Old School email list service.  You know, the ones were you define an email account, give a list of other emails to forward to, and just send anythng you want to share to it, for automatic forwarding to everyone.  The list gets maintained in one place, and we are done.
Well, they still exist, but most are commercial Marketing remailers, with tons of bells and whistles, and probably lots of other strings attached.  Some are free for entry level use, but I didn't spend too much time on them after looking into FreeLists.org .

FreeLists.org has been around for quite a while.  They are truly free, although they do not accept just anyone.  However our group met their criteria, so we set up our first list, and populated it with some emails and started testing.  Everything went fairly well, and we were happy, until one of our members sent out a test, and we discovered that his Reply To: email had been Redacted, and replaced with "dmarc-noreply@freelists.org" .  An interesting problem!  Since I already had one request for advice in the hands of the FreeLists Staff, I decided to nibble at this one for a while myself.

DMARC and Spam:
In my research, I learned there is an anti-spam toolset used by major email providers world-wide, known as DMARC.  One of the things DMARC does is allow email providers to identify the domain names they use to send email from (like gmail.com, cogeco.com, rogers.com, etc), and to embed that knowledge in several secure ways in emails and in Domain Name Servers (the "address book" of the internet), to allow receiving email services to securely determine if a given email has actually come from the email service it says it originated from (the "domain name" test).

Reject or Ignore:
Email sending services can also optionally tell a receiving email service what to do with email that fails this "domain name" test: either reject the email, or ignore it (allowing the receiving email service to decide what to do about it instead).  When DMARC was first rolled out in 2012 - 2013, this failure action was defaulted to ignore, by virtually everyone who implemented DMARC.

Yahoo got Spammed:
In early April, 2014, Yahoo.com was hit by major email spammers, who were spoofing the yahoo.com domain name, and creating havoc among yahoo email users and others.  Yahoo made a quick decision one weekend to change the DMARC failure action for their domain name from ignore to reject.  In doing so, all mail list and other remailing applications that included any yahoo email users, broke instantly  (their email spoofing problem was solved, though).  Not only did they fail, but the resulting error messages began bouncing back, and some of the bounces resulted in further rejects and bounces... See https://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html for further information.

Fixing Mail Lists:

Mail List and other remailing service providers needed to deal with this, including our Mail List provider Freelists.org.  DMARC also provided some work-arounds.  See for example https://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html . At the time, FreeLists.org Facebook page reported:
   " Freelists - Freelists.org     April 19, 2014 ·
     A solution to DMARC-related issues has been developed and is being tested on a handful of lists that reported deliverability problems to us. Should feedback be positive, we'll continue rolling this out to the entire site in the coming days.
     Let us (staff@freelists.org) know if you'd like advance access to the fix, which replaces the subscriber's From: address with an "address redacted" sort of message when posting IF his mail provider publishes DMARC records."
Another common fix was to ask Yahoo email users to switch to another major email provider, like Gmail or Outlook...

So why did our Rogers.com Member get Redacted?
Examining the email header of messages from our Rogers User showed references to Yahoo!  Now that is very interesting!  No other user of our list had such references in their email headers.  But further research quickly uncovered the fact that Rogers has outsourced it's email to Yahoo.ca!!
I then discovered the toolset at the website dmarcian.com: https://dmarcian.com/dmarc-inspector/yahoo.ca
I ran this for the Rogers.Yahoo.ca email service, and determined that "p=reject", which is why our member's email is getting redacted.  His email provider prevents him from full use of a mail list.

In conclusion, our member gets to decide if a redacted reply address is okay when he uses our list, or if he will set up a different email account, to gain full use of the list.
We can also move forward to add a list that allows us to email amongst our total membership efficiently.

No comments:

Post a Comment