Yahoo FBL problems

Multiple ESPs are reporting that the volume of Yahoo! FBL reports has slowed to a trickle over the last 24 or so hours. While we don’t know exactly what is going on yet, or if it’s on track for being fixed, there does seem to be a problem.
There have been some ongoing maintenance issues with the Yahoo! FBL, where requests for updates and changes weren’t being handled in a timely fashion. Informed speculation was that the resources needed to fix the FBL modification weren’t available. The interesting question is whether Y! will commit the resources to fix the FBL. I could make arguments either way. But Yahoo! gets the benefit of the this-is-spam button whether or not they send a complaint back to the sender.
5/21 5pm: Both Yahoo and Return Path (who administer the Y! FBL) are aware of the problem and are working on it.
5/21 6:30pm: Reports are flowing again according to multiple sources.

Related Posts

DMARC and organizations

Comcast recently published a statement on DMARC over on their postmaster page. The short version is that Comcast is publishing a DMARC record, but has no current intentions to publish a p=reject policy for Comcast user email. Comcast will be publishing a p=reject for some of their domains that they use exclusively to communicate with customers, like billing notices and security notices.
Comcast does point out that Yahoo! and AOL’s usage of p=reject is “not common usage.”
This is something a lot of people have been arguing loudly about on various mail operations lists and network lists. DMARC is about organizational identity. In fact, I was contacted about my DMARC primer and told that I didn’t mention that it’s not about domains, it’s about organizations.
The way I read the DMARC spec, it is all about organizational identity. The underlying theme being that the domain name is linked to a particular organization and everyone using email at that domain has some official relationship with that organization. I’ve always read the spec mentally replacing organization with corporate brand. This was for brands and organizations that strictly control how their domains are used, who can use those domains and how the mail is sent with those domains.
I never expected any mailbox provider or commercial ISP to publish a p=reject message as it would just break way too much of the way customers use email. And it did break a lot of legitimate and end user uses of email. Many organizations have had to scramble to update mailing list software to avoid bouncing users off the lists. Some of these upgrades have broken mailbox filters, forcing end users to change how they manage their mailboxes.
Even organizations see challenges with a p=reject message and can have legitimate mail blocked. At M3AAWG 30 in San Francisco I was talking with some folks who have been actively deploying DMARC for organizations. From my point of view anyone who wants to publish a DMARC p=reject should spend at least 6 months monitoring DMARC failures to identify legitimate sources of email. The person I was talking to said he recommends a minimum of 12 months.
This is just an example of how difficult it is to capture all the legitimate sources of emails from a domain and effectively authenticate that mail. For a mailbox provider, I think it’s nearly impossible to capture all the legitimate uses of email and authenticate them.
It remains to be seen if the other mailbox providers imitate Yahoo! and AOL or if they push back against the use of DMARC reject policies at mailbox providers. Whatever the outcome, this is a significant shift in how email is used. And we’re all going to have to deal with the fallout of that.
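
An added example (not from the original post): one way to do the monitoring described above is to tally, from the DMARC aggregate (rua) reports that receivers send back, which source IPs send mail that fails both DKIM and SPF evaluation, since that is the mail a p=reject policy would block. The report is constructed, using example.com and documentation IP ranges, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (RFC 7489 layout), not real data.
# Reports come from outside parties: in production, parse them with a
# hardened XML parser such as defusedxml and expect an optional namespace.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>8</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def failing_sources(report_xml):
    """Return (messages failing DMARC per source IP, total messages reported)."""
    root = ET.fromstring(report_xml)
    failures = Counter()
    total = 0
    for row in root.iter("row"):
        count = int((row.findtext("count") or "0").strip())
        total += count
        dkim = (row.findtext("policy_evaluated/dkim") or "fail").strip()
        spf = (row.findtext("policy_evaluated/spf") or "fail").strip()
        # DMARC passes when either aligned DKIM or aligned SPF passes,
        # so only rows where both fail would be rejected under p=reject.
        if dkim != "pass" and spf != "pass":
            ip = (row.findtext("source_ip") or "unknown").strip()
            failures[ip] += count
    return failures, total


if __name__ == "__main__":
    failures, total = failing_sources(SAMPLE_REPORT)
    failed = sum(failures.values())
    print(f"{failed} of {total} messages would be rejected under p=reject")
    for ip, count in failures.most_common():
        print(f"  {ip}: {count} failing messages, check whether this is a legitimate sender")
```

Each IP in the output is either a legitimate source that still needs authentication set up or mail that should be blocked; the monitoring period is about sorting one from the other.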


Yahoo DMARC articles worth reading

There are a bunch of them and they’re all worth reading.
I have more to say about DMARC, both in terms of advice for senders and list managers affected by this, and in terms of the broader implications of this policy decision. But those articles are going to take me a little longer to write.
How widespread is the problem? Andrew Barrett publishes numbers, pulled from his employer, related to the number of senders using @yahoo.com addresses in their commercial emails. Short version: a low percentage but a lot of users and emails in raw numbers.
What can mailing list managers do? Right now the two answers seem to be stop Yahoo.com addresses from posting or fix your mailing list software. Al has posted how he patched his software to cope, and linked to a post by OnlineGroups.net about how they patched their software.
A number of people are recommending adding an Original Authentication Results header as recommended in the DMARC.org FAQ. I’m looking for more information about how that would work.
For commercial mailers, there doesn’t seem to be that much to do except to not use an @yahoo.com address as your header-From address. Yes, this may affect delivery while you’re switching to the new From address, but right now your mail isn’t going to any mailbox provider that implements DMARC checking.
One other thing that commercial mailers and ESPs should be aware of: depending on your bounce handling processes, this may cause other addresses to bounce off the list. Once the issue of the header-From address is settled, you can reactivate addresses that bounced off the list due to authentication failures since April 4.

Yahoo update

It has been quite a while since I have had the opportunity to share information about Yahoo here on the blog, but there is new information to share.
Yesterday, Mark Risher from Yahoo spent some time talking with people about all things spam over at Yahoo. Matt from EmailKarma posted the transcripts as well as some excerpts from the talk. The really interesting bit, for me, was confirmation that Yahoo will be bringing back their FBL in the next few weeks. I have been hearing rumors about the return of the FBL for a while now, and it seems the general timeline (fall-ish) is accurate.
Speaking of the feedback loop, there have also been rumors that Yahoo is not accepting any changes to existing feedback loops. This does not seem to be the case. According to an internal person, companies who are currently in the beta FBL program can make changes to the program by contacting the postmaster team.
