On Sat, Oct 24, 2015 at 05:56:58PM +0100, Brad Rogers wrote:
> I've not paid much attention to yahoo recently, I admit. However, I've
> more than three dozen spam mails arrive here from broken/hacked yahoo
> accounts in the last 24 hours. Of course, my experience may not reflect
> the norm. Can a sample of one ever do so? (rhetorical question)

True and you may well be right. My experience may not reflect the norm either.

> I'd argue the other way; Mailing lists (MLs) existed before the
> necessity for these security measures. Such security measures should
> allow for the existence of MLs and not 'break' them. Now, if the
> security brigade had worked _with_ ML authors rather than simply
> ignoring them, maybe the breakage could have been avoided. No doubt it
> would require give and take on both sides to get working properly.

I've long agreed with you and even argued this way in IETF groups.

I've come to change my mind and see that the DMARC setting helped them fight abuse taking place at that very moment, at a relatively minor cost (very few people use mailing lists). I've also come to see that the way mailing lists work, though completely valid according to all standards, makes it impossible for domain owners to protect the occurrence of their domain in the From field. This is bad for security and goes against how many people expect email to work.

It is not uncommon for new security measures, often unilaterally decided by the Googles and Microsofts of this world (almost always the former, actually), to prevent people from using things that have worked fine for years. Think of stricter SSL/TLS requirements that prevent you from accessing an internal server, even though the threats the measures protect against aren't relevant at all. It's always sad when it happens, but often these things are in the common interest.

> In the end though, I think big business is trying to kill off email -
> simply because it's extremely hard to monetise.

I don't think Google, Yahoo, Microsoft and many other local webmail providers would agree with that. Email is relatively cheap to run anyway. These companies also tend to run hosted email solutions, which are quite popular and likely make them quite a bit of money. Probably so much that it might be worth running the free webmail service purely for the extra telemetry (which can be used to improve spam filters etc) it gives.

Also, if Yahoo and AOL had wanted to let email die, they wouldn't care very much about spam. The strict DMARC setting, whether you agree with it or not, was an active way to fight that.

> I trust you mean by that that all email should be encrypted, rather than
> the more common usage of 'plain text vs HTML'.

I actually meant unencrypted data in general, whether it's SMTP, HTTP or something else.

> I agree. The trouble is
> most people are too naive (of email technology) to understand just how
> insecure it is. Furthermore, until encryption "just works" most people
> aren't interested enough to learn about it, never mind actually use it.

Yes, email has some fundamental issues when it comes to security in general and encryption in particular. I hope we can slowly replace it with something better.

Martijn.
-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq