Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Yahoo has a false positive problem and then rolls it back

Yahoo has a false positive problem and then rolls it back

  • Comments 1

JD Falk of Box of Meat has a post that describes a problem Yahoo had with one of its new email security features. The article states that the problem arose when Yahoo decided to stop any emails going through the servers, which it runs for its partner BT (British Telecom), that did not have a matching BT/Yahoo address in the From: field.  People who tried to send using their own domain names found the email did not get sent, and received a confusing message that they had "error 553" and offered a link where they could validate their domain.

The theory behind this is that Yahoo doesn't want spammers spoofing the From: field in messages using their service so they were going to cut everyone off who was doing that.  The bad thing is that lots of people do it for legitimate reasons.  Back in January of this year, I blogged about outbound spam filtering and listed a bunch of scenarios that we could implement in order to stop it. 

One that we examined internally (but I never blogged about) was stopping people from sending mail from (From:) domains that they don't have listed in our admin center.  We dropped that idea when we learned that we have piles and piles of clients that do this.  One example is real estate agents that send outbound mail through us but have Reply-To's to a Yahoo.com email address, for example.  You may be saying "Well, they shouldn't do that."  Be that as it may, people do it and we need to work around it.  Yahoo's case is a perfect example.

It appears that Yahoo opted for my option 3 that I did post about 4 months ago.  Had Yahoo consulted my blog, they would have read that it was a complex option to implement and that it could annoy users to have to click a link to get their message through.  I didn't write it at the time, but I should have added that it was far more likely to confuse users than annoy them.

Let this be a lesson for all of us: users are not easily fooled but they are easily confused.

Leave a Comment
  • Please add 1 and 4 and type the answer here:
  • Post
  • Actually, it wasn't me who wrote the boxofmeat post you're referring to -- I worked on that particular feature when I was one of Yahoo! Mail's anti-spam product managers, so it wouldn't be appropriate for me to comment publicly now.

    The Box of Meat tumblog has a variety of contributors; I'm just one of 'em.

Page 1 of 1 (1 items)