AOL Bans Mail From DSL-Hosted Servers

kmself writes "As first reported at linux-elitists by Aaron Sherman, and with a demonstration of the denial at zIWETHEY, AOL has begun blocking mailservers identified with residential DSL lines as an anti-spam measure, apparently heedless of the huge collateral damage this move imposes (and guess who can't send mail to Mom...). This action was unannounced, and has received virtually no coverage, spare an oblique mention at News.com. It also violates SMTP RFCs, as Aaron points out, not to mention the 'good neighbor' conventions of Internet communications. Mail to AOL's postmaster is also bounced -- this is RFC-ignorant. I strongly recommend that as a compensatory measure, non-AOL MTAs be configured to deny all incoming mail from AOL's domain."

Good move

[Adnans]

If you have DSL you should still use your upstream SMTP server for outgoing mail. About 90% of incoming SPAM on my box originates from Windows boxes on DSL lines with open relays. I've set up exim to ignore all incoming SMTP calls from dsl hosts (*.dsl.*) and also to block hosts without proper reverse-DNS. These 2 simple steps take care in blocking a huuuge quantity of incoming SPAM at the doorstep...It's not fullproof, but it helps a great deal.

-adnans

Re:Good move

[SoupIsGood+Food]

Verifying reverse-DNS isn't a terribly good idea... you're blocking mail comming from sites that do virtual hosting. In the olden days of one-to-one mapping of hostname and IP, it was a smart move. Now, when a single box can host hundred domains or more, filtering out connections from domains without reverse-DNS is going to cause more problems than it solves.

SoupIsGood Food

Re:Good move

[raju1kabir]

All these residential users should be using their ISP as a relay. That's what the ISP is there for.

I have Verizon DSL. Their relay won't let me send mail with any return address other than @verizon.net. That's completely useless, so I don't use it. Are you honestly saying that all broadband customers should restrict their email addresses to those assigned by their bandwidth providers?

Re:Good move

[doorbot.com]

1) Most of these "home servers" don't have a PTR record at all.
2) Those that do, almost NEVER have one pointing to the domain they claim to be recieving for.

Maybe because that would cost me even more money, and I don't see the need to pay for that, when all I really need is a static IP. If you want to pay for it, though, drop me an email (if you can).

3) All these residential users should be using their ISP as a relay. That's what the ISP is there for.

Except I have to pay for this service too. If I want to host my own domain, I can do it with Linux and an MTA. I don't need to rely on Pacific Bell, and more importantly I don't need to pay them extra for a service I can provide on my own.

4) Since there's no reason for them to need to send it out *not* through the ISP as a relay host, the majority of these users are spammers or just ignorant. In the first case, it's good to block them. In the second, maybe they will get a clue.

Pacific Bell's mail servers have been blacklisted in the past, thanks to these spammers. My IP, however, has never been blacklisted. If I tried to relay out through my ISP's SMTP server, I would have a hard time delivering my email.

I agree with your points, but in reality it is a flawed plan. All it takes is one spammer to get an ISP's mail server blacklisted (and I think we all know how quickly the ISPs react to get themselves removed from the lists). At least with my DSL line, as long as I am (apparently now it's "was") a good citizen, I could send mail to whomever I wanted.

If it comes down to me relaying through my ISP, I'll probably bounce through the server at work. Unfortunately, not everyone has that option.

Re:Good move

[chill]

Really? You just pay for connectivity? Who is your provider? I need to switch!

Of course, if you mean you didn't read your TOS and only THINK you are playing just for connectivity, then never mind.

Re:Good move

[Mastoid]

I have Verizon DSL. Their relay won't let me send mail with any return address other than @verizon.net. That's completely useless, so I don't use it.

True. In fact, Verizon requires that you both use a From address for a domain that they host (such as bellatlantic.net or verizon.net, or a domain you pay them to host) and authenticate with their outgoing relay.

However, for what it's worth, you can put whatever you want as a Reply-To.

This didn't start April 10th ...

[dougmc]

The first I noticed it was March 27th (and I don't email my dad @ AOL that often, so it probably happened even before that ...)

The original message was received at Thu, 27 Mar 2003 13:35:36 -0600
from dougmc@localhost

----- Transcript of session follows ----- ... while talking to mailin-03.mx.aol.com.:
550-The IP address you're using to connect to AOL is either open to the
550-free relaying of e-mail, is serving as an open proxy, or is a dynamic
550-(residential) IP address. AOL cannot accept further e-mail
550-transactions from your server until either your server is closed to free
550-relaying/proxy, or your ISP removes your IP address from their list of
550-dynamic IP addresses. For additional information, please visit
550 http://postmaster.info.aol.com. ... while talking to mailin-04.mx.aol.com.:

Open Proxy Madness

[Akai]

As a network engineer of a DSL and T1 only ISP (we have dialup but only for traveling DSL/T1 customers) I can let you know that this will probably stop oodles of spam.

The latest spammer tactic is not to seek out open relays, but open windows proxies, and from there they can initial outbound SMTP connections to legit SMTP servers and send spam.

Already a large number of dialup providers will only allow you to send through their mail server, and a larger number of ISPs user the DUN RBL to block email directly from dialup pools.

This is just more of the same. Your ISP should provide you with SMTP service, use them as a smart host even if you're running your own SMTP server, so it'll offload the requeing/etc from your box to theirs.

DSL and Cable are the new dialup, and should be treated as such, a place where the majority of the customers are clueless idiots who ruin the party for the smart people.

Several ISPs are starting to scan mail servers sending them mail for open proxy/open relay before accepting the mails, expect to see this practive and AOL's solution spread to most ISPs in the near future.

If you want to run a real mail server, perhaps you should get a real internet conenction, like Colocation or T1.

Trivial fix

[harlows_monkeys]

In /etc/mail/sendmail.mc:

define(`SMART_HOST',`smtp.server.of.you.isp')

You want these rights for *YOUR* MTA, right?

[Cirkit]

I'd expect users of RBLs (see http://www.spews.org) and certainly the denizens of NANAE to argue that they have the right to refuse to receive email from anyone, for any reason, since that mailserver is private property.

It can be used in ways you like (refusing emails from Verizon's corporate HQ because they refuse to kick their spammers) or in ways you don't like (making it more difficult to send outgoing mail), but I don't see how you can reasonably kick and scream against one and not the other.

Actually, several providers have been refusing email from dial-up pools for a year or more, which is what caused me to decide that I would need to send outbound email through my ISP. IIRC, attbi refused email from my server on my ISDN line over a year ago.

The solution isn't difficult - go dig around on your ISP's website (or call them) and figure out the mailserver that you'd be using if you WEREN'T running your own MTA. Set your mail server to relay outbound emails through them. (See your man pages - it isn't difficult.) There's NO way your ISP's mailserver is going to refuse to accept your email, since if they did, no one not running an MTA could get email out. Sure, you'll have an extra line of headers in your outbound email, but it doesn't seem like such a big deal. Was the location of your mail server a secret anyway?

Of course, if your ISP is a notorious hoster of spammers, you're going to need to find a new ISP. You didn't really want to support those spammers anyway, did you?

Re:bouncing mail to postmaster?

[Zocalo]

Nope. It's actually in RFC2821 section 4.5.1 - Minimum Implementation:

Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox "postmaster" as a case-insensitive local name. This postmaster address is not strictly necessary if the server always returns 554 on connection opening (as described in section 3.1). The requirement to accept mail for postmaster implies that RCPT commands which specify a mailbox for postmaster at any of the domains for which the SMTP server provides mail service, as well as the special case of "RCPT TO:" (with no domain specification), MUST be supported.

SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet. In extreme cases --such as to contain a denial of service attack or other breach of security-- an SMTP server may block mail directed to Postmaster. However, such arrangements SHOULD be narrowly tailored so as to avoid blocking messages which are not part of such attacks.

Note that there are no punitive measures are listed at all, in fact the worst that can happen for bending an RFC is that you will be named and shamed on a site like www.rfc-ignorant.org and maybe be blocked by some system admins. If you actually *break* the protocol on the otherhand, then things will probably get a little more ugly... ;)

Re:No problem

[Zocalo]

I've never had a single spam message from those places.

I've had a few, but in the main, you are correct in saying not much spam comes from aol.com. However, an awful lot of spam *claims* to come from aol.com, even when it actually originates in China, Korea, or some spamhaus in the USA/EU. For this reason refusing mail from aol.com and others may give exceedingly good results with low enough colateral damage to be bearable for some home mail server operators.

Re:heh...

[ThreeZee]

550-The IP address you're using to connect to AOL is either open to the 550-free relaying of e-mail, is serving as an open proxy, or is a dynamic 550-(residential) IP address. AOL cannot accept further e-mail 550-transactions from your server until either your server is closed to free 550-relaying/proxy, or your ISP removes your IP address from their list of 550-dynamic IP addresses. For additional information, please visit 550 http://postmaster.info.aol.com. Comcast IPs are now blocked also. (That's cable!)

No, it's NOT a good move, censors lists and boards

[SuperBanana]

If you have DSL you should still use your upstream SMTP server for outgoing mail.

If I did that, I'd be accused of spamming by my ISP, since I run a VERY high volume mailing list. We have approximately 12 lists; the bigest list has 1,500 subscribers and gets about 100 emails a DAY. We have another major list that's about 500 people and similar volume.

About 90% of incoming SPAM on my box originates from Windows boxes on DSL lines with open relays.

99% of MY spam comes from chinese and eastern european ISPs that don't give a crap what people do with their internet connections. The solution is not blacklisting DSL and cable connections(because, among other things, it's not easy to switch, unlike dialup.) The solution is cutting off bad ISPs from backbones...but that's not likely to happen any time soon, because the backbone providers don't give a crap- every packet is money in their pocket, regardless of what kind of packet it is.

And guess what? If you are getting lots of spam from DSL/Cable users, it's really easy to solve. Report it. If there's a report of spam, the ISP disconnects the customer until they fix it. Imagine how fast people will learn to keep their machine clean if their internet connection goes down. ISPs will whine about the work, but, gee, that's like the gas station attendant whining about having to give directions to people all the time. Comes with the territory, bub.

It's ignorant people like you(who think "since -I- don't need to send mail directly, neither does anyone else!") that cause people like me grief.

We get next to NO money from subscribers to pay for costs- $5 donations here and there. DSL and Cable offer a nice, cheap way to host a mailing list, or a webboard; we don't use very much bandwidth at all, and occasional hiccups aren't a problem, especially given the design of SMTP; if at first you don't succeed, try, try, again. Commercial DSL is just less down bandwidth, slightly more up bandwidth, a 'real' static IP instead of a DHCP-assigned address that basically never changes...and a HELL of a lot more expensive. Oh, and instead of telling you to go screw yourself when you scream at them for your line being down, they -politely- tell you there's nothing they can do(and, by the way, -please- go screw yourself.)

Luckily, we're sucking bandwidth off a hosting company that has graciously allowed the box to sit off their network- but if they tank, we'll be screwed- commercial hosting runs about $90+ or more, and our box isn't rackmountable, so there's another $25-50/mo.

Slowly but surely, the media companies are doing their best to squeeze out other sources of competition- the little guys. Check your Terms of Service/Acceptable Use Policy. My home connection(ATTBI, now Comcast) has banned "messageboards and mailing lists" for years, along with FTP, web, mail, IRC...and specifically states it's an "entertainment service", and I am a "consumer" of that service- ie, sit down, shut up, and be a good little consumer of mass web media. How dare you produce your OWN media...

No, you did not

[autopr0n]

There is no way to Spam from AOL/Yahoo or Hotmail. It's physically impossible for a common user to do it.

What is possible to do to forge a 'from' address in an email header. Look again at the emails you have in your spam bucket and look at the recived-from: header. I'll bet you $100 they didn't come from anywhere with a '.yahoo.com' at the end.

Excellent point

[KMSelf]

I hadn't considered that, but they've got a $1 billion interest in just that area.

Re:ummmm...

[darkonc]

One thing that you can do is foreward your email through your ISP. If you're using Sendmail this is done with the smarthost entry:

# "Smart" relay host (may be null)
DSmail.MyISP.net

would forward youre spam (er, email) through the box mail.myISP.net . Most ISPs have a designated server that will allow email forewarding from anybody in their network space.

Selective relaying with sendmail

[Piquan]

My ISP has not shown that its servers are reliable. I like to be able to use mailq to see what's backed up. I'd also like to be able to use my own mailer's parameters for bounces. There's lots of reasons to prefer to use your own mailer instead of your ISP's, even if you technically could use your ISP's. But now, you'll want to relay through your ISP for all the mail that AOL won't accept, while sticking to your own SMTP services for everything else. That's what this document is for.

I encourage people to write corresponding documents for other MTAs. Also, some people can only send mail through their ISP with their ISP-assigned username. It's possible to configure sendmail to adapt AOL-bound mail to have the ISP-assigned sender. That is not discussed in this document; email me if you need it, and I'll write a followup post.

HOWTO: Configuring Sendmail to use your ISP's relay for AOL

This uses the sendmail mailertable feature. The mailertable feature allows you to specify the mailer and relay parameters for individual domains. That's exactly what we need here.

1. First, you'll need mailertable support in your sendmail config. Grep your sendmail.cf for the string "Id: mailertable.m4". If it's in there, you've got it and can skip the next step.
2. Since you don't have mailertable support, you'll need to add the following line to your .mc file:

   FEATURE(mailertable, `hash -o /etc/mail/mailertable')

   Note that the first quote is a backquote! After you do this, you'll need to rebuild your sendmail.cf file. (On FreeBSD, you can just run 'make' in /etc/mail to do this. You can also use the following command (it's on one line):

   m4 -D_CF_DIR_=/path/to/sendmail/cf/ /path/to/sendmail/cf/m4/cf.m4 sendmail.mc > sendmail.cf

   You'll need to put sendmail.cf in its proper place, usually /etc/mail but sometimes /etc or elsewhere.
3. Create a file /etc/mail/mailertable. In it, add lines like the following:

   aol.com esmtp:relay.my-isp.net
   earthlink.net esmtp:relay.my-isp.net

   Fill in relay.my-isp.net with your ISP's relay hostname.
4. Rebuild the mailertable file. On FreeBSD, you can just run 'make' in /etc/mail to do this. You can also use the following command:

   makemap hash mailertable.db < mailertable

5. Restart sendmail. On FreeBSD, you can just run 'make restart' in /etc/mail. Other OS's may vary.

Remember that some ISPs may require you to use your ISP-assigned email address to relay through them. This won't help with that, but there's easy solutions for it. (This sort of thing is where Sendmail rocks.) Email me if you need it, and I'll post a followup.

Re:Privatized mail

[innocent_white_lamb]

And frankly our postal system is a bargain. Try sending 2 oz letter 3500 miles for $0.36 in any other country in the world.

48 cents in Canada, which is about 31 US cents at current exchange rates.

Try again.

Re:bouncing mail to postmaster?

[ajs]

It's worse. Here are the ways that I know AOL is violating RFCs for valid mail traffic:

1. Mail bound for postmaster@aol.com is not accepted.

2. They issue a 550 response before the client has a chance to issue a greeting. There are two allowed responses at that point: 554 and 220. 550 is right out.

3. They disconnect before the client issues a "QUIT" command or times out. Also bogus.

AOL is playing a game of chicken here to see how much of the net will blacklist them for breaking the RFCs. Once they smell blood in the water because not enough sites care, they can pretty much start writing their own book....

More reasons why this is necessary:

[scrain]

Let me preface this with a disclaimer. I worked in AOL's mail and anti-spam groups for 5 years, ending back about a 2 years ago. I still keep in touch with the people back there, and I have a good idea what's up, as I still work in the anti-spam 'industry'.

Not that anyone will see this, as it's on the second page of comments...

A massive percentage of spam (well over 50%) comes from compromised windows boxes running either trojan software to open ports for spammers to proxy through, software like AnalogX that does the same, or just users who somehow manage to set up a proxy that's open to the world. There's also a big problem with a LOT of the DSL hardware on the market, that allows people to proxy through it transparently, via use of a security hole. Check Bugtraq if you want to find details.

These broadband connections are where the spammers are headed for anonymity. Yeah, sure, there's still a bunch of big-time professional spammers out there who spam away from their often-moving netblocks. That bunch isn't so hard to keep up with.

There's also the problem of Klez and other SMTP aware worms that busily want to send you lots of infected mail. Sure, *nix users don't really care about that, but companies like AOL, with a crapload of less-than-savvy users have to.

It's been this way for 56k dialups for about 3 years or so... but the noise about that only lasted a few weeks, much like this will. If your DSL company can't support your needs, vote with your feet! Switch your service to one that can. If Verizon can offer you service, you can pretty much bet that Covad can too.

(shameless plug: Check out lmi.net for that stuff.. small companies make for better service, and if you need the medium-sized company feel, go with Speakeasy.)

So what if you have a contract... if they can't get your mail to AOL with the right domain, it sounds like grounds to break it to me. =)