AOL Bans Mail From DSL-Hosted Servers
kmself writes "As first reported at linux-elitists by Aaron Sherman, and with a demonstration of the denial at zIWETHEY, AOL has begun blocking mailservers identified with residential DSL lines as an anti-spam measure, apparently heedless of the huge collateral damage this move imposes (and guess who can't send mail to Mom...). This action was unannounced, and has received virtually no coverage, save an oblique mention at News.com. It also violates SMTP RFCs, as Aaron points out, not to mention the 'good neighbor' conventions of Internet communications. Mail to AOL's postmaster is also bounced -- this is RFC-ignorant.
I strongly recommend that as a compensatory measure, non-AOL MTAs be configured to deny all incoming mail from AOL's domain."
If AOL doesn't want to accept your mail, that's their choice. It's their network, and their mail servers. Of course, when AOL customers find that they can't receive any email, AOL might lose business.
Like all other spam blocking attempts, there will be collateral damage. They try to keep their customers happy, and the market decides if they succeeded.
Bullshit. I pay for connectivity and know what I'm doing, and run my own SMTP server. If you don't want my email, you certainly don't have to accept it, but I'll run my own anyway, and the ignorant among you can just not communicate with me.
I run my own mail server on a "business DSL" connection with a static IP address, but it runs to my home and I doubt there is any genuine distinction between "residential" and "business" DSL lines. I run my own server, of course, so that I can have a fairly powerful set of spam filters at the server side, in addition to a complex set of client-side spam filters -- all because I receive hundreds of spam emails per day, including dozens that I can identify as coming from AOL-owned servers.
I assume that AOL has only disabled receipt of email from DSL lines, and continues to send its customers' spam to folks like me. It's hard to know, since my filters already reject more than 98% of incoming email delivery attempts.
Let's at least try to be fair to AOL: they are just like the rest of us, forced to seek out triage solutions to the increasingly aggressive strategies used by spammers. Until a new structure is widely adopted for exchange of email (something that allows for true source verification and financial compensation for abuse), triage is the only solution that will work. Hence I block nearly all email from earthlink servers and customers, as well as juno.com and HUNDREDs of other domain names and IP addresses.
-- http://www.MarkWelch.com/ Pleasanton California
I currently don't have mod points or you and others who have said the same thing would be modded up.
There's no RFC that says you have to accept mail from *everyone*. You're free to bounce mail to whomever you like.
As to why this is an effective technique:
1) Most of these "home servers" don't have a PTR record at all.
2) Those that do, almost NEVER have one pointing to the domain they claim to be receiving for.
3) All these residential users should be using their ISP as a relay. That's what the ISP is there for.
4) Since there's no reason for them to need to send it out *not* through the ISP as a relay host, the majority of these users are spammers or just ignorant. In the first case, it's good to block them. In the second, maybe they will get a clue.
I'm generally against crippling services on the ISP end, but I've even thought that maybe it's high time that ISPs do what AOL does, and block outbound port 25. Incoming is another story, but as the parent and I have pointed out, the residential users should be using their ISP's mail servers as relay hosts.
- Serge Wroclawski
If this turns into the death of SMTP, I won't cry.
The fact is, SMTP is based on the flawed assumptions that every e-mail sent is one that the recipient wants to see because nobody would ever spam, and that there's no harm in letting the message travel unencrypted because nobody would ever snoop.
It's time for reform in the overall e-mail system, the only problem is that there's a huge installed user base that'd be forced to upgrade in order for a new e-mail protocol to work. It's gonna take something silly like this to get out of hand for that to happen.
What about game servers - I can't host a match of Age Of Kings for my friends?
So, really, those TOS are a joke. A bit OT, all of this, I guess.
Switch back to Slashdot's D1 system.
The United States Postal Service has announced it will stop delivering any mail from Florida, due to the large number of mail-order scams originating from that state.
Don't laugh too hard on that one, there are schemes in place of trying to privatize and eliminate the whole of the US mail system including first class postage. While it might be neat to have all your mail sent by one company like UPS and while the post office does need to get its act together ASAP, my concern is that rural areas would be stuck with only one greedy private company as their only means of communication (thus making it expensive to send or receive mail at all). Remember, the postal system in the US is a time-honored tradition that has been the envy and model for the rest of the planet. It is also in good working order, thus if AOL chooses not to accept e-mail anymore, why not just bombard them with snail mail? We could also return their bloody disks right back to them while we're at it. Maybe after they get several hundred thousand they'll get the hint.
And if you think the AOL-Time-Warner lawyers will allow their most lucrative domain to be taken from them then I have to disagree. I figure they've already got a loophole in the fine print somewhere that is as easily exploited as the pictures of children for those old Sally Struthers commercials (the ones where the kids keep starving but she kept growing). There has to be some reason behind this that is not yet shared, hopefully their decision has a more rational basis than some of the arguments for privatizing the US postal system.
As long as there is a Second Amendment, there will always be a First Amendment.
50% of the spam I receive has an odd number of letters in the domain name, but I wouldn't consider filtering based on that.
A 70% false negative rate is pretty meaningless without knowing the false positive rate as well.
What percentage of your non-spam email comes from DSL IPs?
Sounds like a load of claptrap to me.
Care to cite an RFC that suggests such a thing?
How about a good network reason why email should be relayed instead of sent directly?
-- this is not a
Actually, we should; it's called putting pressure on the corporation. If we were to pressure the corp, then they'll give in if enough users are f-ed up.
You don't need a new protocol. The one we have will work fine.
What people need to do is stop trusting every email connection that's made, and instead insist that every email connection comes from a listed MX.
This is easy to do: check the MXes for the domain listed in the SMTP "MAIL FROM" command (not to be confused with the "From:" header in the email message itself) and reject the connection if the IP address of the connection doesn't match one of the listed MXes for the domain. If you want to send email from a system that isn't a real MX, list it as a low priority one and block incoming SMTP traffic to that box (something anyone with any brains will be doing anyway), so that all incoming email goes only to the MXes that can handle incoming email.
End result: it forces spammers to buy a domain (that won't last very long since it'll be blacklisted immediately if it starts sending spam), makes it easy to create useful blacklists that work, and ultimately significantly increases the costs of spamming. And finally provides a way of reliably ignoring open relays (because you can blacklist the domain associated with the open relay).
And all of this can be done now, with no changes to SMTP required at all.
So why are we all sitting around on our asses complaining about spam when a viable solution already exists?
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
But having your own SMTP server doesn't provide any functionality that you can't get from Comcast at base price anyway.
Actually, it provides three bits of functionality:
This move by AOL is a good thing.
No, actually, it's a fucking bad thing. But you won't realize it until the day that you want to send your friend on MSN email but can't, and neither of you can talk to your parents who are on AOLMail, both of which are playing games to close their protocols to make sure that GnuMail can't play.
Providing an open replacement for SMTP that has the authentication and accountability that SMTP is sorely lacking would be a good thing. Segregating the Internet address space into ghettoes is not.
Right, I'll bite.
Let's pretend I am an idiot who has a cable modem. And let's pretend that said cable modem issues an IP within the verboten range. And now let's pretend that I have my own email domain completely unrelated to that of my ISP's, and that I use sendmail to send mail out.
With me so far?
Now, let's pretend that said ISP has implemented authentication requirements -- in other words, I must identify myself with a SMTP AUTH username and password before my ISP's server will accept my outbound mail.
So. How do I configure my sendmail so that it uses my ISP's server as a relay (SMARTHOST definition) but feeds it the magic username and password first?...
Any ideas?
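An added illustration, not part of the question above or of the sendmail project: the wire exchange that a relay client performs when the ISP's smarthost demands SMTP AUTH. In sendmail this is what SMART_HOST plus FEATURE(authinfo) in sendmail.mc, with an AuthInfo: entry for the smarthost in /etc/mail/authinfo, set up; the Python below reproduces that exchange offline against a toy relay on loopback that refuses MAIL FROM until an AUTH PLAIN (RFC 4616: base64 of "\0user\0password") succeeds. Hostnames, credentials, addresses and the message are all invented for the example.

```python
import base64
import smtplib
import socketserver
import threading

RELAY_USER = "isp-account"     # hypothetical relay credentials
RELAY_PASS = "correct horse"


class ToyRelayHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP server that refuses MAIL FROM until AUTH PLAIN succeeds."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        authed = False
        self.reply("220 relay.isp.example ESMTP toy relay")
        while True:
            raw = self.rfile.readline()
            if not raw:                       # client hung up without QUIT
                return
            line = raw.decode(errors="replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb == "EHLO":
                # advertise only AUTH PLAIN so smtplib picks that mechanism
                self.wfile.write(b"250-relay.isp.example\r\n250 AUTH PLAIN\r\n")
            elif verb == "AUTH":
                # "AUTH PLAIN <base64 of \0user\0password>"
                parts = line.split(" ")
                try:
                    _, user, pwd = base64.b64decode(parts[2]).decode().split("\0")
                except (IndexError, ValueError):
                    self.reply("501 malformed AUTH PLAIN")
                    continue
                authed = user == RELAY_USER and pwd == RELAY_PASS
                self.reply("235 authenticated" if authed else "535 authentication failed")
            elif verb == "MAIL":
                self.reply("250 sender ok" if authed else "530 authentication required")
            elif verb == "RCPT":
                self.reply("250 recipient ok")
            elif verb == "DATA":
                self.reply("354 end data with <CRLF>.<CRLF>")
                while self.rfile.readline() not in (b".\r\n", b".\n", b""):
                    pass                      # swallow the message body
                self.reply("250 queued")
            elif verb == "QUIT":
                self.reply("221 bye")
                return
            else:
                self.reply("502 command not implemented")


def start_relay():
    """Start the toy relay on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), ToyRelayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def relay_attempts(port):
    """First try MAIL FROM with no credentials (what a plain SMART_HOST does),
    then authenticate the way an authinfo entry makes sendmail do it."""
    sender, rcpt = "me@home.example", "friend@aol.example"         # hypothetical
    msg = "Subject: test\r\n\r\nsent through the ISP relay\r\n"    # constructed

    with smtplib.SMTP("127.0.0.1", port, timeout=5) as unauth:
        unauth.ehlo()
        unauth_code, _ = unauth.mail(sender)          # relay answers 530

    with smtplib.SMTP("127.0.0.1", port, timeout=5) as auth:
        auth.ehlo()
        auth.login(RELAY_USER, RELAY_PASS)            # sends AUTH PLAIN <base64>
        refused = auth.sendmail(sender, [rcpt], msg)  # {} means every RCPT accepted

    return {"unauthenticated_code": unauth_code, "refused_recipients": refused}


def run_demo():
    server, port = start_relay()
    try:
        return relay_attempts(port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The toy relay skips STARTTLS; a real smarthost should require it before AUTH PLAIN, since the credentials travel base64-encoded, not encrypted.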
you should read everything on the internet as if it had "but I'm probably talking out of my ass" appended to it.
It isn't worth a whole hell of a lot.
I have several customers who have Verizon DSL, but have domains hosted elsewhere, with mail hosted elsewhere, without authenticated SMTP relay. I would imagine, while certainly doing this to decrease their spam problem, that there's some sort of collusion (spoken or unspoken) industry wide to try and force ISP customers to use their bandwidth provider's services, hence making them more money.
Never invited 15 friends to a barbecue?
Never tried to announce a new baby to more than 10 people?
Never sent out "I'm moving, my new snail mail address is..."?
I guess if you don't have more than 10 friends, you'd never need to bcc more than 10 people. But if that's the case, I feel sorry for you.
Which in itself is an RFC violation.
Give me a Visa card with a $2000 limit and I can own about 200 domains inside of 24 hours. Considering SPAMmers are purchasing $750k houses with the proceeds from their efforts, I'd say that's not a huge problem.
Now consider what happens when SPAMmers start routinely issuing "MAIL FROM: <kcbrown@sysexperts.com>"
Oh, wait, they already do that, and implementations like you suggest would only re-double their efforts. I'd rather not find myself at the wrath of people who have the capabilities to send 10 billion messages/month in my name, thanks.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
> reject the connection if the IP address of the connection doesn't match one of the listed MXes for the domain
Wrong assumption: incoming SMTP server = outgoing SMTP server. Many large and small organizations use different machines to receive and send mail via SMTP. In other words, you'll end up rejecting a huge (50-80?) percentage of legitimate mail.
The domains aren't their only expense. Now they also have to pay for their own hosting as well, as well as for the DNS servers that will be authoritative for their domains. They won't be able to make nearly as much use of open relays because the domains associated with any open relays will be blacklisted as quickly as theirs (and the definition of an "open relay" becomes more complicated under my scheme anyway, because an open relay has to either claim that it's sending your email under its domain or it has to be listed as an MX for your domain).
Those 200 domains aren't going to last you very long...perhaps a couple of weeks once the blacklisting mechanisms become good (and note that blacklisting can happen on a local level now, too). So that $2000 you talk about grows to $50,000 over the course of a year. That's going to eliminate a lot of spammers.
What happens when they do that is that the system they're connecting to looks up the MXes for sysexperts.com and -- surprise -- finds out that the IP address the connection is coming from doesn't match any of the MX records for sysexperts.com...and drops the connection right then and there. It doesn't register the sysexperts.com domain in the blacklist because there's no need: it's obvious that the connection was a forgery! The purpose of the blacklist is to eliminate domains that are successfully sending spam, i.e. the ones for which the connection address matches the MX lookup but for which the payload is still spam -- the domains that either belong to the spammers or which are open relays, in other words.
Spammers will be able to send email in your name just as they can right now, but only because the enforcement mechanism I describe operates on information from the "MAIL FROM" SMTP command and not the "From:" header. It would be possible to enforce it on the "From:" header, too, but that will cause a lot more inconvenience, since some people legitimately rely on the ability to define the "From:" header to be whatever they want.
Now, you may be right about the economic argument, but the technique I describe will simultaneously cost spammers more money (which is always a good thing) and more time and make it easier to fight spam at the same time, because blacklists will become a lot more effective (since now you can target domains instead of dynamically-assigned IP addresses) and a lot fairer (since you won't be targeting netblocks that could contain legitimate users). To relate back to the original article, because it'll completely eliminate the need to block IP addresses and will thus drastically reduce the need for ISPs to block SMTP (inbound or outbound).
By the way, I think it's ridiculous for ISPs to be blocking SMTP when they could easily limit the number of outbound SMTP connections originating from any of their IP addresses to something low enough to make spam impractical but high enough for legitimate use.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
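An added example, not code from any of the posters: the two connection-time checks argued about in this thread, the PTR test Serge Wroclawski describes (does the connecting IP have reverse DNS, does it resolve forward again, and is it under the domain the client claims) and the MX-match test kcbrown proposes (accept MAIL FROM only if the connecting IP is one of the envelope domain's listed MXes, and treat a mismatch as a forgery rather than blacklisting the domain). DNS is replaced by constructed tables using the documentation address ranges, so the names and addresses are invented; the sample connections include the case raised in the reply above, a legitimate outbound host that is not listed as an MX, which the MX check rejects while the PTR check passes it.

```python
import ipaddress

# Constructed stand-in for DNS. Real code would query a resolver; every
# name and address here is invented for the example.
MX = {   # domain -> [(preference, mail exchanger)]
    "sysexperts.example": [(10, "mx1.sysexperts.example"), (90, "out.sysexperts.example")],
    "bigcorp.example": [(10, "inbound.bigcorp.example")],
}
A = {    # host -> [IPv4]
    "mx1.sysexperts.example": ["192.0.2.10"],
    "out.sysexperts.example": ["192.0.2.11"],
    "inbound.bigcorp.example": ["198.51.100.5"],
    "outbound.bigcorp.example": ["198.51.100.6"],
    "dsl-77.isp.example": ["203.0.113.77"],
}
PTR = {  # IPv4 -> reverse name; 203.0.113.78 deliberately has none
    "192.0.2.10": "mx1.sysexperts.example",
    "192.0.2.11": "out.sysexperts.example",
    "198.51.100.5": "inbound.bigcorp.example",
    "198.51.100.6": "outbound.bigcorp.example",
    "203.0.113.77": "dsl-77.isp.example",
}


def fcrdns(peer_ip, helo_name):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to
    peer_ip and sit under the domain given in HELO. The 'domain' is taken
    as the last two labels, a simplification that is wrong for e.g. co.uk."""
    name = PTR.get(peer_ip)
    if name is None:
        return False, "no PTR record"
    if peer_ip not in A.get(name, []):
        return False, f"PTR {name} does not resolve back to {peer_ip}"
    helo_domain = ".".join(helo_name.lower().split(".")[-2:])
    if not name.lower().endswith(helo_domain):
        return False, f"PTR {name} is not under claimed domain {helo_domain}"
    return True, f"{peer_ip} <-> {name} confirmed"


def mail_from_domain(cmd):
    """Domain of the envelope sender in 'MAIL FROM:<user@domain>' (the SMTP
    command, not the From: header); None for the null sender used by bounces."""
    if not cmd.upper().startswith("MAIL FROM:"):
        raise ValueError("not a MAIL FROM command")
    addr = cmd.split(":", 1)[1].strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if addr else None


def mx_addresses(domain):
    """Addresses of every MX host for domain, any preference. A domain with
    no MX is treated as its own MX, as RFC 5321 section 5.1 requires."""
    hosts = [host for _pref, host in MX.get(domain, [])] or [domain]
    return {ip for host in hosts for ip in A.get(host, [])}


def mx_match(peer_ip, mail_from_cmd):
    """Accept MAIL FROM only if the connecting IP is a listed MX for the
    envelope domain. A mismatch is a forgery: reject it, don't blacklist."""
    domain = mail_from_domain(mail_from_cmd)
    if domain is None:
        return True, "null sender, nothing to verify"
    peer = str(ipaddress.ip_address(peer_ip))
    if peer in mx_addresses(domain):
        return True, f"{peer} is an MX for {domain}"
    return False, f"{peer} is not an MX for {domain}: treated as forged, {domain} not blacklisted"


# Constructed connections: (peer IP, HELO name, MAIL FROM command)
SAMPLE = [
    ("192.0.2.10", "mx1.sysexperts.example", "MAIL FROM:<kcbrown@sysexperts.example>"),   # primary MX
    ("192.0.2.11", "out.sysexperts.example", "MAIL FROM:<kcbrown@sysexperts.example>"),   # outbound box listed as low-priority MX
    ("203.0.113.77", "mail.sysexperts.example", "MAIL FROM:<kcbrown@sysexperts.example>"), # DSL host forging the envelope
    ("203.0.113.78", "mail.sysexperts.example", "MAIL FROM:<kcbrown@sysexperts.example>"), # same, and no PTR at all
    ("198.51.100.6", "outbound.bigcorp.example", "MAIL FROM:<ceo@bigcorp.example>"),       # real sender, not an MX
    ("203.0.113.77", "dsl-77.isp.example", "MAIL FROM:<>"),                                # bounce from the DSL host
]


def evaluate(connections=SAMPLE):
    """Run both checks over the sample; returns [(peer, fcrdns_ok, mx_ok)]."""
    return [(ip, fcrdns(ip, helo)[0], mx_match(ip, cmd)[0]) for ip, helo, cmd in connections]


if __name__ == "__main__":
    for ip, helo, cmd in SAMPLE:
        print(ip, "|", fcrdns(ip, helo)[1], "|", mx_match(ip, cmd)[1])
```

The fifth connection is the disagreement in the thread made concrete: bigcorp's outbound host has a perfectly good PTR but is not an MX, so the MX-match rule refuses its mail until the operator also lists that host as a low-priority MX.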
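An added example, not from the poster: the per-IP cap on outbound SMTP connections suggested in the comment above, written as the detection logic an ISP would run over its own flow records rather than as a router configuration. The window, the limit, the addresses and the log lines are all invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed policy window
LIMIT = 5                     # assumed cap: port-25 connections per source IP per WINDOW

# Constructed flow log: timestamp, source IP, destination IP:port.
SAMPLE_FLOWS = """\
2003-01-20T10:00:00 10.0.0.5 -> 192.0.2.10:25
2003-01-20T10:05:00 10.0.0.5 -> 192.0.2.20:25
2003-01-20T10:05:01 10.0.0.9 -> 198.51.100.5:25
2003-01-20T10:05:02 10.0.0.9 -> 198.51.100.6:25
2003-01-20T10:05:03 10.0.0.9 -> 198.51.100.7:25
2003-01-20T10:05:04 10.0.0.9 -> 198.51.100.8:25
2003-01-20T10:05:05 10.0.0.9 -> 198.51.100.9:25
2003-01-20T10:05:07 10.0.0.9 -> 203.0.113.4:80
2003-01-20T10:05:09 10.0.0.9 -> 198.51.100.10:25
2003-01-20T11:30:00 10.0.0.5 -> 192.0.2.30:25
2003-01-20T11:30:00 10.0.0.5 -> 192.0.2.30:443
"""


def parse_flow(line):
    """'2003-01-20T10:00:00 10.0.0.5 -> 192.0.2.10:25' -> (datetime, src, dst, port)."""
    stamp, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(stamp), src, dst, int(port)


def outbound_smtp_offenders(log_text, limit=LIMIT, window=WINDOW):
    """Sliding-window count of port-25 connections per source IP.
    Returns {src_ip: timestamp of the connection that first exceeded limit}."""
    recent = defaultdict(deque)       # src -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, port = parse_flow(line)
        if port != 25:
            continue                   # only outbound SMTP counts against the cap
        hits = recent[src]
        while hits and ts - hits[0] > window:
            hits.popleft()             # expire connections older than the window
        hits.append(ts)
        if len(hits) > limit and src not in offenders:
            offenders[src] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in outbound_smtp_offenders(SAMPLE_FLOWS).items():
        print(f"{ip} exceeded {LIMIT} SMTP connections/hour at {when.isoformat()}")
```

With these numbers the home server 10.0.0.5 (three deliveries spread over ninety minutes) never trips the cap, while 10.0.0.9 does on its sixth port-25 connection in eight seconds; tuning LIMIT is the whole policy question, since the same count that stops a spam run also stops the "invite 15 friends" mail that comes up earlier in the thread if it is set too low.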
If you actually *break* the protocol on the other hand, then things will probably get a little more ugly.
Then it's time for it to get ugly. AOL breaks the protocol by issuing a 550 (not a 554) and not leaving the session open until timeout or client issues "QUIT" (you are allowed to say "553 Get bent" to every command issued, but you're not allowed to disconnect).
Let the blacklisting of AOL begin!
RFCs aside, though, they're blacklisting folks for getting an address assigned by a protocol. This is arbitrary and foolish. It also eliminates a lot of good mail.
I'll keep running my mail server, and AOL can keep ignoring me, but I'm going to start sending my friends and family to AOL's competition, much as I hate to because that's mostly folks like MSN and the regional phone companies.
IMO too much time is spent ranting about how Tha Man is keeping the $30/mo broadband user down by not allowing the minority who know how to run a secure server to use their residential line as a commercial line. We should be putting a hell of a lot more energy bitching about the masses of clueless users who randomly click on any email attachment they get, setup their P2P apps in slut-mode, and otherwise connect to the Internet in such a way that they become:
- just another hop for viruses to propagate through
- just another misconfigured AnalogX proxy or Lovgate infected SMTP/NNTP open relay
- just another DDoS drone host
It's sad, but the majority of broadband users have forced this action. If people understood the concepts of due diligence and responsibility we wouldn't have David Ritz and others spending huge amounts of time battling USENET spam, ISPs getting slammed with DoS all the time (and I mean that literally), and spam gangs doing automated scans of broadband networks for open relays so they can spread their email pollution. It's a myth that spam only comes from networks in Asia that don't give a damn. It comes from Ma and Pa's Windows 98 box that got infected with one of several variants of Lovgate and helps spam the planet, all from their speedy little DSL/cable connection.
Before the /. community jumps down AOL's throat at this carpet-bomb tactic, we need to realize that it is a business response to the realities of security on broadband networks. If users took responsibility for their connections and had good firewalls, anti-virus and intelligent email practices then this problem probably wouldn't exist.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'