Slashdot Mirror


AOL Bans Mail From DSL-Hosted Servers

kmself writes "As first reported at linux-elitists by Aaron Sherman, and with a demonstration of the denial at zIWETHEY, AOL has begun blocking mailservers identified with residential DSL lines as an anti-spam measure, apparently heedless of the huge collateral damage this move imposes (and guess who can't send mail to Mom...). This action was unannounced, and has received virtually no coverage, spare an oblique mention at News.com. It also violates SMTP RFCs, as Aaron points out, not to mention the 'good neighbor' conventions of Internet communications. Mail to AOL's postmaster is also bounced -- this is RFC-ignorant. I strongly recommend that as a compensatory measure, non-AOL MTAs be configured to deny all incoming mail from AOL's domain."

16 of 882 comments

  1. It's their network. by cperciva · · Score: 5, Insightful

    If AOL doesn't want to accept your mail, that's their choice. It's their network, and their mail servers. Of course, when AOL customers find that they can't receive any email, AOL might lose business.

    Like all other spam blocking attempts, there will be collateral damage. They try to keep their customers happy, and the market decides if they succeeded.

    1. Re:It's their network. by Boss,+Pointy+Haired · · Score: 5, Insightful

      Yes, but have they told their subscribers?

      You don't know you haven't got what you didn't get.

  2. AOL's triage spam solution: block email from DSL by markwelch · · Score: 4, Insightful
    Wow, perhaps this explains the huge upsurge in the number of non-received emails. People in my Rotary club are baffled that I am not responding to their emails, and it certainly seems to be all the AOL folks. Are they rejecting emails, or blackholing them?

    I run my own mail server on a "business DSL" connection with a static IP address, but it runs to my home and I doubt there is any genuine distinction between "residential" and "business" DSL lines. I run my own server, of course, so that I can have a fairly powerful set of spam filters at the server side, in addition to a complex set of client-side spam filters -- all because I receive hundreds of spam emails per day, including dozens that I can identify as coming from AOL-owned servers.

    I assume that AOL has only disabled receipt of email from DSL lines, and continues to send its customers' spam to folks like me. It's hard to know, since my filters already reject more than 98% of incoming email delivery attempts.

    Let's at least try to be fair to AOL: they are just like the rest of us, forced to seek out triage solutions to the increasingly aggressive strategies used by spammers. Until a new structure is widely adopted for exchange of email (something that allows for true source verification and financial compensation for abuse), triage is the only solution that will work. Hence I block nearly all email from earthlink servers and customers, as well as juno.com and HUNDREDs of other domain names and IP addresses.

    --
    -- http://www.MarkWelch.com/ Pleasanton California
  3. Re:Good move by SWroclawski · · Score: 5, Insightful

    I currently don't have mod points or you and others who have said the same thing would be modded up.

    There's no RFC that says you have to accept mail from *everyone*. You're free to bounce mail to whomever you like.

    As to why this is an effective technique:

    1) Most of these "home servers" don't have a PTR record at all.

    2) Those that do, almost NEVER have one pointing to the domain they claim to be receiving for.

    3) All these residential users should be using their ISP as a relay. That's what the ISP is there for.

    4) Since there's no reason for them to need to send it out *not* through the ISP as a relay host, the majority of these users are spammers or just ignorant. In the first case, it's good to block them. In the second, maybe they will get a clue.

    I'm generally against crippling services on the ISP end, but I've even thought that maybe it's high time that ISPs do what AOL does, and block outbound port 25. Incoming is another story, but as the parent and I have pointed out- the residential users should be using their ISP's mail servers as relay hosts.

    - Serge Wroclawski

  4. Re:Eathlink does this too. by LostCluster · · Score: 4, Insightful

    If this turns into the death of SMTP, I won't cry.

    The fact is, SMTP is based on the flawed assumptions that every e-mail sent is one that the recipient wants to see because nobody would ever spam, and that there's no harm in letting the message travel unencrypted because nobody would ever snoop.

    It's time for reform in the overall e-mail system, the only problem is that there's a huge installed user base that'd be forced to upgrade in order for a new e-mail protocol to work. It's gonna take something silly like this to get out of hand for that to happen.

  5. Re:If you want to send mail... by moonbender · · Score: 4, Insightful
    Those no-server TOS are a joke, anyway. I mean, what qualifies as a server? Apache probably does. Does an Apache modified to only allow access to a small number of people? Does a similarly restricted ftpd? Okay, so how about ICQ? It's a client to the ICQ network, but it's kind of a hybrid, as it responds to requests of other clients, as well. IRC/DCC? Most/All of the P2P programs are client/server hybrids.
    What about game servers - I can't host a match of Age Of Kings for my friends?

    So, really, those TOS are a joke. A bit OT, all of this, I guess.

    --
    Switch back to Slashdot's D1 system.
  6. Privatized mail by Dukeofshadows · · Score: 4, Insightful

    The United States Postal Service has announced it will stop delivering
    any mail from Florida, due to the large number of mail-order scams originating from that state


    Don't laugh too hard on that one, there are schemes in place of trying to privatize and eliminate the whole of the US mail system including first class postage. While it might be neat to have all your mail sent by one company like UPS and while the post office does need to get its act together ASAP, my concern is that rural areas would be stuck with only one greedy private company as their only means of communication (thus making it expensive to send or receive mail at all). Remember, the postal system in the US is a time-honored tradition that has been the envy and model for the rest of the planet. It is also in good working order, thus if AOL chooses not to accept e-mail anymore, why not just bombard them with snail mail? We could also return their bloody disks right back to them while we're at it. Maybe after they get several hundred thousand they'll get the hint.

    And if you think the AOL-Time-Warner lawyers will allow their most lucrative domain to be taken from them then I have to disagree. I figure they've already got a loophole in the fine print somewhere that is as easily exploited as the pictures of children for those old Sally Struthers commercials (the ones where the kids keep starving but she kept growing). There has to be some reason behind this that is not yet shared, hopefully their decision has a more rational basis than some of the arguments for privatizing the US postal system.

    --
    As long as there is a Second Amendment, there will always be a First Amendment.
    1. Re:Privatized mail by LamerX · · Score: 5, Insightful

      I don't understand why everyone is so down on the USPS. I've never seen packages arrive late. My mail, which sits out in an unlocked box on the street, never gets messed with, it always arrives at its destination, and it seems to get there pretty quick. I mean, which method do you notice EVERY company sends out bills? I've never seen anyone send bills via UPS or FedEx, even though according to many people the USPS sucks....

    2. Re:Privatized mail by EvilTwinSkippy · · Score: 5, Insightful
      They can't tweak it too hard.

      According to the constitution, by law Congress must provide a postal system. Short of a constitutional amendment, they are just a lawsuit away from any "reform" ideas being thrown out.

      And frankly our postal system is a bargain. Try sending 2 oz letter 3500 miles for $0.36 in any other country in the world.

      Now if you only had a telephone and a broadband service like that...

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  7. Re:About Time by AnotherBlackHat · · Score: 4, Insightful

    30% of the spam that comes in to our mailserver is from residential dsl ip's.

    50% of the spam I receive has an odd number of letters in the domain name,
    but I wouldn't consider filtering based on that.
    A 70% false negative rate is pretty meaningless without knowing the false positive rate as well.
    What percentage of your non-spam email comes from dsl ip's?


    If you are dial up or home dsl you should not be talking directly to smtp servers anyway you should be sending mail through your provider.


    Sounds like a load of claptrap to me.
    Care to cite an RFC that suggests such a thing?
    How about a good network reason why email should be relayed instead of sent directly?

    -- this is not a .sig
  8. Re:What a Terrific Idea... by Squidgee · · Score: 4, Insightful
    Yeah...because when a big corporation does something wrong, we should exact revenge upon all of its customers.

    Actually, we should; it's called putting pressure on the corporation. If we were to pressure the corp, then they'll give in if enough users are f-ed up.

  9. Re:Eathlink does this too. by kcbrown · · Score: 4, Insightful
    It's time for reform in the overall e-mail system, the only problem is that there's a huge installed user base that'd be forced to upgrade in order for a new e-mail protocol to work. It's gonna take something silly like this to get out of hand for that to happen.

    You don't need a new protocol. The one we have will work fine.

    What people need to do is stop trusting every email connection that's made, and instead insist that every email connection comes from a listed MX.

    This is easy to do: check the MXes for the domain listed in the SMTP "MAIL FROM" command (not to be confused with the "From:" header in the email message itself) and reject the connection if the IP address of the connection doesn't match one of the listed MXes for the domain. If you want to send email from a system that isn't a real MX, list it as a low priority one and block incoming SMTP traffic to that box (something anyone with any brains will be doing anyway), so that all incoming email goes only to the MXes that can handle incoming email.

    End result: it forces spammers to buy a domain (that won't last very long since it'll be blacklisted immediately if it starts sending spam), makes it easy to create useful blacklists that work, and ultimately significantly increases the costs of spamming. And finally provides a way of reliably ignoring open relays (because you can blacklist the domain associated with the open relay).

    And all of this can be done now, with no changes to SMTP required at all.

    So why are we all sitting around on our asses complaining about spam when a viable solution already exists?

    --
    Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
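
An added example, not code from any commenter or from AOL: one way to express the PTR checks SWroclawski lists and the "connection must come from a listed MX" rule kcbrown proposes. The `ZONE` table stands in for real DNS lookups and is constructed; `check_sender`, `envelope_domain` and all hostnames and addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data: example domains, documentation address ranges.
ZONE = {
    "MX": {"example.org": ["mx1.example.org", "out.example.org"],
           "example.net": ["mail.example.net"]},
    "A": {"mx1.example.org": ["192.0.2.10"],
          "out.example.org": ["192.0.2.25"],   # send-only, low-priority MX
          "mail.example.net": ["198.51.100.5"],
          "relay.example.net": ["198.51.100.77"]},  # outbound, not an MX
    "PTR": {"192.0.2.10": "mx1.example.org",
            "192.0.2.25": "out.example.org",
            "198.51.100.77": "relay.example.net",
            "203.0.113.44": "dsl-203-0-113-44.isp.example"},
}

def envelope_domain(mail_from):
    """Domain of the SMTP MAIL FROM path (not the From: header), or None."""
    local, sep, domain = mail_from.strip().strip("<>").rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else None

def check_sender(client_ip, mail_from, zone=ZONE):
    """Return (verdict, reasons) for one inbound SMTP connection."""
    ip = str(ipaddress.ip_address(client_ip))  # raises ValueError on junk
    if mail_from.strip() == "<>":
        # Bounces use the null reverse-path; there is no domain to compare.
        return "unchecked", ["null reverse-path"]
    domain = envelope_domain(mail_from)
    if domain is None:
        return "reject", ["no usable MAIL FROM domain"]
    reasons = []
    ptr = zone["PTR"].get(ip)
    if ptr is None:
        reasons.append("no PTR record")
    elif ptr != domain and not ptr.endswith("." + domain):
        reasons.append("PTR outside sender domain")
    mx_ips = {a for host in zone["MX"].get(domain, [])
              for a in zone["A"].get(host, [])}
    if ip not in mx_ips:
        reasons.append("client IP is not a listed MX")
    return ("accept" if not reasons else "reject"), reasons

if __name__ == "__main__":
    for ip, frm in [("192.0.2.10", "<alice@example.org>"),
                    ("203.0.113.44", "<alice@example.org>"),
                    ("198.51.100.77", "<bob@example.net>")]:
        print(ip, frm, check_sender(ip, frm))
```

The `relay.example.net` case shows the collateral damage discussed in the thread: a legitimate outbound relay with a matching PTR is still rejected until its domain lists it as an MX.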
  10. Re:This is a good thing by bourne · · Score: 4, Insightful

    But having your own SMTP server doesn't provide any functionality that you can't get from Comcast at base price anyway.

    Actually, it provides three bits of functionality:

    • Performance (less stupid delays)
    • Reliability (less insanely stupid delays)
    • Intelligent anti-spam, based on more complex thinking than "Hell, let's just block a /8."

    This move by AOL is a good thing.

    No, actually, it's a fucking bad thing. But you won't realize it until the day that you want to send your friend on MSN email but can't, and neither of you can talk to your parents who are on AOLMail, both of which are playing games to close their protocols to make sure that GnuMail can't play.

    Providing an open replacement for SMTP that has the authentication and accountability that SMTP is sorely lacking would be a good thing. Segregating the Internet address space into ghettoes is not.

  11. Re:Eathlink does this too. by Blkdeath · · Score: 4, Insightful
    What people need to do is stop trusting every email connection that's made, and instead insist that every email connection comes from a listed MX.

    Which in itself is an RFC violation.

    End result: it forces spammers to buy a domain (that won't last very long since it'll be blacklisted immediately if it starts sending spam), makes it easy to create useful blacklists that work, and ultimately significantly increases the costs of spamming. And finally provides a way of reliably ignoring open relays (because you can blacklist the domain associated with the open relay).

    Give me a Visa card with a $2000 limit and I can own about 200 domains inside of 24 hours. Considering SPAMmers are purchasing $750k houses with the proceeds from their efforts, I'd say that's not a huge problem.

    Now consider what happens when SPAMmers start routinely issuing "MAIL FROM: <kcbrown@sysexperts.com>"

    Oh, wait, they already do that, and implementations like you suggest would only re-double their efforts. I'd rather not find myself at the wrath of people who have the capabilities to send 10 billion messages/month in my name, thanks.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  12. Re:bouncing mail to postmaster? by ajs · · Score: 4, Insightful

    If you actually *break* the protocol on the other hand, then things will probably get a little more ugly

    Then it's time for it to get ugly. AOL breaks the protocol by issuing a 550 (not a 554) and not leaving the session open until timeout or client issues "QUIT" (you are allowed to say "553 Get bent" to every command issued, but you're not allowed to disconnect).

    Let the blacklisting of AOL begin!

    RFCs aside, though, they're blacklisting folks for getting an address assigned by a protocol. This is arbitrary and foolish. It also eliminates a lot of good mail.

    I'll keep running my mail server, and AOL can keep ignoring me, but I'm going to start sending my friends and family to AOL's competition, much as I hate to because that's mostly folks like MSN and the regional phone companies.

  13. We did this to ourselves by EvilAlien · · Score: 4, Insightful
    That's right, it's not just DSL as the article title suggests. It's broadband. You know what broadband is, it's a high-speed network of misconfigured proxies, infected Windoze boxes, and Denial of Service agents.

    IMO too much time is spent ranting about how Tha Man is keeping the $30/mo broadband user down by not allowing the minority who know how to run a secure server to use their residential line as a commercial line. We should be putting a hell of a lot more energy bitching about the masses of clueless users who randomly click on any email attachment they get, set up their P2P apps in slut-mode, and otherwise connect to the Internet in such a way that they become:

    1. just another hop for viruses to propagate through
    2. just another misconfigured AnalogX proxy or Lovgate infected SMTP/NNTP open relay
    3. just another DDoS drone host

    It's sad, but the majority of broadband users have forced this action. If people understood the concepts of due diligence and responsibility we wouldn't have David Ritz and others spending huge amounts of time battling USENET spam, ISPs getting slammed with DoS all the time (and I mean that literally), and spam gangs doing automated scans of broadband networks for open relays so they can spread their email pollution.

    It's a myth that spam only comes from networks in Asia that don't give a damn. It comes from Ma and Pa's Windows 98 box that got infected with one of several variants of Lovgate and helps spam the planet, all from their speedy little DSL/cable connection.

    Before the /. community jumps down AOL's throat at this carpet-bomb tactic, we need to realize that it is a business response to the realities of security on broadband networks. If users took responsibility for their connections and had good firewalls, anti-virus and intelligent email practices then this problem probably wouldn't exist.

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'