Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Now Publishing SPF Records

Posted by CowboyNeal on from the slowly-gaining-ground dept.

SPF Fan writes "It looks like SPF is starting to catch on with the bigger ISPs. AOL is now publishing SPF records which you can verify with 'dig aol.com txt'. Will Hotmail and Yahoo be far behind? Who else is publishing SPF records for their domains? Slashdot has covered SPF in the past a couple times."

9 of 340 comments (clear)

  1. Re:How does this reduce spam in any shape or form? by JanneM · · Score: 4, Interesting

    Spammers can just use their own domain

    Yes, they can. And all I need to do is to let the domain be one feature to do adaptive filtering on. Two mails on penile enlargement, and no non-spam email from one domain, and that domain will be a pretty clear signal to throw stuff away. Time for the spammer to get a new domain.

    Many will not implement this!

    Well, whether everybody implements it or not, it does give me another factor to filter on. If the mail comes from a domain that does not implement it, that's grounds enough for a big, fat -5 spamassassin rule right there.

    Oh, and as more and more people implement this, those who do not can be more and more severely punished by spam filters (as the exceptions for any one person becomes few enough to whitelist and so on).

    But if you blacklist any domain without it, some people won't be able to send stuff to you anymore!

    Cry me a river.

    --
    Trust the Computer. The Computer is your friend.
  2. Re:How does this reduce spam in any shape or form? by skaag · · Score: 5, Interesting

    My own experience:

    I happen to be hosting a few domain names that attract a lot of joe jobs, if this method helps me reduce the amount of joe jobs by 5%, it was worth it. The amount is simply HUGE.

    The Deterring factor:

    If the Spammers are smart enough to check my domain for SPF records before doing a joe job on it, they might not select it for their joe job, simply because they will know their campaign might not be as effective as it would be if they used another domain that does not publish SPF records. So the deterring factor is important here!

    Conclusion:

    Every effort counts. And let's not forget that sometimes, all it takes for an idea to catch on is some large corporation using the technology or technique, and it will catch like wildfire. I'm also publishing SPF records for my own domains, and checking for them as well (with the help of qpsmtpd which has a nice SPF plugin).

    --

    All those moments will be lost in time, like tears in rain... time... to... die...

  3. Re:boo by Saven+Marek · · Score: 5, Interesting

    > 2) Spammers tend to use made up domains anyways.

    This is true, but combined with domain checking AND SPF I can see it being more powerful than both.

    for ex.
    spammer makes up umergeh.drewhs.com
    email gets canned because the domain is fake. lose for spammers

    spammer sends faked address from aol.com
    SPF shows its a fake sender (rteal IP not match aol.com spf list). lose for spammers

    spammer at aol sends real spam from aol.com
    aol come down and bite spammers head off, spammer goes to jail. lose for spammers!

    SPF is only one tool, and there are many combine them together and you have strength

    mac desktops, dare to be nude

  4. anti-spoofing by colinleroy · · Score: 4, Interesting

    As I don't think this will stop spam (at least not before massive adoption, as others said), I think it can protect us from having a spammer using our email address as From:.
    I publish SPF records for my small domain now, and next time some dumb ISP complains getting spam "from me", I'll be able to tell them to go and check my SPF records, and to match these with "my" spam's headers.

    Of course, this is for my little domain with few users, all well-educated enough to use authenticated SMTPS to my server.

    --
    blah
  5. Some of the benefits. by mcroot · · Score: 4, Interesting

    Some people seem to be missing the point of spf. SPF is a mechanism that allows people to publish their own records to defend themselves against joe-jobbing. Anyone who has been joe-jobbed will be all over something like this. The fact that publishing these records benefits you directly, will help something like this spread in a timely manner.

    It's also beneficial in the regard that when rolled out to where it becomes standard, mail will be far more accountable, and as spammers start joe-jobbing those people who have not yet published these records, it will only help motivate those hold-outs to get on the bandwagon and defend themselves.

  6. This doesn't help much.... by ^BR · · Score: 3, Interesting

    What if I don't have access to the authorized relay, as in all company outgoing mail must go through company SMTP server, wether it as a @company.com from address or a @vanitydomain.com address.

    If you read personnal email at work (bad) but keep it separate from your professionnal email (good) this will greatly inconvenience you.

    And what about the consultant on a customer's site, if he don't have access to the authorized relay. He can't send mail while still having a perfectly usable SMTP relay at his disposition...

  7. Other problems with SPF by 0x0d0a · · Score: 4, Interesting

    ...SPF technically wise sucks

    Agreed. I'm going to cut-and-paste the set of flaws I was talking about *last* time SPF came up on Slashdot:
    First, this is nothing more than an authentication system. It's designed to allow a server to authenticate itself as a trusted source for a domain's email. However, the designers chose to use DNS as a transport mechanism. Not a good idea. DNS is designed to be lightweight and low latency, not to be secure. It's pretty easy to spoof DNS responses. Plus, DNS data tends to get cached. All you need to do is spoof a response, the nameserver's cache is poisoned with false data, and the next N emails (until the cached data expires) are accepted as valid.

    Second, this system relies on having everyone implement such functionality. Spammers don't give a damn about return addresses, so they can send email with a from address at any domain. The annoying and ineffective attempts at stopping all open mail relays on the Internet illustrate the failure of this model. A security system that relies on correct implementation over the full Internet to function properly will not work in real life.

    Third, this fails to deal with throwaway domains. The authors waffle a bit about them, and finally come out and admit that more mechanisms are required. Dammit, if we had a good PKI trust-ranking system (which is the sort of thing that they are requiring to fix their failings) we wouldn't need this system at *all*, since we could simply sign email and have trust rankings for users.

    Enough about the bad design: other reasons I don't like it include:

    * The authors have made a decision to make it really annoying to send email from a machine, and have to work with your ISP just to have a mail server. There are plenty of more solid antispam proposed mechanisms that do not place restrictions on who runs what servers (pay-per-email or pay-per-initial-email, PKI systems). This is much more in line with the way the Internet works for most services.

    * There is a supposedly trusted authentication system being spread across the entire Internet over an insecure transport protocol.

    * DNS caching can make moving an SMTP server or setting up a new one take a significant amount of time.

    * IP-based auth isn't a great idea anyway, for a number of reasons. The authors claim that it isn't a huge issue, because IP spoofing is harder (I disagree -- things like Mobile IP have made it harder to *block* IP spoofing).

    * Users have no control over what gets blocked. If I *want* to receive email of a particular type, I can't. Two ISPs (sending and receiving) are the ones that determine what mail I can receive). This is perhaps acceptable within a company, but annoying and goes against traditional Internet structure.

    * It does nothing to avoid compromised end user machines.

    * It does nothing to deal with throwaway accounts.

    * It does nothing to deal with misconfigured servers.

    --
    May we never see th
  8. Re:I see a problem here.... by SydShamino · · Score: 3, Interesting

    I'm not a networking expert (as everyone who corrects me will probably point out), but couldn't you do something like:

    1. Make the customers use Webmail or equivalent when traveling. The mail still originates with your servers.

    2. Make the customers VPN to your domain when traveling. The mail is then handled by your servers.

    AOL basically does the second, if you connect to them via another service (like AOL High Speed stuff).

    I know neither of those are as convenient as "free mail, anywhere, anytime, no questions asked", but that system is too open to abuse.

    --
    It doesn't hurt to be nice.
  9. Re:I see a problem here.... by dozer · · Score: 3, Interesting

    Um, how about actually watching for cracking attempts? "My word, user jimj just tried to log in 100 times in less than 1 hour. Let's deny the IP address he's trying to log in from."

    As far as I can understand, your argument boils down to "I don't like SPF because my systems are hideously insecure, I'm cool with them being used as open relays, and I don't feel like being a competent sysadmin"?