

AOL Tests Sender Permitted From / E-mail Caller ID

securitas writes "ZDNet reports that AOL is testing Sender Permitted From (SPF), 'an antispam filter intended to accurately trace the origin of e-mail messages.' AOL is performing the widescale SPF test with its 33 million subscribers worldwide. The system works by letting recipients use the SPF record to cross-check DNS data associated with AOL's IP addresses and confirm that the message originated from AOL's servers. The system is one of three competing e-mail authentication protocols. The other IP-identifying protocols are the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RME/RMX). All systems alter the DNS database to let e-mail servers publish the IP addresses that they use to send e-mail."


  1. I like AOL. by Anonymous Coward · · Score: 1, Informative

    I like how AOL has recently been classifying all email from my domain as spam, making it difficult for new users who are expecting their registration confirmation in their mailbox to actually complete their signup on my site. Or to get their important notices that, like, their transactions (with other users - it's an auction site) are completed.

    I get a half dozen AOL users complaining that they never get their registration or notification emails every single day. And, of course, I can email them to tell them that it's an AOL problem, because AOL will filter that out, too.

    So.. basically. Fuck AOL up the ass.

  2. this is not whitelist. by man_ls · · Score: 5, Informative

    This is not a whitelist filter.

    It's not any kind of a filter.

    It just means that AOL has published SPF records for its mail servers in their DNS entries. Any mail server speaking SPF, receiving mail from AOL.COM, will check the SPF record.

    If the SPF record (which will contain the IP addresses of AOL's mail servers) doesn't match the originating IP address of the mail message (as in, a spoofed header) the message is invalid. Then it can be either dropped or bounced or whatever.

    If the SPF record matches the initiating IP address (as in the case of a message legitimately sent by the mail server) it's clear and goes through.

    1. Re:this is not whitelist. by Frater+219 · · Score: 5, Informative
      So, in essence, AOL has decided that its customers can no longer send mail from their AOL email address, unless they're logged into AOL.

      No, they haven't. Here's the current TXT record for aol.com.:

      v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com ?all

      Now, if you knew SPF, you would recognize that the last bit -- ?all -- means that AOL is not stating that AOL-user mail is only legitimate if sent from AOL mail servers. The ?all tag means that hosts that don't match the rest of the SPF record are taken as unknown -- not as failures. That would be -all.
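As an added illustration (not code from this thread or from any SPF project), here is a small SPF evaluator in Python that walks a v=spf1 record left to right the way the comment above describes, so the difference between ?all and -all, and the include mechanism that comes up later in the thread, can be seen on constructed input. The aol.com TXT string is the one quoted above; every other domain, PTR entry and A entry is made up for the example.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed, in-memory DNS.

Added example. Handles the mechanisms in the aol.com record quoted above
(ip4, ptr, all) plus include and a, the four qualifiers, and the SPF cap
on DNS-querying mechanisms.
"""
import ipaddress

AOL_RECORD = ("v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 "
              "ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 "
              "ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 "
              "ip4:64.12.138.0/24 ptr:mx.aol.com ?all")

# Constructed DNS snapshot: only the aol.com TXT string is taken from the
# thread; the other domains, hostnames and addresses are made up.
TXT = {
    "aol.com": AOL_RECORD,
    "strict.example": "v=spf1 ip4:192.0.2.0/24 include:aol.com -all",
    "loop.example": "v=spf1 include:loop.example -all",
}
PTR = {"198.51.100.25": "relay1.mx.aol.com"}   # reverse lookups (constructed)
A = {"relay1.mx.aol.com": ["198.51.100.25"]}   # forward lookups (constructed)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # SPF cap on include/a/mx/ptr lookups per check


def ptr_matches(ip, suffix):
    """ptr: the client's reverse name must resolve back to the IP and end in suffix."""
    host = PTR.get(ip)
    if host is None or ip not in A.get(host, []):
        return False
    return host == suffix or host.endswith("." + suffix)


def check_host(ip, domain, lookups=None):
    """SPF result for connecting IP `ip` whose MAIL FROM domain is `domain`."""
    lookups = [0] if lookups is None else lookups   # shared across include recursion
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                       # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if "=" in name:                  # modifiers (redirect=, exp=) are ignored here
            continue
        if name in ("include", "a", "mx", "ptr"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"       # include loops / long chains end here
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "ptr":
            matched = ptr_matches(ip, arg or domain)
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "include":
            inner = check_host(ip, arg, lookups)
            if inner == "permerror":
                return inner
            matched = inner == "pass"    # only a pass inside the include matches
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # ran off the end of the record


if __name__ == "__main__":
    for ip, dom in [("205.188.139.7", "aol.com"), ("203.0.113.9", "aol.com"),
                    ("203.0.113.9", "strict.example"), ("198.51.100.25", "aol.com")]:
        print(f"{ip:>15} as {dom:<15} -> {check_host(ip, dom)}")
```

With the real aol.com record an unlisted host ends at ?all and gets "neutral"; the constructed strict.example record shows the same host getting "fail" from -all, and loop.example shows the lookup cap turning an include loop into "permerror" instead of an endless chain of DNS queries.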

    2. Re:this is not whitelist. by LostCluster · · Score: 2, Informative

      If MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.

      What you're supposed to do is use a From: address indicating where you actually are, and a Reply-To: address that indicates where you would like replies to go. What AOL is setting up is the ability to say "That didn't really go through aol.com!" which basically makes aol.com a bad domain name to pick if you're going to spoof and spam.

      Besides, any AOL subscriber who wants to send from their AOL address at work can by logging on through AOL's website...

    3. Re:this is not whitelist. by brain159 · · Score: 2, Informative

      It's been 6+ beautiful months since I was last an AOL customer (side-effect of no wired lan in university halls, only a landline which was actually through some 2-bit student telephone service), but I think AOL have a webmail service. There are also many established approaches to authenticating users back in to their "home" SMTP server (pop3-before-send and more) which would make this a non-issue.

      Those facilities aside, this isn't your ISP making any such decision of "you can't use your personal email address while you're at work" - merely that if you do that and not use their SMTP host then you risk being filtered by your intended recipients.

      As with all filter services (like blacklists for dial-up ip blocks or spam-friendly hosts) it's up to the recipient how much to care about it - what score weighting to give it in SpamAssassin or whatever.

    4. Re:this is not whitelist. by fo0bar · · Score: 3, Informative
      Good idea, but the default port for SMTP over SSL is still port 25.

      Actually, the default port for SMTP-over-SSL is 465. However, there is also SSL-over-SMTP (aka STARTTLS), where the client connects to the server on port 25, client does an EHLO, server lists STARTTLS as a capability, client issues STARTTLS command, and from that point on both sides communicate over SSL.

    5. Re:this is not whitelist. by kiolbasa · · Score: 3, Informative

      ISPs that provide SMTP-auth relaying accessible from outside their network usually make it available on an alternate port, say 2025. Most modern mail apps now make it easy to use a different port. And I don't think it is too much to ask, or too dirty of a hack, since the only purpose of this port is authenticated mail relaying, not actual delivery. The distinction between the two is becoming more important for a useful system. E-mail is changing. Thank the spammers.

      --

      Beer wants to be free
    6. Re:this is not whitelist. by GlassUser · · Score: 2, Informative

      Set the From: field as the user account that you use to dial in to your ISP, and set Reply-To: as your third party email address. That's how it was originally intended anyway.

  3. Publish SPF records by FattMattP · · Score: 4, Informative

    Don't forget to publish SPF records for your domain if you have the ability to do so. If you have already done so, please register your domain via the validator.

    --
    Prevent email address forgery. Publish SPF records for y
  4. Old news by Anonymous Coward · · Score: 1, Informative
  5. Re:AOL muscle by FattMattP · · Score: 5, Informative
    Using muscle to force the Internet into a standard isn't going to work. We need something that *is* a standard, rather than *pushing* a standard upon people.
    SPF isn't an AOL thing. It's something created independently and several people, most notably Meng Weng Wong, are working hard to make it a standard. There is an RFC in draft form. Feel free to join the mailing list if you want to participate in its development. AOL is just the largest user at the moment along with several others:
    • AOL.com
    • AltaVista.com
    • DynDNS.org
    • LiveJournal.com
    • OReilly.com
    • Oxford.ac.uk
    • PhilZimmermann.com
    • Perl.org
    • w3.org
    --
    Prevent email address forgery. Publish SPF records for y
  6. Re:Hrm by GammaTau · · Score: 5, Informative

    I don't know anyone respectable who uses AOL so I won't ever be able to find out how this works...

    Heh. Actually (if I have understood correctly) SPF should prevent anyone from spoofing aol.com as the sender address during the SMTP session. So if a spammer attempts to spoof aol.com and your mail server is SPF-aware, then it would be good for you and AOL because you won't get spam and AOL won't get bounces for the addresses that had problems with delivery (and with spam, problems with delivery are not rare).

    At least this is how I have understood it.

  7. Re:Simply Amazed by Anonymovs+Coward · · Score: 2, Informative
    SPF is broken. It breaks forwarding, unless you want to rewrite the From header at every hop.

    That seems to be by design. (Not offering an opinion, merely commenting. Seems to me all these schemes will cause much more pain for the small guys than for the big ones.)

  8. Built on existing standard by richard_za · · Score: 5, Informative
    A little research showed that it is built on existing standards, namely DNS and SASL SMTP. This should ease its implementation. But here are some obvious ways to prevent spam.
    • If you have a common first name, don't have an email address of the form firstname@domain; you are guaranteed to be hit by a dictionary attack
    • Don't publish your email address on the web, make sure any websites you subscribe to hide your email address or use an email address hiding technique
    • If you're on a mailing list, make sure that if the archive is available on the web it hides your address
    • Use a Bayesian mail filter
  9. Re:Doesn't protect against cracked computers by FattMattP · · Score: 5, Informative
    The biggest weakness of this system is that it doesn't protect against some user's system sitting on a broadband DSL/Modem line that has a Trojan Horse used to e-mail the spam. AOL's system probably would only encourage more viruses/worms designed to make computers email relays.
    Correct. SPF isn't an anti-spam tool. It's an anti-forgery tool. AOL's SPF record in effect says "These are the IP addresses that are authorized to send mail whose FROM: address ends in aol.com. Please take that fact into consideration if you receive mail that says it's from aol.com but doesn't come from one of the authorized IP addresses."
    --
    Prevent email address forgery. Publish SPF records for y
  10. Why this is a big deal by jhunsake · · Score: 5, Informative

    It means that any system administrator can configure their mail transfer agent to bin any spam pretending to come from aol.com with a 100% success rate. And this goes for anyone else publishing an SPF record for their domain.

    SPF is a proposed standard for a domain owner to tell mailers where mail From: that domain may originate. The domain owner publishes a DNS TXT record for their domain with (at the simplest) list of IP addresses. Participating mail transfer agents can then look this record up and make a policy decision on whether the mail is likely to be legitimate. The presence of an SPF record on a domain at present means that while you still can't be sure when you're handling spam, you can be sure when you have a piece of non-spam because the SPF record tells you so.

    SPF is not a wholly original idea (e.g. up "designated mailer protocol"), and certainly not the simplest implementation, but the important factor is that its proponent, Meng Wong, is an excellent lobbyer and spokesperson, as well as someone who has the nous to put forward a useful protocol (he founded pobox.com). It's currently at the point where lots of implementations are being written, with the canonical version being Meng's Perl modules. Currently I'm helping to finish the C implementation which will shortly be integrated into qmail and exim.

    The tipping point (I hope) will be when a domain not publishing an SPF record or publishing a globally permissive one will be considered "obviously" untrustworthy. Combining SPF authorisation with a more traditional "From: domain blacklist" will give spammers a very very hard time indeed forging mail. But AOL publishing a record (we hope) shows the way the wind is blowing: the rest of the world does seem to have to change their mail server configuration to keep mail flowing to AOL.

    So go on, it's dead easy, publish a record for your domain now. Tell people where your mail comes from. Look, there's even a wizard to help you.

    1. Re:Why this is a big deal by kcbrown · · Score: 2, Informative
      SPF is a proposed standard for a domain owner to tell mailers where mail From: that domain may originate.

      No, not "From:". That's in the email header. SPF (and other, similar proposals) tells an MTA which systems mail which originates from the domain in the "From " (notice the lack of a trailing colon) envelope entry may be sent from. The address in the "From: " header line is generated by the MUA, while the address in the "From " envelope line (which is transmitted via the SMTP "MAIL FROM" command) is generated by the MTA.

      This is a very important difference, and is why people who don't understand the difference incorrectly believe SPF will prevent them from sending email as some other address than the domain their machine is on. There's nothing that says that the sender in the envelope and the sender in the headers must be the same thing.

      SPF demands that the sending MTA be configured properly for the receiving MTA to properly verify the inbound message, but I think that's a good thing.

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
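To make the envelope/header distinction concrete, here is an added Python example (not from the thread or from any SPF implementation) that pulls both identities out of the client side of a constructed SMTP session, a mailing-list relay forwarding a post whose From: header still names an aol.com address, and reports which domain an SPF check would actually consult. All hostnames and addresses are made up; the fallback to the HELO name for a null envelope sender is the rule in the SPF specification.

```python
"""Which identity does SPF check? Added example, not code from the thread.

Parses a constructed SMTP transcript and separates the envelope sender
(MAIL FROM, set by the sending MTA) from the From: header (set by the MUA).
"""
from email.utils import parseaddr

# Constructed transcript (client commands only): a mailing list relaying a
# post written by an aol.com user. Hostnames and addresses are made up.
LIST_RELAY_SESSION = """\
EHLO relay.lists.example
MAIL FROM:<discuss-bounces@lists.example>
RCPT TO:<bob@example.net>
DATA
From: Alice <alice@aol.com>
To: discuss@lists.example
Subject: re: SPF and forwarding

The list rewrote my envelope, not my From: header.
.
QUIT
"""

# Constructed bounce: null envelope sender, so SPF falls back to the HELO name.
BOUNCE_SESSION = """\
EHLO mx.example.org
MAIL FROM:<>
RCPT TO:<alice@aol.com>
DATA
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
Subject: Undelivered Mail Returned to Sender

.
QUIT
"""


def spf_identities(session):
    """Return the envelope sender, the header From address, and the domain SPF checks."""
    helo = envelope = header_from = None
    lines = session.splitlines()
    for i, line in enumerate(lines):
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            helo = line.split(None, 1)[1].strip()
        elif upper.startswith("MAIL FROM:"):
            # the "From " envelope identity; empty for bounces
            envelope = line.split(":", 1)[1].strip().strip("<>")
        elif upper == "DATA":
            # message headers run from the line after DATA to the first blank line
            for hdr in lines[i + 1:]:
                if hdr == "":
                    break
                if hdr.lower().startswith("from:"):
                    header_from = parseaddr(hdr.split(":", 1)[1])[1]
            break
    # SPF spec: with a null MAIL FROM, check postmaster@<HELO domain> instead
    checked = envelope if envelope else f"postmaster@{helo}"
    return {
        "envelope_from": envelope,
        "header_from": header_from,
        "spf_domain": checked.rpartition("@")[2],
    }


if __name__ == "__main__":
    for name, session in [("list relay", LIST_RELAY_SESSION), ("bounce", BOUNCE_SESSION)]:
        print(name, spf_identities(session))
```

For the list relay the From: header says aol.com but SPF is evaluated against lists.example, which is why the list's own record, not AOL's, decides the result at that hop.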
  11. There is nothing to be cracked here... by dusanv · · Score: 2, Informative

    The receiving mail server just asks the originating domain DNS for the list of allowable IP addresses for originating mail. Then it verifies that the e-mail it just received came from one of the allowable IP addresses.

    1. Re:There is nothing to be cracked here... by WuphonsReach · · Score: 2, Informative

      Actually, there are a few possible avenues of attack on a domain protected by stringent SPF/RMX records:

      1) hack the DNS records for the domain, add your list of zombie machines to the SPF record (moderate difficulty, watchdog monitoring of the SPF record could detect it quickly)

      2) DoS on the SOA server for the domain so that SPF information can't be retrieved. (difficult, DNS caching would bypass until the TTL expires)

      3) Forge the DNS reply (possible, but very tricky and relies on timing of packets, probably not a practical attack)

      4) Hijack a client PC that is authorized to send mail through one of the authorized SMTP servers (easy, but alert admins of the SMTP servers could quash the outbound mail flood)

      5) Hijack an authorized SMTP server (easy to difficult depending on how well the server is secured, but has the biggest payoff)

      --
      Wolde you bothe eate your cake, and have your cake?
  12. you misunderstand SPF by Kunta+Kinte · · Score: 3, Informative
    Lots of e-businesses generate unique email addresses for different consumer requests, which can then be thrown away, and individuals and mailing list managers (like ezmlm for subscription confirmations) do this too. It works because often the part of the email address after a + sign (or for qmail, a -) is ignored by the mail delivery agent, but can still be used for filtering/sorting mail by the user. Seems to me any DNS-based email address registry has to be smart enough to deal with it.

    The recipient's MTA will check the sender's SPF record. You can auto-generate all the email accounts you'd like, only the domain name portion of the email address is authenticated in SPF.

    In fact that was one of the arguments against SPF, people said that it did not go far enough and actually authenticate users.

    Personally, as someone who has to administer an email server and whose domains are sometimes used in forgeries for spam ( last one was a few days ago ), I'm all for SPF.

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  13. Re:Doesn't protect against cracked computers by wayne · · Score: 3, Informative
    Yes, but those cracked PCs will not be able to send email claiming to be from my domain to anyone who listens to my very restrictive SPF records. This will help reduce the number of bounces I get back from forged sender addresses.

    SPF is just one tool to help tighten up the security of the SMTP system. It lets domain owners say who is authorized to send email using their domain name. This is a useful thing to do, and it allows for other things to build on it. For example, RHSBLs that blacklist domain names instead of IP addresses are much more useful after SPF checking has been done. SPF checking can also help detect phishing schemes.

    --
    SPF support for most open source mail servers can be found at libspf2.
  14. Re:Veri$ign? by thedillybar · · Score: 2, Informative
    ISPs already control who sends mail from where. I know of ISPs who block port 25 incoming & outgoing (except to their SMTP server).

    How is this any different?

    You can work around either by using VPN or something similar.

    If you don't like the way your ISP handles it, complain or switch ISPs, just like you would now. ISPs aren't regulated. And if they were you'd be complaining about something else. Deal with it.

    SPF should work very well for the time being, much more effective than any algorithm that looks at a message and tries to determine whether or not it's spam.

  15. Re:What about commercial or throwaway accounts? by Alawishes · · Score: 4, Informative

    This is a great feature! I never understood how it would really work until I started using Shadango (based on a recommendation posted on /.)

    See, I generate a disposable ("Spamtrap") account, and post that all over the internet. When the crap gets too unbearable, I just regenerate it. I can't even imagine how I survived without a disposable account in the past.

    Also, and more related to the story, what will happen to sites that let you consolidate all your other accounts? I use Shadango to check my POP/IMAP/Y!/Hotmail/AOL/mail.com accounts (because it filters them, plus I have a bigger quota), but I guess it's just a matter of time until I won't be able to 'send' from those addresses anymore.

    Hmmm... it sucks that spammers have slowly taken away all the freedom that the email

    It's hard to win a fight when you don't know who to swing at.

    Susie Johnson

  16. Re:Still don't get it.... by billh · · Score: 4, Informative
    Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?

    New: 2911 Total: 8639

    That is from the last 6 weeks. Less than 1% are real messages (domain renewals).

  17. Re:Some educated opinions on the subject. by gfilion · · Score: 3, Informative

    Before looking at SPF you may want to read what Claus Assmann [theaimsgroup.com], and Wietse Venema [theaimsgroup.com] have to say on the subject.

    You might also want to read what Steve Bellovin (one of the guys who invented USENET among other things) and Eric Raymond have to say about it. They spend a little more time understanding SPF...

    Wired story with Raymond's comments.

    Bellovin's comments in an email to the SPF mailing list.

  18. Re:As usual, D. J. Bernstein has the ACTUAL soluti by gfilion · · Score: 3, Informative

    The idea behind Internet Mail 2000 [cr.yp.to] is obviously correct. Why waste time on DNS-based approaches when we COULD be developing the Solution?

    Because it's not backward compatible.

    SPF is a simple and backward compatible solution to email forgeries. People who don't use it are still able to use email, while people who use it are protected against forgeries.

    Everyone and their brother are reinventing email these days without realising that you need to improve the existing email system. It's not possible to throw away the existing system.

  19. Re:Testing incoming, or testing outgoing? by gfilion · · Score: 2, Informative

    I've read the article and I can't figure out what the test is. Does this mean that AOL is publishing SPF records (in which case it's old news) or does it mean that AOL is going to start rejecting incoming mail which fails the SPF tests?

    It's the old news.

  20. Re:As usual, D. J. Bernstein has the ACTUAL soluti by Anonymous Coward · · Score: 1, Informative

    Because his solution has flaws which he continues to ignore and nobody is interested in implementing it.

  21. Re:Still don't get it.... by WuphonsReach · · Score: 3, Informative

    Well, in the near-term, SPF won't do anything to slow the quantity of spam. Regardless of what the most die-hard rabid supporters would like everyone to believe.

    SPF is an attempt to stop the practice of domain-forging or "joe-jobbing". Which, for a business domain is important. Right now, anyone can pretend to be joe@mycompany.com and either tarnish our company's name, or simply make life extremely difficult for us when our ISP cuts us off for spamming (when we didn't do it).

    However, it is likely to have some beneficial side-effects like making domain-based whitelisting/blacklisting more effective. It raises the bar one more notch for a spammer (now they have to either find a non-protected domain to forge, route their spam through authorized servers for a domain where it's likely to be noticed and blocked, or register throw-away domains to push their product).

    (And SPF is very similar to what AOL already requires if you want to have your domain whitelisted with them. You're required to list the IP addresses that send outbound e-mail for your domain, anything else gets dumped in the bit-bucket or at least is likely to get tagged as spam by the filters.)

    --
    Wolde you bothe eate your cake, and have your cake?
  22. Re:SPF breaks a lot of things, and if it succeeds. by Alien+Conspiracy · · Score: 2, Informative

    Not true.

    AOL's SPF records 'whitelist' their own servers whilst saying nothing about the rest of the net.

    This means that mail sent from @aol.com addresses via AOL's servers can be treated as authentic by spam filters, whilst any mail sent by other means is treated exactly the same as before (ie maybe forged, maybe not).

  23. Re:DNS??? by WuphonsReach · · Score: 2, Informative

    I don't understand... why can't all email servers just check forward/reverse MX record lookups to help diminish spam. I know that will not end it, but it would drastically help from spoofing email... which is all that AOL's initiative seems to be doing (i.e. not killing it, just preventing their servers from being spoofed).

    Initially, that was my question too... why not just require that outbound e-mail be sent from an IP address listed in an MX record?

    Well...

    1) MX records are designed to specify what IP address will accept mail for a domain

    2) A lot of companies use separate outbound mail servers that are not capable of receiving e-mail (and thus aren't attached to an MX record).

    Oh, yeah, and have the email servers not accepting relays, and patch the damn home user windows boxes. Instead of AOL blocking ADSL, they just need to block windows '95-ME, 2000 pro, and XP. They are all home systems, not servers. Network packets can show OS footprints, so this is doable.

    Read up on the SMTP protocol, an SMTP server knows *nothing* about the connecting host other than IP address and what the host chooses to identify themselves as in the HELO/EHLO command. (Or by doing a reverse lookup on the IP address, which isn't very informative.) In fact, scanning the connecting host to determine its "footprint" might be considered a misdemeanor/felony under some interpretations of the law.

    Just more media hype, I'll believe it when I see it. AOL just has to rebut Microsoft (MSN) from stealing more AOL users with their latest news about the anti-spam pledge from Gates.

    AOL has been testing SPF since well before Microsoft/Gates' announcement last week. In fact, AOL already has a program in place where you can whitelist a domain with them and specify what IP addresses are authorized to send outbound e-mail for your domain. They're probably tired of maintaining that list when SPF could store the information in the DNS system and make it easier on everyone.

    --
    Wolde you bothe eate your cake, and have your cake?
  24. Re:Simply Amazed by ivern76 · · Score: 2, Informative

    No, it doesn't break forwarding as long as every hop's SPF is properly defined. The include keyword in SPF lets you specify the mail servers that relay mail for you, and so on.

    Of course, this opens the possibility of extremely long include chains that would keep your DNS busy for ages, but hey...

  25. Re:Simply Amazed by RustyTaco · · Score: 2, Informative

    You're missing something obvious, which is that list messages come from the list server. The cosmetic header From: is still you, but it's From (no :) the list. The FAQ explains it.

    - RustyTaco

  26. Re:Simply Amazed by Tony+Hoyle · · Score: 4, Informative

    SPF is based on the envelope sender not the From address - I suggest you read the FAQ first.

    Yes, you have to change the envelope on each hop, but that's a good thing, as it means that each hop is validated which makes it harder to spam.

  27. Ah, yes, real, bona fide FUD ;) by Anonymous Coward · · Score: 1, Informative

    People throw FUD around to mean any sort of bullshit, but, yours is the first real, bona fide FUD in a while :)

    The problem with people of your ilk is that you don't understand the difference between an envelope from and a header from.

    SPF works on the envelope from (you know, as transmitted by the MTA, often using MAIL FROM if we're talking SMTP), not the thing that's listed in the "From:" header of the message.

    When a message is forwarded by a mailing list (or by your MUA), the From: header may belong to someone else but the envelope from is yours... and, of course, that's what's checked against SPF.

    In other words, the list's SPF records will be checked against the list's domains, not your records against your domains.

  28. Re:No Faking Here by Trebonius · · Score: 3, Informative

    Not really.

    If you use the smtp server (with authentication) provided by whoever owns the domain name on your 10-year-old email address, and they set up SPF, you'll be fine.

    SPF doesn't have anything to do with what IP address you connect to the smtp server from. It just validates the smtp server.

    It just means you can't use your own local mail server to send from a domain you don't own.