AOL Tests Sender Permitted From / E-mail Caller ID

securitas writes "ZDNet reports that AOL is testing Sender Permitted From (SPF), 'an antispam filter intended to accurately trace the origin of e-mail messages.' AOL is performing the widescale SPF test with its 33 million subscribers worldwide. The system works by letting recipients use the SPF record to cross-check DNS data associated with AOL's IP addresses and confirm that the message originated from AOL's servers. The system is one of three competing e-mail authentication protocols. The other IP-identifying protocols are the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RME/RMX). All systems alter the DNS database to let e-mail servers publish the IP addresses that they use to send e-mail."

this is not whitelist.

[man_ls]

This is not a whitelist filter.

It's not any kind of a filter.

It just means that AOL has published SPF records for its mail servers in their DNS entries. Any mail server speaking SPF, receiving mail from AOL.COM, will check the SPF record.

If the SPF record (which will contain the IP addresses of AOL's mail servers) doesn't match the originating IP address of the mail message (as in, a spoofed header) the message is invalid. Then it can be either dropped or bounced or whatever.

If the SPF record matches the initiating IP address (as in the case of a message legitimately sent by the mail server) it's clear and goes through.

Re:this is not whitelist.

[Frater+219]

So, in essence, AOL has decided that it's customers can no longer send mail from their AOL email address, unless they're logged into AOL.

No, they haven't. Here's the current TXT record for aol.com.:

v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com ?all

Now, if you knew SPF, you would recognize that the last bit -- ?all -- means that AOL is not stating that AOL-user mail is only legitimate if sent from AOL mail servers. The ?all tag means that hosts that don't match the rest of the SPF record are taken as unknown -- not as failures. That would be -all.

Re:AOL muscle

[FattMattP]

Using muscle to force the Internet into a standard isn't going to work. We need something that *is* a standard, rather than *pushing* a standard upon people.

SPF isn't an AOL thing. It's something created independently and several people, most notably Meng Weng Wong, are working hard to make it a standard. There is an RFC in draft form. Feel free to join the mailing list if you want to participate in its development. AOL is just the largest user at the moment along with several others:

• AOL.com
• AltaVista.com
• DynDNS.org
• LiveJournal.com
• OReilly.com
• Oxford.ac.uk
• PhilZimmermann.com
• Perl.org
• w3.org

Re:Hrm

[GammaTau]

I don't know anyone respectable who uses AOL so I won't ever be able to find out how this works...

Heh. Actually (if I have understood correctly) SPF should prevent anyone from spoofing aol.com as the sender address during the SMTP session. So if a spammer attempts to spoof aol.com and your mail server is SPF-aware, then it would be good for you and AOL because you won't get spam and AOL won't get bounces for the addresses that had problems with delivery (and with spam, problems with delivery are not rare).

At least this is how I have understood it.

Built on existing standard

[richard_za]

A little research showed that it is built on existing standards, namely DNS and SASL SMTP. This should ease it's implementation. But heres some obvious ways to prevent spam.

• If you have a common first name, don't have an email address of the form firstname@domain, you are guaranteed to be hit by a dictionary attack
• Don't publish your email address on the web, make sure any websites you subscribe to hide your email address or use email address hiding technique
• If your on a mailing list make sure that if the archive is available on web that it hides your address
• Use a bayesian mail filter

Re:Doesn't protect against cracked computers

[FattMattP]

The biggest weakness of this system is that it doesn't protect against some user's system sitting on a broadband DSL/Modem line that has a Trojan Horse used to e-mail the spam. AOL's system probably would only encourage more viruses/worm designed to make computers email relays.

Correct. SPF isn't an anti-spam tool. It's an anti-forgery tool. AOL's SPF record in effect says "These are the IP addresses that are authorized to send mail whose FROM: address ends in aol.com. Please take that fact into consideration if you receive mail that says it's from aol.com but doesn't come from one of the authorized IP addresses."

Why this is a big deal

[jhunsake]

It means that any system administrator can configure their mail transfer agent to bin any spam pretending to come from aol.com with a 100% success rate. And this goes for anyone else publishing an SPF record for your domain.

SPF is a proposed standard for a domain owner to tell mailers where mail From: that domain may originate. The domain owner publishes a DNS TXT record for their domain with (at the simplest) list of IP addresses. Participating mail transfer agents can then look this record up and make a policy decision on whether the mail is likely to be legitimate. The presence of an SPF record on a domain at present means that while you still can't be sure when you're handling spam, you can be sure when you have a piece of non-spam because the SPF record tells you so.

SPF is not a wholly original idea (e.g. up "designated mailer protocol"), and certainly not the simplest implementation but the important factor is that its proponent, Meng Wong, is an excellent lobbyer and spokesperson, as well as someone who as the nous to put forward a useful protocol (he founded pobox.com). It's currently at the point where lots of implementation are being written, with the canonical version being Meng's Perl modules. Currently I'm helping to finish the C implementation which will shortly be integrated into qmail and exim.

The tipping point (I hope) will be when a domain not publishing an SPF record or publishing a globaly permissive one will be considered "obviously" untrustworthy. Combining SPF authorisation with a more traditional "From: domain blacklist" will give spammers a very very hard time indeed forging mail. But AOL publishing a record (we hope) shows the way the wind is blowing: the rest of the world does seem to have to change their mail server configuration to keep mail flowing to AOL.

So go on, it's dead easy, publish a record for your domain now. Tell people where your mail comes from. Look, there's even a wizard to help you.