Slashdot Mirror
AOL Tests Sender Permitted From / E-mail Caller ID
securitas writes "ZDNet reports that AOL is testing Sender Permitted From (SPF), 'an antispam filter intended to accurately trace the origin of e-mail messages.' AOL is performing the widescale SPF test with its 33 million subscribers worldwide. The system works by letting recipients use the SPF record to cross-check DNS data associated with AOL's IP addresses and confirm that the message originated from AOL's servers. The system is one of three competing e-mail authentication protocols. The other IP-identifying protocols are the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RME/RMX). All systems alter the DNS database to let e-mail servers publish the IP addresses that they use to send e-mail."
Do we really want the kind of split-down-the-middle stance on formats that we have to deal with when it comes to DVD burning, VHS vs Betamax, anything like that? No, it only ends up being harmful for everyone in the long run.
I'm reminded of what Microsoft did with IE. All these different DOM objects that aren't part of any standard, which no one can really use because it's not browser-compatible.
Using muscle to force the Internet into a standard isn't going to work. We need something that *is* a standard, rather than *pushing* a standard upon people.
When are companies going to learn?
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
For once I might actually approve of something AOL does. OK I didn't RTFA but it sure looks a lot like whitelist filtering. Here's hoping that others pick up on this idea if it works out! (my dialup had 530 spams in the last month... thank you, Bayes!)
C|N>K
Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
In short, yes.
The biggest weakness of this system is that it doesn't protect against some user's system sitting on a broadband DSL/Modem line that has a Trojan Horse used to e-mail the spam. AOL's system probably would only encourage more viruses/worm designed to make computers email relays.
Of course if all non-business accounts were prevented from hosting an SMTP server that would help solve that problem, but I don't think that would go over very well with the Slashdot crowd. I'm not even sure where I stand on that issue.
Ok, I give up, why you?
I think the problem is larger than the few annoying emails people get everyday. There's two things to consider.
1) Cummatively, spam is not just a headache but can be resource draining. Getting 10 or so a day for ten days if I don't check email leads to 100 emails. It would be one thing if it affected me but I'm not the only one that uses my mail server or ISP. It bogs down the mail server that I use whether it's my work email or my personal one. At work, my company has to dedicate resources to fight spam which costs companies money. My only effective choice right now is to abandon my email address every year so I don't get spam for a while.
2) Spam is not discrimating. Offers that are sexual in nature may be innocuous to me, but for parents that's another matter. They want their kids to learn email but can't do much to protect them from this content besides not use email.
Well, there's spam egg sausage and spam, that's not got much spam in it.
If the SPF record (which will contain the IP addresses of AOL's mail servers) doesn't match the originating IP address of the mail message (as in, a spoofed header) the message is invalid.
So, in essence, AOL has decided that it's customers can no longer send mail from their AOL email address, unless they're logged into AOL.
This does not bode well.
I don't use AOL, but if MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.
I would guess my public address gets a hundred spams a day. This would average out to about one every fifteen minutes. I am sitting at my computer all day. Suppose I had the mail client set so an incoming mail has the effect of distracting me, as by say a beep. The effect would be that I am always being distracted from my work. Experimentation shows that even noticing the email counter incrementing distracts me.
I use my inbox as my project list. Everytime I go to my inbox, I would have to delete spam to clean up the inbox, so I could mentally process the project list.
So to me it is worth the $30/year I pay spamcop to filter 99% of the spam out. Thus, I am someone whom spam is costing money.
Um, I thought Bill was going to take care of spam for us?
The _only_ thing I see working that the spam scum will simply never get around is going with whitelisting email address' (much like what Apple's Mail does -- it's not junk if they're in your Address book) -- and authenticating said From: lines with RMX type DNS lookups.
Email!certainly!is!not!what!it!used!to!be
I'd love to bang! a spammer some time -- right up side the head.
Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
Really, now, junk mail is just not that pressing an issue to me. And I can't see why/how it's such a huge issue for anyone else.
Let me explain it to you.
Yes. I personally receive over 5000 spam messages a day. Thanks to the very clever spammers who are getting better at circumventing spam filters, I'm seriously considering moving to a white-list, and even that may not stem the tide. Part of the problem is with false-positives and the fact that people don't know how to write a proper subject line. Sometimes legitimate and very important messages have been contained in messages with subjects and other message body content that can resemble spam.
As a test I have set up e-mail addresses that I have never used or publicized in any way at a number of domains and providers. Guess what? Within days (sometimes hours) spam lands in those mailboxes, too, and based on the user/account names that I set up, I know it's not because of a simple dictionary attack.
Just because you don't personally experience it (consider yourself among the lucky few) doesn't mean that it's not a real problem. FYI, SPF is not (strictly speaking) from AOL. It's just being rolled out on a massive scale by AOL, which should be a good test of the technology.
I don't know if this is the right move, but something has to be done to eradicate this plague and its carriers.
SPF is incredibly broken because it allows ISPs to control who sends mail from where. We should be resisting SPF and all other similar proposals and backing public keys in DNS.
We've been waiting for an anti-spam standard for years now. What do we have? Nothing.
It's about time someone with clout got up and started making decisions.
I have 4 blocklist on my email server, and still we get a ton of spam everyday. My users hate it, I hate but we have to deal with it whilst the IETF works out their political agenda.
PS. I've also been waiting for the Calendar Access Protocol for a while now. Years, where is it? We're on draft 11 now.
Sometimes design by commitee plain sucks; and we just have to admit that.
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
The problems with Yahoo's Domainkeys, are as follows:
I think SPF is a far better better proposal for this kind of thing.
SPF support for most open source mail servers can be found at libspf2.
All variants of "Make it computationally expensive to send e-mail!" prevent all mass mailings of all kinds... not just spam. You're tossing out a few babies with the bath water, that's just not a working solution.
/. because most geeks have more processor cycles than dollars, but at least cash has a more stable value over time...
Besides, there's not much stopping Spammers from just buying the processing resources they need. Whatever meaningless task is picked, development would immediately start on making that puzzle easier to solve. You'd start seeing processor chips dedicated to the task...
Being cash-expensive is less popular on
No it wouldn't. Just follow the proper protocol. The "From:" address should be your cable-domain address because that's what you're actually sending from. The "Reply-To:" address can be your dial-up address, because that's where you would like any replies to go.
You're spoofing your "From:" address at the moment, and that's exactly what nobody should be allowed to do for any reason...
That's 3 hours 47 minutes. Yeah, I'd say the "delete" button doesn't just do it for me.
So junk mail is not that pressing an issue to you? Would you like to process mine? Pick out the 38 legitimate emails I did get yesterday.
And to get back on to[pic - the idea doesn't come from AOL - they're probably just the largest ISP to pick up implementing the draft idea.
Recycle PCs and build a wireless community network www.hillsborough.org.nz
I notice that a number of people knocking SPF are looking at it breaking some sort of standard, or that it's an exclusive, it's-the-only-answer technology, ie it's being proposed as a silver bullet.
It's not. SPF just provides one more bit of helpful information -- which IPs email from the sender's domain should really be coming from.
While someone could use SPF in a pure binary decision system that breaks SMTP, it's going to be an incomplete solution. Just like blacklists, whitelists, and bayesian filtering are also incomplete solutions.
However, you start using these things in combination and magic happens.
Example: I use ASSP for server-side spam filtering. ASSP uses bayesian filtering, but also whitelists people you email and uses blacklists.
The blacklist implementation is interesting, however, as when it determines an IP is blacklisted it simply starts off with a higher spam probability in the bayesian stage -- it's not truly blacklisted, just more suspicious.
You could do the same thing with SPF, initially giving a lower spam probability to mailservers with SPF, and when there's more infrastructure using SPF, switching to penalizing non-SPF servers.
Nice thing about this approach: it doesn't require everyone to convert their infrastructure, but it does incentivise legitimate servers to do so without penalty. It doesn't break any standards. Legitimate mail still gets through, but spam suffers.
Stop thinking that all spam solutions have to be single silver bullets. Anti-spam tools can be additive.
One more tool against spam == a good thing.
NO no no no no no. Faking email is fine. People need to learn to NOT TRUST the From field. Legislation gets us nowhere. I mean, viruses are illegal and there are plenty of those. It's illegal to hijack a plane and fly it into a building, but that happened too.
Solution? SIGN YOUR EMAIL. Then the recipient knows that you wrote (or at least signed) the email. Key exchange a problem? Maybe you shouldn't be using email, then.
If all my email were signed, I wouldn't even need a spam filter. I could just trash all non-signed email.
Unfortunately, my friends (except for one) find it too hard to download/buy GPG/PGP and click the "sign" button when they mail me. Oh well, what can be expected of people that are too lazy to hit the shift key after sentences. *sigh*
My other car is first.
So, in essence, AOL has decided that it's customers can no longer send mail from their AOL email address, unless they're logged into AOL.
I remember this used to be the most baffling thing to newcomers to e-mail. Why would a protocol allow you to pretend to be someone else? Why didn't the SMTP server stamp all outgoing mail with the proper domain?
I understand that images are important in e-mail, but if you are capable of receiving yourname@yourjob.com, then theoretically you should be able to connect to the actual yourjob.com mailserver.
The fact that you haven't had to up to this point is a security hole, not a feature.
The ______ Agenda
This is no solution. It stops the load of sending the bodies of spams, but the annoyance of spams still remains.
It also introduces a lot of problems. Unless you just immediately fetch, it tells the sender where you were (IP address) and when at the time you fetch the mail. If the sender's server is down you may not be able to fetch it at all. Response times get slower, again unless we just use this to implement the old pre-send system, in which case we don't get its benefits.
A mixed system (pre-send small mail, post-fetch large or questionable mail) can have some of the benefits but still faces problems. And spam still comes.
Mod me redundant because I say this *every* time somebody whines about this, but:
I don't use AOL, but if MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.
So you do what you're already supposed to do in this situation, and set the From line to your personal email address, and the SENDER line to wherever you really are. Mailing lists do this all the time.
Slashdot's token middle-aged housewife
If it doesn't mean "denied", then it must either mean "allowed" or "undefined" - but if that's the case, what's the point in implementing it at all?
One way to use that system would be to combine it with SpamAssassin: a valid mail server gests a null or negative score, unknow get a small positive score so that combined with other rules, the message can be tagged as spam.
I get about 500 spams a week. It gets old, very old. Especially when I use a web interface to check mail while on the road.
I'm very enthusiastic about anything new. The other guys (earthlink, etc) have had absolutely no luck in implementing a real spam solution. I suspect that more money was spent on marketing 'spamblocker' than was spent developing it.
Let's be happy one of the big ISPs have the resources and dedication to, at least, try to slow the spam down. Something has to be done.
Just look how many years it took for these other dolts in the industry to even block port 25 traffic to any SMTP server. So very frustrating to think about.
Ha! This gives spammers exactly what they want. They will know which addresses are "Real" because those users will be _forced_ to connect to the spammer's mail server. Also note that the user's computer will be unable to filter the spam without downloading it... so nothing is solved but everything has to be rewritten.
Also, this will kill the ability migrate your mail to different addresses and will make the accessability of your email depend on _all_ the servers sending you messages being up and accessible at the same time.
Yeah, if AOL is respecting SPF, and someone forges your domain name as part of the return address for spam destined for aol.com, they can know to drop it without bouncing. So it'd help. The spammer's mail server doesn't -- can't -- do anything about it. That's the whole point.
Using a local mailserver is a pointless optimization, adding needless complexity and vulnerability to the email system. Globally, the extra resources used would be negligable. Actually, since most people either don't bother or don't know how to configure their mail client to do what you describe, everyone *already* sends all their mail through their ISP's servers. It hasn't been a tremendous problem so far.
If you want to transfer 50 MB, and you just can't stand the thought of wasting a little precious bandwidth, then you can use another transfer method. Most service providers won't allow 50 MB emails anyway. Use an instant messaging program to transfer it directly, or set up an http server and host it yourself. If your ISP doesn't allow you to do that, that's much worse than requiring you to use their mail servers.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Yes, as mattdm points out, this does work.
Bozo spammer, who specializes in sending spam to just AOL as far as I can tell, sends spam to AOL addresses with my domain name in the header as the sender. AOL bounces bad addresses to me. (AOL also bounces all the spam to me when they figure out it is a spam run.)
Very annoying, both from all the bounces, and from some sleaze using my good name.
However, now AOL checks for SPF info in my DNS record. Hmmm.... mail from some_bogus_name@goodguydomain.com isn't coming from a server listed as valid for goodguydomain.com. (It is coming from some hacked cable user's PC.)
AOL cuts off the spam before reading any further, and everyone (except the scummy spammer) is happy. AOL doesn't process the mail, the AOL user doesn't see the junk, and I don't get any bounces.
The spammer's mail server can be registered in many SPF records, but there is no way it will be in the DNS record for my domain, because I control that.
It doesn't really help the user once spammers stop spoofing AOL addresses though, so ultimately it only helps AOL. And is that something we want to support? :P
I really don't think this is going to go very far - primarily because it seems to me that a spammer from say bigisp.com can say he is ANY OTHER CUSTOMER from bigisp.com.
Suppose we have joesixpack as an example - and he has a laptop. At home he connects via his ISP and sends an email to his mom. The letter is received because the from address is valid in his ISP's SPF list. Then he goes to work and tries to send her another email. This time the email will get rejected. So he tries to send it through his ISP's mail server. Since he is not connected to his ISP's system, the email is rejected.
This means that joesixpack has to somehow LOG IN to a server and go through an authentication.
-------
This sort of comes to the nub of the problem. Authentication. If Joesixpack is a good guy - he should be able to send email to anyone - and if he is not a good guy we will find out fairly quicky and we can fine him or pull his priviliges.
The issue is not much different than driving a car actually. It needs to be dealt with in the same way as traffic infractions... perhaps through the police.
One way to implement something that will work is via issuing a certifiation. At the time joesixpack signs up with his ISP - the ISP could act as a CA and certify him as a good guy. They can record his identiy just as they recorded that he paid his bill. At this time they could install a cert for JoeSixpack into his email client - AND - bond it to his machine. There are many ways to bond it - including using a dongle or smartcard. But a practical way would simply bond it to the hard drive. I'm sure ways can be invented so that certs cannot be simply pulled from one machine and stuck into another.
If Joe later abuses his cert - then his ISP can blacklist it and refuse to issue another. Also - the ISP's can trade blacklist information just as banks and businesses trade credit information.
The mail clients can be modified to send the cert and the MTA's could check for and eventually reject any unsigned mail.
As for the ISP's being a trusted CA? Well - we have to trust some people somewhere. The question would really boil down to which ISP's trust which other ISP's and they could cooperatively run their own blacklist.
With a system like this - I would think that an ISP that is shady would find their email services would be in jeopardy of being refused and that should serve to keep the ISP's in line to.
------------
I also think the spamd solution in OpenBSD has a lot of merit. Spamd does not block email. Instead - if the sender is blacklisted - spamd accepts it very very slowly. This creates an incentive for the owner of the mail server sending out the spam to deal with it. With spamd in wide spread usage the problem comes under control in a number of ways.
(1) suzy spammer will find if she runs a spam server that it can't spew very fast - because her IP address and/or domain will end up in the RBL rather quickly and the moment this happens. Receiving MTA's slow to a crawl.
(2) If Suzy spammer tries to send through her ISP's account - the same thing happens but now the ISP has to deal with the problem. No ISP's will want to have a significant number of their IP addresses in an RBL. Since this will pose a significant admin problem - the ISP has a huge incentive to give Suzy spammer the boot.
(3) We have some bad ISP's and these people will find their errant ways are causing themselves grief.
(4) It might encourage ISP's to actually issue static IP's which many of us want anyways. Note we would NOT have nearly the spam problem if static IP addresses were issued.
Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
Yes.
Not to mention that your argument is, of course, the oldest and dumbest of the "doh, I don't wanna see the problem, nanana" kind.
I mean, why should we do something about rape? Nobody I know got raped, so it can't be a huge problem. And seriously, are you being raped so often that just dealing with it doesn't do it for you?
Really, now. Rape is just not thatpressing an issue to me. I can't see why/how it's such a huge issue for anyone else.
Well, sucker, it is. You might be living under a rock or in a box, but essentially everyone dealing with it day-to-day agrees that at least half of the SMTP traffic worldwide is spam. It is a huge problem. If it isn't for you: Be happy, and please step aside while the rest of us go and solve it.
Assorted stuff I do sometimes: Lemuria.org
People assume IM2000 would stop spam because:
1] You don't get a message unless you want to retrieve it
2] The sender has to store the mail not the receiver, so the sender has to pay to store a bajillion messages
This doesn't work because:
1] By seeing the notification, you're already annoyed and have wasted your time.
2] The sender need only store ONE copy of the mail on a customised MTA, not millions - so as long as he has a custom server, he can still spam and use only a few hundre kb of disk space per message type.
3] Retrieval of email would become extremely slow for anyone with large attachments or similar. Connectivity problems would be noticeable to the end user