AOL Tests Sender Permitted From / E-mail Caller ID
securitas writes "ZDNet reports that AOL is testing Sender Permitted From (SPF), 'an antispam filter intended to accurately trace the origin of e-mail messages.' AOL is performing the widescale SPF test with its 33 million subscribers worldwide. The system works by letting recipients use the SPF record to cross-check DNS data associated with AOL's IP addresses and confirm that the message originated from AOL's servers. The system is one of three competing e-mail authentication protocols. The other IP-identifying protocols are the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RME/RMX). All systems alter the DNS database to let e-mail servers publish the IP addresses that they use to send e-mail."
For once I might actually approve of something AOL does. OK I didn't RTFA but it sure looks a lot like whitelist filtering. Here's hoping that others pick up on this idea if it works out! (my dialup had 530 spams in the last month... thank you, Bayes!)
C|N>K
Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
In short, yes.
The biggest weakness of this system is that it doesn't protect against some user's system sitting on a broadband DSL/Modem line that has a Trojan Horse used to e-mail the spam. AOL's system probably would only encourage more viruses/worm designed to make computers email relays.
Of course if all non-business accounts were prevented from hosting an SMTP server that would help solve that problem, but I don't think that would go over very well with the Slashdot crowd. I'm not even sure where I stand on that issue.
Ok, I give up, why you?
I think the problem is larger than the few annoying emails people get everyday. There's two things to consider.
1) Cummatively, spam is not just a headache but can be resource draining. Getting 10 or so a day for ten days if I don't check email leads to 100 emails. It would be one thing if it affected me but I'm not the only one that uses my mail server or ISP. It bogs down the mail server that I use whether it's my work email or my personal one. At work, my company has to dedicate resources to fight spam which costs companies money. My only effective choice right now is to abandon my email address every year so I don't get spam for a while.
2) Spam is not discrimating. Offers that are sexual in nature may be innocuous to me, but for parents that's another matter. They want their kids to learn email but can't do much to protect them from this content besides not use email.
Well, there's spam egg sausage and spam, that's not got much spam in it.
If the SPF record (which will contain the IP addresses of AOL's mail servers) doesn't match the originating IP address of the mail message (as in, a spoofed header) the message is invalid.
So, in essence, AOL has decided that it's customers can no longer send mail from their AOL email address, unless they're logged into AOL.
This does not bode well.
I don't use AOL, but if MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.
Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
Really, now, junk mail is just not that pressing an issue to me. And I can't see why/how it's such a huge issue for anyone else.
Let me explain it to you.
Yes. I personally receive over 5000 spam messages a day. Thanks to the very clever spammers who are getting better at circumventing spam filters, I'm seriously considering moving to a white-list, and even that may not stem the tide. Part of the problem is with false-positives and the fact that people don't know how to write a proper subject line. Sometimes legitimate and very important messages have been contained in messages with subjects and other message body content that can resemble spam.
As a test I have set up e-mail addresses that I have never used or publicized in any way at a number of domains and providers. Guess what? Within days (sometimes hours) spam lands in those mailboxes, too, and based on the user/account names that I set up, I know it's not because of a simple dictionary attack.
Just because you don't personally experience it (consider yourself among the lucky few) doesn't mean that it's not a real problem. FYI, SPF is not (strictly speaking) from AOL. It's just being rolled out on a massive scale by AOL, which should be a good test of the technology.
I don't know if this is the right move, but something has to be done to eradicate this plague and its carriers.
SPF is incredibly broken because it allows ISPs to control who sends mail from where. We should be resisting SPF and all other similar proposals and backing public keys in DNS.
We've been waiting for an anti-spam standard for years now. What do we have? Nothing.
It's about time someone with clout got up and started making decisions.
I have 4 blocklist on my email server, and still we get a ton of spam everyday. My users hate it, I hate but we have to deal with it whilst the IETF works out their political agenda.
PS. I've also been waiting for the Calendar Access Protocol for a while now. Years, where is it? We're on draft 11 now.
Sometimes design by commitee plain sucks; and we just have to admit that.
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
The problems with Yahoo's Domainkeys, are as follows:
I think SPF is a far better better proposal for this kind of thing.
SPF support for most open source mail servers can be found at libspf2.
All variants of "Make it computationally expensive to send e-mail!" prevent all mass mailings of all kinds... not just spam. You're tossing out a few babies with the bath water, that's just not a working solution.
/. because most geeks have more processor cycles than dollars, but at least cash has a more stable value over time...
Besides, there's not much stopping Spammers from just buying the processing resources they need. Whatever meaningless task is picked, development would immediately start on making that puzzle easier to solve. You'd start seeing processor chips dedicated to the task...
Being cash-expensive is less popular on
No it wouldn't. Just follow the proper protocol. The "From:" address should be your cable-domain address because that's what you're actually sending from. The "Reply-To:" address can be your dial-up address, because that's where you would like any replies to go.
You're spoofing your "From:" address at the moment, and that's exactly what nobody should be allowed to do for any reason...
NO no no no no no. Faking email is fine. People need to learn to NOT TRUST the From field. Legislation gets us nowhere. I mean, viruses are illegal and there are plenty of those. It's illegal to hijack a plane and fly it into a building, but that happened too.
Solution? SIGN YOUR EMAIL. Then the recipient knows that you wrote (or at least signed) the email. Key exchange a problem? Maybe you shouldn't be using email, then.
If all my email were signed, I wouldn't even need a spam filter. I could just trash all non-signed email.
Unfortunately, my friends (except for one) find it too hard to download/buy GPG/PGP and click the "sign" button when they mail me. Oh well, what can be expected of people that are too lazy to hit the shift key after sentences. *sigh*
My other car is first.
This is no solution. It stops the load of sending the bodies of spams, but the annoyance of spams still remains.
It also introduces a lot of problems. Unless you just immediately fetch, it tells the sender where you were (IP address) and when at the time you fetch the mail. If the sender's server is down you may not be able to fetch it at all. Response times get slower, again unless we just use this to implement the old pre-send system, in which case we don't get its benefits.
A mixed system (pre-send small mail, post-fetch large or questionable mail) can have some of the benefits but still faces problems. And spam still comes.
Mod me redundant because I say this *every* time somebody whines about this, but:
I don't use AOL, but if MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.
So you do what you're already supposed to do in this situation, and set the From line to your personal email address, and the SENDER line to wherever you really are. Mailing lists do this all the time.
Slashdot's token middle-aged housewife
AOL didn't create SPF. It is just one of the proposed anti-spoof techniques out there. I am not a big fan of AOL/Time Warner, but I am glad to see them trying this out. Many Internet "standards" are de facto standards, which are later adopted as official, because they work the best. If committee designed standards were always adopted, the "Internet" may have used the OSI (very bad) protocols instead of the cleanly designed TCP/IP, since that at one time was the official standard of the US government, IIRC. Of course it wouldn't be the Internet, as IP stands for Internet Protocol. Like it or not, AOL is a large company that has a big subscriber base. In today's world, in order for any of these standards to take hold, I feel there needs to be prominent early adopters to create the necessary momentum. This is just a test, after all. AOL is not forcing anybody to do anything. AOL is trying this for their self interest, but if SPF works, then that is a good thing, and it benefits everybody who uses it.
How do you think standards come to be?
One day there's no standard and then, POOF, there is?
Standards come into existence by the cooperation of many people deciding to do something together. Which is what's happening with SPF. SPF has been a proposed standard for a while now... AOL is the large adopter that's going to propel SPF to an accepted standard.
Using a local mailserver is a pointless optimization, adding needless complexity and vulnerability to the email system. Globally, the extra resources used would be negligable. Actually, since most people either don't bother or don't know how to configure their mail client to do what you describe, everyone *already* sends all their mail through their ISP's servers. It hasn't been a tremendous problem so far.
If you want to transfer 50 MB, and you just can't stand the thought of wasting a little precious bandwidth, then you can use another transfer method. Most service providers won't allow 50 MB emails anyway. Use an instant messaging program to transfer it directly, or set up an http server and host it yourself. If your ISP doesn't allow you to do that, that's much worse than requiring you to use their mail servers.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}