Slashdot Mirror


AOL Tests Sender Permitted From / E-mail Caller ID

securitas writes "ZDNet reports that AOL is testing Sender Permitted From (SPF), 'an antispam filter intended to accurately trace the origin of e-mail messages.' AOL is performing the widescale SPF test with its 33 million subscribers worldwide. The system works by letting recipients use the SPF record to cross-check DNS data associated with AOL's IP addresses and confirm that the message originated from AOL's servers. The system is one of three competing e-mail authentication protocols. The other IP-identifying protocols are the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RME/RMX). All systems alter the DNS database to let e-mail servers publish the IP addresses that they use to send e-mail."

17 of 448 comments

  1. Simply Amazed by inode_buddha · · Score: 3, Insightful

    For once I might actually approve of something AOL does. OK I didn't RTFA but it sure looks a lot like whitelist filtering. Here's hoping that others pick up on this idea if it works out! (my dialup had 530 spams in the last month... thank you, Bayes!)

    --
    C|N>K
  2. Re:Still don't get it.... by pollock · · Score: 4, Insightful

    Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?

    In short, yes.

  3. Doesn't protect against cracked computers by h2oliu · · Score: 5, Insightful

    The biggest weakness of this system is that it doesn't protect against some user's system sitting on a broadband DSL/Modem line that has a Trojan Horse used to e-mail the spam. AOL's system probably would only encourage more viruses/worms designed to make computers email relays.

    Of course if all non-business accounts were prevented from hosting an SMTP server that would help solve that problem, but I don't think that would go over very well with the Slashdot crowd. I'm not even sure where I stand on that issue.

    --
    Ok, I give up, why you?
  4. Re:Still don't get it.... by UnknowingFool · · Score: 5, Insightful
    Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?

    I think the problem is larger than the few annoying emails people get every day. There are two things to consider.

    1) Cumulatively, spam is not just a headache but can be resource draining. Getting 10 or so a day for ten days if I don't check email leads to 100 emails. It would be one thing if it affected me but I'm not the only one that uses my mail server or ISP. It bogs down the mail server that I use whether it's my work email or my personal one. At work, my company has to dedicate resources to fight spam which costs companies money. My only effective choice right now is to abandon my email address every year so I don't get spam for a while.

    2) Spam is not discriminating. Offers that are sexual in nature may be innocuous to me, but for parents that's another matter. They want their kids to learn email but can't do much to protect them from this content besides not use email.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  5. Re:this is not whitelist. by schon · · Score: 4, Insightful

    If the SPF record (which will contain the IP addresses of AOL's mail servers) doesn't match the originating IP address of the mail message (as in, a spoofed header) the message is invalid.

    So, in essence, AOL has decided that its customers can no longer send mail from their AOL email address, unless they're logged into AOL.

    This does not bode well.

    I don't use AOL, but if MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.
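
The cross-check described in the story summary and in the comment above, as an added example (not code from the original thread or from any SPF implementation): it evaluates a connecting IP against the envelope sender's published record, handling only the `ip4`, `ip6`, `include` and `all` mechanisms. The domains, addresses and the in-memory `TXT` table are constructed stand-ins for real DNS lookups.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation-range addresses).
TXT = {
    "isp.example": "v=spf1 ip4:192.0.2.0/28 include:_spf.bulk.example -all",
    "_spf.bulk.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/48 ~all",
    "nopolicy.example": None,  # domain publishes no SPF record
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, depth=0):
    """Evaluate the connecting IP against the envelope sender's SPF record."""
    if depth > 10:                       # bound include chains (loops, lookup floods)
        return "permerror"
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        elif name == "include":
            # An include matches only if the nested check passes; the nested
            # record's own "-all"/"~all" does not end the outer evaluation.
            if check_spf(client_ip, "x@" + arg, depth + 1) == "pass":
                return RESULT[qualifier]
        else:
            return "permerror"           # mechanism outside this example's subset
    return "neutral"                     # nothing matched and no "all" term
```

With this data, `check_spf("203.0.113.77", "user@isp.example")` returns `fail`: mail carrying the ISP's domain from an address outside its published ranges, which is the roaming-user case raised in the comment above.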

  6. Re:Still don't get it.... by securitas · · Score: 4, Insightful


    Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
    Really, now, junk mail is just not that pressing an issue to me. And I can't see why/how it's such a huge issue for anyone else.

    Let me explain it to you.

    Yes. I personally receive over 5000 spam messages a day. Thanks to the very clever spammers who are getting better at circumventing spam filters, I'm seriously considering moving to a white-list, and even that may not stem the tide. Part of the problem is with false-positives and the fact that people don't know how to write a proper subject line. Sometimes legitimate and very important messages have been contained in messages with subjects and other message body content that can resemble spam.

    As a test I have set up e-mail addresses that I have never used or publicized in any way at a number of domains and providers. Guess what? Within days (sometimes hours) spam lands in those mailboxes, too, and based on the user/account names that I set up, I know it's not because of a simple dictionary attack.

    Just because you don't personally experience it (consider yourself among the lucky few) doesn't mean that it's not a real problem. FYI, SPF is not (strictly speaking) from AOL. It's just being rolled out on a massive scale by AOL, which should be a good test of the technology.

    I don't know if this is the right move, but something has to be done to eradicate this plague and its carriers.

  7. Re:Veri$ign? by Jeffrey Baker · · Score: 3, Insightful
    You don't need to have key signing events, because in the case of email public keys, it is assumed that the key will be signed by at least one party other than the subject: their ISP. So if Yahoo! lists your email-signing public key in their DNS, they will have signed it as well.

    SPF is incredibly broken because it allows ISPs to control who sends mail from where. We should be resisting SPF and all other similar proposals and backing public keys in DNS.

  8. in a utopia, yes. by Kunta Kinte · · Score: 4, Insightful
    Using muscle to force the Internet into a standard isn't going to work. We need something that *is* a standard, rather than *pushing* a standard upon people.

    We've been waiting for an anti-spam standard for years now. What do we have? Nothing.

    It's about time someone with clout got up and started making decisions.

    I have 4 blocklists on my email server, and still we get a ton of spam every day. My users hate it, I hate it, but we have to deal with it whilst the IETF works out their political agenda.

    PS. I've also been waiting for the Calendar Access Protocol for a while now. Years, where is it? We're on draft 11 now.

    Sometimes design by committee plain sucks; and we just have to admit that.

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  9. Yahoo's DomainKeys breaks things too by wayne · · Score: 4, Insightful
    Yahoo's DomainKeys proposal involves taking a cryptographic hash of the message body *and* headers. It then encrypts the hash with a private key, puts the result in a header with a tag saying where to get the public key to check the resulting message.

    The problems with Yahoo's DomainKeys are as follows:

    • You complain about bounces, but this system does not verify the envelope from, and therefore will not prevent all those bounces.
    • A spammer who can get an account on your system (think Yahoo here), can send email to another account they control. They then have an email with your signed hash on it, which they can resend all they want.
    • Mailing lists, some email forwarding services, and other systems will add information to both the body and headers of a message. Microsoft Exchange servers store emails in an internal format and recreate the headers when they forward it on. *poof*, you now have an invalid hash.
    • Hashing and then using public key encryption to sign the emails is fairly expensive. The keys that you would look up in DNS are going to be fairly large. All-in-all, this is a fairly expensive proposal, and it doesn't really solve any problems.

    I think SPF is a far better proposal for this kind of thing.

    --
    SPF support for most open source mail servers can be found at libspf2.
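
The resend and modification points in the comment above, as an added example (not from the original comment, and a simplified model rather than the DomainKeys wire format): a signature over selected headers plus the body still verifies for any envelope recipient, and stops verifying when a list adds a footer or rewrites the subject. The key is a toy textbook-RSA pair, and the message, addresses and function names are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key built from two Mersenne primes: far too small and
# unpadded for real use, it only stands in for the sending domain's key pair.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
SIGNED_HEADERS = ("from", "subject", "date")


def digest(headers, body):
    """Hash the signed headers and the body into an integer below N."""
    canon = "".join(f"{h}:{headers[h].strip()}\r\n" for h in SIGNED_HEADERS)
    data = (canon + "\r\n" + body).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(headers, body):
    return pow(digest(headers, body), D, N)


def verify(headers, body, signature):
    return pow(signature, E, N) == digest(headers, body)


def deliver(envelope_rcpt, headers, body, signature):
    """What a verifying receiver sees; the envelope is not part of the hash."""
    return {"rcpt": envelope_rcpt, "valid": verify(headers, body, signature)}


# Constructed message, signed once by the sending domain.
HEADERS = {"from": "promo@mail.example", "subject": "Hello",
           "date": "Mon, 01 Jan 2001 10:00:00 -0000"}
BODY = "Original body text.\r\n"
SIG = sign(HEADERS, BODY)


def scenarios():
    first = deliver("first@elsewhere.example", HEADERS, BODY, SIG)
    resent = deliver("other@third.example", HEADERS, BODY, SIG)      # same bytes, new recipient
    footer = deliver("member@list.example", HEADERS, BODY + "-- \r\nlist footer\r\n", SIG)
    retitled = deliver("member@list.example", dict(HEADERS, subject="[list] Hello"), BODY, SIG)
    return first["valid"], resent["valid"], footer["valid"], retitled["valid"]
```

`scenarios()` returns `(True, True, False, False)`: the signature says nothing about who the message was delivered to, and any intermediary that touches signed content invalidates it.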
  10. Re:Hashcash anyone? by LostCluster · · Score: 4, Insightful

    All variants of "Make it computationally expensive to send e-mail!" prevent all mass mailings of all kinds... not just spam. You're tossing out a few babies with the bath water, that's just not a working solution.

    Besides, there's not much stopping Spammers from just buying the processing resources they need. Whatever meaningless task is picked, development would immediately start on making that puzzle easier to solve. You'd start seeing processor chips dedicated to the task...

    Being cash-expensive is less popular on /. because most geeks have more processor cycles than dollars, but at least cash has a more stable value over time...

  11. Re:I forsee a problem by LostCluster · · Score: 3, Insightful

    No it wouldn't. Just follow the proper protocol. The "From:" address should be your cable-domain address because that's what you're actually sending from. The "Reply-To:" address can be your dial-up address, because that's where you would like any replies to go.

    You're spoofing your "From:" address at the moment, and that's exactly what nobody should be allowed to do for any reason...

  12. Re:Should faking be illegal? by jrockway · · Score: 3, Insightful

    NO no no no no no. Faking email is fine. People need to learn to NOT TRUST the From field. Legislation gets us nowhere. I mean, viruses are illegal and there are plenty of those. It's illegal to hijack a plane and fly it into a building, but that happened too.

    Solution? SIGN YOUR EMAIL. Then the recipient knows that you wrote (or at least signed) the email. Key exchange a problem? Maybe you shouldn't be using email, then.

    If all my email were signed, I wouldn't even need a spam filter. I could just trash all non-signed email.

    Unfortunately, my friends (except for one) find it too hard to download/buy GPG/PGP and click the "sign" button when they mail me. Oh well, what can be expected of people that are too lazy to hit the shift key after sentences. *sigh*

    --
    My other car is first.
  13. Re:As usual, D. J. Bernstein has the ACTUAL soluti by HiKarma · · Score: 3, Insightful

    This is no solution. It stops the load of sending the bodies of spams, but the annoyance of spams still remains.

    It also introduces a lot of problems. Unless you just immediately fetch, it tells the sender where you were (IP address) and when at the time you fetch the mail. If the sender's server is down you may not be able to fetch it at all. Response times get slower, again unless we just use this to implement the old pre-send system, in which case we don't get its benefits.

    A mixed system (pre-send small mail, post-fetch large or questionable mail) can have some of the benefits but still faces problems. And spam still comes.

  14. Re:this is not whitelist. by M. Silver · · Score: 3, Insightful

    Mod me redundant because I say this *every* time somebody whines about this, but:

    I don't use AOL, but if MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.

    So you do what you're already supposed to do in this situation, and set the From line to your personal email address, and the SENDER line to wherever you really are. Mailing lists do this all the time.

    --

    Slashdot's token middle-aged housewife
  15. Re:AOL muscle by dev11 · · Score: 3, Insightful

    AOL didn't create SPF. It is just one of the proposed anti-spoof techniques out there. I am not a big fan of AOL/Time Warner, but I am glad to see them trying this out. Many Internet "standards" are de facto standards, which are later adopted as official, because they work the best. If committee designed standards were always adopted, the "Internet" may have used the OSI (very bad) protocols instead of the cleanly designed TCP/IP, since that at one time was the official standard of the US government, IIRC. Of course it wouldn't be the Internet, as IP stands for Internet Protocol. Like it or not, AOL is a large company that has a big subscriber base. In today's world, in order for any of these standards to take hold, I feel there needs to be prominent early adopters to create the necessary momentum. This is just a test, after all. AOL is not forcing anybody to do anything. AOL is trying this for their self interest, but if SPF works, then that is a good thing, and it benefits everybody who uses it.

  16. Re:AOL muscle by Nevo · · Score: 3, Insightful

    How do you think standards come to be?

    One day there's no standard and then, POOF, there is?

    Standards come into existence by the cooperation of many people deciding to do something together. Which is what's happening with SPF. SPF has been a proposed standard for a while now... AOL is the large adopter that's going to propel SPF to an accepted standard.

  17. Re:this is not whitelist. by Spy Hunter · · Score: 3, Insightful
    Yes, I still say it is no big deal. A 50 MB attachment is extremely rare, and vacations to far-away countries where you email people 50 MB attachments are even rarer. Even in this worst-case scenario it will only take a minute or three longer to transfer to the US than to a local mailserver (assuming you have broadband, otherwise your local connection will be the bottleneck anyway).

    Using a local mailserver is a pointless optimization, adding needless complexity and vulnerability to the email system. Globally, the extra resources used would be negligible. Actually, since most people either don't bother or don't know how to configure their mail client to do what you describe, everyone *already* sends all their mail through their ISP's servers. It hasn't been a tremendous problem so far.

    If you want to transfer 50 MB, and you just can't stand the thought of wasting a little precious bandwidth, then you can use another transfer method. Most service providers won't allow 50 MB emails anyway. Use an instant messaging program to transfer it directly, or set up an http server and host it yourself. If your ISP doesn't allow you to do that, that's much worse than requiring you to use their mail servers.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}