Slashdot Mirror


AOL Tests Sender Permitted From / E-mail Caller ID

securitas writes "ZDNet reports that AOL is testing Sender Permitted From (SPF), 'an antispam filter intended to accurately trace the origin of e-mail messages.' AOL is performing the widescale SPF test with its 33 million subscribers worldwide. The system works by letting recipients use the SPF record to cross-check DNS data associated with AOL's IP addresses and confirm that the message originated from AOL's servers. The system is one of three competing e-mail authentication protocols. The other IP-identifying protocols are the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RME/RMX). All systems alter the DNS database to let e-mail servers publish the IP addresses that they use to send e-mail."

31 of 448 comments

  1. So far, so good by TheOtherChimeraTwin · · Score: 5, Interesting

    I've had trouble with spammers doing small runs with my domain name on AOL. Since I've set up SPF, I haven't had a single bounce from AOL-bound spam. It might just be luck, but as far as I can tell, SPF is helping.

  2. Hashcash anyone? by product+byproduct · · Score: 3, Interesting

    Here's a nice way. Before someone can send some mail, he has to get some exponent from mersenne.org which needs double-checking, run the primality test and report the low order 64 bits of the final S_{P-2} value, called a residue. If that value matches the value that mersenne.org expects, then the mail goes through.

    Nice deterrent for spam, and as a side-effect one more Mersenne exponent has been double-checked.

    1. Re:Hashcash anyone? by Adam9 · · Score: 2, Interesting

      I bet the mailing lists would love that..

  3. [Consults crystal ball...] by Black+Parrot · · Score: 0, Interesting

    Anyone want to buy squares on how long 'til it's cracked?

    --
    Sheesh, evil *and* a jerk. -- Jade
  4. Should faking be illegal? by Thinkit4 · · Score: 3, Interesting

    Sure I'm libertarian like many other nerds, but I can't think of a good reason to fake email. I want my whitelists to work. A technical solution is always better, though.

    --
    -I am an elective eunuch.
  5. I'm All For It by vga_init · · Score: 2, Interesting

    Personally, I think that it's an excellent idea; I remember reading about SPF a while back when it was still just brand-new, and though it sounded like a fantastic idea I was wondering who exactly was going to pull it off--after all, the system requires a lot of outside cooperation to work effectively.

    Now that this is being backed by AOL, a massively-used service, SPF will be pushed into the forefront, hopefully becoming a more universal standard and dealing a major blow against spam.

    This may just be what we've been waiting for.

  6. What about commercial or throwaway accounts? by Anonymovs+Coward · · Score: 5, Interesting

    Lots of e-businesses generate unique email addresses for different consumer requests, which can then be thrown away, and individuals and mailing list managers (like ezmlm for subscription confirmations) do this too. It works because often the part of the email address after a + sign (or for qmail, a -) is ignored by the mail delivery agent, but can still be used for filtering/sorting mail by the user. Seems to me any DNS-based email address registry has to be smart enough to deal with it.

    I suspect that as the big commercial guys get more and more aggressive in breaking email standards in the name of combating spam, the internet will split into different incompatible email groups: the old-fashioned types (which include many university departments still) who use a text console and a program like pine or elm, and the AOL/Hotmail/Yahoo crowd. To some extent it's already happening: I can barely read some messages sent from MS Outlook, they're formatted so badly, and as a result I'm less likely to reply to them.

  7. Re:Simply Amazed by ldspartan · · Score: 4, Interesting

    SPF is broken. It breaks forwarding, unless you want to rewrite the From header at every hop.

    Mail signing (what yahoo proposed recently) is a lot closer to working sender verification. It would allow a message to take any number of hops, and still be verified.

    --
    lds

  8. this ain't gonna work. by cdn-programmer · · Score: 4, Interesting

    What will work is a certification that is revocable. The concept is embodied in public key encryption and certification.

    Basically - all we need to do is this. We have a trusted institution like a bank or your local government office issue a digital ID to everyone who wishes to participate... purely voluntary.

    Next - those who wish to participate use an email client that refuses to accept anything from anyone who does not have a valid certificate.

    Next - we set up a black hole list and the email clients refuse emails from anyone in the blackhole list.

    Next - we make this list available to the issuing authorities and if they re-issue we blackhole that authority.

    By doing this we create a bureaucratic nightmare for our wannabe spammers and everyone else is pretty much free to go on as they have.

    I for one will NOT join an opt in list because there are far too many people who have legitimate reasons to contact me. Yet the spammers? well - there are not that many of them... they are really a fringe group actually.

  9. SPF is good for the PHBs... by bc90021 · · Score: 4, Interesting

    It works well with them for two primary reasons:

    1) It is easy to do. You can go to the SPF site and they have a wizard to fill out so you know exactly how to change your DNS, and

    2) You can change things over gradually. After you've changed the DNS, you start by allowing everyone, and then as more people join the system, you implement the protocol slowly.

    That last point is particularly good, since the PHB types freak if their email isn't exactly the way that they're used to... and they also freak when implementing new technologies. You can assure them that nothing is changing at first, and that all changes will be made gradually and in steps.

    The SPF guys understand that that's necessary, and even have a PHB Executive Summary page.

  10. Re:AOL muscle by PygmySurfer · · Score: 5, Interesting

    Using muscle to force the Internet into a standard isn't going to work. We need something that *is* a standard, rather than *pushing* a standard upon people.

    Standards don't miraculously appear out of mid-air. Standards are created when one implementation of an idea is chosen over other implementations. Unfortunately, as at least one of your examples shows, we see that it's not a

    Right now, AOL and several other groups are developing an implementation of a Spam-tracking system. Eventually, one of these systems may win out. If/when it does, a standard is born.

  11. AOL is the Wal*Mart of the Internet. by vegetablespork · · Score: 4, Interesting

    If anyone could force a change to the current email system (unfortunately), it's AOL. If AOL said that beginning 00:00 next Sunday, mail from hosts without valid SPF records would be rejected, major ISPs and corporations would fall immediately into line. Those running their own SMTP servers would either make SPF records or be forced to use their ISP's smarthost.

    --

    Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

  12. As usual, D. J. Bernstein has the ACTUAL solution by Anonymous Coward · · Score: 5, Interesting

    The idea behind Internet Mail 2000 is obviously correct. Why waste time on DNS-based approaches when we COULD be developing the Solution?

  13. Re:this is not whitelist. by weave · · Score: 4, Interesting

    I believe along with this, your ISP or employer would also have to set up authenticated SMTP so you could send email through their servers legitimately when you're outside their network. Shame that many places now routinely block outgoing port 25 though...

  14. I foresee a problem by mark-t · · Score: 2, Interesting

    If a person's email address and mail server do not correspond to the same network.

    This actually is the case for my wife and me, who still pay for and use our older dialup ISP's email accounts for both professional and personal reasons, but have been connected to the internet 24/7 via cable for the past few years. We cannot send email out through our email provider's mail server unless we dial in and connect to them directly using one of their dialup lines. Thus, we use the mail server provided by our cable provider to send the mail for us. Of course, if ADSL was available in my building, I would simply subscribe to that via my ISP and it wouldn't be an issue, but it's not... so a system like this would seem to render my wife's and my email accounts unusable.

  15. I see a problem here.... by jhunsake · · Score: 2, Interesting

    Question on this whole SPF thing.
    I'm interested in it but have a slight issue with it at the moment that
    I'd like to get resolved.

    My domain is: mydomain.com
    Customer A is traveling and is using his e-mail of joe@mydomain.com
    However, I do IP filtering on my mail server (not SASL AUTH), for my
    dial-up pools.
    When Customer A is at hotel he must use their mail server to send mail
    out, so his mail will be rejected because the hotel mail server isn't
    listed in mydomain.com's SPF txt list.

    You suggest running SASL AUTH as a work around for this, however in my
    experience this creates MORE of a spam problem than not using SPF..
    here's why:

    On a mail server with over 40,000 users it's relatively easy for someone
    with a password cracker to hammer away at common names like 'joe'
    'jeffp', etc and try to get some passwords. Once they have a
    username/password combo they can happily send e-mail out as that user
    through MY mail server, and I can't do anything about them. Doing IP
    filtering requires that they are on MY network to send mail through MY
    server, thus allowing me to terminate/prosecute/etc the person.
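
The brute-force worry jhunsake raises above (password guessing against common usernames over SMTP AUTH) is exactly what a defender watches for in the mail server's authentication log. The block below is an added example written for this mirror, not code from the page or from any poster: it runs a per-source-IP sliding-window count over constructed log lines whose format is modeled on Postfix's "SASL ... authentication failed" warning (the hosts, addresses and usernames are made up), and flags sources that exceed a failure threshold within the window, along with how many distinct usernames they tried.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (Postfix/smtpd style); every host, IP and user is made up.
SAMPLE_LOG = """\
Jan  8 10:00:01 mx postfix/smtpd[2201]: warning: unknown[203.0.113.40]: SASL LOGIN authentication failed: authentication failure, sasl_username=joe
Jan  8 10:00:03 mx postfix/smtpd[2201]: warning: unknown[203.0.113.40]: SASL LOGIN authentication failed: authentication failure, sasl_username=jeffp
Jan  8 10:00:05 mx postfix/smtpd[2203]: warning: unknown[203.0.113.40]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob
Jan  8 10:00:08 mx postfix/smtpd[2203]: warning: unknown[203.0.113.40]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Jan  8 10:00:12 mx postfix/smtpd[2204]: warning: unknown[203.0.113.40]: SASL LOGIN authentication failed: authentication failure, sasl_username=joe
Jan  8 10:00:20 mx postfix/smtpd[2204]: warning: unknown[203.0.113.40]: SASL LOGIN authentication failed: authentication failure, sasl_username=admin
Jan  8 10:05:00 mx postfix/smtpd[2210]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice
Jan  8 10:05:40 mx postfix/smtpd[2210]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice
Jan  8 10:06:12 mx postfix/smtpd[2212]: connect from client.example.net[198.51.100.7]
"""

# Matches a failed SASL auth line and captures timestamp, client IP and attempted username.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed.*?sasl_username=(?P<user>\S+)"
)


def parse_failure(line):
    """Return (timestamp, ip, username) for an auth-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only deltas within one run matter here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_bruteforce(lines, threshold=5, window_s=60):
    """Flag source IPs with >= threshold auth failures inside any window_s span.

    Returns {ip: (max_failures_in_window, distinct_usernames_tried)}. A high
    distinct-user count on one IP is the password-spray pattern; a low one is
    a single account being hammered (or a user with a stale saved password).
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, ip, user = parsed
            events[ip].append((ts, user))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = (best, len({u for _, u in evs}))
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failures within 60s across {users} usernames")
```

With the sample above only 203.0.113.40 is flagged (six failures in under twenty seconds against five different usernames); the two failures from 198.51.100.7 look like one user mistyping a password and stay below the threshold. In production the same counts would feed a temporary block (fail2ban-style) or an alert rather than a print.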

  16. Re:Still don't get it.... by FattMattP · · Score: 2, Interesting

    Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?

    Yes. In one email account I received 4478 emails for December 2003. Out of all of those only 91 were legitimate messages. In another email account the spam folder had more than 10,000 spam messages caught by SpamAssassin from December 21st to January 8th. So yeah, the "delete" button just isn't doing it for me. Thank god for SpamAssassin.

    --
    Prevent email address forgery. Publish SPF records for y

  17. You bet :this ain't gonna work. by rueger · · Score: 2, Interesting

    Basically - all we need to do is this. We have a trusted institution like a bank or your local government office issue a digital ID to everyone who wishes to participate... purely voluntary.

    1) Banks and government as "trusted"? This sounds like a wonderful way for both of them to track every e-mail you send with no problem.

    2) "Voluntary" will rapidly become mandatory.

    No, for e-mail to remain useful and to ensure that those who need it can have privacy it is important that we develop technology that blocks the spammers while not further infringing on the privacy of users.

    Unless of course the preceding message was a troll.

  18. Some educated opinions on the subject. by mcroot · · Score: 3, Interesting

    Before looking at SPF you may want to read what Claus Assmann, and Wietse Venema have to say on the subject.

    If you don't know who these two people are, I seriously hope you're not someone who's making decisions affecting SMTP on the Internet.

  19. You are incorrect by Powercntrl · · Score: 4, Interesting

    AOL has rate limiting implemented server-side. Try to send too many e-mails at one time and your AOL account gets nuked AUTOMATICALLY by a script. If you're getting spam with @aol.com as the origin, it's forged. This is EXACTLY why AOL is implementing SPF - they're probably sick of being associated with spam they are NOT the origin of!

    --
    DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.

  20. Re:Still don't get it.... by ozric99 · · Score: 4, Interesting

    Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?

    My Popfile stats since I last reset it just before Christmas:

    Inbox - 175
    Invoices - 57
    Newsletters - 343
    Spam - 20231

    Accuracy of 98.73%
    Yes, 97% of my email is spam :(

    That's across about 5 ISP accounts and a few domains.

  21. The solution to spam. Seriously. by ryanvm · · Score: 1, Interesting

    Okay, I've been thinking about this one for a while, but feel free to shoot me down.

    When you send someone an email message you initiate a potential financial transaction for a tiny amount of money (say $.5). If the recipient is so inclined they can complete the transaction and "cash in" your $.5. The idea is that people that want to receive email from you will not redeem your offer.

    If you send a non-spam email to someone and they decided to be a jerk and cash in then you're only out 5 cents. Of course if you're a spammer and you just sent that email to 200,000 people then you've got a problem.

    Obviously this would not be built into SMTP (to preserve compatibility) but would rather be a layer on top that the common email clients would have to handle. There's also some infrastructure details to be worked out like cryptographic method, payment processing (perhaps 1% of the completed transactions go towards the organization handling the payment processing), etc.

    I know it just can't be that simple, so why wouldn't this idea work?

  22. It's not just you... by Anonymous Coward · · Score: 2, Interesting

    The spam problem is real, but it doesn't affect everybody.

    It is easy to deal with using standard smtp protocol, but the larger ISPs don't seem to wish to implement the existing methods (smtp-auth plus block all emails not originating at an IP that matches an mx record. If you want to run your own mail server, you better get a (sub)domain. simple blacklists and filters).

    There is a drive to monetize email as well, and the arguments for this usually begin with "smtp is broken".

    Whitelists are a social-engineering product, as this then limits the number of people contacting people for the first time by email, and will greatly shrink the communities formed on the internet to people your company does work with, people you have met and exchanged email addresses with, and people on subscribed mailing lists. This slows the flow of ideas, and it makes it more possible to track who is communicating with who.

    Most of the proposed "anti-spam" tech also includes something in the lines of a centralized database, often in the form of your whitelist being maintained on your ISP's server. This allows easy mapping of the social network, which, IMHO, is not necessarily a good thing.

    Many people think that changes such as these are necessary to "save the internet" because they've bought into the idea that the internet is somehow under threat by the very people who built it, and they are ignorant of the fact that it is mostly these "internet saving" ideas that threaten the usefulness of the network, and are more intended to make the internet more like other media (centrally controlled, corporately censored) and less of the decentralized (publishing/communication/collaboration) forum that it is today.

  23. Testing incoming, or testing outgoing? by jfengel · · Score: 2, Interesting

    I've read the article and I can't figure out what the test is. Does this mean that AOL is publishing SPF records (in which case it's old news) or does it mean that AOL is going to start rejecting incoming mail which fails the SPF tests?

  24. Re:Hrm by RollingThunder · · Score: 2, Interesting

    Presumably, though, you can also start feeding SPF-based data (does it have SPF records? does it match? etc) into SpamAssassin or other classifiers, and seeing how well they correspond to spam/ham checks.

  25. Re:Why this is a big deal by pensivepuppy · · Score: 2, Interesting

    It means that any system administrator can configure their mail transfer agent to bin any spam pretending to come from aol.com with a 100% success rate

    Not true. If a user with a legitimate aol.com email address sends mail to a mailing list or some other forwarded address that isn't "SPF friendly", their mail could be rejected incorrectly by an SPF client. I don't think you can claim 100% success yet.

  26. DNS??? by NemoX · · Score: 2, Interesting

    I don't understand... why can't all email servers just check forward/reverse MX record lookups to help diminish spam. I know that will not end it, but it would drastically help from spoofing email... which is all that AOL's initiative seems to be doing (i.e. not killing it, just preventing their servers from being spoofed).

    Oh, yeah, and have the email servers not accepting relays, and patch the damn home user windows boxes. Instead of AOL blocking ADSL, they just need to block windows '95-ME, 2000 pro, and XP. They are all home systems, not servers. Network packets can show OS footprints, so this is doable.

    Just more media hype, I'll believe it when I see it. AOL just has to rebut microsoft (MSN) from stealing more AOL users with their latest news about anti-spam pledge from Gates.

  27. Re:this is not whitelist. by ajs · · Score: 3, Interesting

    "Now, if you knew SPF, you would recognize that the last bit -- ?all"

    Hate to sound snide, but if you knew SPF you would recognize that as a transitional setting, which the SPF specs suggest you set a hard cutoff date around.

    SPF's failing, as far as I can tell is that there is no dynamic authentication capability for a client out in space that wants to send mail "from" all of the 20 or so domains that that user had addresses with (e.g. my spamcop, personal, aol, work, oss project and other addresses). I don't want to go hunt down a server that will talk to me for mail origination for EVERY ONE of these domains... I just want a way to tell their servers, "hey, I just sent a message from your domain to joe@example.com, heads up" and have the right thing happen. There should then be a way for a server to say, "heya, I just got mail from your domain to my joe@example.com address... that you?" It needs to be message-by-message like this, and if that sounds like a lot of overhead... I GUARANTEE you that it is less than handling bounces for every virus message ever crafted in your name....
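
Three of the comments above turn on how an SPF record is actually evaluated: bc90021's gradual rollout (publish the record, start by allowing everyone, tighten later), the `?all` transitional setting ajs refers to, and ldspartan's point that plain forwarding breaks the check. The following SPF evaluator is an added example written for this mirror, not code from the page, from the SPF project or from any poster. It replaces real DNS with a constructed in-memory table (example.com, _spf.example.net, rollout.example and all addresses are made up), implements only the ip4, a, mx, include and all mechanisms with the four qualifiers, and shows both the rollout steps and the forwarding failure on the same record.

```python
import ipaddress

# Constructed stand-in for DNS (domains, IPs and records are made up for this
# example); a real checker would query DNS for these TXT, A and MX records.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:203.0.113.0/28 -all"]},
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, domain, rtype):
    return dns.get(domain, {}).get(rtype, [])


def ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the v=spf1 record of `domain` against the connecting IP.

    Supports the ip4, a, mx, include and all mechanisms with the four
    qualifiers (a subset of RFC 7208). Returns one of the SPF result words.
    """
    if depth > 10:                 # RFC 7208 limits lookup recursion
        return "permerror"
    records = [t for t in lookup(dns, domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(dns, arg or domain, "A"))
        elif name == "mx":
            matched = any(ip_in(ip, a)
                          for mx in lookup(dns, arg or domain, "MX")
                          for a in lookup(dns, mx, "A"))
        elif name == "include":
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"     # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"               # no term matched: default result per RFC 7208


def rollout_results(unlisted_ip):
    """Result for an IP the record does not list, under each 'all' qualifier a
    gradual rollout steps through: ?all (announce), ~all (softfail), -all (enforce)."""
    results = {}
    for suffix in ("?all", "~all", "-all"):
        dns = {"rollout.example": {"TXT": ["v=spf1 ip4:203.0.113.10 " + suffix]}}
        results[suffix] = check_spf(unlisted_ip, "rollout.example", dns)
    return results


def forwarding_results():
    """Why plain forwarding breaks SPF: the same message, envelope sender
    user@example.com, first from the domain's own server and then re-sent
    unchanged by a forwarding host that example.com's record does not list."""
    direct = check_spf("192.0.2.7", "example.com")
    forwarded = check_spf("203.0.113.99", "example.com")
    return direct, forwarded


if __name__ == "__main__":
    print(rollout_results("203.0.113.99"))   # {'?all': 'neutral', '~all': 'softfail', '-all': 'fail'}
    print(forwarding_results())              # ('pass', 'fail')
```

The rollout function shows why `?all` is only transitional: with it, an unlisted sender gets "neutral", which receivers treat like no record at all, so nothing is enforced until the record is moved to `~all` or `-all`. The forwarding function shows the other side of that enforcement: once the record ends in `-all`, a message that a forwarder re-sends with the original envelope sender fails, because the check is against the last hop's IP, not the originating server's, which is the breakage the forwarding objection describes.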

  28. Re:Because... by Anonymous Coward · · Score: 1, Interesting

    Or maybe he owns his own domain? Or maybe he runs a website and HAS to make his address public so that people can contact him regarding his whois record, help about the site, webmaster notices and general correspondence.

    I agree, if you're jumbob426@hotmail.com - you shouldn't have much of a problem just creating yet another address. But what if you own your domain and you are erin@klowsky.com? You're now forced OUT of your own email address for your OWN name because of spam.

    That's fucked up.

  29. Re:Hard to see how it won't be futile by Anonymous Coward · · Score: 1, Interesting

    Yes, but it is easier to track pen1s3nl4rg3m3nt.nu to a physical person.

    Well, I don't think it's any easier, nor harder for that matter. Every spam comes with a 100% certain way of identifying the spammer - just follow the money trail. Most throwaway domain registrations contain fake data, and the reverse money trail (finding the payer of the registration fee) is harder to follow, and therefore unneeded.

  30. No Faking Here by Royster · · Score: 2, Interesting

    I've been using a single email address for almost 10 years. I've had 7 or 8 ISPs in that time and I've used this address with all of them. In fact, I've never used many of the email addresses that came with the Internet service I've purchased. I currently use this email address with T-Mobile on my Sidekick, with Optimum Online when sending from home and with whatever tier 2 providers my place of business has used for their multiple T-1s.

    If SPF takes off, it looks like I'm going to have to switch to an email address on a domain I own just so that I can code an SPF record that will allow me to do exactly what I've been doing since late 1994 -- sending email from various devices. With luck, I'll be able to automate the process of adding a new SMTP server for when I stay in a hotel and use their IP services.

    I hardly call this a step forward.

    --
    I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i