Slashdot Mirror
AOL Tests Sender Permitted From / E-mail Caller ID
securitas writes "ZDNet reports that AOL is testing Sender Permitted From (SPF), 'an antispam filter intended to accurately trace the origin of e-mail messages.' AOL is performing the widescale SPF test with its 33 million subscribers worldwide. The system works by letting recipients use the SPF record to cross-check DNS data associated with AOL's IP addresses and confirm that the message originated from AOL's servers. The system is one of three competing e-mail authentication protocols. The other IP-identifying protocols are the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RME/RMX). All systems alter the DNS database to let e-mail servers publish the IP addresses that they use to send e-mail."
So what? Microsoft is working on a new secret email technology and they need people to test it. They are paying people for it too! Send this email message to 10 people and receive a check for $50.00 from Microsoft. My friend Tom did it and it really works!
Ruby on Rails Screencast
I don't know anyone respectable who uses AOL so I won't ever be able to find out how this works...
Small potatoes make the steak look bigger.
I've had trouble with spammers doing small runs with my domain name on AOL. Since I've set up SPF, I haven't had a single bounce from AOL-bound spam. It might just be luck, but as far as I can tell, SPF is helping.
Here's a nice way. Before someone can send some mail, he has to get some exponent from mersenne.org which needs double-checking, run the primality test and report the low order 64 bits of the final S_{P-2} value, called a residue. If that value matches the value that mersenne.org expects, then the mail goes through.
Nice deterrent for spam, and as a side-effect one more Mersenne exponent has been double-checked.
For once I might actually approve of something AOL does. OK I didn't RTFA but it sure looks a lot like whitelist filtering. Here's hoping that others pick up on this idea if it works out! (my dialup had 530 spams in the last month... thank you, Bayes!)
C|N>K
Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
In short, yes.
Sure I'm libertarian like many other nerds, but I can't think of a good reason to fake email. I want my whitelists to work. A technical solution is always better, though.
-I am an elective eunuch.
This is not a whitelist filter.
It's not any kind of a filter.
It just means that AOL has published SPF records for its mail servers in their DNS entries. Any mail server speaking SPF, receiving mail from AOL.COM, will check the SPF record.
If the SPF record (which will contain the IP addresses of AOL's mail servers) doesn't match the originating IP address of the mail message (as in, a spoofed header) the message is invalid. Then it can be either dropped or bounced or whatever.
If the SPF record matches the initiating IP address (as in the case of a message legitimately sent by the mail server) it's clear and goes through.
I suspect that as the big commercial guys get more and more aggressive in breaking email standards in the name of combating spam, the internet will split into different incompatible email groups: the old-fashioned types (which include many university departments still) who use a text console and a program like pine or elm, and the AOL/Hotmail/Yahoo crowd. To some extent it's already happening: I can barely read some messages sent from MS Outlook, they're formatted so badly, and as a result I'm less likely to reply to them.
The biggest weakness of this system is that it doesn't protect against some user's system sitting on a broadband DSL/Modem line that has a Trojan Horse used to e-mail the spam. AOL's system probably would only encourage more viruses/worm designed to make computers email relays.
Of course if all non-business accounts were prevented from hosting an SMTP server that would help solve that problem, but I don't think that would go over very well with the Slashdot crowd. I'm not even sure where I stand on that issue.
Ok, I give up, why you?
What will work is a certification that is revolkable. The concept is embodied in public key encryption and certification.
Basically - all we need to do is this. We have a trusted institution like a bank or your local government office issue a digital ID to everyone who wishes to participate... purely voluntary.
Next - those who wish to participate use an email client that refuses to accept anything from anyone who does not have a valid certificate.
Next - we set up a black hole list and the email clients refuse emails from anyone in the blackhole list.
Next - we make this list available to the issuing authorities and if they re-issue we blackhole that authority.
By doing this we create a beuracratic nightmare for our wanna be spammers and everyone else is pretty much free to go on as they have.
I for one will NOT join an opt in list because there are far to many people who have legitimate reasons to contact me. Yet the spammers? well - there are not that many of them... they are really a fringe group actually.
It works well with them for two primary reasons:
1) It is easy to do. You can go to the SPF site and they have a wizard to fill out so you know exactly how to change your DNS, and
2) You can change things over gradually. After you've changed the DNS, you start by aloowing everyone, and then as more people join the system, you implement the protocol slowly.
That last point is particularly good, since the PHB types freak if their email isn't exactly the way that they're used to... and they also freak when implementing new technologies. You can assure them that nothing is changing at first, and that all changes will be made gradually and in steps.
The SPF guys understand that that's necessary, and even have a PHB Executive Summary page.
libertarianswag.com
Don't forget to publish SPF records for your domain if you have the ability to do so. If you have already done so, please register your domain via the validator.
Prevent email address forgery. Publish SPF records for y
Using muscle to force the Internet into a standard isn't going to work. We need something that *is* a standard, rather than *pushing* a standard upon people.
Standards don't miraculously appear out of mid-air. Standards are created when one implementation of an idea is chosen over other implementations. Unfortunately, as at least one of your examples shows, we see that its not a
Right now, AOL and several other groups are developing an implementation of a Spam-tracking system. Eventually, one of these systems may win out. If/when it does, a standard is born.
I think the problem is larger than the few annoying emails people get everyday. There's two things to consider.
1) Cummatively, spam is not just a headache but can be resource draining. Getting 10 or so a day for ten days if I don't check email leads to 100 emails. It would be one thing if it affected me but I'm not the only one that uses my mail server or ISP. It bogs down the mail server that I use whether it's my work email or my personal one. At work, my company has to dedicate resources to fight spam which costs companies money. My only effective choice right now is to abandon my email address every year so I don't get spam for a while.
2) Spam is not discrimating. Offers that are sexual in nature may be innocuous to me, but for parents that's another matter. They want their kids to learn email but can't do much to protect them from this content besides not use email.
Well, there's spam egg sausage and spam, that's not got much spam in it.
If anyone could force a change to the current email system (unfortunately), it's AOL. If AOL said that beginning 00:00 next Sunday, mail from hosts without valid SPF records would be rejected, major ISPs and corporations would fall immediately into line. Those running their own SMTP servers would either make SPF records or be forced to use their ISP's smarthost.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
Prevent email address forgery. Publish SPF records for y
The idea behind Internet Mail 2000 is obviously correct. Why waste time on DNS-based approaches when we COULD be developing the Solution?
This presents a problem to those of us who have unreasonably short penises.
Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
Really, now, junk mail is just not that pressing an issue to me. And I can't see why/how it's such a huge issue for anyone else.
Let me explain it to you.
Yes. I personally receive over 5000 spam messages a day. Thanks to the very clever spammers who are getting better at circumventing spam filters, I'm seriously considering moving to a white-list, and even that may not stem the tide. Part of the problem is with false-positives and the fact that people don't know how to write a proper subject line. Sometimes legitimate and very important messages have been contained in messages with subjects and other message body content that can resemble spam.
As a test I have set up e-mail addresses that I have never used or publicized in any way at a number of domains and providers. Guess what? Within days (sometimes hours) spam lands in those mailboxes, too, and based on the user/account names that I set up, I know it's not because of a simple dictionary attack.
Just because you don't personally experience it (consider yourself among the lucky few) doesn't mean that it's not a real problem. FYI, SPF is not (strictly speaking) from AOL. It's just being rolled out on a massive scale by AOL, which should be a good test of the technology.
I don't know if this is the right move, but something has to be done to eradicate this plague and its carriers.
SPF is incredibly broken because it allows ISPs to control who sends mail from where. We should be resisting SPF and all other similar proposals and backing public keys in DNS.
It means that any system administrator can configure their mail transfer agent to bin any spam pretending to come from aol.com with a 100% success rate. And this goes for anyone else publishing an SPF record for your domain.
SPF is a proposed standard for a domain owner to tell mailers where mail From: that domain may originate. The domain owner publishes a DNS TXT record for their domain with (at the simplest) list of IP addresses. Participating mail transfer agents can then look this record up and make a policy decision on whether the mail is likely to be legitimate. The presence of an SPF record on a domain at present means that while you still can't be sure when you're handling spam, you can be sure when you have a piece of non-spam because the SPF record tells you so.
SPF is not a wholly original idea (e.g. up "designated mailer protocol"), and certainly not the simplest implementation but the important factor is that its proponent, Meng Wong, is an excellent lobbyer and spokesperson, as well as someone who as the nous to put forward a useful protocol (he founded pobox.com). It's currently at the point where lots of implementation are being written, with the canonical version being Meng's Perl modules. Currently I'm helping to finish the C implementation which will shortly be integrated into qmail and exim.
The tipping point (I hope) will be when a domain not publishing an SPF record or publishing a globaly permissive one will be considered "obviously" untrustworthy. Combining SPF authorisation with a more traditional "From: domain blacklist" will give spammers a very very hard time indeed forging mail. But AOL publishing a record (we hope) shows the way the wind is blowing: the rest of the world does seem to have to change their mail server configuration to keep mail flowing to AOL.
So go on, it's dead easy, publish a record for your domain now. Tell people where your mail comes from. Look, there's even a wizard to help you.
We've been waiting for an anti-spam standard for years now. What do we have? Nothing.
It's about time someone with clout got up and started making decisions.
I have 4 blocklist on my email server, and still we get a ton of spam everyday. My users hate it, I hate but we have to deal with it whilst the IETF works out their political agenda.
PS. I've also been waiting for the Calendar Access Protocol for a while now. Years, where is it? We're on draft 11 now.
Sometimes design by commitee plain sucks; and we just have to admit that.
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
Before looking at SPF you may want to read what Claus Assmann, and Wietse Venema have to say on the subject.
If you don't know who these two people are, I seriously hope you're not someone who's making decisions affecting SMTP on the Internet.
The problems with Yahoo's Domainkeys, are as follows:
I think SPF is a far better better proposal for this kind of thing.
SPF support for most open source mail servers can be found at libspf2.
The recipient's MTA will check the sender's SPF record. You can auto-generate all the email accounts you'd like, only the domain name portion of the email address is authenticated in SPF.
In fact that was one of the arguments against SPF, people said that it did not go far enough and actually authenticate users.
Personally, as someone who has to administer an email server and whose domains are sometimes used in forgeries for spam ( last one was a few days ago ), I'm all for SPF.
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
AOL has rate limiting implemented server-side. Try to send too many e-mails at one time and your AOL account gets nuked AUTOMATICALLY by a script. If you're getting spam with @aol.com as the origin, it's forged. This is EXACTLY why AOL is implenting SPF - they're probably sick of being associated with spam they are NOT The origin of!
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
No it wouldn't. Just follow the proper protocol. The "From:" address should be your cable-domain address because that's what you're actually sending from. The "Reply-To:" address can be your dial-up address, because that's where you would like any replies to go.
You're spoofing your "From:" address at the moment, and that's exactly what nobody should be allowed to do for any reason...
My Popfile stats since I last reset it just before Christmas:
Inbox - 175
:(
Invoices - 57
Newsletters - 343
Spam - 20231
Accuracy of 98.73%
Yes, 97% of my email is spam
That's across about 5 ISP accounts and a few domains.
New: 2911 Total: 8639
That is from the last 6 weeks. Less than 1% are real messages (domain renewals).
Really, now, junk mail is just not that pressing an issue to me
Oh really, matrophe@sdf.lonestar.org, it's not? I wonder why that is, matrophe@sdf.lonestar.org. Let me tell you something, matrophe@sdf.lonestar.org, sometimes spam starts and you don't know how. It goes like this, matrophe@sdf.lonestar.org: One day you'll check your mail and there will be a single spam e-mail, not addressed to you matrophe@sdf.lonestar.org. Then a week later, it's a couple a day, matrophe@sdf.lonestar.org. And it keeps growing, matrophe@sdf.lonestar.org, until you get a filter like popfile or you just stop using the address matrophe@sdf.lonestar.org.
I hope this cleared it up for you, matrophe@sdf.lonestar.org.
This is no solution. It stops the load of sending the bodies of spams, but the annoyance of spams still remains.
It also introduces a lot of problems. Unless you just immediately fetch, it tells the sender where you were (IP address) and when at the time you fetch the mail. If the sender's server is down you may not be able to fetch it at all. Response times get slower, again unless we just use this to implement the old pre-send system, in which case we don't get its benefits.
A mixed system (pre-send small mail, post-fetch large or questionable mail) can have some of the benefits but still faces problems. And spam still comes.
AOL didn't create SPF. It is just one of the proposed anti-spoof techniques out there. I am not a big fan of AOL/Time Warner, but I am glad to see them trying this out. Many Internet "standards" are de facto standards, which are later adopted as official, because they work the best. If committee designed standards were always adopted, the "Internet" may have used the OSI (very bad) protocols instead of the cleanly designed TCP/IP, since that at one time was the official standard of the US government, IIRC. Of course it wouldn't be the Internet, as IP stands for Internet Protocol. Like it or not, AOL is a large company that has a big subscriber base. In today's world, in order for any of these standards to take hold, I feel there needs to be prominent early adopters to create the necessary momentum. This is just a test, after all. AOL is not forcing anybody to do anything. AOL is trying this for their self interest, but if SPF works, then that is a good thing, and it benefits everybody who uses it.
The idea behind Internet Mail 2000 [cr.yp.to] is obviously correct. Why waste time on DNS-based approaches when we COULD be developing the Solution?
Because it's not backward compatible.
SPF is a simple and backward compatible solution to email forgeries. People who don't use it are still able to use email, while people who use it are protected against forgeries.
Everyone and their brother are reinvented email theses days without realising that you need to improve the existing email system. It's not possible to throw away the existing system.
How do you think standards come to be?
One day there's no standard and then, POOF, there is?
Standards come into existence by the cooperation of many people deciding to do something together. Which is what's happening with SPF. SPF has been a proposed standard for a while now... AOL is the large adopter that's going to propel SPF to an accepted standard.
Well, in the near-term, SPF won't do anything to slow the quantity of spam. Regardless of what the most die-hard rabid supporters would like everyone to believe.
SPF is an attempt to stop the practice of domain-forging or "joe-jobbing". Which, for a business domain is important. Right now, anyone can pretend to be joe@mycompany.com and either tarnish our company's name, or simply make life extremely difficult for us when our ISP cuts us off for spamming (when we didn't do it).
However, it is likely to have some beneficial side-effects like making domain-based whitelisting/blacklisting more effective. It raises the bar one more notch for a spammer (now they have to either find a non-protected domain to forge, route their spam through authorized servers for a domain where it's likely to be noticed and blocked, or register throw-away domains to push their product).
(And SPF is very similar to what AOL already requires if you want to have your domain whitelisted with them. You're required to list the IP addresses that send outbound e-mail for your domain, anything else gets dumped in the bit-bucket or at least is likely to get tagged as spam by the filters.)
Wolde you bothe eate your cake, and have your cake?
Not really.
If you use the smtp server (with authentication) provided by whoever owns the domain name on your 10-year-old email address, and they set up SPF, you'll be fine.
SPF doesn't have anything to do with what IP address you connect to the smtp server from. It just validates the smtp server.
It just means you can't use your own local mail server to send from a domain you don't own.