Slashdot Mirror
AOL Will Not Support Sender-ID
DominoTree writes "America Online said Thursday that it will not support the Microsoft-backed antispam technology called Sender-ID. The online giant cited 'lackluster' industry support and compatibility issues with the anti-spam technology SPF that AOL supports."
I find it quite amusing on how AOL is sometimes caught sleeping with Microsoft (like IE in AOL) yet other times it pretty much pretends like they want nothing to do with them. You'd think that AOL is big enough to where they can honestly tell Microsoft to "Shove It" without any big consequences.
I thought AOL loved blackholing everyone's email from the outside. It already happens over half the time that I reply to an email tech support request from an AOL member. They say I'm not in their address book, so I can't respond despite them having contacted me first.
From reasons of lack of support and lack of backward compatibility. Wow, AOL was (is?) paying attention:
"The online giant cited "lackluster" industry support and compatibility issues with the antispam technology SPF, or Sender Policy Framework, that AOL supports.
AOL's moves come days after the Internet Engineering Task Force standards body voted down the Sender ID proposal. The IETF said Microsoft's decision to keep secret a patent proposal for the technology was unacceptable. Open-source groups also pulled their support of Sender ID, claiming its licensing restrictions were too strict. AOL agreed with the IETF fallout and added its own reasoning.
"AOL has serious technical concerns that Sender ID appears not to be fully, backwardly-compatible with the original SPF specification--a result of recent changes to the protocol and a wholesale change from what was first envisioned in the original Sender ID plan," AOL spokesman Nicholas Graham wrote in an e-mail."
CB_===__-8a90fuds76
free ipod and free gmail!
I think ISP's should take more responsability for their users.
Obviously the spammers, and DoSers have an ISP, and if their ISP were punished by upstream providers for allowing their network to emit this kind of crap, by blocking them until the problems are solved, maybe they'd use some initiative to solve these problems.
I do understand that most DoSers are not the fault of the user, but surely the ISP could notify the user, and force them to do something about it.
All these differing approaches to the same problem. It seems to me like trying to shove oatmeal into a sprung leak.
Maybe it's time to simplify.
dump email all together in the corporate environment and opt instead for a more secure solution based on PKI or kerberos or any other host of security structure.
If some contact absolutely needs to receive something via email, no problem. "We will gladly send you an email, but you just can't send us one. Unless, of course, you wish to send it to an employee's private email adress; we don't accept email internally anymore."
"Sorry mr. corporate contact, you must log in to our site www.dmail.company.com and submit messages that way. We have had too many problems with spam and viruses.
there is a nice, lightweight client you can install if you don't wish to log in every time."
It seems to me it wouldn't be that difficult to use a non-email solution for your corporate mailing needs (like the aforementined dmail which i've been hearing so much about), and if another company's IT department can't handle that light technical strain, then it would seem that IT department needs a wake up call.
where are the flaws in this reasoning?
SPF marks email so that when you get an email that claims it is FROM an AOL member you can tell if it really does or not. It will not prevent AOL from getting Spam but it will prevent you from getting it from AOL or disguised as coming from AOL.
And this doesn't prevent Spam. It prevents job jobs. If a spammer is willing to ID the domain his mail comes from and not spoof he can Spam you all he wants. Course with a legitimate domain name/IP# you can blacklist him too.
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
Speaking as a sys admin myself, I've been on the flip side. They can be real bitches when you get tagged as a spammer by their system.
It took me about a month to get myself straight after I'd been blacklisted. They also "removed" the blacklist, and said it was IP-based, but intermittent errors would pop up for weeks afterwards. joeluser@myhost could send to AOL, but janeluser@myhost could not.
BTW, google for "Jason Smathers" if you want to see how effective they've been.
Ive been on both sides of the issue as well. We changed the names and IPs of our servers. It was the only fast way around it at that time.
Its not always AOL as a company or as sys admins as its also the users hitting the "this is spam" button... even when its clearly not.
Lots of those 'morons' are customers so people need to send mail to AOL.
Reading between the lines it's only a matter of time before AOL stops accepting mail from domains that don't publish SPF records. They already reject mail if your reverse DNS doesn't resolve. They're publishing their own too:Good for them.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The problem is that MS's terms for licensing their patents to specification implementors specifically forbids any use by GPL or similarly free licenses. See the GPL is MS's biggest enemy and they are trying to kill it on every front. For example, it is against the licensing conditions of Visual Studio 7 to produce GPL'd software with it. How did they manage this? By introducing a new standard C runtime library, MSVCR71.dll, which can only be distributed under MS' terms. Oh. And it won't be distributed with the OS anymore, so anyone using VC7 is forced to comply with the licensing terms of the runtime itself.
So the problem with patents is that MS *is* starting to mobilize them as offensive weapons against open source in general, and the GPL specifically.
All I can say is thank God myself as a small webhost is being backed by such an Internet access giant as AOL is.
:)
I suddenly dont feel so bad for installing AIM to talk to strange women
I feel that what microsoft is looking to punish the witness for what the criminal has done with, although I may be wrong, the intention of profiting off the witness while making the victim feel they, being MS, are trying to helping them out.
IETF really screwed themselves with this post. The patents were posted today by the patent office. http://www.imc.org/ietf-mxcomp/mail-archive/msg048 44.html
and http://appft1.uspto.gov/netahtml/PTO/search-bool.h tml
and type 684020 for Application Serial Number in field1.
Now the IETF engineers have to pretend they are patent lawyers. Of course they couldn't have said that they were rejecting it because people didn't like the license -- the license does all the things that the IETF requires.
Sender ID and SPF can positively prove that a message came from a domain, but can't prove it didn't come from a domain -- they don't stop forgery. The technologies ignored the fundamental architecture of email (store and forward instead of point to point), and in the process left a glaring hole for spammmers to use. How do you forge an email in the Sender ID/SPF world? You pretend that you forwarded it legitimately. In Sender ID with PRA, the spammer simply adds a Resent-From header. In SPF, the spammer makes the Envelope-From something different than the body From:. Both SPF and Sender ID leave these cases for the spam filters to figure out. If the spam filters can't figure it out today, there is no reason to believe they will figure it out tomorrow. We need a crypto solution to solve this correctly. How is domainkeys doing?
"America Online Inc. on Thursday shunned a Microsoft Corp. proposal to help weed out unwanted "spam" e-mail because Internet engineers are reluctant to adopt technology owned by the dominant software company."
What? Since when did AOL reject it just because it's owned by Microsoft?
Link to the article...
For once AOL does something the media should be praising it for, yet they're practically insulting AOL publically...
"...would not adopt Microsoft's SenderID protocol because it has failed to win over experts leery of Microsoft's business practices."
I wonder if I'm the only one getting painfully tired of the way the news media paraphrases and misrepresents peoples'/groups' positions...
I have seen this comment pop up many times, but no one has yet to submit an operable recommendation on how SMTP could be updated to remain a user-to-server and server-to-server protocol without tossing the entire system and saying "nuts" to any semblence of remaining compatible. Therefore, this arguments seems completely flat.
The only partially useful modification is some form of authentication which would certify the origin of the SMTP connection. Just as I can telnet to a POP3 server and make it think I am a real POP3 client, an end user can make an SMTP server believe it is another server.
SPF offers a sleek way of authorizing what machines may deliver mail on behalf of a domain. I could trivialize it by comparing it to a domain owner-controlled authentication system for emails without requiring a central authentication repository or authority.
What is wrong with this implementation? Can you suggest a modification to SMTP that will acheive similar or better results? If not, then drop your argument, that stick, and step back from the dead horse.
It's hardly surprising that some people aren't sure how to feel about AOL sometimes. On one hand, they adopt IE or kill some promising project and get hisses and boos. On the other, they occasionally support or initiate a nifty open source project, or take a position we're prone to like.
Seems to me... and I'm hugely guessing here... that there's two factions in AOL to consider. The tech people, and then marketing/legal/etc. The tech people can sometimes (not always) do some stuff that benefits people, and probably mean well in general in any case. As long as something remains under the radar of the rest of AOL's bunch, and/or results in lots of positive P.R., it lives. But if the legal department or someone panics, well... we all saw what happened to Nullsoft's gnutella implementation, initially. And AOL is kinda flip-flopping where Netscape is concerned, I think.
In this case, the tech guys over there probably pretty much had a lot of sway over the Sender-ID thing. The lawyers, marketing people, et al. have far more important things to worry about, I presume.
Someone here on Slashdot mentioned DomainKeys as an antispam solution.
It won't work!
Cryptography costs time and money to use! Just look how long it takes to bring up a secured webpage (HTTPS)....
Now imagine if the entire World Wide Web was that way....
Not everybody on the internet have the fastest systems available for use. Even then, such systems would be overwhelmed by all the crypto they have to do in order to process email using the DomainKeys system.
Instead of time consuming crypto, why not use fast, simple, effective spam filtering like my approach.
Having finally persuaded my ISP that = (equals) is a valid character in a TXT record I was able to publish my own SPF records.
Based on a sample size of 1 I'd like to suggest that spammers don't joe-job domains with restrictive SPF records. That makes sense. We already know spammers know about (and use) SPF records. It make sense for them not to use a domain that will be blocked by any SPF aware mail recipient.
The fantastic news for me is that instead of 8,000+ bounces from joe-jobs flooding my mail server each day (imagine how many more emails are delivered or blocked by spam filters), since publishing my SPF records that has completely stopped.
Why am I such a target? I notice that the more often I report to SpamCop the more often I am targetted, but the heavy waves seem to have coincided with increased awareness of an anti-spam SMTP filter I wrote. I guess my work got noticed. Just a guess though.
Recycle PCs and build a wireless community network www.hillsborough.org.nz
One I've noticed recently - I've hardly seen an obvious FrontPage site in months. Either people who started building websites which look less "frontpage like" or it's not being used as much.
Is there anyway to calculate the level of Frontpage usage?
What does make a site obviously "frontpage like"? I'm curious to know if I've come accross one.
Not necessarily related, but the last version of FP is a lot better than the previous ones - I guess the MS Frontpage team got tired of being the laughing stock of the web dev community...