AOL Will Not Support Sender-ID
DominoTree writes "America Online said Thursday that it will not support the Microsoft-backed antispam technology called Sender-ID. The online giant cited 'lackluster' industry support and compatibility issues with the anti-spam technology SPF that AOL supports."
I'm confused.
I find it quite amusing how AOL is sometimes caught sleeping with Microsoft (like IE in AOL) yet other times it pretty much pretends like they want nothing to do with them. You'd think that AOL is big enough to where they can honestly tell Microsoft to "Shove It" without any big consequences.
Sender ID Framework
As a sys admin for a large hosting provider, AOL's anti-spam policy has been great at reducing the amount of crap email being sent through their servers. Over the years it's dropped a massive amount, so anything that AOL does to fight spam is a bonus to the world as they are such a large part of the "internet".
;)
Unfortunately there are thousands of ISPs that don't take SPAM as seriously as what AOL does. Realistically this is something that doesn't come as a surprise to many people that have been following the anti-spam developments closely. You can't blame AOL for having a service that is computer illiterate friendly despite your own experiences.
Everyone has the freedom to choose their provider. Personally I'm never going to use them.. but hey the option is there if you ever do want it. And if you do sign up you can live with less spam.
SPF is just as effective as Sender-ID for the general internet and is MUCH easier to implement. I am a consultant for quite a few small non-profits and so far I haven't charged any of them for setting up SPF records since it's generally a 2 minute process to create the record (at the most), and an email or a 2 minute phone call to their DNS provider. Sender-ID would force me to do some actual work which would in turn cost my customers money.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
There is always a better way to solve problems like this, but do you really think MS is going to back down? It'll get implemented just like every other bad idea they've ever had (ie. WinME) and then no one will like it or everyone will complain or (more likely) no one will use it and whatever userbase it does have gets nailed with security holes etc.
It's all about the almighty buck. If they think this concept will make them more money than it costs to research and implement, you can bet your arse they'll implement it. They really don't care about interoperability either. They could care less if no one outside of the msn.com and hotmail.com domains can use it (or care to). That's one helluva userbase right there. Plus, they can just spout it off as another "Security" or "anti-spam" feature to get people to pay for hotmail premium accounts.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
Well, I'm glad that people like it the second time around. Would be good if I got credit up front!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
"but do you really think MS is going to back down?"
They thought they could ignore the Internet and TCP/IP, but eventually they realized that some things are even bigger than they are.
It's not that it is from Microsoft, not that it's patented, but that it's patented with a special license and it has an unclear specification. The current license does not allow the transfer of the rights to a third party - therefore making it unimplementable on GNU Public Licensed programs. GPL requires that any modifications must be passed on for free (if you ever want to pass it on), and the MS license doesn't allow copying the source code and the license. Therefore, you can't implement Sender-ID for anyone else but for yourself.
Also that wiggle room around the specification is an alarming thing. MS - with many other companies - have shown that any gaps in the specification can and will be used by companies in competition. Given a chance, suppliers will make their product incompatible with other suppliers' products if they have the market share - thus increasing their market share further.
If we give them the power to choose what programs can deliver mail in the Internet, who are we going to blame but ourselves if they want to (ab)use that power? Instead, if they break an existing standard we can point our finger at them and say that their product does not meet the standard and therefore it's their fault that interoperability fails.
?SYNTAX ERROR
I've never understood the general anti-AOL viewpoint of the Slashdot community. Think about it, AOL allows computer dumb people to use computers. When computer dumb people use the computers two things happen. They break the computers (which gives you a way to get some extra cash) and they eventually get better at computers, which makes new Slashdotters. I'm not ashamed to admit that at one point I used AOL, thankfully those times are over...
I've never been a Mac fan, and I'll probably never buy one, but since it's a completely different non-windows OS, and runs different core software like browsers - it's good for the whole.
The more people that use Macs, the more people that will be browsing web sites without IE, and the more websites that won't rely on IE-only functionality.
Truthfully though, it hasn't been a problem running Mozilla for 98% of the sites I visit. And I don't only visit sites like Slashdot - I go to a lot of sites that the masses visit as well. No browser string faking, no activeX plug-ins. Just straight Mozilla, and it works great.
All we need to do is chisel down those last 2% and we'll be living large.
With all the visible security problems in Windows and IE these days - more and more people are getting sick and tired of it. Some people are seeking alternative browsers, more every day. It's not the obscure security bugs that people care about or even know about; it's the ones that allow spyware to be installed, causing them to have to call friends, family, support people and generally have a terrible time using their computers.
So.. GO MACS! And.. GO IE BUGS!
- It's not the Macs I hate. It's Digg users. -
Sender ID and SPF can positively prove that a message came from a domain, but can't prove it didn't come from a domain -- they don't stop forgery. The technologies ignored the fundamental architecture of email (store and forward instead of point to point), and in the process left a glaring hole for spammers to use. How do you forge an email in the Sender ID/SPF world? You pretend that you forwarded it legitimately. In Sender ID with PRA, the spammer simply adds a Resent-From header. In SPF, the spammer makes the Envelope-From something different than the body From:. Both SPF and Sender ID leave these cases for the spam filters to figure out. If the spam filters can't figure it out today, there is no reason to believe they will figure it out tomorrow. We need a crypto solution to solve this correctly. How is DomainKeys doing?
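The gap described in the comment above, written as a filter-side audit (an added example, not part of the original thread): it reports which domain an SPF check and a PRA check would each authenticate, and whether that is the domain the reader sees in From:. The function names, the simplified PRA header order and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Simplified PRA selection order (assumption): the full Sender ID rules add
# conditions on surrounding Received/Return-Path headers that are omitted here.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    addr = parseaddr(address or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def purported_responsible_domain(msg):
    """Return (header name, domain) of the first PRA header that is present."""
    for name in PRA_ORDER:
        dom = domain_of(msg.get(name))
        if dom:
            return name, dom
    return None, ""

def audit(envelope_from, raw_message):
    """Compare the identities SPF and PRA authenticate with the visible From:."""
    msg = message_from_string(raw_message)
    shown = domain_of(msg.get("From"))
    spf_domain = domain_of(envelope_from)
    pra_header, pra_domain = purported_responsible_domain(msg)
    return {
        "shown_from": shown,
        "spf_checks": spf_domain,
        "pra_header": pra_header,
        "pra_checks": pra_domain,
        # False means a "pass" says nothing about the address the user sees.
        "spf_covers_shown_from": spf_domain == shown,
        "pra_covers_shown_from": pra_domain == shown,
    }

# Constructed sample: both checks would authenticate bulk.example, while the
# reader's mail client displays bank.example.
SAMPLE = """\
Resent-From: relay@bulk.example
From: "Your Bank" <service@bank.example>
To: bob@example.net
Subject: Account notice

body
"""

if __name__ == "__main__":
    print(audit("bounce@bulk.example", SAMPLE))
```

A filter can use the two `*_covers_shown_from` flags as a scoring signal; legitimate forwarders and mailing lists also produce mismatches, which is why the comment says the case is left to the spam filter.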
Maybe they could commission Apple to come up with an anti-spam idea. Once it's nearly a standard, then MS could usurp it as their own, then it will be a great idea that MS came up with.
I'm afraid it's someone else who must get real. MS, as any other company, is required to extract as much profit as possible from any and all assets it owns, or else shareholders will file a lawsuit. This happens.
Besides, why would MS not do that? They can do it in a smart way - provide Windows users with a free license, and everyone else has to pay $1000 per license. Where will Linux or BSD be there? Who will be using these OSes for mail transfer? Hardly anyone, that's who.
You must look beyond your nose to see the danger, and it must be said "no" while it is still possible.
ideal; model tiny; codeseg; org 100h; start: cli; hlt; ret; ENDS; END start
I'm not exactly a proponent, but I can respond to most of his points;
* SPF breaks pre-delivery forwarding.
SPF doesn't break pre-delivery forwarding at all, you just need to include the machine forwarded to in your SPF record.
post-delivery forwarding is a problem, but at least in theory, it can be solved by only checking SPF records at the first receipt point,
or by having a smart checker that knows about your forwarding.
I.e. if Alice is sending to Bob, then there's a point at which the message leaves Alice's control, and enters Bob's.
Before that point, Alice can adjust her SPF record to include all possible points of egress.
After that point, Bob needs to check based only on the IP that entered his realm of control.
This may be hard for Bob to do, or beyond his understanding, but that doesn't mean it's impossible.
* SPF hijacks existing DNS mechanisms.
Bullshit. SPF uses TXT records.
It's even RFC 1464 compliant, so it won't interfere with other TXT records (unless someone's already created the "v" tag).
It could have been made less likely to collide by using "spf1=" instead, but it doesn't hijack anything.
* SPF gives ISPs a "lock-in" weapon against their customers.
This one baffles me.
If you're using the address bob@example.com, then example.com already has you by the balls.
If you're using bob@vanitydomain.tld then you are in control of your own SPF record, and can switch it to anything you like.
* SPF is useless for several entire classes of people.
That would be anyone who sends direct-to-mx email from random IPs.
Those people will have to change.
Sorry, sucks to be you.
The percentage of people in this class is very near zero.
* SPF relies upon DNS for security, but DNS isn't a security service.
Yeah, so?
No one said SPF was perfect, they said it was better than what we currently have (nothing.)
Spoofing DNS, while possible, is considerably harder than forging a from address.
If this were really a concern, we'd already have adopted one of the many "secure" dns alternatives.
* SPF is vulnerable to race conditions during database changes.
Yeah, so?
So is email in general.
* SPF creates new categories of third class citizenship.
Sheesh - time to break out the tin foil hat.
The purpose is to discriminate against people who forge addresses.
I suppose some people will try and push all kinds of crap into, around, and on to SPF - but it's really innocuous as these things go.
* SPF doesn't actually address unsolicited bulk mail at all.
That is correct.
SPF is a tool against forgeries only.
It doesn't directly prevent email delivery at all.
* SPF hands Verisign its next unwelcome "innovation" on a platter.
If that's the worst thing you can think of for Verisign to do when they have complete control of the DNS system, then I have no respect for your imagination.
Verisign could create SPF records for existing domains.
Verisign could make resolving TXT records a "premium" service which costs money.
Hell, Verisign could just raise the fees for owning a domain name in
Yes, Verisign is an evil monopoly with near total control over the domain name system, and they can fuck you over at any time.
Get over it.
SPF didn't make them that way, nor will it contribute to their general evilness.
-- should you question authority?
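The boundary check this comment describes for Alice and Bob, as an added example that is not part of the original thread: Bob evaluates Alice's SPF record against the IP that entered his realm of control rather than the last hop, which may be his own forwarder. The function names are hypothetical, the record and addresses are constructed from documentation ranges, and only the `ip4`, `ip6` and `all` mechanisms are evaluated because the others need DNS lookups.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record for one IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            # An address of the other IP version is simply not a member.
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULTS[qualifier]
        # a, mx, include, ... are skipped in this sketch (no DNS available)
    return "neutral"

def boundary_ip(hops_newest_first, own_relays):
    """Walking back from delivery, the first connecting IP that is not one of
    Bob's own relays or forwarders: the IP that entered his control."""
    own = [ipaddress.ip_network(net, strict=False) for net in own_relays]
    for hop in hops_newest_first:
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in own):
            return hop
    return None

# Constructed data: Alice publishes her egress points; Bob's forwarding
# service (203.0.113.0/28) relays the message to his final mailbox.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"
HOPS = ["203.0.113.7", "198.51.100.25"]   # newest hop first
OWN = ["203.0.113.0/28"]

if __name__ == "__main__":
    print("last hop :", spf_result(RECORD, HOPS[0]))
    print("boundary :", spf_result(RECORD, boundary_ip(HOPS, OWN)))
```

Checking the last hop fails Alice's legitimate mail because that hop is Bob's own forwarder; checking the boundary IP passes it. The list of own relays has to be exact, since any address wrongly placed in it is skipped without a check.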
One I've noticed recently - I've hardly seen an obvious FrontPage site in months. Either people have started building websites which look less "frontpage like" or it's not being used as much.
Is there any way to calculate the level of FrontPage usage?
I do not understand some of the AOL bashing that goes on here.
AOL develops an "Internet Experience" for computer newbies; their service is not for experts, and that's it. They DO dumb down their internet, for a reason, because that's exactly what their customers demand.
The ISP market has a lot of choice, unlike the OS market, and AOL caters for a particular type of market. They are not trying to cater for all users (though their Netscape Online ISP may be an exception). Those AOL customers whinging that AOL doesn't allow this, AOL doesn't allow that, well that's because what is being requested is not regarded as important to the average AOL user. The average user doesn't know what an SMTP server is, and they do not care about finding out. They just want to send email.
Those moaning about AOL are free to switch. The majority CHOSE AOL, and are free to switch. Those non-AOL users who are moaning about AOL, again, what's it to do with you? You don't use their services, so why moan?
Secondly, that doesn't mean that AOL is totally unfriendly towards techs, though they do that using other "labels". For example, they did sponsor Mozilla, and paid the developers to do a great job in creating our browser, and don't say they got a payoff from Microsoft, because if you look at the figures, AOL still made a monetary loss on the whole Netscape/Mozilla thing. However as a result, we have Mozilla.
When dissolving Netscape, they gave full freedom to Mozilla, transferring copyright, etc. They COULD have been a bitch about it, but they didn't. You can compare their actions to almost like a parent who has an extremely talented child that "outgrew" the rules of the home. Instead of hiding the child, or destroying the child, it let the child go, with some money to help it make its own way.
Also about Netscape, there are some people who do NOT trust Mozilla just yet (my parents). Yet they still trust Netscape. Still providing Netscape (another loss to them) is a good thing.
About Nullsoft, whatever bad people talk about them, they still were instrumental in turning WinAMP into a free (price) product. OK, it's not open source, but at least we can create plugins and stuff easily, without selling out to the devil, thanks to its fairly open standards.
I do not recall them going after XMMS either, despite some similarities between the two.
AOL is not bad, it's just different to what we expect, but it's not bad, and I do think some of the bashing here is a little unfair. Save it for MS.
Have a nice day!
SPF isn't an AOL technology - it's an open project. The core of the protocol seems to be adding some extended information in your DNS records.
SPF website
Regards,
Denny
Police State UK - news and
I think they've shown they care about interoperability very much: they don't like it, and will do whatever they can to disrupt it. That's shown by, for example, the changes they've made to filesharing to make life difficult for the Samba people; the fact that they not only don't document file formats for key applications, but change them slightly with every new application version; and now Sender-ID, where (apparently by order from BG personally) they insisted on licensing terms calculated to be incompatible with some of the most important free software licenses, including the GPL.
I think you're wrong about the Microsoft decision process - "If...this concept will make them more money...". Sender-ID would not make them any money; I very much doubt that anyone is going to migrate from Linux to Windows just to get the supposed benefits of Sender-ID! That's not what it's for. Breaking interoperability is a corporate goal for Microsoft, because interoperability allows competitors to survive.