AOL Bans Mail From DSL-Hosted Servers
kmself writes "As first reported at linux-elitists by Aaron Sherman, and with a demonstration of the denial at zIWETHEY, AOL has begun blocking mailservers identified with residential DSL lines as an anti-spam measure, apparently heedless of the huge collateral damage this move imposes (and guess who can't send mail to Mom...). This action was unannounced, and has received virtually no coverage, spare an oblique mention at News.com. It also violates SMTP RFCs, as Aaron points out, not to mention the 'good neighbor' conventions of Internet communications. Mail to AOL's postmaster is also bounced -- this is RFC-ignorant.
I strongly recommend that as a compensatory measure, non-AOL MTAs be configured to deny all incoming mail from AOL's domain."
SMTP connections to HotMail (Score:2, Informative)
Good move (Score:5, Informative)
-adnans
Noticed this earlier (Score:5, Informative)
This link [aol.com] is the general site for AOL's mail issues.
This link [aol.com] is the FAQ that contains some error messages.
This link [aol.com] is to their daemon section that lists error/rejection messages when connecting to their mail daemon.
For those who do not wish to risk goatse.cx links, this is the message one gets when trying to connect from a residential block:
550 - The IP address you're using to connect to AOL is either open to the free relaying of e-mail, is serving as an open proxy, or is a dynamic (residential) IP address. AOL cannot accept further e-mail transactions from your server until either your server is closed to free relaying/proxy, or your ISP removes your IP address from their list of dynamic IP addresses. For additional information, please visit http://postmaster.info.aol.com.
This didn't start April 10th ... (Score:4, Informative)
The original message was received at Thu, 27 Mar 2003 13:35:36 -0600
from dougmc@localhost
----- Transcript of session follows -----
550-The IP address you're using to connect to AOL is either open to the
550-free relaying of e-mail, is serving as an open proxy, or is a dynamic
550-(residential) IP address. AOL cannot accept further e-mail
550-transactions from your server until either your server is closed to free
550-relaying/proxy, or your ISP removes your IP address from their list of
550-dynamic IP addresses. For additional information, please visit
550 http://postmaster.info.aol.com.
Re:I have a great idea for AOL! (Score:3, Informative)
Read about The September that never ended [astrian.net] !
Re:If you want to send mail... (Score:2, Informative)
No, all you need to do is use your ISP provided mail server, or use an alternative mail server not hosted on your DSL line.
After seeing the umpteenth email stroll into my mailbox that was either a spam or a virus, I applaud the move. Virtually every consumer DSL or cable provider has a "no server" clause in their ToS anyway, so this shouldn't be all that big of a deal. The original poster sounds like sour grapes because he can't use what he shouldn't be using to transmit mail anyway.
However, as the original post referenced in the submission noted, I too wonder how AOL determines which IP addresses are dynamically allocated, and which are statically allocated, because business class DSL and cable should be exempt from this policy - those lines usually allow servers.
Open Proxy Madness (Score:4, Informative)
The latest spammer tactic is not to seek out open relays, but open Windows proxies, and from there they can initiate outbound SMTP connections to legit SMTP servers and send spam.
Already a large number of dialup providers will only allow you to send through their mail server, and a larger number of ISPs use the DUN RBL to block email directly from dialup pools.
This is just more of the same. Your ISP should provide you with SMTP service, use them as a smart host even if you're running your own SMTP server, so it'll offload the requeuing/etc from your box to theirs.
DSL and Cable are the new dialup, and should be treated as such, a place where the majority of the customers are clueless idiots who ruin the party for the smart people.
Several ISPs are starting to scan mail servers sending them mail for open proxy/open relay before accepting the mails, expect to see this practice and AOL's solution spread to most ISPs in the near future.
If you want to run a real mail server, perhaps you should get a real internet connection, like Colocation or T1.
Trivial fix (Score:5, Informative)
Re:"Residential" DSL meaning what, exactly? (Score:3, Informative)
Now as to why people with dynamic IPs are responsible for a VAST amount of spam (per my spamfilters and that's for over a quarter million domains and no I don't have pretty graphs
Re:SMTP connections to HotMail (Score:2, Informative)
Re:Good move (Score:5, Informative)
SoupIsGood Food
Re:We can always hope (Score:1, Informative)
You want these rights for *YOUR* MTA, right? (Score:5, Informative)
It can be used in ways you like (refusing emails from Verizon's corporate HQ because they refuse to kick their spammers) or in ways you don't like (making it more difficult to send outgoing mail), but I don't see how you can reasonably kick and scream against one and not the other.
Actually, several providers have been refusing email from dial-up pools for a year or more, which is what caused me to decide that I would need to send outbound email through my ISP. IIRC, attbi refused email from my server on my ISDN line over a year ago.
The solution isn't difficult - go dig around on your ISP's website (or call them) and figure out the mailserver that you'd be using if you WEREN'T running your own MTA. Set your mail server to relay outbound emails through them. (See your man pages - it isn't difficult.) There's NO way your ISP's mailserver is going to refuse to accept your email, since if they did, no one not running an MTA could get email out. Sure, you'll have an extra line of headers in your outbound email, but it doesn't seem like such a big deal. Was the location of your mail server a secret anyway?
Of course, if your ISP is a notorious hoster of spammers, you're going to need to find a new ISP. You didn't really want to support those spammers anyway, did you?
Sendmail workaround (Score:2, Informative)
To do this with sendmail use DSoutgoing.isp.net
If you need to authenticate you need to set up a default-auth-info file.
This has made mail delivery far more reliable.
Re:bouncing mail to postmaster? (Score:5, Informative)
Re:No problem (Score:5, Informative)
I've had a few, but in the main, you are correct in saying not much spam comes from aol.com. However, an awful lot of spam *claims* to come from aol.com, even when it actually originates in China, Korea, or some spamhaus in the USA/EU. For this reason refusing mail from aol.com and others may give exceedingly good results with low enough collateral damage to be bearable for some home mail server operators.
Re:heh... (Score:3, Informative)
Is Your IP # Blocked? (Score:2, Informative)
Re:About Time (Score:3, Informative)
Well, now you do, anyway.
- A.P.
Re:Good move (Score:4, Informative)
I have Verizon DSL. Their relay won't let me send mail with any return address other than @verizon.net. That's completely useless, so I don't use it. Are you honestly saying that all broadband customers should restrict their email addresses to those assigned by their bandwidth providers?
No, it's NOT a good move, censors lists and boards (Score:5, Informative)
If I did that, I'd be accused of spamming by my ISP, since I run a VERY high volume mailing list. We have approximately 12 lists; the biggest list has 1,500 subscribers and gets about 100 emails a DAY. We have another major list that's about 500 people and similar volume.
About 90% of incoming SPAM on my box originates from Windows boxes on DSL lines with open relays.
99% of MY spam comes from Chinese and Eastern European ISPs that don't give a crap what people do with their internet connections. The solution is not blacklisting DSL and cable connections (because, among other things, it's not easy to switch, unlike dialup.) The solution is cutting off bad ISPs from backbones...but that's not likely to happen any time soon, because the backbone providers don't give a crap- every packet is money in their pocket, regardless of what kind of packet it is.
And guess what? If you are getting lots of spam from DSL/Cable users, it's really easy to solve. Report it. If there's a report of spam, the ISP disconnects the customer until they fix it. Imagine how fast people will learn to keep their machine clean if their internet connection goes down. ISPs will whine about the work, but, gee, that's like the gas station attendant whining about having to give directions to people all the time. Comes with the territory, bub.
It's ignorant people like you(who think "since -I- don't need to send mail directly, neither does anyone else!") that cause people like me grief.
We get next to NO money from subscribers to pay for costs- $5 donations here and there. DSL and Cable offer a nice, cheap way to host a mailing list, or a webboard; we don't use very much bandwidth at all, and occasional hiccups aren't a problem, especially given the design of SMTP; if at first you don't succeed, try, try, again. Commercial DSL is just less down bandwidth, slightly more up bandwidth, a 'real' static IP instead of a DHCP-assigned address that basically never changes...and a HELL of a lot more expensive. Oh, and instead of telling you to go screw yourself when you scream at them for your line being down, they -politely- tell you there's nothing they can do(and, by the way, -please- go screw yourself.)
Luckily, we're sucking bandwidth off a hosting company that has graciously allowed the box to sit off their network- but if they tank, we'll be screwed- commercial hosting runs about $90+ or more, and our box isn't rackmountable, so there's another $25-50/mo.
Slowly but surely, the media companies are doing their best to squeeze out other sources of competition- the little guys. Check your Terms of Service/Acceptable Use Policy. My home connection(ATTBI, now Comcast) has banned "messageboards and mailing lists" for years, along with FTP, web, mail, IRC...and specifically states it's an "entertainment service", and I am a "consumer" of that service- ie, sit down, shut up, and be a good little consumer of mass web media. How dare you produce your OWN media...
Re:Good move (Score:4, Informative)
2) Those that do, almost NEVER have one pointing to the domain they claim to be receiving for.
Maybe because that would cost me even more money, and I don't see the need to pay for that, when all I really need is a static IP. If you want to pay for it, though, drop me an email (if you can).
3) All these residential users should be using their ISP as a relay. That's what the ISP is there for.
Except I have to pay for this service too. If I want to host my own domain, I can do it with Linux and an MTA. I don't need to rely on Pacific Bell, and more importantly I don't need to pay them extra for a service I can provide on my own.
4) Since there's no reason for them to need to send it out *not* through the ISP as a relay host, the majority of these users are spammers or just ignorant. In the first case, it's good to block them. In the second, maybe they will get a clue.
Pacific Bell's mail servers have been blacklisted in the past, thanks to these spammers. My IP, however, has never been blacklisted. If I tried to relay out through my ISP's SMTP server, I would have a hard time delivering my email.
I agree with your points, but in reality it is a flawed plan. All it takes is one spammer to get an ISP's mail server blacklisted (and I think we all know how quickly the ISPs react to get themselves removed from the lists). At least with my DSL line, as long as I am (apparently now it's "was") a good citizen, I could send mail to whomever I wanted.
If it comes down to me relaying through my ISP, I'll probably bounce through the server at work. Unfortunately, not everyone has that option.
Re:Good move (Score:4, Informative)
Of course, if you mean you didn't read your TOS and only THINK you are paying just for connectivity, then never mind.
Re:Good move (Score:3, Informative)
True. In fact, Verizon requires that you both use a From address for a domain that they host (such as bellatlantic.net or verizon.net, or a domain you pay them to host) and authenticate with their outgoing relay.
However, for what it's worth, you can put whatever you want as a Reply-To.
No, you did not (Score:5, Informative)
What is possible to do is to forge a 'from' address in an email header. Look again at the emails you have in your spam bucket and look at the received-from: header. I'll bet you $100 they didn't come from anywhere with a '.yahoo.com' at the end.
Excellent point (Score:5, Informative)
I hadn't considered that, but they've got a $1 billion interest in just that area [theregister.co.uk].
Re:ummmm... (Score:5, Informative)
when was the last time you were outside? (Score:2, Informative)
US Mail is
Selective relaying with sendmail (Score:5, Informative)
My ISP has not shown that its servers are reliable. I like to be able to use mailq to see what's backed up. I'd also like to be able to use my own mailer's parameters for bounces. There's lots of reasons to prefer to use your own mailer instead of your ISP's, even if you technically could use your ISP's. But now, you'll want to relay through your ISP for all the mail that AOL won't accept, while sticking to your own SMTP services for everything else. That's what this document is for.
I encourage people to write corresponding documents for other MTAs. Also, some people can only send mail through their ISP with their ISP-assigned username. It's possible to configure sendmail to adapt AOL-bound mail to have the ISP-assigned sender. That is not discussed in this document; email me if you need it, and I'll write a followup post.
HOWTO: Configuring Sendmail to use your ISP's relay for AOL
This uses the sendmail mailertable feature. The mailertable feature allows you to specify the mailer and relay parameters for individual domains. That's exactly what we need here.
Remember that some ISPs may require you to use your ISP-assigned email address to relay through them. This won't help with that, but there's easy solutions for it. (This sort of thing is where Sendmail rocks.) Email me if you need it, and I'll post a followup.
Re:Privatized mail (Score:2, Informative)
BTW, did you know that the USPS does not take taxpayer money? Not a cent.
Re:Privatized mail (Score:3, Informative)
48 cents in Canada, which is about 31 US cents at current exchange rates.
Try again.
For those of you who think this is okay . . (Score:3, Informative)
1) Although I've never used my ISP's mailservers for outgoing mail, my friends have -- and mail is constantly lost, or delivered hours late.
2) Likewise, my ISP's incoming mail servers are frequently down, losing mail, and full of spam (the address was either harvested or sold, I don't know which. I have evidence of it, but that's another thread). A couple of my own local accounts suffer from spam as well, but I managed to install Spamassassin, which must be too difficult for my ISP.
3) Privacy is a concern with me, and I'd prefer to handle mail transactions myself.
4) I like the reassurance of looking through my Sendmail logs, knowing that an important message was delivered, and if it wasn't, the reason why.
5) Although this is unrelated, my friends often complain of outages when my service is fine. The reason? My ISP's DNS servers are constantly screwed up, yet I run my own.
6) I run Majordomo to host a small mailing list of 20 or so members (that moves perhaps 500 messages a month); that's not enough traffic to justify having it hosted somewhere else, and Yahoogroups butchers messages with advertisements. Luckily none of its members use AOL.
7) I check my mail logs often (to make sure nothing unordinary is going on), and do not allow relaying.
Many of us run mail servers simply because our ISPs are unreliable. Many ISPs can't even host a measly 5mb of web space adequately, so I feel wary letting them handle important E-Mails. I wish Speakeasy was available in my area, it would be a no-brainer switch.
You've probably heard the saying, "tolerating excesses in order to preserve freedoms." Well, Spam is an excess -- a very horrible excess. At the same time, enough people use home mail servers for justifiable reasons that outlawing them, or blocking mail from them isn't a logical decision.
And besides, there's other [apple.com] ways to prevent spam [spamassassin.org] without making anyone unhappy. Spamassassin, once configured correctly, nails just about all spam. My university filters spam on my POP account, and I receive maybe one (if that) a month; couple that with Mail App's built in filtering and I haven't actually seen a Spam message in months. The best way to get rid of spammers is to implement solutions that make their efforts ineffective on ANY level, not just by killing off one of their hundreds of other options (AOL's method).
Re:Trivial fix (Score:2, Informative)
echo ":smtp.server.of.your.isp" >
Re:Trivial fix (Score:3, Informative)
http://www.sendmail.org/~ca/email/sm-812.html#812AUTH [sendmail.org]
you put this in your access map: "AuthInfo:smtp.server.of.your.isp "U:foo" "I:foo" "P:bar"" although you might need to know realms and/or mechanisms, too.
next time, at least check to see if it's an easy answer before you get belligerent and sarcastic.
Re:No problem (Score:3, Informative)
Re:It's their network. (Score:2, Informative)
Of course not. In fact, they're downright lying about it.
I've got a free AOL account at the moment, and your question prompted me to go check out the "mail controls" that entails. I've found an option to "allow all email to be delivered to this screen name." This translates to "allow e-mail from all AOL members, e-mail addresses, and domains." (emphasis mine.) This is the default setting.
Does that mean this account is still affected by this email blockage? They're apparently blocking it at the SMTP level, not just failing to deliver it, so, Yep! It sure is.
Re:bouncing mail to postmaster? (Score:5, Informative)
1. Mail bound for postmaster@aol.com is not accepted.
2. They issue a 550 response before the client has a chance to issue a greeting. There are two allowed responses at that point: 554 and 220. 550 is right out.
3. They disconnect before the client issues a "QUIT" command or times out. Also bogus.
AOL is playing a game of chicken here to see how much of the net will blacklist them for breaking the RFCs. Once they smell blood in the water because not enough sites care, they can pretty much start writing their own book....
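The check in point 2 above, written out as an added example (not part of the original comment or of any MTA's code): it parses a possibly multi-line SMTP reply and classifies a connection-opening banner as 220, 554, or neither. The function names and the 220/554 sample banners are constructed for illustration; the 550 text is the reply quoted earlier in this thread.

```python
import re

# One reply line: 3-digit code, then "-" (more lines follow) or " " (final line).
_REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# Codes the comment above names as the only valid replies at connection open.
GREETING_READY, GREETING_REFUSED = 220, 554

# The 550 reply quoted earlier in this thread, as it appeared in the bounce.
AOL_REPLY = (
    "550-The IP address you're using to connect to AOL is either open to the\r\n"
    "550-free relaying of e-mail, is serving as an open proxy, or is a dynamic\r\n"
    "550-(residential) IP address. AOL cannot accept further e-mail\r\n"
    "550-transactions from your server until either your server is closed to free\r\n"
    "550-relaying/proxy, or your ISP removes your IP address from their list of\r\n"
    "550-dynamic IP addresses. For additional information, please visit\r\n"
    "550 http://postmaster.info.aol.com.\r\n"
)


def parse_reply(raw):
    """Parse one SMTP reply (single or multi-line) into (code, [text, ...]).

    Raises ValueError if the lines do not form one well-formed reply:
    every line must carry the same code, all but the last must use "-",
    and the last must use " " (or be a bare code).
    """
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for idx, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(m.group(1))
        sep = m.group(2) or " "          # a bare "220" counts as a final line
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changes inside one reply")
        is_last = idx == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        texts.append(m.group(3) or "")
    return code, texts


def classify_greeting(raw):
    """Classify the first reply a server sends after the TCP connection opens."""
    try:
        code, _ = parse_reply(raw)
    except ValueError:
        return "malformed"
    if code == GREETING_READY:
        return "ready"            # normal banner, client may send its greeting
    if code == GREETING_REFUSED:
        return "refused"          # refusal expressed with an allowed code
    return "nonconformant"        # any other code at this point, e.g. 550


if __name__ == "__main__":
    samples = {
        "reply quoted in this thread": AOL_REPLY,
        "constructed 220 banner": "220-mx.example.net ESMTP\r\n220 ready\r\n",
        "constructed 554 banner": "554 No SMTP service here\r\n",
    }
    for label, banner in samples.items():
        print(f"{label}: {classify_greeting(banner)}")
```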
More reasons why this is necessary: (Score:4, Informative)
Not that anyone will see this, as it's on the second page of comments...
A massive percentage of spam (well over 50%) comes from compromised Windows boxes running either trojan software to open ports for spammers to proxy through, software like AnalogX that does the same, or just users who somehow manage to set up a proxy that's open to the world. There's also a big problem with a LOT of the DSL hardware on the market, that allows people to proxy through it transparently, via use of a security hole. Check Bugtraq if you want to find details.
These broadband connections are where the spammers are headed for anonymity. Yeah, sure, there's still a bunch of big-time professional spammers out there who spam away from their often-moving netblocks. That bunch isn't so hard to keep up with.
There's also the problem of Klez and other SMTP aware worms that busily want to send you lots of infected mail. Sure, *nix users don't really care about that, but companies like AOL, with a crapload of less-than-savvy users have to.
It's been this way for 56k dialups for about 3 years or so... but the noise about that only lasted a few weeks, much like this will. If your DSL company can't support your needs, vote with your feet! Switch your service to one that can. If Verizon can offer you service, you can pretty much bet that Covad can too.
(shameless plug: Check out lmi.net for that stuff.. small companies make for better service, and if you need the medium-sized company feel, go with Speakeasy.)
So what if you have a contract... if they can't get your mail to AOL with the right domain, it sounds like grounds to break it to me. =)
Re:No problem (Score:3, Informative)
It covers other countries too, as well as some ISPs (including certain ones that don't give a damn like wannadoo and interbusiness.it)
Re:bouncing mail to postmaster? (Score:3, Informative)
Re:Earthlink does this too. (Score:2, Informative)
Arrgh. RFC821 is way out of date...should have been looking at RFC 2821. But looking at that only seems to strengthen my case:
(implying that if you receive email from a host, that host should either be a mail exchanger for the sender's domain, or the originating host itself)
and
Basically, it looks like the use of source routes is deprecated, and the only situation in which the source route will not be the sender is when it's null -- which should generally only happen when the message is a bounce message of some sort. I'd say in that case it would be acceptable to check the From: line using the same heuristics, even though the RFC says that the SMTP relay should never examine mail headers.
Re:About Time (Score:1, Informative)
You also don't need to set anything up if you're using Unix, sendmail often comes configured in send-only mode.
It is particularly useful if you have a laptop and connect to the net from various places at different times, and don't want to figure out a valid relay at each place separately.
As far as I understand this is not about AOL blocking AOL residential accounts from sending mail directly via SMTP, either, but AOL blocking users of any ISPs that are known to be residential from sending mail directly via SMTP to AOL.
Re:Privatized mail (Score:1, Informative)
I grew up in a town of 231 people. Mail was delivered in town up and down main street only. Not a problem. All the mailboxes for everyone in town were placed on main street in order. If you don't want to do that then you get a PO Box down town. They also run rural routes. They are required to service your mailbox if it is within 1/2 mile of the next nearest mailbox.
Re:Good move (Score:3, Informative)
I - authentication id
P - password
R - realm
M - list of mechanisms delimited by spaces
Or you could RTFM http://www.sendmail.org/m4/smtp_auth.html [sendmail.org]
Re:No, you did not (Score:1, Informative)