AOL Tests Sender Permitted From / E-mail Caller ID 448
securitas writes "ZDNet reports that AOL is testing Sender Permitted From (SPF), 'an antispam filter intended to accurately trace the origin of e-mail messages.' AOL is performing the widescale SPF test with its 33 million subscribers worldwide. The system works by letting recipients use the SPF record to cross-check DNS data associated with AOL's IP addresses and confirm that the message originated from AOL's servers. The system is one of three competing e-mail authentication protocols. The other IP-identifying protocols are the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RME/RMX). All systems alter the DNS database to let e-mail servers publish the IP addresses that they use to send e-mail."
Big Deal (Score:5, Funny)
Re:Big Deal (Score:2, Funny)
Re:Big Deal (Score:2)
Main Page [microsoft.com]
Image [microsoft.com]
Re:Big Deal (Score:3, Funny)
Re:Big Deal (Score:5, Funny)
I know a guy, higher than entry-level, who sent it to everyone in his 10,000+ employee company. Fired for being clueless. And downing the email system.
Hrm (Score:3, Funny)
Re:Hrm (Score:5, Informative)
Heh. Actually (if I have understood correctly) SPF should prevent anyone from spoofing aol.com as the sender address during the SMTP session. So if a spammer attempts to spoof aol.com and your mail server is SPF-aware, then it would be good for you and AOL because you won't get spam and AOL won't get bounces for the addresses that had problems with delivery (and with spam, problems with delivery are not rare).
At least this is how I have understood it.
Re:Hrm (Score:2)
Re:Hrm (Score:3, Interesting)
Re:Hrm (Score:3, Funny)
Not kidding. Aol has gotten me laid a number of times, and thats AOK with me.
AOL muscle (Score:2, Insightful)
Do we really want the kind of split-down-the-middle stance on formats that we have to deal with when it comes to DVD burning, VHS vs Betamax, anything like that? No, it only ends up being harmful for everyone in the long run.
I'm reminded of what Microsoft did with IE. All these different DOM objects that aren't part of any standard, which no one can really use because it's not browser-compatible.
Using muscle to force the Internet into a standard isn't going to work. We need something that *is* a stan
Re:AOL muscle (Score:5, Interesting)
Standards don't miraculously appear out of mid-air. Standards are created when one implementation of an idea is chosen over other implementations. Unfortunately, as at least one of your examples shows, we see that its not a
Right now, AOL and several other groups are developing an implementation of a Spam-tracking system. Eventually, one of these systems may win out. If/when it does, a standard is born.
Re:AOL muscle (Score:5, Informative)
in a utopia, yes. (Score:5, Insightful)
We've been waiting for an anti-spam standard for years now. What do we have? Nothing.
It's about time someone with clout got up and started making decisions.
I have 4 blocklist on my email server, and still we get a ton of spam everyday. My users hate it, I hate but we have to deal with it whilst the IETF works out their political agenda.
PS. I've also been waiting for the Calendar Access Protocol for a while now. Years, where is it? We're on draft 11 now.
Sometimes design by commitee plain sucks; and we just have to admit that.
Re:AOL muscle (Score:3, Insightful)
Re:AOL muscle (Score:3, Insightful)
One day there's no standard and then, POOF, there is?
Standards come into existence by the cooperation of many people deciding to do something together. Which is what's happening with SPF. SPF has been a proposed standard for a while now... AOL is the large adopter that's going to propel SPF to an accepted standard.
So far, so good (Score:5, Interesting)
Re:So far, so good (Score:3, Funny)
Now waterproof too!
Re:So far, so good (Score:3, Insightful)
Hashcash anyone? (Score:3, Interesting)
Nice deterrent for spam, and as a side-effect one more Mersenne exponent has been double-checked.
Re:Hashcash anyone? (Score:3, Interesting)
Re:Hashcash anyone? (Score:5, Insightful)
Besides, there's not much stopping Spammers from just buying the processing resources they need. Whatever meaningless task is picked, development would immediately start on making that puzzle easier to solve. You'd start seeing processor chips dedicated to the task...
Being cash-expensive is less popular on
Simply Amazed (Score:3, Insightful)
Re:Simply Amazed (Score:4, Interesting)
Mail signing (what yahoo proposed recently) is a lot closer to working sender verification. It would allow a message to take any number of hops, and still be verified.
--
lds
Re:Simply Amazed (Score:2, Informative)
That seems to be by design. [pobox.com] (Not offering an opinion, merely commenting. Seems to me all these schemes will cause much more pain for the small guys than for the big ones.)
Yahoo's DomainKeys breaks things too (Score:5, Insightful)
The problems with Yahoo's Domainkeys, are as follows:
I think SPF is a far better better proposal for this kind of thing.
Re:Simply Amazed (Score:5, Informative)
Yes, you have to change the envelope on each hop, but that's a good thing, as it means that each hop is validated which makes it harder to spam.
Re:Veri$ign? (Score:4, Insightful)
SPF is incredibly broken because it allows ISPs to control who sends mail from where. We should be resisting SPF and all other similar proposals and backing public keys in DNS.
Re:Veri$ign? (Score:3, Informative)
How is this any different?
You can work-around either by using VPN or something similar.
If you don't like the way your ISP handles it, complain or switch ISPs, just like you would now. ISPs aren't regulated. And if they were you'd be complaining about something else. Deal with it.
SPF should work very well for the time being, much more effective than any algorithm
Should faking be illegal? (Score:3, Interesting)
Re:Should faking be illegal? (Score:2)
Faking email is great for practical jokes. Like the time I sent this one girl a message from "god@heaven", with a message "I see your purple toenails, if you don't shape up"... and so on in that line. Silly, and useless, but we both got a good laugh.
Now if you fake an email is should be obviously fake. Faking something from paypal to get someone's account info should be illegal. But do you really want to throw out harmless practical jokes like the above too?
Re:Should faking be illegal? (Score:4, Insightful)
Solution? SIGN YOUR EMAIL. Then the recipient knows that you wrote (or at least signed) the email. Key exchange a problem? Maybe you shouldn't be using email, then.
If all my email were signed, I wouldn't even need a spam filter. I could just trash all non-signed email.
Unfortunately, my friends (except for one) find it too hard to download/buy GPG/PGP and click the "sign" button when they mail me. Oh well, what can be expected of people that are too lazy to hit the shift key after sentences. *sigh*
I'm All For It (Score:3, Interesting)
Now that this is being backed by AOL, a massively-used service, SPF will be pushed into the forefront, hopefully becoming a more universal standard and dealing a major blow against spam.
This may just be what we've been waiting for.
this is not whitelist. (Score:5, Informative)
It's not any kind of a filter.
It just means that AOL has published SPF records for its mail servers in their DNS entries. Any mail server speaking SPF, receiving mail from AOL.COM, will check the SPF record.
If the SPF record (which will contain the IP addresses of AOL's mail servers) doesn't match the originating IP address of the mail message (as in, a spoofed header) the message is invalid. Then it can be either dropped or bounced or whatever.
If the SPF record matches the initiating IP address (as in the case of a message legitimately sent by the mail server) it's clear and goes through.
Re:this is not whitelist. (Score:4, Insightful)
So, in essence, AOL has decided that it's customers can no longer send mail from their AOL email address, unless they're logged into AOL.
This does not bode well.
I don't use AOL, but if MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.
Re:this is not whitelist. (Score:2)
My IP block for my personal email server (jkoebel.net) is blocked from relay to just about everywhere by the dynamic IP blocklist. So, I just smarthost it and relay through my ISP's mail server. It's allowed because I'm on their network, and then the message is originating from a more legitimate mail server == no more blocks.
If SPF is implimented client-side it might be better, that would allow messages to be flagged "source does not match the known provider add
Re:this is not whitelist. (Score:5, Interesting)
Re:this is not whitelist. (Score:4, Informative)
Re:this is not whitelist. (Score:4, Informative)
Actually, the default port for SMTP-over-SSL is 465. However, there is also SSL-over-SMTP (aka STARTTLS), where the client connects to the server on port 25, client does an EHLO, server lists STARTTLS as a capability, client issues STARTTLS command, and from that point on both sides communicate over SSL.
Re:this is not whitelist. (Score:5, Informative)
No, they haven't. Here's the current TXT record for aol.com.:
v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com ?all
Now, if you knew SPF [pobox.com], you would recognize that the last bit -- ?all -- means that AOL is not stating that AOL-user mail is only legitimate if sent from AOL mail servers. The ?all tag means that hosts that don't match the rest of the SPF record are taken as unknown -- not as failures. That would be -all.
Re:this is not whitelist. (Score:4, Interesting)
Hate to sound snide, but if you knew SPF you would recognize that as a transitional setting, which the SPF specs suggest you set a hard cuttoff date around.
SPF's failing, as far as I can tell is that there is no dynamic authentication capability for a client out in space that wants to send mail "from" all of the 20 or so domains that that user had addresses with (e.g. my spamcop, personal, aol, work, oss project and other addresses). I don't want to go hunt down a server that will talk to me for mail origination for EVERY ONE of these domains... I just want a way to tell their servers, "hey, I just sent a message from your domain to joe@example.com, heads up" and have the right thing happen. There should then be a way for a server to say, "heya, I just got mail from your domain to my joe@example.com address... that yoy?" It needs to be message-by-message like this, and if that sounds like a lot of overhead... I GUARANTEE you that it is less than handling bounces for every virus message ever crafted in your name....
No Faking Here (Score:3, Interesting)
If SPF takes off, it looks like I'm going to have to switch to an emai
Re:No Faking Here (Score:3, Informative)
If you use the smtp server (with authentication) provided by whoever owns the domain name on your 10-year-old email address, and they set up SPF, you'll be fine.
SPF doesn't have anything to do with what IP address you connect to the smtp server from. It just validates the smtp server.
It just means you can't use your own local mail server to send from a domain you don't own.
Re:this is not whitelist. (Score:3, Informative)
What you're supposed to do is use a From: address indicating where you actually are, and a Reply-To: address that indicates where you would like replies to go. What AOL is setting up is the ability to say "That didn't really go through aol.com!" which basically makes aol.com a bad domain name to pick if you're going to spoof and spam.
Besides, any AOL subscr
Re:this is not whitelist. (Score:3, Informative)
Those facilities aside, this isn't your ISP making any such decision of "you can't use your personal email addr
Re:this is not whitelist. (Score:2)
Their domain name, their rules.
If AOL was nice, they would provide SMTP AUTH, SMTP after POP, or the SMTP SUBMISSION protocol so that you could use their official mail servers from anywhere.
Re:this is not whitelist. (Score:3, Insightful)
I remember this used to be the most baffling thing to newcomers to e-mail. Why would a protocol allow you to pretend to be someone else? Why didn't the SMTP server stamp all outgoing mail with the proper domain?
I understand that images are important in e-mail, but if you are capable of receiving yourname@yourjob.com, then theoretically you should be able to connect to
Re:this is not whitelist. (Score:4, Insightful)
I don't use AOL, but if MY ISP decided that I could no longer use my personal email address while I was at work (or at an internet cafe, or whatever), I'd be pretty pissed.
So you do what you're already supposed to do in this situation, and set the From line to your personal email address, and the SENDER line to wherever you really are. Mailing lists do this all the time.
Re:this is not whitelist. (Score:3, Insightful)
Using a local mailserver is a pointless optimization, adding needless complexity and vulnerability to the email system. G
Re:this is not whitelist. (Score:3, Informative)
What about commercial or throwaway accounts? (Score:5, Interesting)
I suspect that as the big commercial guys get more and more aggressive in breaking email standards in the name of combating spam, the internet will split into different incompatible email groups: the old-fashioned types (which include many university departments still) who use a text console and a program like pine or elm, and the AOL/Hotmail/Yahoo crowd. To some extent it's already happening: I can barely read some messages sent from MS Outlook, they're formatted so badly, and as a result I'm less likely to reply to them.
you missunderstand SPF (Score:4, Informative)
The recipient's MTA will check the sender's SPF record. You can auto-generate all the email accounts you'd like, only the domain name portion of the email address is authenticated in SPF.
In fact that was one of the arguments against SPF, people said that it did not go far enough and actually authenticate users.
Personally, as someone who has to administer an email server and whose domains are sometimes used in forgeries for spam ( last one was a few days ago ), I'm all for SPF.
Re:What about commercial or throwaway accounts? (Score:4, Informative)
See, I generate a disposable ("Spamtrap") account, and post that all over the internet. When the crap gets too unbearable, I just regenerate it. I can't even imagine how I survived without a disposable account in the past.
Also, and more related to the story, what will happen to sites that let you consolidate all your other accounts? I use Shadango [shadango.com] to check my POP/IMAP/Y!/Hotmail/AOL/mail.com accounts (because it filters them, plus I have a bigger quota), but I guess it's just a matter of time until I won't be able to 'send' from those addresses anymore.
Hmmm... it sucks that spammers have slowly taken away all the freedom that the email
It's hard to win a fight when you don't know who to swing at.
Susie Johnson
Doesn't protect against cracked computers (Score:5, Insightful)
Of course if all non-business accounts were prevented from hosting an SMTP server that would help solve that problem, but I don't think that would go over very well with the Slashdot crowd. I'm not even sure where I stand on that issue.
A smarthost solution that many of us would accept (Score:2)
Of course if all non-business accounts were prevented from hosting an SMTP server that would help solve that problem, but I don't think that would go over very well with the Slashdot crowd.
As long as ISPs:
Re:Doesn't protect against cracked computers (Score:5, Informative)
Re:Doesn't protect against cracked computers (Score:4, Informative)
SPF is just one tool to help tighten up the security of the SMTP system. It lets domain owners say who is authorized to send email using their domain name. This is a useful thing to do, and it allows for other things to build on it. For example, RHSBLs that blacklist domain names instead of IP addresses are much more useful after SPF checking has been done. SPF checking can also help detect phishing schemes.
this ain't gonna work. (Score:5, Interesting)
Basically - all we need to do is this. We have a trusted institution like a bank or your local government office issue a digital ID to everyone who wishes to participate... purely voluntary.
Next - those who wish to participate use an email client that refuses to accept anything from anyone who does not have a valid certificate.
Next - we set up a black hole list and the email clients refuse emails from anyone in the blackhole list.
Next - we make this list available to the issuing authorities and if they re-issue we blackhole that authority.
By doing this we create a beuracratic nightmare for our wanna be spammers and everyone else is pretty much free to go on as they have.
I for one will NOT join an opt in list because there are far to many people who have legitimate reasons to contact me. Yet the spammers? well - there are not that many of them... they are really a fringe group actually.
You bet :this ain't gonna work. (Score:3, Interesting)
1) Banks and government as "trusted"? This sounds like a wonderful way for both of them track every e-mail you send with no problem.
2) "Voluntary" will rapidly become mandatory.
No, for e-mail to remain useful and to ensure that those who need it can have privacy it is important that we develop technology that block
Get your SPF here (Score:2)
Everybody should start using SPF. No, it's not the perfect solution. Think Saving Private Ryan. SPF is like the guys in the front of the boat who get gunned down when the doors open. But without them, the other guys (other to-be-developed protocols-or-whatever) wouldn't stand a chance..
SPF is good fro the PHBs... (Score:5, Interesting)
1) It is easy to do. You can go to the SPF site [pobox.com] and they have a wizard to fill out so you know exactly how to change your DNS, and
2) You can change things over gradually. After you've changed the DNS, you start by aloowing everyone, and then as more people join the system, you implement the protocol slowly.
That last point is particularly good, since the PHB types freak if their email isn't exactly the way that they're used to... and they also freak when implementing new technologies. You can assure them that nothing is changing at first, and that all changes will be made gradually and in steps.
The SPF guys understand that that's necessary, and even have a PHB Executive Summary [pobox.com] page.
Publish SPF records (Score:5, Informative)
AOL is the Wal*Mart of the Internet. (Score:5, Interesting)
Um, I thought... (Score:3, Insightful)
The _only_ thing I see working that the spam scum will simply never get around is going with whitelisting email address' (much like what Apple's Mail does -- it's not junk if they're in your Address book) -- and authenticating said From: lines with RMX type DNS lookups.
Email!certainly!is!not!what!it!used!to!be
I'd love to bang! a spammer some time -- right up side the head.
As usual, D. J. Bernstein has the ACTUAL solution (Score:5, Interesting)
Re:As usual, D. J. Bernstein has the ACTUAL soluti (Score:4, Insightful)
It also introduces a lot of problems. Unless you just immediately fetch, it tells the sender where you were (IP address) and when at the time you fetch the mail. If the sender's server is down you may not be able to fetch it at all. Response times get slower, again unless we just use this to implement the old pre-send system, in which case we don't get its benefits.
A mixed system (pre-send small mail, post-fetch large or questionable mail) can have some of the benefits but still faces problems. And spam still comes.
Re:As usual, D. J. Bernstein has the ACTUAL soluti (Score:4, Informative)
The idea behind Internet Mail 2000 [cr.yp.to] is obviously correct. Why waste time on DNS-based approaches when we COULD be developing the Solution?
Because it's not backward compatible.
SPF is a simple and backward compatible solution to email forgeries. People who don't use it are still able to use email, while people who use it are protected against forgeries.
Everyone and their brother are reinvented email theses days without realising that you need to improve the existing email system. It's not possible to throw away the existing system.
Serious Flaws in IM2000 (Score:3, Insightful)
1] You don't get a message unless you want to retrieve it
2] The sender has to store the mail not the receiver, so the sender has to pay to store a bajillion messages
This doesn't work because:
1] By seeing the notification, you're already annoyed and have wasted your time.
2] The sender need only store ONE copy of the mail on a customised MTA, not millions - so as long as he has a custom server, he can still spam and use only a few hundre kb of disk space per mes
problem (Score:5, Funny)
Built on existing standard (Score:5, Informative)
I forsee a problem (Score:3, Interesting)
This actually is the case for my wife and I, who still pay for and use our older dialup ISP's email accounts for both professional and personal reasons, but have been connected to the internet 24/7 via cable for the past few years. We cannot send email out through out email provider's mail server unless we dial in and connect to them directly using one of their dialup lines. Thus, we use the mail server provided by our cable provider to send the mail for us. Of course, if ADSL was available in my building, I would simply subscribe to that via my ISP and it wouldn't be an issue, but it's not... so a system like this would seem to render my wife's and my email accounts unusable.
Re:I forsee a problem (Score:4, Insightful)
You're spoofing your "From:" address at the moment, and that's exactly what nobody should be allowed to do for any reason...
Why this is a big deal (Score:5, Informative)
SPF is a proposed standard for a domain owner to tell mailers where mail From: that domain may originate. The domain owner publishes a DNS TXT record for their domain with (at the simplest) list of IP addresses. Participating mail transfer agents can then look this record up and make a policy decision on whether the mail is likely to be legitimate. The presence of an SPF record on a domain at present means that while you still can't be sure when you're handling spam, you can be sure when you have a piece of non-spam because the SPF record tells you so.
SPF is not a wholly original idea (e.g. up "designated mailer protocol"), and certainly not the simplest implementation but the important factor is that its proponent, Meng Wong, is an excellent lobbyer and spokesperson, as well as someone who as the nous to put forward a useful protocol (he founded pobox.com). It's currently at the point where lots of implementation are being written, with the canonical version being Meng's Perl modules. Currently I'm helping to finish the C implementation which will shortly be integrated into qmail and exim.
The tipping point (I hope) will be when a domain not publishing an SPF record or publishing a globaly permissive one will be considered "obviously" untrustworthy. Combining SPF authorisation with a more traditional "From: domain blacklist" will give spammers a very very hard time indeed forging mail. But AOL publishing a record (we hope) shows the way the wind is blowing: the rest of the world does seem to have to change their mail server configuration to keep mail flowing to AOL.
So go on, it's dead easy, publish a record for your domain now. Tell people where your mail comes from. Look, there's even a wizard to help you.
I see a problem here.... (Score:2, Interesting)
I'm interested in it but have a slight issue with it at the moment that
I'd like to get resolved.
My domain is: mydomain.com
Customer A is traveling and is using his e-mail of joe@mydomain.com
However, I do IP filtering on my mail server (not SASL AUTH), for my
dial-up pools.
When Customer A is at hotel he must use their mail server to send mail
out, so his mail will be rejected because the hotel mail server isn't
listed in mydomain.com's SPF txt list.
You suggest running SASL AUT
Some educated opinions on the subject. (Score:3, Interesting)
If you don't know who these two people are, I seriously hope you're not someone who's making decisions affecting SMTP on the Internet.
Re:Some educated opinions on the subject. (Score:4, Informative)
Before looking at SPF you may want to read what Claus Assmann [theaimsgroup.com], and Wietse Venema [theaimsgroup.com] have to say on the subject.
You might also want to read what Steve Bellovin [att.com] (one of the guys who invented USENET among other things) and Eric Raymond have to say about it. They spend a little more time understanding SPF...
Wired story with Raymond's comments. [wired.com]
Bellovin's comments in an email to the SPF mailing list. [listbox.com]
Spam solution... (Score:3, Funny)
Ok, how about all you potential spammers send $6 to my home address:
123 Fake St.
Springfield, Il
12345
United States of America
and U will $ee many monies! No need to spam again!
Sincerely,
Prince Mobutu of the Nigerian Empire.
Silver-bullet solutions (Score:3, Insightful)
It's not. SPF just provides one more bit of helpful information -- which IPs email from the sender's domain should really be coming from.
While someone could use SPF in a pure binary decision system that breaks SMTP, it's going to be an incomplete solution. Just like blacklists, whitelists, and bayesian filtering are also incomplete solutions.
However, you start using these things in combination and magic happens.
Example: I use ASSP for server-side spam filtering. ASSP uses bayesian filtering, but also whitelists people you email and uses blacklists.
The blacklist implementation is interesting, however, as when it determines an IP is blacklisted it simply starts off with a higher spam probability in the bayesian stage -- it's not truly blacklisted, just more suspicious.
You could do the same thing with SPF, initially giving a lower spam probability to mailservers with SPF, and when there's more infrastructure using SPF, switching to penalizing non-SPF servers.
Nice thing about this approach: it doesn't require everyone to convert their infrastructure, but it does incentivise legitimate servers to do so without penalty. It doesn't break any standards. Legitimate mail still gets through, but spam suffers.
Stop thinking that all spam solutions have to be single silver bullets. Anti-spam tools can be additive.
One more tool against spam == a good thing.
Testing incoming, or testing outgoing? (Score:3, Interesting)
Re:Testing incoming, or testing outgoing? (Score:3, Informative)
I've read the article and I can't figure out what the test is. Does this mean that AOL is publishing SPF records (in which case it's old news) or does it mean that AOL is going to start rejecting incoming mail which fails the SPF tests?
It's the old news.
I don't think SPF accomplishes much (Score:3, Insightful)
Suppose we have joesixpack as an example - and he has a laptop. At home he connects via his ISP and sends an email to his mom. The letter is received because the from address is valid in his ISP's SPF list. Then he goes to work and tries to send her another email. This time the email will get rejected. So he tries to send it through his ISP's mail server. Since he is not connected to his ISP's system, the email is rejected.
This means that joesixpack has to somehow LOG IN to a server and go through an authentication.
-------
This sort of comes to the nub of the problem. Authentication. If Joesixpack is a good guy - he should be able to send email to anyone - and if he is not a good guy we will find out fairly quicky and we can fine him or pull his priviliges.
The issue is not much different than driving a car actually. It needs to be dealt with in the same way as traffic infractions... perhaps through the police.
One way to implement something that will work is via issuing a certifiation. At the time joesixpack signs up with his ISP - the ISP could act as a CA and certify him as a good guy. They can record his identiy just as they recorded that he paid his bill. At this time they could install a cert for JoeSixpack into his email client - AND - bond it to his machine. There are many ways to bond it - including using a dongle or smartcard. But a practical way would simply bond it to the hard drive. I'm sure ways can be invented so that certs cannot be simply pulled from one machine and stuck into another.
If Joe later abuses his cert - then his ISP can blacklist it and refuse to issue another. Also - the ISP's can trade blacklist information just as banks and businesses trade credit information.
The mail clients can be modified to send the cert and the MTA's could check for and eventually reject any unsigned mail.
As for the ISP's being a trusted CA? Well - we have to trust some people somewhere. The question would really boil down to which ISP's trust which other ISP's and they could cooperatively run their own blacklist.
With a system like this - I would think that an ISP that is shady would find their email services would be in jeopardy of being refused and that should serve to keep the ISP's in line to.
------------
I also think the spamd solution in OpenBSD has a lot of merit. Spamd does not block email. Instead - if the sender is blacklisted - spamd accepts it very very slowly. This creates an incentive for the owner of the mail server sending out the spam to deal with it. With spamd in wide spread usage the problem comes under control in a number of ways.
(1) suzy spammer will find if she runs a spam server that it can't spew very fast - because her IP address and/or domain will end up in the RBL rather quickly and the moment this happens. Receiving MTA's slow to a crawl.
(2) If Suzy spammer tries to send through her ISP's account - the same thing happens but now the ISP has to deal with the problem. No ISP's will want to have a significant number of their IP addresses in an RBL. Since this will pose a significant admin problem - the ISP has a huge incentive to give Suzy spammer the boot.
(3) We have some bad ISP's and these people will find their errant ways are causing themselves grief.
(4) It might encourage ISP's to actually issue static IP's which many of us want anyways. Note we would NOT have nearly the spam problem if static IP addresses were issued.
Re:Still don't get it.... (Score:4, Insightful)
In short, yes.
Re:Still don't get it.... (Score:5, Insightful)
I think the problem is larger than the few annoying emails people get everyday. There's two things to consider.
1) Cummatively, spam is not just a headache but can be resource draining. Getting 10 or so a day for ten days if I don't check email leads to 100 emails. It would be one thing if it affected me but I'm not the only one that uses my mail server or ISP. It bogs down the mail server that I use whether it's my work email or my personal one. At work, my company has to dedicate resources to fight spam which costs companies money. My only effective choice right now is to abandon my email address every year so I don't get spam for a while.
2) Spam is not discrimating. Offers that are sexual in nature may be innocuous to me, but for parents that's another matter. They want their kids to learn email but can't do much to protect them from this content besides not use email.
Re:Still don't get it.... (Score:2)
3) Signal to Noise or Spam to Legitimate Email ratio. It's increasingly easy for me to accidentally discard or misfilter email from people I know but don't communicate with, regularly. I get >100 spam per day, with varying subjects. If an old friend from school looks me up, it's likely that their email will register as spam.
Re:Still don't get it.... (Score:3, Funny)
Re:Still don't get it.... (Score:2, Insightful)
I use my inbox as my project list. Everytime I go to my inbox, I would have to delete spa
Re:Still don't get it.... (Score:5, Insightful)
Seriously. Are you people really getting so much spam every day that the "delete" button just doesn't do it for you?
Really, now, junk mail is just not that pressing an issue to me. And I can't see why/how it's such a huge issue for anyone else.
Let me explain it to you.
Yes. I personally receive over 5000 spam messages a day. Thanks to the very clever spammers who are getting better at circumventing spam filters, I'm seriously considering moving to a white-list, and even that may not stem the tide. Part of the problem is with false-positives and the fact that people don't know how to write a proper subject line. Sometimes legitimate and very important messages have been contained in messages with subjects and other message body content that can resemble spam.
As a test I have set up e-mail addresses that I have never used or publicized in any way at a number of domains and providers. Guess what? Within days (sometimes hours) spam lands in those mailboxes, too, and based on the user/account names that I set up, I know it's not because of a simple dictionary attack.
Just because you don't personally experience it (consider yourself among the lucky few) doesn't mean that it's not a real problem. FYI, SPF is not (strictly speaking) from AOL. It's just being rolled out on a massive scale by AOL, which should be a good test of the technology.
I don't know if this is the right move, but something has to be done to eradicate this plague and its carriers.
Re:Still don't get it.... (Score:3, Interesting)
Re:Still don't get it.... (Score:2)
alright, i guess i grasp it a little better now. i suppose i would have already a better idea if i were running a commerce site, or at least a moderately well travelled site of any kind. thank the good god of traffic i'm obscure.
now, here's another fun question. why, if this problem has been boiling up for five years now (and it has, hasn't it?) has some group not already tried to quash it?
Re:Still don't get it.... (Score:3, Insightful)
That's 3 hours 47 minutes. Yeah, I'd say the "delete" button doesn't just do it for me.
So junk mail is not that pressing an issue to you? Would you like to process mine? Pick out the 38 legitimate emails I did get yesterday.
And to ge
Re:Still don't get it.... (Score:5, Interesting)
My Popfile stats since I last reset it just before Christmas:
Inbox - 175
:(
Invoices - 57
Newsletters - 343
Spam - 20231
Accuracy of 98.73%
Yes, 97% of my email is spam
That's across about 5 ISP accounts and a few domains.
Re:Still don't get it.... (Score:5, Informative)
New: 2911 Total: 8639
That is from the last 6 weeks. Less than 1% are real messages (domain renewals).
Re:Still don't get it.... (Score:5, Funny)
Oh really, matrophe@sdf.lonestar.org, it's not? I wonder why that is, matrophe@sdf.lonestar.org. Let me tell you something, matrophe@sdf.lonestar.org, sometimes spam starts and you don't know how. It goes like this, matrophe@sdf.lonestar.org: One day you'll check your mail and there will be a single spam e-mail, not addressed to you matrophe@sdf.lonestar.org. Then a week later, it's a couple a day, matrophe@sdf.lonestar.org. And it keeps growing, matrophe@sdf.lonestar.org, until you get a filter like popfile or you just stop using the address matrophe@sdf.lonestar.org.
I hope this cleared it up for you, matrophe@sdf.lonestar.org.
Re:Still don't get it.... (Score:3, Insightful)
I'm very enthusiastic about anything new. The other guys (earthlink, etc) have had absolutely no luck in implementing a real spam solution. I suspect that more money was spent on marketing 'spamblocker' than was spent developing it.
Let's be happy one of the big ISPs have the resources and dedication to, at least, try to slow the spam down. Something has to be done.
Just look how many
Re:Still don't get it.... (Score:4, Informative)
SPF is an attempt to stop the practice of domain-forging or "joe-jobbing". Which, for a business domain is important. Right now, anyone can pretend to be joe@mycompany.com and either tarnish our company's name, or simply make life extremely difficult for us when our ISP cuts us off for spamming (when we didn't do it).
However, it is likely to have some beneficial side-effects like making domain-based whitelisting/blacklisting more effective. It raises the bar one more notch for a spammer (now they have to either find a non-protected domain to forge, route their spam through authorized servers for a domain where it's likely to be noticed and blocked, or register throw-away domains to push their product).
(And SPF is very similar to what AOL already requires if you want to have your domain whitelisted with them. You're required to list the IP addresses that send outbound e-mail for your domain, anything else gets dumped in the bit-bucket or at least is likely to get tagged as spam by the filters.)
Re:Still don't get it.... (Score:3, Insightful)
Yes.
Not to mention that your argument is, of course, the oldest and dumbest of the "doh, I don't wanna see the problem, nanana" kind.
I mean, why should we do something about rape? Nobody I know got raped, so it can't be a huge problem. And seriously, are you being raped so often that just dealing with it doesn't do it for you?
Really, now. Rape is just not thatpressing an issue to me. I can
There is nothing to be cracked here... (Score:3, Informative)
Re:There is nothing to be cracked here... (Score:3, Informative)
1) hack the DNS records for the domain, add your list of zombie machines to the SPF record (moderate difficulty, watchdog monitoring of the SPF record could detect it quickly)
2) DoS on the SOA server for the domain so that SPF information can't be retrieved. (difficult, DNS caching would bypass until the TTL expires)
3) Forge the DNS reply (possible, but very tricky and relies on timing of packets,
You are incorrect (Score:5, Interesting)
Re:DNS??? (Score:3, Informative)
Initially, that was my question too... why not just require that outbound e-mail be sent from an IP address listed in an MX record?
Well...
1) MX records are designed to specify wha