Forgot your password?
typodupeerror
America Online Spam

AOL Will Not Support Sender-ID 269

Posted by CowboyNeal
from the yet-another-one dept.
DominoTree writes "America Online said Thursday that it will not support the Microsoft-backed antispam technology called Sender-ID. The online giant cited 'lackluster' industry support and compatibility issues with the anti-spam technology SPF that AOL supports."
This discussion has been archived. No new comments can be posted.

AOL Will Not Support Sender-ID

Comments Filter:
  • by Anonymous Coward on Thursday September 16, 2004 @11:58PM (#10274062)
    I'm confused.
  • by Chuck Bucket (142633) on Thursday September 16, 2004 @11:59PM (#10274068) Homepage Journal
    It seems this is (almost) universally being voted down, it's time to give up and not implement this. There must be a better way to solve this, and I'm not surprised MS came up with this one!

    CB--->
    • by over_exposed (623791) on Friday September 17, 2004 @12:08AM (#10274119) Homepage
      There is always a better way to solve problems like this, but do you really think MS is going to back down? It'll get implemented just like every other bad idea they've ever had (ie. WinME) and then no one will like it or everyone will complain or (more likely) no one will use it and whatever userbase it does have gets nailed with security holes etc.

      It's all about the all mighty buck. If they think this concept will make them more money than it cost to research and implement, you can bet your arse they'll implement it. They really don't care about interoperability either. They could care less if no one outside of the msn.com and hotmail.com domains can use it (or care to). That's one helluva userbase right there. Plus, they can just spout it off as another "Security" or "anti-spam" feature to get people to pay for hotmail premium accounts.
      • by Alien Being (18488) on Friday September 17, 2004 @12:41AM (#10274255)
        "but do you really think MS is going to back down?"

        They thought they could ignore the Internet and TCP/IP, but eventually they realized that some things are even bigger than they are.
      • by 16K Ram Pack (690082) <tim.almond@gm[ ].com ['ail' in gap]> on Friday September 17, 2004 @05:41AM (#10275066) Homepage
        You are right, they don't back down, but some ideas do seem to fizzle out.

        One I've noticed recently - I've hardly seen an obvious FrontPage site in months. Either people who started building websites which look less "frontpage like" or it's not being used as much.

        Is there anyway to calculate the level of Frontpage usage?

        • One I've noticed recently - I've hardly seen an obvious FrontPage site in months. Either people who started building websites which look less "frontpage like" or it's not being used as much.

          Not necessarily related, but the last version of FP is a lot better than the previous ones - I guess the MS Frontpage team got tired of being the laughing stock of the web dev community...

      • by jellomizer (103300) * on Friday September 17, 2004 @07:47AM (#10275287)
        Actually there is a lot of Microsoft Technology the doesn't make it. There are 5 Different Faits for Microsoft technologies.
        1. Big Seller no matter what: This includes things like Windows, Office and its companions (like MS Project...) Basically Windows x and MS Office are the true money makers for Microsoft that actually gives them the true marketing edge over other companies
        2. Normal Selling Products: These are the Microsoft tools that sell well but are not the only major player and they have to compete directly with other players. Such products are like Microsoft's server tools and applications. While they are popular they are not the only big guy in the field. 20% Market share is actually very good but there are others out there that are just as big as you.
        3. Profetible slow selling products: These products are still making profit but are not getting the reception that wanted or expected. These are things like .NET
        4. Non Profitable but Microsoft forces to keep alive: Things like MSN. These are area that Microsoft knows it must grow at a large cost.
        5. Dismal Failures: These Products never got any form of acceptance in the world. Much like Microsoft Bob.


          1. Microsoft is a big player but most of it products are under rather fair competition with the other big players out there. IBM, Oracle, Unix, Linux, etc... Why do you think Microsoft takes Linux so seriously is because it is in direct competition with Windows market, and is rapidly importing on its main bread and butter. When Linux overtakes windows as a desktop OS, then Open Office will soon take place as the next office suit (Unless MS makes Office for linux in that time frame). And Microsoft will loose its major cash products and will need to resort to (Gasp!) Fair competition with other companies. The Microsoft name will no longer mean Dominance and just will be an other Novel.
      • by njdj (458173) on Friday September 17, 2004 @08:10AM (#10275337)
        If they think this concept will make them more money than it cost to research and implement, you can bet your arse they'll implement it. They really don't care about interoperability either.

        I think they've shown they care about interoperability very much: they don't like it, and will do whatever they can to disrupt it. That's shown by, for example, the changes they've made to filesharing to make life difficult for the Samba people; the fact that they not only don't document file formats for key applications, but change them slightly with every new application version; and now Sender-ID, where (apparently by order from BG personally) they insisted on licensing terms calculated to be incompatible with some of the most important free software licenses, including the GPL.

        I think you're wrong about the Microsoft decision process - "If...this concept will make them more money...". Sender-ID would not make them any money; I very much doubt that anyone is going to migrate from Linux to Windows just to get the supposed benefits of Sender-ID! That's not what its for. Breaking interoperability is a corporate goal for Microsoft, because interoperability allows competitors to survive.

    • by SpeedyG5 (762403) * on Friday September 17, 2004 @01:49AM (#10274444) Homepage
      Maybe they could commission Apple to come up with an anti-spam idea. Once its nearly a standard, then MS could usurp it as their own, then it will be a great idea that MS came up with.
  • by chrispyman (710460) on Friday September 17, 2004 @12:00AM (#10274072)
    I find it quite amusing on how AOL is sometimes caught sleeping with Microsoft (like IE in AOL) yet other times it pretty much pretends like they want nothing to do with them. You'd think that AOL is big enough to where they can honestly tell Microsoft to "Shove It" without any big consequences.
    • by Three Headed Man (765841) <dieter_chen&yahoo,com> on Friday September 17, 2004 @12:06AM (#10274108)
      They really can't. They're just rejecting one technology. If they were to integrate Mozilla into AOL 10, then I'd start to agree with you more.
      • Speaking of which, I don't get it. AOL owns Netscape, what possible reason could they have not to use their own product and use a competitor's instead?! It makes absolutely no sense!

        Also, what does AOL for Mac OS use?
        • by Atrax (249401) on Friday September 17, 2004 @12:29AM (#10274211) Homepage Journal
          > Speaking of which, I don't get it. AOL owns Netscape, what possible reason could they have not to use their own product and use a competitor's instead?! It makes absolutely no sense!

          If they use IE, they get an icon on every OEM windows install. that's a LOT of new customers.
          • by dozer (30790) on Friday September 17, 2004 @12:34AM (#10274232)
            Too bad it appears under the icon for MSN...

            MSN is tied into the OS in a bunch of other places too ("You're running Outlook for the first time! Would you like to set up a free MSN account?").

            Making deals with Microsoft is hard.
          • If they use IE, they get an icon on every OEM windows install. that's a LOT of new customers.

            Is it REALLY a lot of new customers these days? What with all those free coasters and all, I really don't think the desktop icon means that much. There must be something else.

            Like browser mods and and the fact that as we all know, (at least if you know ANYTHING about Windows API and Windows app development), all things in Windows including the browser and the file navigator, they are all "windows". Even Outlook

        • by idiotnot (302133) <sean@757.org> on Friday September 17, 2004 @12:44AM (#10274267) Homepage Journal
          AOL for OSX uses a gecko-based thing, as does (or did for awhile) the Win32 Compuserve client.

          IE on OSX is pretty much dead.
          • by cbreaker (561297) on Friday September 17, 2004 @01:22AM (#10274374) Journal
            I've never been a Mac fan, and I'll probably never buy one, but since it's a completely different non-windows OS, and runs different core software like browsers - it's good for the whole.

            The more people that use Macs, the more people that will be browsing web sites without IE, and the more websites that won't rely on IE-only functionality.

            Truthfully though, it hasn't been a problem running Mozilla for 98% of the sites I visit. And I don't only visit sites like Slashdot - I go to a lot of sites that the masses visit as well. No browser string faking, no activeX plug-ins. Just straight Mozilla, and it works great.

            All we need to do is chisel down those last 2% and we'll be living large.

            With all the visible security problems in Windows and IE these days - more and more people are getting sick and tired of it. Some people are seeking alternative Browsers, more every day. It's not the obscure security bugs that people care about or even know about it's the ones that allow spyware to be installed causing them to have to call friends, family, support people and generally have a terrible time using their computers.

            So.. GO MACS! And.. GO IE BUGS!
            • The only site I've had trouble with in recent memory was a class website that had imbedded powerpoint (and of course the class itself used Windows-only CAD software [SolidEdge], so it sucked all around). But no sites on the actual Internet have had that problem recently.
          • Yes, since it sucks and Microsoft isn't developing it any more...
        • ...AOL owns Netscape, what possible reason could they have not to use their own product and use a competitor's instead?!...

          Perhaps the $750 million payoff [userfriendly.org] had something to do with it.

    • by finkployd (12902) on Friday September 17, 2004 @12:10AM (#10274131) Homepage
      Without consequences? Microsoft has shown time and time again that they are not above intentionally crippling or outright breaking third party apps in running under their OS simply because they don't like the company or are competing with them.

      This isn't tin foil hat stuff, this is computer industry history (Lotus, DR DOS, etc) I'm sure AOL knows it. They will never piss off MS too much.

      Finkployd
    • I find it quite amusing on how AOL is sometimes caught sleeping with Microsoft (like IE in AOL) yet other times it pretty much pretends like they want nothing to do with them.
      Me too!!!
  • by Osrin (599427) * on Friday September 17, 2004 @12:00AM (#10274077) Homepage
    With this single decision AOL will disenfranchise a whole underclass of society.
  • by ScArE2100 (663201) on Friday September 17, 2004 @12:02AM (#10274087) Journal
    Sender ID Framework [microsoft.com]

  • What? (Score:5, Interesting)

    by dtfinch (661405) * on Friday September 17, 2004 @12:02AM (#10274090) Journal
    I thought AOL loved blackholing everyone's email from the outside. It already happens over half the time that I reply to an email tech support request from an AOL member. They say I'm not in their address book, so I can't respond despite them having contacted me first.
    • Re:What? (Score:5, Insightful)

      by LoadWB (592248) * on Friday September 17, 2004 @01:31AM (#10274394) Journal
      Any time I get a C/R when replying to an email which solicited me in the first place, be it support or otherwise, I immediately delete the email and consider the case closed.

      It comes down to knowing the system which you are using. If someone uses a C/R anti-spam system and cannot even be bother to use it correctly, then that person gets nothing in return. I am not spending my time chasing these people down. If and when said person calls, I just explain that I was not able to respond, and he or she needs to contact the ISP to determine the problem.

      You cannot always blame these people, either. There are a number of cases where people refuse to become informed -- they just think it should work with no expendature of effort. But in many cases it is the fault of the ISP which provides whiz-bang services and not a drop of intelligent support, information, guidance, or some combination thereof.

      I have read many times over that C/R systems are broken, brain-dead, and a Band-Aid approach to the problem. The more I encounter these systems and the people using them, the more I agree.
      • Re:What? (Score:3, Interesting)

        by gellenburg (61212)
        I've got to disagree with you on the whole C/R thing.

        Probably since I employ it (ASK, http://www.paganini.net/ask/ [paganini.net]) behind some bayesian filters (ASSP, http://assp.sourceforge.net/ [sourceforge.net]). Considering that my domain receives thousands of UCE/UBE each day, I have no choice but to take militant actions.

        ASSP automatically whitelists everyone I mail to, and sets the TTL to 90 days. So any reply is going to be automatically accepted by ASSP.

        ASK on the other hand is set that if my "key" (in this case, my PGP Key I
        • Re:What? (Score:3, Insightful)

          by virtual_mps (62997)

          I've got to disagree with you on the whole C/R thing.

          Probably since I employ it (ASK, http://www.paganini.net/ask/) behind some bayesian filters (ASSP, http://assp.sourceforge.net/). Considering that my domain receives thousands of UCE/UBE each day, I have no choice but to take militant actions.

          You can do whatever you want with your mail, but I agree with the grandparent--you won't ever see a reply from me. (Or a lot of other people who deal with a lot of email and don't appreciate having their time waste

  • as a sys admin (Score:5, Insightful)

    by Exter-C (310390) on Friday September 17, 2004 @12:03AM (#10274093) Homepage
    As a sys admin for a large hosting provider aols anti spam policy has been great at reducing the amount of crap email being sent through thier servers. Over the years its dropped a massive amount so anything that AOL does to fight spam is a bonus to the world as they are such a large part of the "internet".

    Unfortunatly there are thousands of ISPs that dont take SPAM as seriously as what AOL does. Realistically this is something that doesnt come as a suprise to many people that have been following the anti-spam developments closly. You cant blame AOL for having a service that is computer illiterate friendly despite your own experiences.

    Everyone has the freedom to choose thier provider. Personally Im never going to use them.. but hey the option is there if you ever do want it. and if you do sign up you can live with less spam ;)
    • Re:as a sys admin (Score:4, Interesting)

      by Anonymous Coward on Friday September 17, 2004 @12:49AM (#10274286)
      Speaking as a sys admin myself, I've been on the flip side. They can be real bitches when you get tagged as a spammer by their system.

      It took me about a month to get myself straight after I'd been blacklisted. They also "removed" the blacklist, and said it was IP-based, but intermittent errors would pop up for weeks afterwards. joeluser@myhost could send to AOL, but janeluser@myhost could not.

      BTW, google for "Jason Smathers" if you want to see how effective they've been.
      • Re:as a sys admin (Score:2, Interesting)

        by Exter-C (310390)
        Ive been on both sides of the issue as well. We changed the names and IPs of our servers. It was the only fast way around it at that time.

        Its not always AOL as a company or as sys admins as its also the users hitting the "this is spam" button... even when its clearly not.
        • Re:as a sys admin (Score:4, Informative)

          by LoadWB (592248) * on Friday September 17, 2004 @01:36AM (#10274411) Journal
          postmaster.aol.com offers the "feedback loop" which will inform you of any reports of spam from your system. I have never had the chance to benefit from this, so I cannot personally comment on its usefulness. However, this is supposedly a pro-active way to ensure that such problems do not affect you.

          Admitedly, I am normally not a big fan of such systems... why should I have to take the time to inform an ISP of my existence, intent to send email, etc., right? Well, in this case it makes sense since they are 1) giving me the benefit of the doubt at first, and 2) giving me a way to make sure that doubt never enters into our relationship. Quite useful, I think.

          As an admin myself, I believe this is a useful tool to help find problems in your userbase before they become bigger problems.
          • Re:as a sys admin (Score:3, Insightful)

            by dmeranda (120061)
            I have had a very favorable experience with AOL. We got blacklisted by them once (not because we were intentionally spamming, but that's when spammers first started taking advantage of "bounce" message hacking).

            Anyway after contacting AOL I was able to talk to a postmaster (a real human) on the phone, and he was very pleasant and we worked to resolve the problem within the day. And they also established the feedback loop for us, which actually is a pretty nice service. If for whatever reason spammers ge
    • IIRC they are pretty spammer-friendly.
    • Re:as a sys admin (Score:2, Insightful)

      by ciderpunk (611927)
      I'm a sys admin too,

      Some time ago they blocked our IP, ostensibly for sending spam. I contacted them, and eventually managed to persuade them to unblock it, as we weren't evil spammers, but a student campaigning organization.

      So they insisted on having an address to send service complaints to, which is cool, we don't want to piss people off with spam. I gave them postmaster@ .

      Then I start getting through the occasional service complaint (scomp@aol.com). Unfortunately these babies:

      a. Don't tell you what t
  • by Chuck Bucket (142633) on Friday September 17, 2004 @12:04AM (#10274096) Homepage Journal
    From reasons of lack of support and lack of backward compatibility. Wow, AOL was (is?) paying attention:

    "The online giant cited "lackluster" industry support and compatibility issues with the antispam technology SPF, or Sender Policy Framework, that AOL supports.

    AOL's moves come days after the Internet Engineering Task Force standards body voted down the Sender ID proposal. The IETF said Microsoft's decision to keep secret a patent proposal for the technology was unacceptable. Open-source groups also pulled their support of Sender ID, claiming its licensing restrictions were too strict. AOL agreed with the IETF fallout and added its own reasoning.

    "AOL has serious technical concerns that Sender ID appears not to be fully, backwardly-compatible with the original SPF specification--a result of recent changes to the protocol and a wholesale change from what was first envisioned in the original Sender ID plan," AOL spokesman Nicholas Graham wrote in an e-mail."

    CB_===__-8a90fuds76
  • Good (Score:5, Informative)

    by afidel (530433) on Friday September 17, 2004 @12:04AM (#10274098)
    SPF is just as effective as Sender-ID for the general internet and is MUCH easier to implement. I am a consultant for quite a few small non-profits and so far I haven't charged any of them for setting up SPF records since it's generally a 2 minute process to create the record (at the most), and an email or a 2 minute phone call to their DNS provider. Sender-ID would force me to do some actual work which would in turn cost my customers money.
    • SPF issues (Score:3, Insightful)

      by markv242 (622209)
      Okay, so setting up SPF records aside, have you actually modified their mail servers to do anything with incoming SPF data? As someone who hosts a few domains on a box, I'm very very hesitant to modify Mimedefang to drop messages that fail SPF, because a few people have .forward files on other boxes that point at me. Has anyone solved the .forward problem with SPF yet?
      • Re:SPF issues (Score:3, Informative)

        by afidel (530433)
        Well if they controll the DNS for the origional sending domain it is extremely easy to allow the forwarding server to be authenticated for the origional domain. If not then they are doing something which due to spammers is unfortunatly no longer acceptable to most users. As far as changing recieving behavior, no. But I expect that tools like I Hate Spam and Barricuda which many of my clients use will soon support SPF. The best way to use SPF is to just give messages without an SPF record a high starting sco
    • This is a little OT... I'd actually like to hear a proponent of SPF deal with the complaints made about it here. [tesco.net]

      I myself have no opinion. I haven't admined a mail server in over 2 years and I am woefully not up on this subject.
      • Re:A little OT... (Score:5, Informative)

        by afidel (530433) on Friday September 17, 2004 @12:34AM (#10274230)
        His first major premise is pure BS.

        Ironically: SPF is also a good counter to one objection to IM2000 Internet mail, namely that it involves changing the structure of the mail system. If people sending mail and mail hosting companies are clearly willing to accept the massive structural changes that SPF will entail, they will be willing to accept the smaller structural changes that IM2000 Internet mail will entail.

        For the VAST majority of sites there is NO structural change to the way they do email. For small companies (those most likely to have problems implmenting a new system) SPF is as simple as entering "v=spf1 mx -all" in a TXT record for their domain, that's IT! Even for a mid sized companie with multiple divisions with a couple mail servers and a couple domains implementing SPF was a 10 minute endevor, hell getting proper reverse DNS setup usually takes me several times that long due to the necessity of beating it into yet another ISP's head that yes the customer should get a valid reverse DNS entry and reverse DNS is MUCH less usefull for fighting spam and viruses.
      • Re:A little OT... (Score:5, Informative)

        by AnotherBlackHat (265897) on Friday September 17, 2004 @03:40AM (#10274783) Homepage

        I'd actually like to hear a proponent of SPF deal with the complaints made about it here. [tesco.net]


        I'm not exactly a proponent, but I can respond to most of his points;

        * SPF breaks pre-delivery forwarding.
        SPF doesn't break pre-delivery forwarding at all, you just need to include the machine forwarded to in your SPF record.
        post-delivery forwarding is a problem, but at least in theory, it can be solved by only checking SPF records at the first receipt point,
        or by having a smart checker that knows about your forwarding.

        I.e. if Alice is sending to Bob, then there's a point at which the message leaves Alice's control, and enters Bobs.
        Before that point, Alice can adjust her SPF record to include all possible point of egress.
        After that point, Bob needs to check based only on the IP that entered his realm of control.
        This may be hard for Bob to do, or beyond his understanding, but that doesn't mean it's impossible.

        * SPF hijacks existing DNS mechanisms.
        Bullshit. SPF uses TXT records.
        It's even RFC 1464 compliant, so it won't interfere with other TXT records (unless someone's already created the "v" tag)
        It could have been made less likely to collide by using "spf1=" instead, but it doesn't hijack anything.

        * SPF gives ISPs a "lock-in" weapon against their customers.
        This one baffles me.
        If you're using the address bob@example.com, then example.com already has you by the balls.
        If you're using bob@vanitiydomain.tld then you are in control of your own SPF record, and can switch it to anything you like.

        * SPF is useless for several entire classes of people.
        That would be anyone who sends direct-to-mx email from random IPs.
        Those people will have to change.
        Sorry, sucks to be you.

        The percentage of people in this class is very near zero.

        * SPF relies upon DNS for security, but DNS isn't a security service.
        Yeah, so?
        No one said SPF was perfect, they said it was better than what we currently have (nothing.)
        Spoofing DNS, while possible, is considerably harder than forging a from address.
        If this were really a concern, we'd already have adopted one of the many "secure" dns alternatives.

        * SPF is vulnerable to race conditions during database changes.
        Yeah, so?
        So is email in general.

        * SPF creates new categories of third class citizenship.
        Sheese - time to break out the tin foil hat.
        The purpose is to discriminate against people who forge addresses.
        I suppose some people will try and push all kinds of crap into, around, and on to SPF - but it's really innocuous as these things go.

        * SPF doesn't actually address unsolicited bulk mail at all.
        That is correct.
        SPF is a tool against forgeries only.
        It doesn't directly prevent email delivery at all.

        * SPF hands Verisign its next unwelcome "innovation" on a platter.
        If that's the worst thing you can think of for Verisign to do when they have complete control of the DNS system, then I have no respect for your imagination.
        Verisign could create SPF records for existing domains.
        Verisign could make resolving TXT records a "premium" service which costs money.
        Hell, Verisign could just raise the fees for owning a domain name in .com.
        Yes, Verisign is an evil monopoly with near total control over the domain name system, and they can fuck you over at any time.
        Get over it.

        SPF didn't make them that way, nor will it contribute to their general evilness.

        -- should you question authority?
        • I appreciate you taking the time to respond.
        • * SPF is useless for several entire classes of people. That would be anyone who sends direct-to-mx email from random IPs. Those people will have to change. Sorry, sucks to be you. The percentage of people in this class is very near zero.

          I have to send e-mail with my locally installed postfix or with an authenticating third party mail-server when I am on the go, because my employer doesn't offer SMTP services to the outside world. SPF would mean that I'd have to VPN into the lab everytime I want to send

    • Re:Good (Score:2, Insightful)

      by miley (782806)
      How is it MUCH easier to implement? The sender's DNS record is the same. On the receiving end, the difference between the to is parsing headers to find the 'responsible domain.' The hard part of the implementation is writing all that crazy macro language parsing.
  • by Brightest Light (552357) on Friday September 17, 2004 @12:16AM (#10274152) Journal
    It'd been known early on from Microsoft legal that they would "rather see Sender ID die than back down on their patent claims" [oreillynet.com]. Sender ID is going nowhere.
  • by Ayanami Rei (621112) <`moc.liamg' `ta' `imanayar'> on Friday September 17, 2004 @12:17AM (#10274158) Journal
    Publishing SPF records does exactly what AOL needs. Specifically it reduces the number of joe-jobs directed at its clients. As more mail servers are set up to check these records, the better it gets for them.

    What does implementing Microsoft's Caller-ID have to offer in addition to AOL's subscribers?
    • Joe-job fix (Score:3, Interesting)

      Assuming AOL goes the other way (honouring SPF records published by other domains) then that also stops AOL customers receiving job-jobbed emails (at least from SPF publishing domains). And from a personal perspective (as a regular joe-job victim) I would not longer get thousands of "non-delivery" bounces from AOL servers trying to bounce back undelivered email they had accepted from a forged address.

      Having finally persuaded my ISP that = (equals) is a valid character in a TXT record I was able to publish

  • Responsible ISP (Score:2, Interesting)

    by kn64 (471853)
    I think ISP's should take more responsability for their users.

    Obviously the spammers, and DoSers have an ISP, and if their ISP were punished by upstream providers for allowing their network to emit this kind of crap, by blocking them until the problems are solved, maybe they'd use some initiative to solve these problems.

    I do understand that most DoSers are not the fault of the user, but surely the ISP could notify the user, and force them to do something about it.
    • Re:Responsible ISP (Score:3, Informative)

      by Exter-C (310390)
      Over time there has been a serious increase in the amount of liability an ISP can take for thier user base. This works both ways unfortunatly being an ISP is alreaddy a full time job for most companies with thier support staff over worked and thier system administrators working overtime to fullfill often unreasonable expectations of themselves.

      So adding additional work to ISPs will / could often be the straw that broke the camels back. But at the same time I believe the best way to get ISPs working FOR eve
      • This already happens to some extent already. Real time blacklists have driven several badly run ISP's out of business in my area.

        One issue though is that if you push too hard, it will become *impossible* to make it so that an ISP can accept the risk involved in allowing businesses to run servers on their networks.

        There has to be a balance.

        I run my own email servers which are *extremely* secure. Viruses and spam do *not* eminate from my network. But I am lucky enough to find an ISP which is friendly to
  • by deathcloset (626704) on Friday September 17, 2004 @12:19AM (#10274166) Journal
    All these differing approaches to the same problem. It seems to me like trying to shove oatmeal into a sprung leak.

    Maybe it's time to simplify.

    dump email all together in the corporate environment and opt instead for a more secure solution based on PKI or kerberos or any other host of security structure.

    If some contact absolutely needs to receive something via email, no problem. "We will gladly send you an email, but you just can't send us one. Unless, of course, you wish to send it to an employee's private email adress; we don't accept email internally anymore."

    "Sorry mr. corporate contact, you must log in to our site www.dmail.company.com and submit messages that way. We have had too many problems with spam and viruses.

    there is a nice, lightweight client you can install if you don't wish to log in every time."

    It seems to me it wouldn't be that difficult to use a non-email solution for your corporate mailing needs (like the aforementined dmail which i've been hearing so much about), and if another company's IT department can't handle that light technical strain, then it would seem that IT department needs a wake up call.

    where are the flaws in this reasoning?

    • by Sycraft-fu (314770) on Friday September 17, 2004 @12:57AM (#10274311)
      The response will be "Ok thanks, we'll find another vendor".

      Seriously, for the most part in the corperate world, you need to take all reasonable steps to accomadate those you do bussiness with. If you make it a nightmare, people will up and dump you.

      This even applies to the big guys. Friend of mine works for Rainbird sprinklers. They are by far the biggest name in irrigaton equipment and basically anywhere that does home improvement sells Rainbird.... Except for Walmart.

      The reason isn't because Walmart dumped Rainbird but because Rainbird dumped Walmart. Walmart made it very difficiult for Rainbird to do bussiness with them, demanding sacraficies Rainbird didn't want to make so Rainbird finally just refused to sell to them.

      Well if you are a small company, this is even more true. If Altera told Cisco they'd no longer accept e-mail for anything, I imagine all Cisco routers would start including Xylinx FCPGAs instead.
      • Interesting story, however I'd guess that Rainbird is one of the very VERY few companies that can afford to tell Wally World to piss off. Indeed hundreds or thousands more might live and die by "accomodating"
        • Even the big guys have limits on what they can do. Most companies, not being of Walmart's size, can't go as far and need to be more accomadating.

          If you think something like banning e-mail will work for your bussiness, well go ahead and try, but don't be supprised if no one will deal with you.
        • It's sometimes not just about "affording", it can be about channelling energy that could be better channelled elsewhere.

          A friend of mine worked for a food production company and they reached a point where they worked out they were not making enough company for a retailer. They were making a profit, but really, not much of a profit for the hassle required.

          A lot of companies just seek volume - trade with anyone and everyone you can. Sometimes, some customers aren't worth having. The deal with these people

    • where are the flaws in this reasoning?

      You can't talk like this to your business partners (who pay you). When you fight for contracts and sales you can't just tell the customer "contact me only my way, or go away", because the customer will go away.

    • dump email all together [sic] ....
      where are the flaws in this reasoning?


      1) You aren't a businessman. Don't pretend you are, and certainly don't pretend you know how things should be when running one.

      2) Businesses are there to make money. Thus, the cardinal rule of business is... don't say "no" to money. In any form. If you turn away customers by not being available for them, you are, in effect, saying "no" to money.

      Show me that it won't result in having to say "Sorry mr. corporate contact..." and you mi
    • 1. One major problem is that I want all my outgoing e-mail in ONE place (i.e. app). Whatever that is, it has to be easy to search, so I can find out who I told what. If the people I e-mail have got a different system to me, it makes it 100 times (or however many different organisations I contact) harder to sort out.

      2. What you're essentially proposing is a change to the messaging infrastructure, which is probably a big reason for AOLs rejection.

      3. It would restrict communication to some degree (make

  • I may hate AOL... (Score:3, Insightful)

    by Conspiracy_Of_Doves (236787) on Friday September 17, 2004 @12:22AM (#10274181)
    I may hate AOL, but I have to admit that if they aren't going to support it, then Sender-ID is dead.
  • by aaron240 (618080) on Friday September 17, 2004 @12:23AM (#10274184) Homepage
    When will Microsoft just say, "Oh look, honest interoperability is easier than wrestling for control all the time"? Could that happen? It just makes sooo much sense.
  • by Exter-C (310390) on Friday September 17, 2004 @12:34AM (#10274236) Homepage
    In the end no single solution will work unless the vast majority of servers implement and maintain the solution. There is no use if only AOL or MSN implement a solution for spam. they "may" be 40million users or so but i know personally I dont email anyone @aol.com or @hotmail.com because im a geek and I have geek friends with thier own servers. There needs to be a mass adoption of a good standard to make any difference to the spam problem.
  • by maxdamage (615250) * on Friday September 17, 2004 @01:09AM (#10274341) Journal
    Iv never understood the general anti-aol viewpoint of the slashdot community. Think about it, aol allows computer dumb people to use computers. When computer dumb people use the computers two things happen. They break the computers (which gives you a way to get some extra cash) and they eventualy get better at computers, which makes new slashdoters. Im not ashamed to admit that I at one point I used aol, thankfully those times are over...
    • Should have finished my sudorant in the first post... Where is all the antiaolism coming from? I mean AOL is an ISP, nothing more. The big difference is it actualy gives its subscribers more bang for its buck. It allows all those computer dumb people a way to easly get what they want done in a computer dumb way. Is it the same thing as the whole mac bashing phenominon? They do their best to give computer dumb people a way to use computers, comon. Im hoping its not that. Is it the whole aol chat room stigma
      • by Anonymous Coward
        I think it stems from about 10 years ago when AOL first made the Internet available to their N million subscribers. AOL just "opened the door" and let them all out to play with zero training - most didn't even realize they weren't on AOL's servers.

        The result was that literally overnight there appeared thousands of clueless n00bs with @aol.com addresses.

        It made quite an impression at the time, and you're still seeing the fallout today.
  • by erroneus (253617) on Friday September 17, 2004 @01:12AM (#10274347) Homepage
    Well for better or for worse, if AOL rejects it, that's pretty-much it in my opinion. AOL is probably the most well-known email service on the planet. I wouldn't know who is the biggest or best, but AOL has GOT to be the most famous. Microsoft would have done well to court AOL first... oh well. :)
  • Thanks AOL (Score:2, Interesting)

    by King_of_Crunk (763543)
    All I can say is thank God myself as a small webhost is being backed by such an Internet access giant as AOL is.

    I suddenly dont feel so bad for installing AIM to talk to strange women :)

    I feel that what microsoft is looking to punish the witness for what the criminal has done with, although I may be wrong, the intention of profiting off the witness while making the victim feel they, being MS, are trying to helping them out.
  • by ZuperDee (161571) <zuperdee@yaho[ ]om ['o.c' in gap]> on Friday September 17, 2004 @01:45AM (#10274428) Homepage Journal
    Why not use AMTP [bw.org] instead of all these kludgy SMTP extensions/workarounds?
    • by LoadWB (592248) * on Friday September 17, 2004 @02:07AM (#10274502) Journal
      At first glance, I would say because it requires expensive x509 certs signed by a trusted CA. Many people use self-signed certificates because a $29 cert IS too expensive. Even so, sometimes those $29 certs are not as recognized as the $149 Thawte cert. In any case, certificates can be obtained by spammers, so you wind up with authenticated spam.

      SPF provides for a way to make sure the owner of a domain listed in the envelope from address permits the connecting server to deliver email on behalf of that domain. Unless I misread the draft, AMTP seems to rely wholy upon the conversation between the two servers, and a trivial rDNS/fDNS validation.

      I would like to re-read the spec in a better frame of mind. In the meantime, if my initial analysis is incorrect, please correct me.
  • by miley (782806) on Friday September 17, 2004 @01:46AM (#10274432)
    Sender ID and SPF can positively prove that a message came from a domain, but can't prove it didn't come from a domain -- they don't stop forgery. The technologies ignored the fundamental architecture of email (store and forward instead of point to point), and in the process left a glaring hole for spammmers to use. How do you forge an email in the Sender ID/SPF world? You pretend that you forwarded it legitimately. In Sender ID with PRA, the spammer simply adds a Resent-From header. In SPF, the spammer makes the Envelope-From something different than the body From:. Both SPF and Sender ID leave these cases for the spam filters to figure out. If the spam filters can't figure it out today, there is no reason to believe they will figure it out tomorrow. We need a crypto solution to solve this correctly. How is domainkeys doing?
    • DomainKeys has more going for it than Sender ID and SPF, but it GPG solves all the problems that any of the above three do, plus more. It might take a bit of poking about with GPG on the part of a security expert -- adding a class for "authorized for email" and a non-boolean trust metric -- to make it really complete, but a GPG set up in such a manner beats the pants off of DK, SID, or SPF.

      The main problem with GPG is a lack of (a) mail clients using the standard MIME method of sending GPG emails and (b)
  • by necro2607 (771790) on Friday September 17, 2004 @01:49AM (#10274441)
    "America Online Inc. on Thursday shunned a Microsoft Corp. proposal to help weed out unwanted "spam" e-mail because Internet engineers are reluctant to adopt technology owned by the dominant software company."

    What? Since when did AOL reject it just because it's owned by Microsoft?

    Link to the article [yahoo.com]...

    For once AOL does something the media should be praising it for, yet they're practically insulting AOL publically...

    "...would not adopt Microsoft's SenderID protocol because it has failed to win over experts leery of Microsoft's business practices."

    I wonder if I'm the only one getting painfully tired of the way the news media paraphrases and misrepresents peoples'/groups' positions...
    • Another thing, why don't these news agencies provide links to the press releases that the companies/people in question actually wrote themselves?? Are the news agencies afraid readers might actually learn just a little too much about the real story, or something?

      I mean, they can provide friendly little links after each trademark so you can "tell (spam) your friends", but it's too much work to paste a URL that the writer's probably already got open on their screen, eh?
    • Check out your post's inaccurate paraphrasing of the article... The article was written by Andy Sullivan for Reuters -- not Yahoo.
      • I'm aware of that - I had already anticipated that sort of response but figured it was so obvious no one would need to point it out...

        Whether it's Yahoo News, Reuters or CNN (or any other news agency), they all seem to have an amazing inability to just refer to the true source of the news, as though it's somehow required for them to add their own user-friendly "spin" on the story...
  • by h0p (169526) on Friday September 17, 2004 @02:39AM (#10274605)
    <Microsoft> HEY GUYS I GOT THIS NEW THING CALLED SENDER-ID, YOU SHOULD INSTALL IT. ITS GREAT!
    <anonymous> uhm. Isn't this just like SPF, with patents?
    <spf> :o
    <apache-foundation> We aren't doing it.
    <debian> No dice.
    <ietf> Not in its current state.
    <Microsoft> CMON GUYS ITS WICKED. IT WILL STOP SPAMMERS! WE WON'T USE OUR PATENTS WE SWEAR. WE JUST FILED THEM...IN CASE.
    <AOL> UHM. WE'RE NOT DOING IT EITHER.
    <spf> ohh SNAP!
    <ietf> lol
    <apache-foundation> rofl
    <debian> hahahaha
    <Microsoft> I DON'T GET IT.
    <ietf> we know. :/
  • Schizophrenia (Score:4, Interesting)

    by Mike deVice (769602) on Friday September 17, 2004 @02:54AM (#10274652)

    It's hardly surprising that some people aren't sure how to feel about AOL sometimes. On one hand, they adopt IE or kill some promising project and get hisses and boos. On the other, they occasionally support or initiate a nifty open source project, or take a position we're prone to like.

    Seems to me... and I'm hugely guessing here... that there's two factions in AOL to consider. The tech people, and then marketing/legal/etc. The tech people can sometimes (not always) do some stuff that benefits people, and probably mean well in general in any case. As long as something remains under the radar of the rest of AOL's bunch, and/or results in lots of positive P.R., it lives. But if the legal department or someone panics, well... we all saw what happened to Nullsoft's gnutella implementation, initially. And AOL is kinda flip-flopping where Netscape is concerned, I think.

    In this case, the tech guys over there probably pretty much had a lot of sway over the Sender-ID thing. The lawyers, marketing people, et al. have far more important things to worry about, I presume.

    • Re:Schizophrenia (Score:5, Insightful)

      by SenseiLeNoir (699164) on Friday September 17, 2004 @06:05AM (#10275109)
      I do not Understand some of the AOL Bashing that goes on here.

      AOL develops an "Internet Expereince" for computer Newbies, their service is not for experts, and thats it. They DO dumb down their internet, for reason, because thats exactly what their costomers demand.

      The ISP market has a lot of choice, unlike the OS market, and AOL caters for a particular type of market. They are not trying to cater for all users (though their Netscpae Online ISP may be an exception). Those AOL customers whinging that AOL doesnt allow this, AOL doesnt allow that, well thats because what is beign requested is not regarded as important to the average AOL user. The Average usere donesnt know what an SMTP server, iand they do not care about finding out. They just want to send email.

      Those moaning about AOL, are free to switch. The majority CHOSE AOL, and are free to switch. Those non-AOL users who are moaning about AOL, again, whats it to do with you? you dont use their services, so why moan?

      Secondly, that doesnt mean that AOL is titally unfriendly towards techs, though they do that using other "labels". FOr example, they did sponsor Mozilla, and paid the developers to do a great job in creating our browser, and dont say they got a payoff from Microsoft, because if you look at the figures, AOL still made a monatary loss on the whole Netscape/Mozilla thing. However as a result, we have Mozilla.

      When dissolving Netscape, they gave full freedom to Mozilla, transfering copyright, etc. They COULD have been a bitch about it, but they didnt. You can compare their actions to almost like a parent who has a extremely talented child that "outgrew" the rules of the home. Instead of hiding the child, to destroying the child, it let the child go, with some money to help it make its own way.

      Also about Netscape, there are somepeople who do NOT trust Mozilla just yet (my parents). Yet they still trust Netscape. Still providing Netscape (another loss to them) is a good thing.

      ABout Nullsoft, whatever bad people talk about them, they still were instumental in turning WinAMP into a free (price) product. Ok its not Opensource, but at least we can create puligins and stuff easily, without sellign out to the devil, thanks to its fairly open standards.

      I do not recall them going after XMMS either, dispite some similarities between the two.

      AOL is not bad, its just different to what we expect, but its not bad, and i do think some of the bashing here is a little unfair. Save it for MS.
  • Someone here on Slashdot mentioned DomainKeys [yahoo.com] as an antispam solution.

    It won't work!

    Cryptography costs time and money to use! Just look how long it takes to bring up a secured webpage (HTTPS)....

    Now imagine if the entire World Wide Web was that way....

    Not everybody on the internet have the fastest systems available for use. Even then, such systems would be overwhelmed by all the crypto they have to do in order to process email using the DomainKeys system.

    Instead of time consuming crypto, why not use
  • A Flaw in SPF? (Score:2, Insightful)

    by s7uar7 (746699)
    I've just been using the SPF setup wizard [pobox.com] to generate the SPF TXT addition, and it occured to me that this isn't necessarily going to stop Joe Jobs on small companies.

    My domain and mail is handled by my host, with one mail server sending mail for multiple domains (mine and other people who have an account with the host). The reverse DNS lookup for the mail server give the server's name (myhost.com) and not my domain's (mydomain.com) as it's shared, so mail from mydomain.com only has to come from myhost.
  • by ReidMaynard (161608) on Friday September 17, 2004 @06:45AM (#10275172) Homepage
    I instantly visualized two ugly, fat girls, fighting over the last piece of cake.
  • From the horse mouth (Score:4, Informative)

    by gfilion (80497) on Friday September 17, 2004 @07:22AM (#10275233) Homepage
    Here's a statement from Carl Hutzler, Director, AntiSpam Operations, America Online Mail Operations.


    > We do welcome any statements directly from AOL or any network
    > operations group regarding their plans for Sender ID or CSV. However,
    > we ask that they respect the fact that this is a discussion list and be
    > prepared to answer any technical questions that may arise from their
    > statements.
    >
    > -andy, MARID co-chair

    We remain committed to sender identity technologies.

    We intend to begin beta testing SPF on our inbound systems very soon (weeks
    from now). SPF is low hanging fruit that will benefit AOL and many other
    domains although it will not work for 100% of the mail we receive. But it
    will work for >80% of the mail we receive and that is good enough for a
    first strike.

    We also believe that the best way to secure the 822 FROM address is a
    content signing approach which is out of the scope of this working group. We
    hope to see a new group formed to tackle the issues in this arena.
    DomainKeys, IIM and TEOS are all reasonable technologies in this arena. We
    are sure their will be more which is a good thing for a working group :-)

    We remain committed to other IP based approaches and see a lot of benefit to
    the "newer" CSV idea. AOL already gets >85% of our spam from other ISPs main
    outbound MTAs. SPF, SenderID, and Domainkeys will not change that as this
    mail also uses the legit domain of that local ISP in the 821/822 headers.
    CSV and certain best practice documents (BCPs) shift the responsibility to
    the sending organization for the mess they create through their insecure
    networks and insecure practices (like lack of SMTP AUTH of any form, lack of
    any outbound controls, inability to suspend accounts, insecure web servers,
    etc).

    -Carl

    --
    Carl Hutzler
    Director, AntiSpam Operations
    America Online Mail Operations
    cdhutzler@aol.com
    703.265.5521 work
    703.915.6862 cell


    Ref: http://www.imc.org/ietf-mxcomp/mail-archive/msg049 35.html [imc.org]

Only great masters of style can succeed in being obtuse. -- Oscar Wilde Most UNIX programmers are great masters of style. -- The Unnamed Usenetter

Working...