Forgot your password?
typodupeerror
America Online Spam

AOL Will Not Support Sender-ID 269

Posted by CowboyNeal
from the yet-another-one dept.
DominoTree writes "America Online said Thursday that it will not support the Microsoft-backed antispam technology called Sender-ID. The online giant cited 'lackluster' industry support and compatibility issues with the anti-spam technology SPF that AOL supports."
This discussion has been archived. No new comments can be posted.

AOL Will Not Support Sender-ID

Comments Filter:
  • by chrispyman (710460) on Friday September 17, 2004 @12:00AM (#10274072)
    I find it quite amusing on how AOL is sometimes caught sleeping with Microsoft (like IE in AOL) yet other times it pretty much pretends like they want nothing to do with them. You'd think that AOL is big enough to where they can honestly tell Microsoft to "Shove It" without any big consequences.
  • What? (Score:5, Interesting)

    by dtfinch (661405) * on Friday September 17, 2004 @12:02AM (#10274090) Journal
    I thought AOL loved blackholing everyone's email from the outside. It already happens over half the time that I reply to an email tech support request from an AOL member. They say I'm not in their address book, so I can't respond despite them having contacted me first.
  • by Chuck Bucket (142633) on Friday September 17, 2004 @12:04AM (#10274096) Homepage Journal
    From reasons of lack of support and lack of backward compatibility. Wow, AOL was (is?) paying attention:

    "The online giant cited "lackluster" industry support and compatibility issues with the antispam technology SPF, or Sender Policy Framework, that AOL supports.

    AOL's moves come days after the Internet Engineering Task Force standards body voted down the Sender ID proposal. The IETF said Microsoft's decision to keep secret a patent proposal for the technology was unacceptable. Open-source groups also pulled their support of Sender ID, claiming its licensing restrictions were too strict. AOL agreed with the IETF fallout and added its own reasoning.

    "AOL has serious technical concerns that Sender ID appears not to be fully, backwardly-compatible with the original SPF specification--a result of recent changes to the protocol and a wholesale change from what was first envisioned in the original Sender ID plan," AOL spokesman Nicholas Graham wrote in an e-mail."

    CB_===__-8a90fuds76
  • by Three Headed Man (765841) <dieter_chen@yahoo . c om> on Friday September 17, 2004 @12:06AM (#10274108)
    They really can't. They're just rejecting one technology. If they were to integrate Mozilla into AOL 10, then I'd start to agree with you more.
  • Responsible ISP (Score:2, Interesting)

    by kn64 (471853) on Friday September 17, 2004 @12:19AM (#10274161)
    I think ISP's should take more responsability for their users.

    Obviously the spammers, and DoSers have an ISP, and if their ISP were punished by upstream providers for allowing their network to emit this kind of crap, by blocking them until the problems are solved, maybe they'd use some initiative to solve these problems.

    I do understand that most DoSers are not the fault of the user, but surely the ISP could notify the user, and force them to do something about it.
  • by deathcloset (626704) on Friday September 17, 2004 @12:19AM (#10274166) Journal
    All these differing approaches to the same problem. It seems to me like trying to shove oatmeal into a sprung leak.

    Maybe it's time to simplify.

    dump email all together in the corporate environment and opt instead for a more secure solution based on PKI or kerberos or any other host of security structure.

    If some contact absolutely needs to receive something via email, no problem. "We will gladly send you an email, but you just can't send us one. Unless, of course, you wish to send it to an employee's private email adress; we don't accept email internally anymore."

    "Sorry mr. corporate contact, you must log in to our site www.dmail.company.com and submit messages that way. We have had too many problems with spam and viruses.

    there is a nice, lightweight client you can install if you don't wish to log in every time."

    It seems to me it wouldn't be that difficult to use a non-email solution for your corporate mailing needs (like the aforementined dmail which i've been hearing so much about), and if another company's IT department can't handle that light technical strain, then it would seem that IT department needs a wake up call.

    where are the flaws in this reasoning?

  • by nlinecomputers (602059) on Friday September 17, 2004 @12:25AM (#10274196)
    SPF marks email so that when you get an email that claims it is FROM an AOL member you can tell if it really does or not. It will not prevent AOL from getting Spam but it will prevent you from getting it from AOL or disguised as coming from AOL.

    And this doesn't prevent Spam. It prevents job jobs. If a spammer is willing to ID the domain his mail comes from and not spoof he can Spam you all he wants. Course with a legitimate domain name/IP# you can blacklist him too.
  • by dozer (30790) on Friday September 17, 2004 @12:34AM (#10274232)
    Too bad it appears under the icon for MSN...

    MSN is tied into the OS in a bunch of other places too ("You're running Outlook for the first time! Would you like to set up a free MSN account?").

    Making deals with Microsoft is hard.
  • Re:as a sys admin (Score:4, Interesting)

    by Anonymous Coward on Friday September 17, 2004 @12:49AM (#10274286)
    Speaking as a sys admin myself, I've been on the flip side. They can be real bitches when you get tagged as a spammer by their system.

    It took me about a month to get myself straight after I'd been blacklisted. They also "removed" the blacklist, and said it was IP-based, but intermittent errors would pop up for weeks afterwards. joeluser@myhost could send to AOL, but janeluser@myhost could not.

    BTW, google for "Jason Smathers" if you want to see how effective they've been.
  • Re:as a sys admin (Score:2, Interesting)

    by Exter-C (310390) on Friday September 17, 2004 @12:55AM (#10274303) Homepage
    Ive been on both sides of the issue as well. We changed the names and IPs of our servers. It was the only fast way around it at that time.

    Its not always AOL as a company or as sys admins as its also the users hitting the "this is spam" button... even when its clearly not.
  • by Sycraft-fu (314770) on Friday September 17, 2004 @12:57AM (#10274311)
    The response will be "Ok thanks, we'll find another vendor".

    Seriously, for the most part in the corperate world, you need to take all reasonable steps to accomadate those you do bussiness with. If you make it a nightmare, people will up and dump you.

    This even applies to the big guys. Friend of mine works for Rainbird sprinklers. They are by far the biggest name in irrigaton equipment and basically anywhere that does home improvement sells Rainbird.... Except for Walmart.

    The reason isn't because Walmart dumped Rainbird but because Rainbird dumped Walmart. Walmart made it very difficiult for Rainbird to do bussiness with them, demanding sacraficies Rainbird didn't want to make so Rainbird finally just refused to sell to them.

    Well if you are a small company, this is even more true. If Altera told Cisco they'd no longer accept e-mail for anything, I imagine all Cisco routers would start including Xylinx FCPGAs instead.
  • by bill_mcgonigle (4333) * on Friday September 17, 2004 @01:04AM (#10274327) Homepage Journal
    Who uses AOL to make this worth it? I wouldn't mind seeing AOL be a spam magnet. Why? I don't use it, morons do. If you won't get a decent ISP or email, I think you bring spam upon yourself.

    Lots of those 'morons' are customers so people need to send mail to AOL.

    Reading between the lines it's only a matter of time before AOL stops accepting mail from domains that don't publish SPF records. They already reject mail if your reverse DNS doesn't resolve. They're publishing their own too:
    host -t txt aol.com
    aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
    Good for them.
  • Re:The Problem? (Score:3, Interesting)

    by caseih (160668) on Friday September 17, 2004 @01:04AM (#10274329)
    The problem is that MS's terms for licensing their patents to specification implementors specifically forbids any use by GPL or similarly free licenses. See the GPL is MS's biggest enemy and they are trying to kill it on every front. For example, it is against the licensing conditions of Visual Studio 7 to produce GPL'd software with it. How did they manage this? By introducing a new standard C runtime library, MSVCR71.dll, which can only be distributed under MS' terms. Oh. And it won't be distributed with the OS anymore, so anyone using VC7 is forced to comply with the licensing terms of the runtime itself.

    So the problem with patents is that MS *is* starting to mobilize them as offensive weapons against open source in general, and the GPL specifically.
  • Thanks AOL (Score:2, Interesting)

    by King_of_Crunk (763543) on Friday September 17, 2004 @01:33AM (#10274400) Homepage
    All I can say is thank God myself as a small webhost is being backed by such an Internet access giant as AOL is.

    I suddenly dont feel so bad for installing AIM to talk to strange women :)

    I feel that what microsoft is looking to punish the witness for what the criminal has done with, although I may be wrong, the intention of profiting off the witness while making the victim feel they, being MS, are trying to helping them out.
  • by miley (782806) on Friday September 17, 2004 @01:34AM (#10274404)
    IETF really screwed themselves with this post. The patents were posted today by the patent office. http://www.imc.org/ietf-mxcomp/mail-archive/msg048 44.html and http://appft1.uspto.gov/netahtml/PTO/search-bool.h tml and type 684020 for Application Serial Number in field1. Now the IETF engineers have to pretend they are patent lawyers. Of course they couldn't have said that they were rejecting it because people didn't like the license -- the license does all the things that the IETF requires.
  • by miley (782806) on Friday September 17, 2004 @01:46AM (#10274432)
    Sender ID and SPF can positively prove that a message came from a domain, but can't prove it didn't come from a domain -- they don't stop forgery. The technologies ignored the fundamental architecture of email (store and forward instead of point to point), and in the process left a glaring hole for spammmers to use. How do you forge an email in the Sender ID/SPF world? You pretend that you forwarded it legitimately. In Sender ID with PRA, the spammer simply adds a Resent-From header. In SPF, the spammer makes the Envelope-From something different than the body From:. Both SPF and Sender ID leave these cases for the spam filters to figure out. If the spam filters can't figure it out today, there is no reason to believe they will figure it out tomorrow. We need a crypto solution to solve this correctly. How is domainkeys doing?
  • by necro2607 (771790) on Friday September 17, 2004 @01:49AM (#10274441)
    "America Online Inc. on Thursday shunned a Microsoft Corp. proposal to help weed out unwanted "spam" e-mail because Internet engineers are reluctant to adopt technology owned by the dominant software company."

    What? Since when did AOL reject it just because it's owned by Microsoft?

    Link to the article [yahoo.com]...

    For once AOL does something the media should be praising it for, yet they're practically insulting AOL publically...

    "...would not adopt Microsoft's SenderID protocol because it has failed to win over experts leery of Microsoft's business practices."

    I wonder if I'm the only one getting painfully tired of the way the news media paraphrases and misrepresents peoples'/groups' positions...
  • Re:Better Solution (Score:5, Interesting)

    by LoadWB (592248) * on Friday September 17, 2004 @01:52AM (#10274455) Journal
    I have seen this comment pop up many times, but no one has yet to submit an operable recommendation on how SMTP could be updated to remain a user-to-server and server-to-server protocol without tossing the entire system and saying "nuts" to any semblence of remaining compatible. Therefore, this arguments seems completely flat.

    The only partially useful modification is some form of authentication which would certify the origin of the SMTP connection. Just as I can telnet to a POP3 server and make it think I am a real POP3 client, an end user can make an SMTP server believe it is another server.

    SPF offers a sleek way of authorizing what machines may deliver mail on behalf of a domain. I could trivialize it by comparing it to a domain owner-controlled authentication system for emails without requiring a central authentication repository or authority.

    What is wrong with this implementation? Can you suggest a modification to SMTP that will acheive similar or better results? If not, then drop your argument, that stick, and step back from the dead horse.
  • by miley (782806) on Friday September 17, 2004 @02:03AM (#10274488)
    Check out your post's inaccurate paraphrasing of the article... The article was written by Andy Sullivan for Reuters -- not Yahoo.
  • by 0x0d0a (568518) on Friday September 17, 2004 @02:39AM (#10274603) Journal
    DomainKeys has more going for it than Sender ID and SPF, but it GPG solves all the problems that any of the above three do, plus more. It might take a bit of poking about with GPG on the part of a security expert -- adding a class for "authorized for email" and a non-boolean trust metric -- to make it really complete, but a GPG set up in such a manner beats the pants off of DK, SID, or SPF.

    The main problem with GPG is a lack of (a) mail clients using the standard MIME method of sending GPG emails and (b) lack of a good trust mechanism.
  • Schizophrenia (Score:4, Interesting)

    by Mike deVice (769602) on Friday September 17, 2004 @02:54AM (#10274652)

    It's hardly surprising that some people aren't sure how to feel about AOL sometimes. On one hand, they adopt IE or kill some promising project and get hisses and boos. On the other, they occasionally support or initiate a nifty open source project, or take a position we're prone to like.

    Seems to me... and I'm hugely guessing here... that there's two factions in AOL to consider. The tech people, and then marketing/legal/etc. The tech people can sometimes (not always) do some stuff that benefits people, and probably mean well in general in any case. As long as something remains under the radar of the rest of AOL's bunch, and/or results in lots of positive P.R., it lives. But if the legal department or someone panics, well... we all saw what happened to Nullsoft's gnutella implementation, initially. And AOL is kinda flip-flopping where Netscape is concerned, I think.

    In this case, the tech guys over there probably pretty much had a lot of sway over the Sender-ID thing. The lawyers, marketing people, et al. have far more important things to worry about, I presume.

  • by mikefe (98074) <mfedyk@mik[ ]dyk.com ['efe' in gap]> on Friday September 17, 2004 @03:36AM (#10274773) Homepage
    Damn, does that mean AOL has nine class C ip address blocks they send email from? (look at the previous post -- there are 5 /24 entries and two /23 (which are two class C networks) entries).

    That's a max of 2,277 outgoing mail servers!
  • by iamcf13 (736250) on Friday September 17, 2004 @03:52AM (#10274824) Homepage Journal
    Someone here on Slashdot mentioned DomainKeys [yahoo.com] as an antispam solution.

    It won't work!

    Cryptography costs time and money to use! Just look how long it takes to bring up a secured webpage (HTTPS)....

    Now imagine if the entire World Wide Web was that way....

    Not everybody on the internet have the fastest systems available for use. Even then, such systems would be overwhelmed by all the crypto they have to do in order to process email using the DomainKeys system.

    Instead of time consuming crypto, why not use fast, simple, effective spam filtering like my approach. [cf13.com]

  • Joe-job fix (Score:3, Interesting)

    by waynemcdougall (631415) <slashdot@codeworks.gen.nz> on Friday September 17, 2004 @04:27AM (#10274909) Homepage
    Assuming AOL goes the other way (honouring SPF records published by other domains) then that also stops AOL customers receiving job-jobbed emails (at least from SPF publishing domains). And from a personal perspective (as a regular joe-job victim) I would not longer get thousands of "non-delivery" bounces from AOL servers trying to bounce back undelivered email they had accepted from a forged address.

    Having finally persuaded my ISP that = (equals) is a valid character in a TXT record I was able to publish my own SPF records.

    Based on a sample size of 1 I'd like to suggest that spammers don't joe-job domains with restrictive SPF records. That makes sense. We already know spammers know about (and use) SPF records. It make sense for them not to use a domain that will be blocked by any SPF aware mail recipient.

    The fantastic news for me is that instead of 8,000+ bounces from joe-jobs flooding my mail server each day (imagine how many more emails are delivered or blocked by spam filters), since publishing my SPF records that has completely stopped.

    Why am I such a target? I notice that the more often I report to SpamCop the more often I am targetted, but the heavy waves seem to have coincided with increased awareness of an anti-spam SMTP filter I wrote. I guess my work got noticed. Just a guess though.

  • by lifer_red (724134) on Friday September 17, 2004 @04:47AM (#10274952)

    1. One major problem is that I want all my outgoing e-mail in ONE place (i.e. app). Whatever that is, it has to be easy to search, so I can find out who I told what. If the people I e-mail have got a different system to me, it makes it 100 times (or however many different organisations I contact) harder to sort out.

    2. What you're essentially proposing is a change to the messaging infrastructure, which is probably a big reason for AOLs rejection.

    3. It would restrict communication to some degree (make it harder), and better communication = more trade.

    4. I don't want to have to run 15 different lightweight clients and remember how to use all of their interfaces individually etc!

    However, to develop your idea, you _could_ feasibly do something similar, but instead of requiring an entirely new interface, you could require your contact to digitally sign all future correspondence. This does at least fit into existing systems, while still allowing accurate filtering.

  • by 16K Ram Pack (690082) <tim.almond@g[ ]l.com ['mai' in gap]> on Friday September 17, 2004 @05:41AM (#10275066) Homepage
    You are right, they don't back down, but some ideas do seem to fizzle out.

    One I've noticed recently - I've hardly seen an obvious FrontPage site in months. Either people who started building websites which look less "frontpage like" or it's not being used as much.

    Is there anyway to calculate the level of Frontpage usage?

  • by Anonymous Coward on Friday September 17, 2004 @07:30AM (#10275251)
    What does make a site obviously "frontpage like"? I'm curious to know if I've come accross one.
  • by Jussi K. Kojootti (646145) on Friday September 17, 2004 @07:54AM (#10275306)
    One I've noticed recently - I've hardly seen an obvious FrontPage site in months. Either people who started building websites which look less "frontpage like" or it's not being used as much.

    Not necessarily related, but the last version of FP is a lot better than the previous ones - I guess the MS Frontpage team got tired of being the laughing stock of the web dev community...

  • Re:What? (Score:3, Interesting)

    by gellenburg (61212) <george@ellenburg.org> on Friday September 17, 2004 @08:40AM (#10275481) Homepage Journal
    I've got to disagree with you on the whole C/R thing.

    Probably since I employ it (ASK, http://www.paganini.net/ask/ [paganini.net]) behind some bayesian filters (ASSP, http://assp.sourceforge.net/ [sourceforge.net]). Considering that my domain receives thousands of UCE/UBE each day, I have no choice but to take militant actions.

    ASSP automatically whitelists everyone I mail to, and sets the TTL to 90 days. So any reply is going to be automatically accepted by ASSP.

    ASK on the other hand is set that if my "key" (in this case, my PGP Key ID) appears anywhere in a message to me, it blindly accepts it.

    Considering that my PGP key appears in every one of my messages, as part of my signature, this isn't usually a problem.

    The problem lies in the fact that certain CRM applications like Kana, etc., insist on changing the from-line for each message they send out, and don't include the original message in the reply. How the hell am I supposed to know which address to whitelist when it comes from something like: ?

    I consider THAT to be a broken CRM.

    Simply closing a ticket without working on it shows poor customer service on your part, and you're not helping your company much by doing so.

    How many potential customers have been told by your customers that your company/ service sucks because tech support or customer service was unresponsive?

To be awake is to be alive. -- Henry David Thoreau, in "Walden"

Working...