The online unit of media giant Time Warner last week implemented SPF, or Sender Permitted From, an emerging authentication protocol for preventing email forgeries, or spoofing. The trial involves the company's 33 million subscribers worldwide and is the first large scale test for the protocol, which is being considered by standards groups alongside various other email verification proposals.
"Spoofing of email has become a tremendous issue for the industry, and this allows us to help recipients of AOL email to separate the wheat from the chaff," AOL spokesman Nicholas Graham said on Wednesday.
The endorsement of SPF by the world's largest Internet service provider (ISP) could be critical to the evolution of a long-sought email verification standard and could encourage other major email providers to implement it.
Email spoofing is one of the toughest problems that ISPs and anti-spam companies face, largely because Simple Mail Transfer Protocol (SMTP) -- the method for sending email -- offers no widespread means to detect and verify a sender's identity. Junk mailers typically cover their tracks by hacking into unprotected email servers or open relays, or by falsifying names and email addresses in the email sender field.
As a result, some in the industry have called for an overhaul of SMTP, while others have made a case for SPF and similar protocols to compliment the existing system.
There are currently at least two other competing technical specifications to SPF under review by a subcommittee of the Anti-Spam Research Group of the Internet Research Task Force.
Like SPF, Designated Mailers Protocol and Reverse Mail Exchange are designed to change the Domain Name System (DNS) database so that email servers can publish which Internet Protocol (IP) addresses they use to send mail. ISPs receiving email can instantaneously verify whether an email originates from where it says it does.
For example, an email recipient can look at an SPF record from AOL to ensure that email that appears to originate from one of its servers, for example, bob@aol.com, was actually sent from that address. The recipient can do this by using the SPF record to cross check DNS data associated with AOL's IP addresses.
The system, if successful, would protect email servers and individual address owners from having their addresses falsely suspected of sending spam.
Other efforts have already launched to attack the problem, such as the Trusted Email Open Standard. But so far, they have failed to gain widespread adoption.
In addition, AOL last year forged an alliance with Yahoo, Microsoft and EarthLink to develop and eventually implement such anti-spam technologies. While a joint project has yet to materialise, individual members of the group have begun trials with emerging email authentication systems. Yahoo, for example, began backing Domain Keys, which is a system that uses encryption within email to validate that the sender is legitimate.
Yahoo, AOL and other online service providers have been driven to act against spam because of its mounting toll on one of the most popular activities on the Internet -- email. More than 50 percent of email sent today is unwanted junk, according to anti-spam companies, and the spam volume costs mail providers millions of dollars in hijacked bandwidth and storage, as well as defence measures.
Some industry researchers say the SPF protocol is promising but is not ready for prime time. Steven Bellovin, a member of the Internet Engineering Task Force, has said that among other problems, SPF could bind a sender too closely to DNS records, and as a result, their employers or ISPs.
"While big ISPs may like that, it flies in the face of current [American] public policy -- witness local telephone number portability. Ironically, it will also discourage a current anti-spam strategy used by many: throw-away email addresses for particular purposes," Bellovin wrote in an open criticism of the protocol.
In addition, SPF would not affect an increasingly popular method employed by spammers that involves hijacking another computer through a worm in order to launch spam from that machine. In that case, the spam would be coming from a legitimate source, even though the owner may be unaware of it.
AOL's Graham said that the company is testing the protocol and soliciting the anti-spam community for suggestions on how to improve it. AOL tested the system for several days before it re-implemented it last week with technical improvements, he said.
AOL's Graham said that the company is still committed to its anti-spam allegiances with Yahoo and others.
CNET News.com's Paul Festa contributed to this report.
Talkback
AOL are not only filtering 'anonymous' email, but blocking perfectly legitimate mail also. I use Virgin.net and my brother uses AOL.com. I tried sending a message to him about a job vacancy detailed on www.planetrecruit.com, to which we both subscribe. The message was blocked by AOL (actually by NTL on AOL's behalf, I believe) so it didn't get through. Tests showed it was the URL containing the www.planetrecruit.com that was triggering the block. So I could not send a legitimate message to my brother! Sounds a bit fishy to me and smacks of 1984 and all that. Plus, isn't it illegal to block private emails?
I cannot get any mail through to any AOL email address what so ever and I'm fed up of being told my friends don't want me to get in touch with them.
Aol sucks and stinks
If you can't send email then it is usually because you have an open relay on your server. Details of how to be removed from the AOL block list are listed at their website.
http://postmaster.info.aol.com/faq/mailerfaq.html
I am a domestic violence victim. To trace me, my abuser hired a hacker to intercept the transmission of my emails to third parties. I paid thousands of dollars to elude and relocate again and again. I was given misinformation from ISP and anonymous proxy servers that my iP# was private. They failed to disclose that they only mask the ip# while surfing, but not in the header of emails. Encryption email clients that I used failed to disclose that they don't encrypt the ip# in the header of emails. My abuser repeatedly obtained my ip#. For $35 and an ip#, www.abika.com will disclose the physical location of the compute. There are few email clients that offer both anonymity and encryption. ISP should not block anonymous email. The lives of victims should be more important than spam.
Over a dozen states have a Safe At Home Address Confidentiality Program (ACP) for domestic violence victims. I was in enrolled in three: Florida, New Hampshire and California. ACP does not remail packages and does not remail mail from victims. ACP does not provide remailling of emails. I was traced via a postmark on an envelope I mailed to a third party who disclosed the postmark to my abuser.
ISPs need to establish an ACP program for victims if they are going to block anonymous email.
My abuser obtained my ip# from the header of emails his hired hacker intercepted that I sent to third parties. He also hired investigators to wiretap my phone line to ascertain the local access number I was dialling. The other way he traced my isp was via credit card. The AOL CD and Earthlink CD I obtained permitted payment only by credit card. I paid thousands of dollars to attempt to elude and relocate. uently, I paid thousands of dollars to attempt to elude and relocate. My attempts to elude were foiled despite having someone else sign up for me. Why? Because I used my computer.
I signed up with various isp that allowed payment by money order and no credit check. I was traced by going logging on. ISP fail to disclose that they identify their customer's computers by its mac address. Contrary to popular belief, a mac address is not limited to mac computers. Every computer's modem has a mac address. To successfully elude, I was forced to purchase a new mac address by purchasing a $75 modem dialup card.
If I cannot use anonymous email clients to communicate with my family, friends, physicians and attorneys, I will be traced again and again despite purchasing new mac addresses.
By ISPs preventing anonymous email, ISPs will force victims to use email clients that disclose the ip# in the header of emails. This will in turn disclose the mac adddress. This will force victims to repeatedly purchase new mac addresses.
Cyer tracing and cyber stalking victims.
To continue from prior emails, here is no way to mask ip# from ISP or to mask MAC address on modem of computer. I paid a computer repairman who gave me misinformation that firewalls mask ip# and routers have their own mac address so they mask the computer's mac address. After many foiled attemps to elude, I conducted more research. Firewalls do not mask ip# or mac address. Routers do have their own mac address. However, an employee of Verizon DSL informed me that Verizon can ascertain beyond the router's mac address to the mac address of every computer using their DSL regardless whether the computer is owned by their customer or not.
After paying $600 to elude, I was hesitant to use my computer on my new landlord's new Verizon DSL service. My computer had a new mac address and I needed to wait until i knew whether I successfully eluded. It was a great hardship not being able to use my computer.
For instructions on how to trace a ip# see www.158inc.com/documents/traceviaip.html
Tracing someone via IP By Mastermind. A website by an investigator who refersl a service for investigators to resell to trace ip# in header of emails is http://www.pimall.com/services/email.htm.
Many anonymous email clients and encrypted email clients charge and don't accept money orders. Thus, victims cannot sign up anonymously. Abusers hire investigators and skip tracers. They can easily obtain credit card transactions. Obtaining knowledge of the victim's email client renders it easier to obtain their email address. Skip tracers trace more than people who skipped bail. They are just as good at tracing victims as licensed investigators. Outdated federal statute grants anyone the ability to act as a bounty hunter without being licensed by any government agency.
Much private information is resold by companies who resell to investigators and skip traces. An investigator who I hired to give me advice on how not to be traced advised me that they resell unlisted landline phone numbers for $200, cell phone numbers for $35, detailed monthly cell phone bill which discloses city where outgoing calls, voicemail text messaging, wireless internet log on and incoming calls were made for $200, triangle cell phone between two cell towers within 1/2 of a mile for $600. Now that all new cell phones have a gps microchip, traceable within 50 meters, the price has probably been reduced to trace a cell phone. Radio scanner can easedrop on digital cell phone communications.Like in the movie "Enough", my abuser's third party also interferred with the transmission of my cell phone prohibiting me from making calls despite replacing my cell phone approximately 7 times.
Federal statute grants investigators access to anyone's driving records anywhere in the USA. Federal statute does not prohibit investigators from reselling this information to any individual and to companies who can resell it to anyone.
Likewise, corrupt employees of isp could resell the ip#, mac address, local access number and the telephone number their customers are dialing up from to companies who resell this information to investigators and skip tracers.
http://www.klcconsulting.net developed software to alter the mac address. The software is not user friendly. I do not understand how to use the software. I left phone messages with klc consulting, but have not been able to get through. If anyone can easily explain how to use the software, please email at this site. I will look for your email or include your telehone # and i will can you using telephony.
Any software writers reading this, there is a need for a randomly changing mac address software. I don't know whther klc's software does randomly change the mac address or it the software needs to be rewritten. If it doesn't randomly change mac address, can you please write such a software?
Victims of cyber tracing and cyber stalking need to create a website of how to protect ourselv
AOL is filtering email randomly and badly. Legitimate email does not get delivered. Some of it winds up in a "spam folder" - and is then deleted after a number of days. Other items are not even placed in the spam folder. The senders of this email are not told that their mail was not delivered.
Could you imagine if your mailperson decided to filter your mail at home or office, and threw out some of it. Or delivered it to a garbage can whose existence you were unaware of? Then when you finally become aware of what is going on and you complain you are told to check the garbage can routinely and take out what you want and put it in your own mailbox.
It's outrageous. Someone at AOL should be shot for this. We have lost lots of legit business emails (only finding out weeks/months later) and this has cost us thousands of dollars. I hope someone starts a class action lawsuit about this and that some heads roll.
18.11.04 My NTL emails to all my AOL addresses have been delayed or bounced for over a week. NTL Customer Service phoned me this afternoon to say that the new AOL virus and spam filters are also blocking NTL emails. Is there anything that can be done about this??
AOL are a bunch of losers. We get email enquiries from AOL customers all the time about our health products. When we reply they are always bounced back. These are legitimate single emails. AOL uses a third party filtering company that not even AOL customer service people can contact. They arbitrarily filter out entire ISP domains! In our case, www.allstream.net is probably 75% business customers. It's a total joke. Everyone I meet I tell them to stay away from AOL and their discriminatory internet practices.
AOL is bunch of pricks. This must be their new marketing strategy by making life miserable for everone else. Now that dialup is dying, they must fing ways to stay alive by block legite email servers.
Absolutely, since when does a company dicide what we can or cannot read? I am fed up with aol and all the other overzealous spam filtering companies who are suppressing our means of communication. Let me decide what I want to block.
http://Iraqi-Investments.com