[afnog] Re: AOL rejecting hosts with no rDNS?

Alan Barrett apb at cequrux.com
Tue Jun 29 12:58:58 EAT 2004


On Tue, 29 Jun 2004, Brian Candler wrote:
> Sure. In other words, that restricts the range of domains which a
> spammer can use for forged envelope senders, but it's only a minor
> inconvenience to the spammer.

Yes, it's a minor inconvenience to the spammer, at first.  It becomes
incrementally more difficult for the spammer if more people publish
and use SPF records.  It might be a significant convenience to the
now-less-easily-forgeable domain.

SPF is not advertised as a solution to spam.  Well maybe you have raised
that as a straw man to shoot down, but no SPF proponents have done so
(as far as I am aware).  It's supposed to help a little, against some
kinds of spam, and I think it will do that.

> In the very best case scenario: all mail sent via AOL will end up with
> @aol.com on the end of the MAIL FROM address. You won't be able to
> distinguish AOL spam from AOL non-spam.

If AOL doesn't care about AOL spam, then this makes no difference.  If
AOL does care about AOL spam (and I think that they do), then this
will be better than today's situation, because when you get spam
purporting to be from user at aol, it will be more likely to really be from
AOL, and AOL will be better able to cancel the spammers' accounts.

> > Since this is (hypothetically) going through AOL's relays, AOL can
> > impose much stricter limits than are implied by the SPF records.
> 
> Well, they can. But then they will break me (B.Candler at pobox.com), who
> has a legitimate address which I want to use.

If you as an AOL customer want them to allow you to send mail from
B.Candler at pobox.com, then ask them.  If they refuse to implement the
necessary policy database, then cancel your AOL account, or submit
your mail directly to pobox.com's servers (using whatever tunneled and
authenticated mechanisms pobox.com sets up), or tunnel your mail through
a server you control.

If you as a pobox.com customer want them to have SPF records that allow
you to send mail via an AOL dialup IP address, then ask them (BTW, SPF
is sufficiently flexible to allow per-user SPF records, and you could
even use DNS dynamic update to change them on the fly).  If they refuse
to implement the necessary modification to the way they publish SPF
records, then cancel your pobox.com account, or submit your mail in a
way that pobox.com permits.

Their server, their rules.  As a customer of both AOL and pobox.com, you
have to comply with the intersection of both their policies.  Yes, the
existence of SPF might encourage them to make policy changes that make
the intersection smaller, and that will probably inconvenience you, but
you should be able to work around it.

> Then, when I roam to a different ISP, I will need to re-register my
> address in *their* local policy database, and so on.

Sure.  Or tunnel, or whatever.

> However, there are much simpler and far more effective ways of
> reducing joe jobs.

Quite likely.

You seem to be saying "SPF is not a solution to the spam problem", and I
agree.

I am not sure if you are saying "SPF will not help at all against any
kinds of spam", but if you are, then I disagree.

You also seem to be saying that the existence of SPF records will make
life more difficult for you, and I see your point, but I think that what
will really make your life more difficult will be policy changes on the
part of your IP connectivity provider, your mailbox provider, and the
recipients of your email.  These policy changes are reactions to the
spam problem, and only loosely correlated with the existence of SPF.

--apb (Alan Barrett)
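The two mechanisms the thread argues about, an SPF record that narrows the envelope-sender domains a forger can use, and the per-user (and per-IP) records Alan says SPF is flexible enough to express, can be seen in a small evaluator. The following is an added example, not code from the afnog thread or from any SPF implementation; the domains, addresses and the in-memory "DNS" tables are constructed for the example, and only the ip4, include, exists and all mechanisms of RFC 7208 are implemented.

```python
import ipaddress

# Constructed in-memory stand-in for DNS TXT lookups. Every domain and
# address below is made up for this example (documentation/test ranges).
FAKE_DNS_TXT = {
    # The connectivity provider's relays: one address block may send.
    "example-isp.test": "v=spf1 ip4:192.0.2.0/24 -all",
    # The mailbox provider: accept the ISP's relays, plus per-user,
    # per-IP registrations expressed with RFC 7208 macros (%{i} = client
    # IP, %{l} = local part of MAIL FROM). Adding one A record under
    # _spf.example-mailbox.test (e.g. by dynamic update) registers one
    # user at one sending address without touching the TXT record.
    "example-mailbox.test": (
        "v=spf1 include:example-isp.test "
        "exists:%{i}.%{l}._spf.example-mailbox.test -all"
    ),
}

# Constructed A records consulted by the exists: mechanism.
FAKE_DNS_A = {
    "198.51.100.7.alice._spf.example-mailbox.test": ["127.0.0.2"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macros(term, ip, sender):
    """Expand the handful of SPF macros this example supports."""
    local, _, domain = sender.partition("@")
    return (term.replace("%{i}", ip)
                .replace("%{l}", local)
                .replace("%{d}", domain)
                .replace("%{s}", sender))


def check_host(ip, domain, sender, txt=FAKE_DNS_TXT, a=FAKE_DNS_A, depth=0):
    """Evaluate a minimal SPF subset (ip4, include, exists, all) for one
    client IP, the domain whose record is being read, and the MAIL FROM
    address. Returns an SPF result string as RFC 7208 names them."""
    if depth > 10:              # cap include: recursion, as real checkers do
        return "permerror"
    record = txt.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = (addr.version == 4 and
                       addr in ipaddress.ip_network(arg, strict=False))
        elif name == "include":
            # include: matches only if the included domain's policy passes
            target = expand_macros(arg, ip, sender)
            matched = check_host(ip, target, sender, txt, a, depth + 1) == "pass"
        elif name == "exists":
            # exists: matches if the expanded name has any A record
            matched = bool(a.get(expand_macros(arg, ip, sender).lower()))
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"            # nothing matched and no 'all' term


def check_spf(ip, sender):
    """Check a MAIL FROM address against the SPF record of its domain."""
    return check_host(ip, sender.rpartition("@")[2], sender)


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "alice@example-mailbox.test"),
                       ("198.51.100.7", "alice@example-mailbox.test"),
                       ("198.51.100.7", "carol@example-mailbox.test"),
                       ("203.0.113.9", "bob@example-isp.test")]:
        print(f"{sender} from {ip}: {check_spf(ip, sender)}")
```

Run as a script, the first two cases pass (one through the ISP's relay block via include:, one through alice's per-IP registration via exists:), while carol from the same address and bob from an unlisted address hit -all and fail. That is the point of the exchange above: the record does not identify spam, it only makes "alice@example-mailbox.test" unusable as a forged envelope sender from anywhere the mailbox provider has not listed.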
