AOL Mail locks down email servers to deal with spam tsunami

If you've been getting a lot of spam from AOL emails recently it's not because you've fallen into a time rift and it's the nineties all over again – the company has confirmed that it has been under an intensive spoofing attack. The problems started three days ago when large volumes of email, apparently from AOL Mail's servers …

COMMENTS

This topic is closed for new posts.
  1. jonfr

    Getting spammed

    I've been getting a lot of spam in recent days. They are not from AOL but rather spam-bot registered domains that have no function and no content. The IP address range also suggests a new spam bot network that is currently working overtime pumping out spam emails.

    1. Anonymous Coward
      Anonymous Coward

      Re: Getting spammed

      Who on earth are AOL?! Never heard of em.

      1. Captain Scarlet Silver badge
        Childcatcher

        Re: Getting spammed

        AOL used to make cup mats, in fact best I ever used.

        They should send some more out.

      2. Anonymous Coward
        Anonymous Coward

        Re: Getting spammed

        AOL was "Assholes On Line" if I remember my 1990s acronyms correctly.

        1. TheVogon

          Re: Getting spammed

          Surely it was "Army of Lamers" ?

  2. Grikath

    Wait a moment...

    AOL still *exists*?!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Wait a moment...

      People still use AOL???

  3. Shannon Jacobs
    Holmes

    NONE of them are serious about fighting spammers

    If they were, then they would give us effective tools to help disrupt the spammers' business models. If the spammers weren't making money, then they would stop spamming. More concretely, if they knew that a particular email service or provider was going to disrupt their scams, then they would stop using and abusing that email system.

    Imagine that ANY of the big email services offered an integrated anti-spammer system. The obvious design would involve several iterations of analysis and confirmation. Basically, it would allow you to donate a bit of your time and human intelligence to target ALL of the spammers' infrastructure, pursue ALL of the spammers' accomplices, and even help and protect ALL of the spammers' victims. The victims even include the email system itself, and the various corporations whose reputations are abused by the spammers. Less spam = more value for the entire Internet.

    I'm NOT saying that we can convert the spammers into decent human beings. These vicious sociopaths can only be moved under less visible rocks. I'm NOT saying that everyone has to help in fighting the spammers. I'm just saying that there are a LOT of people who dislike spam and only a few suckers who are feeding the spammers. If ANY of the major email providers made it somewhat easier, then the spammers would be more effectively cut away from their money and they would look for 'better' scams.

    One concrete example that especially annoys me: Link shorteners. Easy cure: After a few people have confirmed that the link is a spammer, then the link would be locked down and repointed. Rather than pointing at the website where the spammer is waiting for victims, it would point at some website that would warn or scare the potential victims. The spammers' bait would become poison to the spammers' own scams--but you need some humans in the loop to help out. I don't mind if you want to be a free rider. I'm one of the folks who wants to ride the spammers--all the way into the dirt.

    1. ammabamma
      Meh

      Re: NONE of them are serious about fighting spammers

      > After a few people have confirmed that the link is a spammer, then the link would be locked down and repointed. Rather than pointing at the website where the spammer is waiting for victims, it would point at some website that would warn or scare the potential victims. The spammers' bait would become poison to the spammers' own scams--but you need some humans in the loop to help out.

      Interesting plan, but this is where it all falls down. Just off the top of my head I can think of the following issues:

      1. How do you authenticate the humans helping out?

      2. How do you verify that the site in question is in fact a spam site?

      3. Who makes the rules for the spam/no spam decision?

      4. Who makes the rules to amend those rules?

      5. How do you prevent malicious/mischievous users from gaming the system and marking legitimate sites as spam and spam sites as legitimate?

      In the end would it be any faster than the spam site take-downs already in place?

      1. Shannon Jacobs
        Holmes

        Human intelligence still has some value

        It's really hard to take seriously anyone who defends the spammers. The best possible interpretation is that you're some kind of religious fanatic with "Live and let spam" as one of your commandments. I could answer each of your objections in some detail, except that it's obvious that if you actually read what I wrote (and I have to doubt that), then you certainly didn't think about it.

        Just for the sake of illustrating why it is better to say nothing when you have nothing to say, let me spend a few seconds to consider your first "thoughtful" objection (all sarcasm intended). Do you understand the word "integrated"? Evidently not, so let me explain that word in the original suggestion. Because the system I proposed would be integrated into the email system, the authentication is exactly the same as that which applies to each user of the email system. I will go even farther and say that a good (as distinct from a minimally competent) implementation would consider the history of the reporter. An additional hedge in the particular paragraph you mentioned was "few", but I've already wasted far more keystrokes than your minimalist comment deserved.

        Instead, I'll throw out another example for consideration. This one is slightly more complicated, so please don't strain yourself. Just a caution judging by your previous reply...

        Recently I received a notification from American Express warning me about a new security problem. There was only one minor problem there. I am not now and have never been a customer of American Express.

        This was a quite beautifully done phishing scam. I spent several minutes studying the masking, but I acknowledge that it was done at a level I could not unravel. The cover letter was doing some highly clever JavaScript manipulation, probably playing with the DOM tree, and the main body was actually an embedded and encoded HTML webpage that was intended to run locally. As paranoid as I am, there is some chance I could have clicked on the trigger, especially if it turned out that I was an actual customer of American Express.

        With the anti-spammer mechanism that I am suggesting, the first round of analysis would flag it as a phishing scam, but a later round of analysis should escalate that report to a fairly high level of seriousness. I'd even want to believe that American Express might want to initiate countermeasures to protect their actual customers.

        However, it could go even farther than that. What if the spam included valid personal information? In that case, there might be an actual breach of the company's servers and the actual customers may be part of the mechanism to alert the authorities.

        I'm not saying we can create a perfect world free of spam. I'm saying that spammers (and to a lesser degree, the spam-loving defeatists) deserve a full load of trouble, and I'm eager to help pile it on top of them.

        1. Stevie

          Re: Human intelligence still has some value

          "It's really hard to take seriously anyone who defends the spammers. The best possible interpretation is that you're some kind of religious fanatic with "Live and let spam" as one of your commandments. I could answer each of your objections in some detail, except that it's obvious that if you actually read what I wrote (and I have to doubt that), then you certainly didn't think about it."

          It's even harder to take seriously anyone who blithely tosses off an "easy fix" that demonstrably isn't going to be very easy at all to implement, then responds to adult point-by-point criticism of the idea with that paragraph of froth.

          Actually, most of the points raised by that poster *on the subject of your "easy fix to short-links idea" were thoughts that crossed my mind too. I don't think that his/her bullet points have equal weight or equal threat (drawing a line in the sand as to what is and isn't spam is not so very hard), but having been the one who missed the staff meeting and therefore got volunteered to pull similar rabbits out of the hat a few times in my thirty plus years in IT, I think that you'd have a much harder time "answering in some detail" than you think.

          But if you want to have a go for real, I'll read what you have to say.

          1. Shannon Jacobs
            Holmes

            Re: Human intelligence still has some value

            So are you [Stevie] a spammer or spammer's sock puppet? Or just another loser? The reason I offered the 'kindly' suggestion that the first spammer defender might be a religious fanatic is because that is actually the category of non-economic spam that I think would be relatively difficult to deal with.

            As regards your [Stevie's] reading comprehension problems, I am NOT saying that it would be easy or a trivial thing. I am saying that focusing more efforts on the money side of the spammers' motivations would significantly deter the spammers, reduce the amounts of spam below the current "Live and let spam" levels, and thereby increase the value of email in particular and the value of the Internet in general.

            One aspect of human intelligence is adaptability. ANY effective spam-fighting system has to have room for "Other" or "None of the above" options because the spammers are always going to look for new tricks and scams. I understand that you [Stevie] are probably a loser or quitter (since the spammers are probably too busy spamming to read the Register) and that you accept the spammer's economic argument, which is basically that the marginal cost of another million spams is approximately zero. I prefer the search for a constructive solution focusing on the imbalance between the small number of suckers and the large numbers of people who could stop the suckers--if they had better tools to do so.

            Near as I can tell, there are two reasons why spam continues to be a problem. I've already mentioned the sociopathy of the spammers. The other is defeatist and passive attitudes of people who can't actually imagine doing anything to make the world better.

            (So why don't I do more? Not much of an excuse, but I judge my situation is that I'm sort of locked into a good job that is already helping to make the world better in a different area. If I only had additional time and resources, then I'd gladly tackle this project, too, but...)

            1. jake Silver badge

              Strangely enough, Shannon (was: Re: Human intelligence still has some value)

              AOL has been doing exactly what you are asking for since the late 1990s or early 2000s. Get spam, hit the "this is spam" button. It seems to actually work, to a degree.

              How do I know? I've had an AOL email account from the QLink days. It's the only commercial email account I've ever had that refuses to die. It's supposedly been deleted a dozen(ish) times since 1989. I stopped trying to nuke it in 2004.

              These days, I only use it for two things: It's the account I used to register here on ElReg, and occasionally I get contacted by someone from back in the old days.

              1. Shannon Jacobs
                Holmes

                Re: Strangely enough, Shannon (was: Human intelligence still has some value)

                That is called adaptive Bayesian filtering, and it is pretty much the standard technology used by all of the large email systems.

                The main technical problem is the tradeoff between false positives and false negatives. Essentially there is a limit where you have to trade one kind of mistake for the other. The large-volume email services are able to drive the total error rate below 1%, but the exact value depends on the volume of email and the creativity of the spammers, which is the main human problem (assuming you are willing to grant human status to the spammers, which I sometimes wonder about). In brief, the spammers are constantly studying how to make their spam look like ham.

                However, my focus is on the economic problem, and from that perspective, the bottom line is that the spammers can clearly live with the filtering. Their profits are still high enough to motivate a whole lot of spam going on, as the song goes. I don't really monitor Microsoft's email these days, but based on Yahoo in two countries and Gmail, the spammers must be making most of their money on false negatives, so the spammers' current weakness is not the filtering, but the delay time before the human victims can respond, either to websites (often via link shorteners) or email dropboxes.

                Filtering has pretty much reached its limits, and we're not going to abandon SMTP, either. It's not that there is a magic solution that will permanently cure the problem, but we need a more adaptive and evolving mechanism.
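The false-positive/false-negative tradeoff and the "this is spam" feedback loop discussed in this exchange can be seen in a small word-count Bayes filter. This is an added example, not part of the thread and not any provider's actual filter; the messages, function names and thresholds are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed training mail: (label, text).
TRAIN = [
    ("spam", "cheap pills online order now"),
    ("spam", "win money now click link"),
    ("spam", "order cheap watches click now"),
    ("ham", "meeting notes attached for monday"),
    ("ham", "please order lunch for the meeting"),
    ("ham", "click the link in the notes for monday"),
]
# Constructed evaluation mail; DISGUISED is spam padded with ham-like words.
DISGUISED = "notes for monday click link for cheap pills"
EVAL = [
    ("spam", "cheap watches order now"),
    ("spam", DISGUISED),
    ("ham", "lunch meeting monday"),
    ("ham", "please click the link to order"),
]


def report(model, label, text):
    """Fold one labelled message into the model (the 'this is spam' button)."""
    counts, docs = model
    docs[label] += 1
    counts[label].update(text.split())


def train(samples):
    model = ({"spam": Counter(), "ham": Counter()}, Counter())
    for label, text in samples:
        report(model, label, text)
    return model


def spam_probability(text, model):
    """Naive Bayes with add-one smoothing, computed as log odds."""
    counts, docs = model
    vocab = len(set(counts["spam"]) | set(counts["ham"]))
    n_spam = sum(counts["spam"].values()) + vocab
    n_ham = sum(counts["ham"].values()) + vocab
    log_odds = math.log(docs["spam"] / docs["ham"])
    for word in text.split():
        p_spam = (counts["spam"][word] + 1) / n_spam
        p_ham = (counts["ham"][word] + 1) / n_ham
        log_odds += math.log(p_spam / p_ham)
    return 1 / (1 + math.exp(-log_odds))


def error_counts(threshold, model, samples):
    """Return (false_positives, false_negatives) at a given spam threshold."""
    fp = fn = 0
    for label, text in samples:
        flagged = spam_probability(text, model) >= threshold
        fp += int(flagged and label == "ham")
        fn += int(not flagged and label == "spam")
    return fp, fn


if __name__ == "__main__":
    model = train(TRAIN)
    for t in (0.05, 0.5, 0.95):
        print(t, error_counts(t, model, EVAL))
    print("disguised before report:", round(spam_probability(DISGUISED, model), 3))
    report(model, "spam", DISGUISED)
    print("disguised after report: ", round(spam_probability(DISGUISED, model), 3))
```

Lowering the threshold catches the disguised message only by flagging more legitimate mail; a user report shifts the score for that wording without moving the threshold.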

            2. Stevie

              Re: Human intelligence still has some value

              "So are you [Stevie] a spammer or spammer's sock puppet??"

              You forgot to ask when I stopped beating my wife.

              Sorry. I thought you were an actual systems engineering sort of person with actual ideas on how to get stuck in based on real world know-how and an in-depth understanding of how the internet works and why it works that way.

              I don't have much time for "ideas men/women" or "big picture types". We have too many of them already, as a quick audit of the number of multi-million credit, multi-year aborted system rewrites in the news in the last five years can prove to anyone with the perspicacity to understand what that is saying to them.

              Engineers do. Star Trek script writers talk about doing. Politicians and other idiots think Star Trek is real.

  4. CrosscutSaw

    Lock down?

    They should just shut them down. Who uses AOL anymore?

    1. Anonymous Custard

      Re: Lock down?

      Talktalk's email system sits atop AOL's (you can log into it via their own website or AOL's). Any email that gets delivered to talktalk also sits in an AOL mirror, and can be read/deleted etc separately.

      Whether that makes the situation better or worse I'll leave as an exercise to the reader (speaking as a Talktalk customer who uses the AOL version sometimes as a failsafe backup if I've deleted an email that I then need again).

  5. Anonymous Coward
    Anonymous Coward

    Those who still use this service...

    ...Deserve it! How is this shower still going? How can a company f**k up this bad and still keep customers?! It's amazing...

    1. Ole Juul

      Re: Those who still use this service...

      I would personally never use any such service, but the people who do so deserve better. Many have had the same address for years and don't know a practical way to change. The fact that many of them don't have a clue doesn't mean that the company shouldn't look after them. In fact, quite the contrary.

    2. jake Silver badge

      @AC (was: Re: Those who still use this service...)

      "How can a company f**k up this bad and still keep customers?!"

      I have an AOL account. I am not a customer. I haven't paid money since the QLink days. It's the only commercial account I have ever had that refuses to die.

    3. barque

      Re: Those who still use this service...

      AOL has been surviving by making its numbers look better via layoffs. At this point they have laid off so many people that the few that remain are vastly overworked, and things like this have a much greater impact than they once did. If AOL management had any sense - and that is debatable - they would stop trying to sell kidneys to survive. Instead they pay astronomical salaries to the top execs, who can't come up with a coherent strategy. It's a bit like watching a few rich land barons climb over the dead bodies of their people to grab that one last payoff.

  6. Tree
    Coat

    AOL is better than Google

    America On Line does not track you and sell your information to all kinds of weirdos like Gurgle does. This is clearly not an intentional loss of your privacy, but a screwup.

    1. Shannon Jacobs
      Holmes

      Re: AOL is better than Google

      I sometimes have dinner with an old acquaintance and coworker who 'defected' to google. In one of our discussions he (accidentally) caused me to realize that their current motto is "All of your attentions are belonging to the google."

      Having said that, I have to disagree with the post because AOL sincerely wishes that they could do what the google is doing. The underlying business models are pretty much equivalently evil, but the google wins and profits on the execution. Economic success requires both an effective business model and effective implementation. Good quality software from the user's perspective is much less important... The technologies are morally neutral, as the poor joke goes.

    2. Crisp

      Re: America On Line does not track you

      Would you be interested in buying a bridge?

      1. Fatman

        Re: America On Line does not track you

        Would you be interested in buying a bridge?

        or swampland in Florida???

    3. Blackbird74

      Re: AOL is better than Google

      "America On Line does not track you and sell your information to all kinds of weirdos like Gurgle does."

      Yes they do. They have used behavioural targeting (including predictive analytics) through internal systems and external third-parties for many years. No better than any of the others.

      (Edit: typo)

  7. pierce
    Mushroom

    yup. all 7 of the AOL subscribers on one of my email lists got shut out the other day by dmarc policy p=reject.

    so now, yahoo and its clients (att, and all the former babybell legacy domains), hotmail, AND AOL have effectively banned email list servers. "Why, fewer than 2% of our 300 million email users post to mail lists, who cares about those 5 million people!"

  8. Hans 1

    Now this is strange, only yesterday was I handed back a Harry Potter DVD with the following on the back:

    AOL keyword "Harry Potter"

  9. Fonant
    Unhappy

    Website contact forms too.

    Also affects web forms that use the person's entered email address as a simple "From:" address for the message sent out from the web server. If that address is @ a domain that has a strict DMARC policy then mail servers that check DMARC (e.g. Google) will block the messages from being delivered.

    The fix seems to be to use an address belonging to the website for the "From:" address, and adding the person's email address as a "Reply-to:" field. Logically this is more correct, as the email is indeed being sent from the website, but does want the reply to go direct to the person who filled in the form.

    This does mean, of course, that quite possibly the vast majority of website contact forms no longer work for people with @yahoo.com and @aol.com email addresses (and other domains that use these services).
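The contact-form change described in the comment above, as an added example that is not part of the original post: the failing pattern next to the site-owned "From:" plus "Reply-To:" form, with a simplified DMARC check to show the difference. The example.org addresses, the policy table and all function names are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumptions: the site owns example.org and its outgoing mail passes
# SPF/DKIM as example.org.
SITE_FROM = "webform@example.org"
SITE_AUTH_DOMAIN = "example.org"
# Constructed stand-in for looking up each domain's _dmarc TXT record.
DMARC_POLICY = {"aol.com": "reject", "yahoo.com": "reject"}


def clean_address(raw):
    """Validate the visitor-supplied address before it reaches a header."""
    addr = raw.strip()
    # Embedded CR/LF would let form input smuggle in extra headers.
    if any(ch.isspace() or ord(ch) < 32 for ch in addr):
        raise ValueError("whitespace or control character in address")
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and "." in domain) or "@" in local:
        raise ValueError("not a usable email address")
    return addr


def build_message(visitor_addr, body, spoof_from=False):
    """Build the form mail; spoof_from=True reproduces the failing pattern."""
    visitor = clean_address(visitor_addr)
    msg = EmailMessage()
    if spoof_from:
        msg["From"] = visitor  # the site claims to be the visitor's domain
    else:
        msg["From"] = formataddr(("Website contact form", SITE_FROM))
        msg["Reply-To"] = visitor  # replies still reach the visitor
    msg["To"] = "owner@example.org"
    msg["Subject"] = "Contact form message"
    msg.set_content(body)
    return msg


def from_domain(msg):
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def dmarc_disposition(msg, authenticated_domain=SITE_AUTH_DOMAIN):
    """Simplified receiver decision: the From: domain must match (or be a
    subdomain of) the domain that passed SPF/DKIM, else its policy applies.
    Real receivers compare organizational domains via the public suffix list."""
    fdom = from_domain(msg)
    aligned = (fdom == authenticated_domain
               or fdom.endswith("." + authenticated_domain))
    if aligned:
        return "deliver"
    return "reject" if DMARC_POLICY.get(fdom) == "reject" else "deliver"


if __name__ == "__main__":
    for spoof in (True, False):
        m = build_message("alice@aol.com", "Hello", spoof_from=spoof)
        print(m["From"], "->", dmarc_disposition(m))
```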

  10. Dr Who

    All the signs are that this is not simple spoofing

    I've been getting spam from AOL users. But it's from people I know and the other addresses on the recipient list are to their genuine contacts. This means their account has been compromised in some way rather than straightforward (and far less serious) spoofing of their email address to send to random recipients.

    1. AJ MacLeod

      Re: All the signs are that this is not simple spoofing

      Yes, I've seen this too over the past week and a bit. Changing the account passwords hasn't made any difference and there's never any spam in their sent folders so I'm not too sure exactly what's been happening.

  11. Anonymous Coward
    Anonymous Coward

    1995

    Those were the days... When internet still was innocent and the viruses could only do so much damage.

  12. Anonymous Coward
    Anonymous Coward

    Block'em.

    incoming mail from @aol.com - blocked.

    outgoing mail to @aol.com - blocked.

    Sorted. Never had problems with spam from them since '95.

    I used to have a collection of CD-aka-cupholders from them, which makes THEM the spammers. No serious business would use AOL, but we warned our clients and providers that we didn't receive or send AOL mail, just in case.

  13. Where not exists

    Regular user

    I'm a regular user of the service. Why? Because the spam blocking is much better than I've found elsewhere. I had been an AOL customer in the mid-90s but got turned off by their failure to block spam. I went to Yahoo and found them to be even worse. I tried Brightmail for a time but found it cumbersome. After that I latched onto Mailblocks which had the right amount of control. In time the company was bought by AOL, so I ended up where I started, but with much better spam blocking. (This is often confirmed by what shows up on my Blackberry but not in my AOL inbox.)

    The thing I find odd though is that nobody is having this conversation about spam from Yahoo or Hotmail accounts, which occurs routinely. One friend had her Yahoo account hacked twice in two weeks. Generally I can expect to receive spam like the item displayed in the related article, from at least one Yahoo user on a monthly basis. Does this not get discussed about the other providers because it happens so routinely?

  14. Stevie

    Bah!

    With all this hate-on for AOL, the company that *really* got the US population en-masse interested in going on-line for fun and profit, I hope we can extend the same "old and therefore defunct and detestable" labeling convention to CompuServe and that jit who keeps trying to tell me how to pronounce "gif".

  15. Trev 2

    AOL probably don't have anyone forwarding mail from say x@domain.com to y@aol.com because in my experience it takes a single AOL end user two clicks of the "spam" button for the entire forwarding server IP to be dropped into a blackhole pretty much forever. Reading lots of forums over the years, this has been happening for many years.

    If mailing lists are still getting through I am *very* amazed as their policy seems to be block everything, deny it's an AOL issue and then AOL subscriber will hopefully not be clued up enough to realise they're lying.

    @AC regarding blocking AOL...did that years ago and no one seemed to notice. :)

    1. Where not exists

      @Trev 2

      Yes, the spam blocking can be a little over-eager. It is trainable however, but it does take some effort, that is you have to log on to your account and flag the items as not spam. I think that whitelisting is supported, but I seldom log on directly, so I'm not sure. (I mostly use a desktop client or a Blackberry.) And occasionally it is so eager that unexpected mail is vaporized without a trace (although I may have noticed it on the BB before it went poof). On the whole though I find it gives me a good balance of delivering the mail I want while blocking the annoyances, while sometimes forcing me to retrieve desired mail from the spam folder.

  16. NileH

    AOL... It's the Model-T Ford of the Internet age: the vehicle that worked, and got the whole of America on the highway.

    ...Good enough to get the masses mobile, but you wouldn't call it 'good' today.
