[Asrg] SPF, was where the message

[John Glube]

> >They're using it for whitelisting purposes instead of its nominal
> purpose?
> >That's exactly what I'm discussing.
> 
> Every once in a while, AOL fetches the SPF records for senders in
> their whitelist, crunches them to get a set of IP addresses, and then
> puts those IP addresses into their whitelist.  AOL's whitelisting
> process is based on IPs, with the SPF bit merely being a cheap way for
> senders to tell AOL what IPs they use.  They do not use SPF
> per-message, nor as far as I can tell do they make any attempt to
> match up the bounce address on incoming mail to the domain from which
> they got the IP in the whitelist.
> 
> > I think SPF has a bad reputation in some quarters because people
> > think of how it breaks forwarding (etc).
> 
> It could be somewhat useful for whitelisting some kinds of mail.  Too
> bad it's been so egregiously oversold.
> 

Up until the Spring of 2008, AOL was using SPF to
check what AOL called the "SPF_helo" and the
"SPF_822_from." 

We know this because the following headers were
observed in FBL data:

X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo: n

X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : n

("n" indicated the test failed. "y" indicated the
test passed.)

My understanding is that the "SPF_helo" check was
based on the perceived value of CSV and that the
"SPF_822 from" was part of the overall effort in
deciding whether to incorporate SID checks. It
was presumed that the data was also used as part
of the reputation analysis that AOL was running
on incoming mail.

I do not know whether AOL is still running these
checks. Investigation shows that AOL dropped the
X-AOL-Scoll-Authentication header sometime in the
summer of 2008.

My recollection from discussions with a former
AOL postmaster shortly after the collapse of
MARID is that AOL felt running an SPF_helo and
SPF_822_from check would be useful information as
part of the overall process of detecting and
blocking the "low hanging" spam.

John Glube