AOL Blocked E-mails From MIT Addresses
By Elizabeth G. Zellner
MIT e-mail users may need to take further measures to authenticate their e-mail in the future because many Internet service providers are tightening their control of unsolicited commercial e-mail, or spam.
America Online blocked all e-mail from MIT addresses from Oct. 16 to Oct. 20 because AOL e-mail accounts were receiving too much spam from MIT servers, said former Vice President for Information Systems James D. Bruce.
Jeffrey I. Schiller, network manager for MIT Information Systems, said that AOL changed its spam thresholds on the night of Oct. 16, resulting in a number of previously approved e-mail servers being added to AOL’s blacklist.
Schiller said that AOL has an automated system that decides which mail servers it will accept e-mail from, based on a set of predefined criteria such as complaints received, spam reported, and technical issues.
Spam threshold change to blame
When AOL changed its spam thresholds, a number of mail servers were affected, including MIT’s. All mail servers on the AOL blacklist were then unable to send any e-mail to AOL users, said Schiller.
Information Systems first heard about the block when users began complaining that their e-mail was not getting through to AOL users.
Steps have since been taken to see that MIT was added to a permanent whitelist ensuring that AOL will not put MIT on a full block in the future, said Schiller. In addition, the thresholds for spam were reset to their previous levels because of a large number of complaints by MIT and other blocked servers.
Schiller said that if MIT had not managed to reach someone at AOL who knew the full story, the problem probably would have “disappeared as mysteriously as it started” because of the large number of complaints.
Bruce said the MIT system was especially attractive to spammers because of its large bandwidth. Many MIT mailing lists included AOL addresses and thus spam sent through these mailing lists created heavy loads of MIT spam on the AOL server, causing AOL to implement the block.
For its part, MIT agreed to take measures to tighten its e-mail security to make it less susceptible to spammers.
Representatives of AOL did not return repeated requests for comment.
I/S planning switch to SMTP
Theresa M. Regan, director of the Office of Computing Practice, said that Information Systems is planning to implement Simple Mail Transfer Protocol, or SMTP, authentication.
SMTP authentication checks whether the address sending the mail is a legitimate MIT address before sending the e-mail. Thus, in order to send mail with SMTP authentication, a spammer would need legitimate Kerberos credentials, said Schiller.
Regan said that the process to implement SMTP authentication is in the beginning stages right now.
“We don’t want to inconvenience anyone in the MIT community,” said Regan. “So far it looks good and promising.”
Previously, MIT had not implemented security on e-mail that came from MIT servers. Many spammers took advantage of the openness of the e-mail system and used it to send spam mail.
Outlook, Eudora users affected
SMTP authentication is not the default setting for most e-mail clients, though it is possible to configure the current clients to send e-mail with SMTP authentication.
Regan said that Outlook users will be affected by the change, and Eudora users will have to upgrade to version 5.2. Webmail users will not be affected, she said.
“Athena users are affected and the Athena release engineering team is working on developing and deploying a solution,” Regan said.
Schiller said that as an incentive for users to switch to SMTP authentication, Information Systems is beginning to route secure and insecure e-mail through different servers. Users who are not routed through the secure servers may have some of their e-mail blocked by more selective Internet service providers.
MIT addresses blocked by others
AOL is not the first company to block MIT e-mail addresses. Rather, the block is one major event in an ongoing problem.
MIT addresses have been identified as known spammers on the Open Relay Database, a non-profit organization that stores the Internet Protocol addresses of verified SMTP relays.
System administrators can enable real-time checking against this list and choose whether to accept or deny e-mail exchange with servers at these addresses.
However, Schiller said that the database is “so finicky and blocks so much valid e-mail” that it is rarely used and thus it had no effect on the MIT e-mail security policy.
Marissa Vogt contributed to the reporting of this story.