It’s actually been a while since the issue was "resolved", I just haven’t had a
chance yet to post back on it. Now though, it’s snowing outside (in spring), I
have a hot mug of coffee, and my cat is sleeping on the recliner instead of my
keyboard. Let’s get started. First, let’s have a look at AOL’s DNS to see how
they’ve done fixing it up.
$ dig -t txt aol.com
...
;; ANSWER SECTION:
aol.com. 1942 IN TXT "v=spf1 ptr:mx.aol.com include:spf.constantcontact.com include:aspmx.sailthru.com include:zendesk.com ~all"
aol.com. 1942 IN TXT "spf2.0/pra ptr:mx.aol.com include:spf.constantcontact.com include:aspmx.sailthru.com include:zendesk.com ~all"
...
It looks like they’ve certainly thoroughly updated their DNS. In application,
their fix should prevent folks from being able to spoof legitimate AOL
accounts, but that’s actually only because of their vendors having their DNS
configured properly. To be extra clear, the reason the problem is fixed is not
because AOL has actually implemented a solid fix. As mentioned earlier in
the technical version section, there are four qualifiers for the trailing
all mechanism, and AOL chose to use the ~, a soft fail. This will still not
disown non-AOL servers sending mail as AOL. It will only "raise suspicion"
for those emails. However, thanks to their vendors knowing what they’re doing
(aspmx.sailthru.com at least), their SPF records actually end with a -all, or
a hard fail.
To give a simple overview of how AOL’s DNS works now, they basically include
all of their vendors’ SPF records in their own SPF record. That means that if
any of their vendors break their own DNS to allow anyone to spoof the vendor,
the "spoofers" can also spoof AOL users because AOL’s DNS is including the
vendor’s bad DNS configuration. In this case though, one of AOL’s vendors
(aspmx.sailthru.com) ends with a -all, causing AOL’s DNS configuration to
be secure because one of their vendors made an alright decision in their
configuration. Dear AOL…
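As an added example (not code from the original post), here is a small SPF evaluator in Python run over constructed TXT records shaped like AOL’s, so you can see what ~all versus -all returns for an unlisted sender and how include actually behaves. One caveat worth knowing: per RFC 7208 section 5.2, an include contributes a match only when the included record evaluates to pass; a -all inside the vendor’s record does not make the parent record fail, so the parent’s own ~all still decides the outcome for senders that are in neither list. The flip side, which the post describes, does hold: a vendor publishing +all hands out a pass through the include. All domain names and addresses below are made up (RFC 5737 documentation ranges); ptr, a and mx mechanisms need live DNS and are treated as non-matching here.

```python
"""Minimal SPF evaluator: ip4/ip6, include and all, with the four qualifiers.

Constructed example; not a full RFC 7208 implementation (no ptr/a/mx/exists,
no macros, no DNS lookups).
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups. Hypothetical domains modelled on
# the shape of the aol.com record quoted above.
DNS_TXT = {
    # parent with a soft fail, like aol.com
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:vendor.test ~all",
    # same parent but with a hard fail
    "example-hard.test": "v=spf1 ip4:192.0.2.0/24 include:vendor.test -all",
    # a vendor that did it right
    "vendor.test": "v=spf1 ip4:198.51.100.10 -all",
    # a vendor that lets anyone send as them
    "vendor-open.test": "v=spf1 ip4:198.51.100.10 +all",
    # parent that includes the broken vendor
    "example-badvendor.test": "v=spf1 ip4:192.0.2.0/24 include:vendor-open.test ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for sender `ip` claiming to send as `domain`."""
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    if depth > 10:  # RFC 7208 s.4.6.4 caps DNS-causing terms; keep it simple
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a bare address gets an implicit /32 or /128
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # RFC 7208 s.5.2: include matches only when the included record
            # yields "pass". fail/softfail/neutral inside it just mean "no
            # match", and evaluation continues with the next term up here.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            # ptr/a/mx/exists need live DNS; treated as non-matching here
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no trailing all (RFC 7208 s.4.7)


if __name__ == "__main__":
    stranger = "203.0.113.5"  # an IP in nobody's SPF record
    for dom in ("example.test", "example-hard.test", "example-badvendor.test"):
        print(f"{stranger} as {dom}: {check_host(stranger, dom)}")
    print(f"vendor IP as example.test: {check_host('198.51.100.10', 'example.test')}")
```

Running it, the stranger gets softfail from example.test even though vendor.test ends in -all, fail from example-hard.test, and pass from example-badvendor.test because the open vendor’s +all leaks through the include. The vendor’s own IP passes through the include as intended.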
One final thing to note regarding the remainder of the breach. AOL
has confirmed that there was indeed a security breach wherein the attackers
gained access to users’ complete address books (email addresses, names, physical
mailing addresses, etc.) as well as encrypted security questions/answers and
encrypted passwords (gosh I hope they mean hashed instead of encrypted
passwords). I hope that AOL comes out with a detailed report as to how the
attackers gained access to their systems. Given their mishap with DNS (benefit
of the doubt), I hope the hack on their servers wasn’t nearly as obvious. Also,
I’d like to know for my own edification. Due to this leak, I have begun
receiving an increased amount of non-AOL spam, as if my email address was
released to more spammers. Thanks AOL. I guess though that it was bound to
happen sometime by someone. Why not AOL? At least I got to learn
how to set up a spam filter for Exim.