AOL imposes stricter email rules to stem spoofing attack

AOL instructs mailbox providers to reject any email allegedly associated with an AOL domain that didn't originate from an AOL server.

Steven Musil Night Editor / News

Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.

Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.

See full bio

Steven Musil

April 22, 2014 10:07 p.m. PT

2 min read

AOL is imposing a stricter email-validation process aimed at stamping down a massive spoofing attack that has plagued users for the past couple of days, the company said Tuesday.

Following a similar move by Yahoo earlier this month, AOL changed its DMARC policy to "reject," meaning that a line of text has been added to its DNS record instructing mailbox providers to reject any email allegedly associated with an AOL domain that didn't originate from an AOL server. Although the header of a spoofed email has been specially crafted to make it appear the message originated from a specific AOL email address, it in fact never crosses AOL's servers.

The change to the email authentication system comes after three days of users complaining of emails that appear to originate from AOL users that contain links to sites with often nefarious intentions such as spreading malware or peddling diet pills.

"This helps to protect AOL Mail users' addresses from unauthorized use," AOL said in a blog post that noted it will also have an unintended impact on some legitimate email senders, such as bulk senders acting on the behalf of AOL addresses.

"We recognize that some legitimate senders will be challenged by this change and forced to update how they send mail and we sincerely regret the inconvenience to you," AOL said in a statement.

The policy change makes it easy for mailbox providers to determine which emails are fakes, but the situation is not always so obvious for email users. Concluding that their accounts had been compromised, many AOL Mail users have taken to Twitter to complain with bewilderment that changing their passwords has not stemmed the tide of spam that appears -- at least to those people on their contact list -- to originate from their account.

However, AOL's email headache may extend beyond spoofing, with some news outlets reporting that some AOL email accounts have been hacked. CNET has contacted AOL for comment and will update this report when we learn more.