From list-managers-owner Fri Dec 1 23:37:32 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id XAA00130; Fri, 1 Dec 2000 23:09:04 -0800 (PST)
Received: from plaidworks.com (plaidworks.com [209.239.169.200]) by honor.greatcircle.com (Postfix) with ESMTP id AB9CB17E8C for ; Fri, 1 Dec 2000 23:08:57 -0800 (PST)
Received: from [209.239.169.197] (a197.plaidworks.com [209.239.169.197]) by plaidworks.com (8.10.1/8.10.1) with ESMTP id eB27bl212976 for ; Fri, 1 Dec 2000 23:37:48 -0800
Mime-Version: 1.0
Message-Id:
Date: Fri, 1 Dec 2000 23:41:16 -0800
To: list-managers@greatcircle.com
From: Chuq Von Rospach
Subject: FYI - home.com
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

Just FYI -- we probably all know home.com's been flaky recently. For the last couple of hours, it's been barfing seriously. I'm seeing a large stream of mail being bounced with host-not-found errors from inside their SMTP system, so they're seriously unhappy.

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

The vet said it was behavioral, but I prefer to think of it as genetic. It cuts down on the liability -- Get Fuzzy

From list-managers-owner Sat Dec 9 00:08:43 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id XAA17088; Fri, 8 Dec 2000 23:49:17 -0800 (PST)
Received: from plaidworks.com (plaidworks.com [209.239.169.200]) by honor.greatcircle.com (Postfix) with ESMTP id E883F17EAF for ; Fri, 8 Dec 2000 23:49:10 -0800 (PST)
Received: from [209.239.169.197] (a197.plaidworks.com [209.239.169.197]) by plaidworks.com (8.10.1/8.10.1) with ESMTP id eB98J3218345 for ; Sat, 9 Dec 2000 00:19:03 -0800
Mime-Version: 1.0
Message-Id:
Date: Sat, 9 Dec 2000 00:22:39 -0800
To: list-managers@greatcircle.com
From: Chuq Von Rospach
Subject: Is mailback validation still safe?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

I somewhat hesitate to bring this up, but I heard of another situation today that seems to fit in, and I think it's time to raise the issue.

I'm beginning to think that mailback validation as an anti-spam technique has been beaten. Worse, I think there are now spam systems written that will beat them in an automated way.

I will say up front I don't have a smoking gun. If and when I find one, I'll say so. But I'm now beginning to think the spammers have figured out how to beat mailbacks.

Someone we know runs a list on egroups. Twice today he was spammed by the porn spammers -- from subscribed accounts. This isn't the first time I've heard of this in the last few weeks, but he's someone I know runs a pretty clean ship. To get hit by two separate porn spammers on the same day, in independent attacks, that raises a real warning flag, because where the porn spammers innovate, everyone else follows.

In the last few years, there have been some significant, fundamental changes in the internet (duh). Now that I've spent a few hours thinking like a spammer, I realize these changes make it trivial for a *smart* spammer with some basic resources to circumvent mailbacks. Here's how:

First, you get access to some domains -- the key to mailbacks is that you have to have physical access to the mailback address to finish the confirmation. In today's internet, however -- that isn't a big deal. You register one for yourself, hook yourself up using dynamic DNS while attached via PPP to UUnet or one of the ISPs, and you have a fully functional mailserver. Or if you prefer, simply break into some lameoid's home machine sitting on a cable modem and borrow imstupid.org while he's not paying attention. Either way, you now have a spammer with a set of available domains, which he's either bought, borrowed or stolen, and access to the return mail sent to those domains.

This spammer's built a validation-bot. It's fed a list of mailing lists, and it spends all of its time figuring out what MLM it uses (not hard), and subscribing accounts to them. It can send the appropriate subscribe messages, read the confirmations, and send appropriate confirmations. Even better, if the MLM supports nomail, you turn off deliveries, so you don't run the risk of inbound e-mail alerting anyone on imstupid.org (if you think about it, the only thing that has to be on imstupid.org is a set of aliases forwarding to your real machine, and only for the period of time you're setting up the subscriptions. If you're real lucky, you find out you can hack their DNS and set up really.imstupid.org, and send EVERYTHING offsite).

The spammer lets his bot run for a while, and tracks the database with which address is subscribed to which list. He can even subscribe multiples from multiple domains if he wants, and let them lie fallow. When you block off one, it falls back and sends from the next.

He now owns your list, at least until you figure out what's going on and nuke the subscribed address. But if you think about it, once that validation handshake is complete, there's never ANY further validation. So he can set up temporary shop, validate to his heart's content, and then later on, after all the temporary stuff is safely hidden away, spam from anywhere, safely. Because he knows the address that will get him on the list.

If this is true, and it's beginning to look like egroups is a target of one attack, and I've heard rumors of some mailman lists being hit as well, then lists that depend on mailback validation have a problem. And I think there's been a feeling that mailbacks are the one true way of validation to the point where there hasn't been much (if any) thought about improved techniques or alternatives. And if I, having spent four hours on the "how would I do this?" train of thought can find a fairly easy-to-implement design, so can those that aren't so pure of heart and don't say their prayers at night.

This isn't something the "buy a CD for $200" lameoid spammers can do (but I'll bet a really good spammer could build a system to do it that's turnkey. There's enough wide open hardware out on the net, especially overseas, that you could get a good 6 month run before enough stuff shut you down to make it not worth it...), but the porn spammers and gambling spammers and the spammers for hire? It's perfect for them.

I've felt for a while that the list community was way too comfortable with mailbacks as "safe and unbeatable". I'm now seeing what I think is evidence that this is no longer true. And I'm afraid that because we have sat back and not innovated here, we're going to end up behind the eight ball. And I don't see any easy answers if I'm right -- only that if I am wrong, I won't be wrong forever.

So I'm throwing it to the list, to see if there's information others have that might corroborate what I think I'm seeing (that you may not have realized for what it might be), or to poke holes in my analysis, or to start thinking of how to deal with it.

There I go, being a troublemaker again... (grin, sort of)

thoughts?

chuq

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.
From list-managers-owner Sat Dec 9 04:34:54 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id EAA23155; Sat, 9 Dec 2000 04:23:41 -0800 (PST)
Received: from smtp2.vnet.net (smtp2.vnet.net [166.82.1.32]) by honor.greatcircle.com (Postfix) with ESMTP id B20C717EAF for ; Sat, 9 Dec 2000 04:23:35 -0800 (PST)
Received: from katie.vnet.net (katie.vnet.net [166.82.1.7]) by smtp2.vnet.net (8.10.1/8.10.1) with ESMTP id eB9CvFv03761; Sat, 9 Dec 2000 07:57:16 -0500 (EST)
Received: from localhost (murr@localhost) by katie.vnet.net (8.9.3+Sun/8.9.1) with ESMTP id HAA29754; Sat, 9 Dec 2000 07:57:15 -0500 (EST)
Date: Sat, 9 Dec 2000 07:57:14 -0500 (EST)
From: murr rhame
To: Chuq Von Rospach
Cc: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Sat, 9 Dec 2000, Chuq Von Rospach wrote:

> Someone we know runs a list on egroups. Twice today he was
> spammed by the porn spammers -- from subscribed accounts.

If the mailing list or site is a big enough target, and you're able to create an account to process mail-back validations, there's no reason why you couldn't automate a fake validation return process for spamming.

> First, you get access to some domains...

If they use the methods you mentioned, your only defense would be to blacklist the offensive domains. I can think of a more sinister way to validate using domains that most people wouldn't want to block.

> He now owns your list, at least until you figure out what's
> going on and nuke the subscribed address. ...

On my lists, he would have to submit a few on-topic posts for manual approval before he sent his spam.

> So I'm throwing it to the list, to see if there's information
> others have that might corroborate what I think I'm seeing
> (that you may not have realized for what it might be), or to
> poke holes in my analysis, or to start thinking of how to
> deal with it.

Your analysis looks reasonable at first glance. As you mentioned, most spammers aren't sophisticated enough to implement the system you propose.

Also, some states have written anti-spam laws with teeth. See www.suespammers.org. One fellow in Colorado claims to have collected $13k from spammers (money in hand, not just court awards).

- murr -

From list-managers-owner Sat Dec 9 08:04:50 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id HAA24656; Sat, 9 Dec 2000 07:52:54 -0800 (PST)
Received: from plaidworks.com (plaidworks.com [209.239.169.200]) by honor.greatcircle.com (Postfix) with ESMTP id A31D517EAF for ; Sat, 9 Dec 2000 07:52:49 -0800 (PST)
Received: from [209.239.169.197] (a197.plaidworks.com [209.239.169.197]) by plaidworks.com (8.10.1/8.10.1) with ESMTP id eB9GMn226044 for ; Sat, 9 Dec 2000 08:22:49 -0800
Mime-Version: 1.0
Message-Id:
Date: Sat, 9 Dec 2000 08:26:25 -0800
To: list-managers@greatcircle.com
From: Chuq Von Rospach
Subject: more on mailback issues.
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

Something that came up on the mailman list...

At 3:09 AM -0600 12/9/00, Christopher Lindsey wrote:

> Yes, this has definitely been troublesome. I've blocked many
> commercial sites like findmail.com (egroups) and remarq.com from my
> lists because of their secret archiving that displays email addresses
> to the public, but at least they don't spam the lists back. But
> of course anyone can browse these sites and get addresses to their
> heart's content, then forge MAIL FROM: to sneak mail into the lists.

Ya know, I hadn't thought of that -- I've worked at closing off my list archives from the spam harvesters, but I'd never thought of the list archives as a source of addresses to use to spam ONTO the lists. (shudder). That's a real, legitimate issue, because you're basically handing them access. Damn. I have to go rethink that again.

And I realized, after I posted, that as long as there are free e-mail sites (netscape.net, hotmail, etc), you don't even need to create or hack domains to do this. Over a period of a week, create a thousand email accounts on the various free sites. Then you can set up the mailbots to start using them to subscribe and spam. As admins get accounts nuked by the free sites, simply disable them, move to other ones in your collection, and create some more. Even under the best of circumstances, it'd be tough to impossible for the admins of a place like hotmail to keep ahead of that, and their only real block is an IP block -- and if you have multiple IPs... This charade could go on for a long time.

> ) are definitely moving in the right direction with S/MIME
> signatures/encryption and X509 user certs, but that still doesn't
> stop someone from using throwaway certs to spam several lists or
> from harvesting addresses.

And it doesn't help the reality that most users can't/won't do this, and it simply means you'll scare away legitimate issues, which is like being so scared of having the cow stolen you weld the barn door shut. The cow doesn't get stolen, but it eventually starves to death...

> For now I'd say that the best method is a social one; require
> references when people want to subscribe to your list.

That works if you have active listowners and a small list. Imagine me doing that for a large list with dozens of subscriptions a day -- on my big mailman site, I'd have to hire staff to even START doing that. Not practical, unfortunately.

But Murr Rhame on list-managers said something that made me think of a possible answer -- new subscribers automatically go into "hold for approval" mode. It'd be another flag in the user record (like digest or nomail), and when you subscribe, it's turned on. All messages are held for the admin to approve. Once an admin can trust a new account, he turns off the flag and they post without restriction. There are some topics and lists where this would be a good thing to have, because of the incendiary aspects of the topic, or because (in my case) there are problems with trolls....

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Sat Dec 9 09:19:48 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id JAA25471; Sat, 9 Dec 2000 09:14:53 -0800 (PST)
Received: from mail.rev.net (mail.rev.net [206.67.68.8]) by honor.greatcircle.com (Postfix) with ESMTP id 7DC7917EAF for ; Sat, 9 Dec 2000 09:14:48 -0800 (PST)
Received: from fantasy (USER3.GVA.NET [216.80.135.7]) by mail.rev.net (8.11.1/8.11.1) with ESMTP id eB9HmPv18384 for ; Sat, 9 Dec 2000 12:48:27 -0500
Message-Id: <200012091748.eB9HmPv18384@mail.rev.net>
From: "Bernie Cosell"
Organization: Fantasy Farm Fibers
To: list-managers@GreatCircle.COM
Date: Sat, 9 Dec 2000 12:48:04 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: more on mailback issues.
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On 9 Dec 2000, at 8:26, Chuq Von Rospach wrote:

> Something that came up on the mailman list...
>
> At 3:09 AM -0600 12/9/00, Christopher Lindsey wrote:
>
> > Yes, this has definitely been troublesome. I've blocked many
> > commercial sites like findmail.com (egroups) and remarq.com from my
> > lists because of their secret archiving that displays email addresses
> > to the public, but at least they don't spam the lists back. But
> > of course anyone can browse these sites and get addresses to their
> > heart's content, then forge MAIL FROM: to sneak mail into the lists.

> But Murr Rhame on list-managers said something that made me think of
> a possible answer -- new subscribers automatically go into "hold for
> approval" mode. It'd be another flag in the user record (like digest
> or nomail), and when you subscribe, it's turned on. All messages are
> held for the admin to approve. Once an admin can trust a new account,
> he turns off the flag and they post without restriction.

That won't help --- if the spammer just uses the on-list-account to harvest addresses [perhaps even using the archives to get a *bunch* in a hurry] and then just uses suitable forgery to make the spam seem to come from a legit account, you have a hard time figuring out who the actual perp is...

/Bernie\

--
Bernie Cosell
Fantasy Farm Fibers
mailto:bernie@fantasyfarm.com
Pearisburg, VA
--> Too many people, too few sheep <--

From list-managers-owner Sat Dec 9 09:34:51 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id JAA25563; Sat, 9 Dec 2000 09:25:20 -0800 (PST)
Received: from dingo.kanga.nu (w212.z064001167.sjc-ca.dsl.cnc.net [64.1.167.212]) by honor.greatcircle.com (Postfix) with ESMTP id D3CDB17EAF for ; Sat, 9 Dec 2000 09:25:13 -0800 (PST)
Received: from (kanga.nu) [127.0.0.1] by dingo.kanga.nu with esmtp (Exim 3.16 #1 (Debian)) id 144oGg-0005dZ-00; Sat, 09 Dec 2000 09:58:42 -0800
To: murr rhame
Cc: Chuq Von Rospach , list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
In-Reply-To: Message from murr rhame of "Sat, 09 Dec 2000 07:57:14 EST."
References:
X-face: ?^_yw@fA`CEX&}--=*&XqXbF-oePvxaT4(kyt\nwM9]{]N!>b^K}-Mb9 YH%saz^>nq5usBlD"s{(.h'_w|U^3ldUq7wVZz$`u>MB(-4$f\a6Eu8.e=Pf\
X-image-url: http://www.kanga.nu/~claw/kanga.face.tiff
X-url: http://www.kanga.nu/~claw/
Date: Sat, 09 Dec 2000 09:58:42 -0800
Message-ID: <21672.976384722@kanga.nu>
From: J C Lawrence
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Sat, 9 Dec 2000 07:57:14 -0500 (EST) murr rhame wrote:

> Your analysis looks reasonable at first glance. As you mentioned,
> most spammers aren't sophisticated enough to implement the system
> you propose.

It only requires one who then sells his code to others.

> Also, some states have written anti-spam laws with teeth. See
> www.suespammers.org. One fellow in Colorado claims to have
> collected $13k from spammers (money in hand, not just court
> awards).

Given the rate at which porn is moving offshore, especially for indirection sites (cf the Google spams), I don't see this as a long term problem.

--
J C Lawrence claw@kanga.nu
---------(*) : http://www.kanga.nu/~claw/
--=| A man is as sane as he is dangerous to his environment |=--

From list-managers-owner Sat Dec 9 09:49:54 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id JAA25541; Sat, 9 Dec 2000 09:22:52 -0800 (PST)
Received: from dingo.kanga.nu (w212.z064001167.sjc-ca.dsl.cnc.net [64.1.167.212]) by honor.greatcircle.com (Postfix) with ESMTP id 0552A17EAF for ; Sat, 9 Dec 2000 09:22:45 -0800 (PST)
Received: from (kanga.nu) [127.0.0.1] by dingo.kanga.nu with esmtp (Exim 3.16 #1 (Debian)) id 144oEL-0005b9-00; Sat, 09 Dec 2000 09:56:17 -0800
To: Chuq Von Rospach
Cc: list-managers@greatcircle.com
Subject: Re: Is mailback validation still safe?
In-Reply-To: Message from Chuq Von Rospach of "Sat, 09 Dec 2000 00:22:39 PST."
References:
X-face: ?^_yw@fA`CEX&}--=*&XqXbF-oePvxaT4(kyt\nwM9]{]N!>b^K}-Mb9 YH%saz^>nq5usBlD"s{(.h'_w|U^3ldUq7wVZz$`u>MB(-4$f\a6Eu8.e=Pf\
X-image-url: http://www.kanga.nu/~claw/kanga.face.tiff
X-url: http://www.kanga.nu/~claw/
Date: Sat, 09 Dec 2000 09:56:17 -0800
Message-ID: <21522.976384577@kanga.nu>
From: J C Lawrence
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Sat, 9 Dec 2000 00:22:39 -0800 Chuq Von Rospach wrote:

> I'm beginning to think that mailback validation as an anti-spam
> technique has been beaten. Worse, I think there are now spam
> systems written that will beat them in an automated way.

I've written on this before to the Mailman lists. I have similar suspicions. Like you I have no smoking guns, but I have suggestive evidence.

> I will say up front I don't have a smoking gun. If and when I find
> one, I'll say so. But I'm now beginning to think the spammers have
> figured out how to beat mailbacks.

It's hardly complex -- just look for key strings in messages coming to an account, and then bounce back messages accordingly. Given someone with minimal scripting knowledge, what, 30 minutes? Four simple patterns will cover 95% of the lists out there.

> Someone we know runs a list on egroups. Twice today he was spammed
> by the porn spammers -- from subscribed accounts. This isn't the
> first time I've heard of this in the last few weeks, but he's
> someone I know runs a pretty clean ship. To get hit by two
> separate porn spammers on the same day, in independent attacks,
> that raises a real warning flag, because where the porn spammers
> innovate, everyone else follows.

Occam's razor indicates that this could be done equally well thru mail forgery of a blameless member.

> He now owns your list, at least until you figure out what's going
> on and nuke the subscribed address. But if you think about it,
> once that validation handshake is complete, there's never ANY
> further validation. So he can set up temporary shop, validate to
> his heart's content, and then later on, after all the temporary
> stuff is safely hidden away, spam from anywhere, safely. Because
> he knows the address that will get him on the list.

Bingo. This is one of the base reasons I now hand moderate my main lists. I'm looking hard at going back to a posting_authority setup (members prove themselves worthy of automatic posting (no moderator overview)), but Mailman does not currently lend itself to that model. Yet. (Using approved posted in Mailman is not sufficiently maintainable)

> If this is true, and it's beginning to look like egroups is a
> target of one attack, and I've heard rumors of some mailman lists
> being hit as well, then lists that depend on mailback validation
> have a problem. And I think there's been a feeling that mailbacks
> are the one true way of validation to the point where there hasn't
> been much (if any) thought about improved techniques or
> alternatives.

When you get down to it this is a question of trust models, and is a subset of the problem of reputational systems. It's a non-trivial problem.

> I've felt for a while that the list community was way too
> comfortable with mailbacks as "safe and unbeatable". I'm now
> seeing what I think is evidence that this is no longer true. And
> I'm afraid that because we have sat back and not innovated here,
> we're going to end up behind the eight ball. And I don't see any
> easy answers if I'm right -- only that if I am wrong, I won't be
> wrong forever.

I'm at the point where I'm willing to lay money on your being not only right, but being visibly demonstrated as right within the next calendar year.

We have two problems:

1) Determining that a given member of a list is not a spammer.

2) Determining that a given post is not a SPAM

The first can be largely addressed via putting in mechanisms where N moderator approved posts are required before being granted posting authority. It's a barrier to entry technique -- not secure, but certainly not profitable for the spammer in terms of ROI. As a side comment, this is one of the features I'd like to see rolled in the next Mailman design we're discussing (given the model I'm musing, it should be trivial).

The second is a horrible nasty problem in this age of mail forgery and the ease of harvesting member addresses from lists (especially once you are a subscriber). Given that a spammer can subscribe and can then harvest addresses with (presumably) posting authority with no more than a couple hours worth of scripting and a little time waiting while his bot runs, the simple MESSAGE_FROM_XXX_IS_OKAY metric is likely to last no longer.

So what's the final solution? I don't think there is an elegant solution without involving presumed non-forgeable proofs of identity (ie public key crypto). Doing that requires a broadscale PKI structure (a horrible problem in and of itself), severe changes in user habits, and a host of other invasive non-trivial changes. It's going to happen tho. TLS/SMTP is just not enough.

--
J C Lawrence claw@kanga.nu
---------(*) : http://www.kanga.nu/~claw/
--=| A man is as sane as he is dangerous to his environment |=--

From list-managers-owner Sat Dec 9 10:34:47 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id KAA26099; Sat, 9 Dec 2000 10:19:33 -0800 (PST)
Received: from plaidworks.com (plaidworks.com [209.239.169.200]) by honor.greatcircle.com (Postfix) with ESMTP id 5A76B17EAF for ; Sat, 9 Dec 2000 10:19:28 -0800 (PST)
Received: from [209.239.169.197] (a197.plaidworks.com [209.239.169.197]) by plaidworks.com (8.10.1/8.10.1) with ESMTP id eB9InO230354; Sat, 9 Dec 2000 10:49:25 -0800
Mime-Version: 1.0
Message-Id:
In-Reply-To: <200012091748.eB9HmPv18384@mail.rev.net>
References: <200012091748.eB9HmPv18384@mail.rev.net>
Date: Sat, 9 Dec 2000 10:49:57 -0800
To: "Bernie Cosell" , list-managers@GreatCircle.COM
From: Chuq Von Rospach
Subject: Re: more on mailback issues.
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

At 12:48 PM -0500 12/9/00, Bernie Cosell wrote:

> That won't help --- if the spammer just uses the on-list-account to
> harvest addresses [perhaps even using the archives to get a *bunch* in a
> hurry] and then just uses suitable forgery to make the spam seem to come
> from a legit account, you have a hard time figuring out who the actual
> perp is...

Man, you're right. Now I have a headache... (grin, sort of)

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.
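The thread above converges on two list-side controls: Chuq's "hold for approval" flag on new subscribers, J C Lawrence's "N moderator-approved posts before posting authority", and Jim Galvin's observation (later in the thread) that a MAIL FROM can name a real subscriber while the SMTP peer is nothing the subscriber's domain would send from. The Python below is an added illustration of those controls combined into one post-time gate; it is not code from Mailman, Lyris or any product named in the thread, and Subscriber, ListPolicy, known_relays and the sample addresses and networks are all assumed or constructed for the example.

```python
"""Post-time gating for a list whose members were admitted by mailback
validation.  The mailback handshake is the only check most MLMs ever run,
so this policy adds a second gate at posting time.  Added example with
hypothetical names; not the code of any mailing-list manager."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Subscriber:
    address: str
    confirmed: bool = False      # completed the mailback handshake
    approved_posts: int = 0      # posts a moderator has let through so far
    trusted: bool = False        # "posting authority": bypasses moderation


@dataclass
class ListPolicy:
    approvals_needed: int = 3
    # domain -> networks its mail is known to arrive from (constructed sample data)
    known_relays: dict = field(default_factory=dict)
    members: dict = field(default_factory=dict)

    def subscribe(self, address: str) -> None:
        self.members[address.lower()] = Subscriber(address.lower())

    def confirm(self, address: str) -> None:
        """Mailback confirmation returned: the address becomes a member, but
        it starts in hold-for-approval mode, not with posting authority."""
        self.members[address.lower()].confirmed = True

    def peer_plausible(self, domain: str, peer_ip: str) -> bool:
        """True when the SMTP peer lies inside a network the sender's domain
        is known to send from.  Unknown domains count as plausible: this
        check only ever adds a hold, never a reject, because the mismatch
        can be entirely legitimate (forwarders, roaming users)."""
        nets = self.known_relays.get(domain)
        if nets is None:
            return True
        ip = ipaddress.ip_address(peer_ip)
        return any(ip in ipaddress.ip_network(n) for n in nets)

    def decide(self, mail_from: str, header_from: str, peer_ip: str) -> str:
        """Classify one incoming post as 'reject', 'hold' or 'distribute'."""
        sender = mail_from.lower()
        sub = self.members.get(sender)
        if sub is None or not sub.confirmed:
            return "reject"             # not a confirmed subscriber at all
        if header_from.lower() != sender:
            return "hold"               # envelope and header disagree
        if not self.peer_plausible(sender.rpartition("@")[2], peer_ip):
            return "hold"               # subscriber's address, odd origin
        if not sub.trusted:
            return "hold"               # still earning posting authority
        return "distribute"

    def moderator_approved(self, address: str) -> bool:
        """A moderator let a held post through.  Grants posting authority
        once approvals_needed posts have been approved; returns trust state."""
        sub = self.members[address.lower()]
        sub.approved_posts += 1
        if sub.approved_posts >= self.approvals_needed:
            sub.trusted = True
        return sub.trusted

    def revoke(self, address: str) -> None:
        """Put an address back under moderation (the 'nuke' step above)."""
        sub = self.members[address.lower()]
        sub.trusted = False
        sub.approved_posts = 0


if __name__ == "__main__":
    # Constructed walk-through: example.org's mail normally leaves 192.0.2.0/24.
    policy = ListPolicy(approvals_needed=2,
                        known_relays={"example.org": ["192.0.2.0/24"]})
    policy.subscribe("alice@example.org")
    policy.confirm("alice@example.org")
    print(policy.decide("alice@example.org", "alice@example.org", "192.0.2.10"))
    policy.moderator_approved("alice@example.org")
    policy.moderator_approved("alice@example.org")
    print(policy.decide("alice@example.org", "alice@example.org", "192.0.2.10"))
    print(policy.decide("alice@example.org", "alice@example.org", "198.51.100.7"))
```

A held post still reaches the moderator, so address harvesting by a subscribed account (Bernie's point) is not stopped by this gate; it only raises the cost of posting spam through it.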
From list-managers-owner Sat Dec 9 11:19:51 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id LAA26519; Sat, 9 Dec 2000 11:05:49 -0800 (PST) Received: from one.elistx.com (one.elistx.com [209.116.252.130]) by honor.greatcircle.com (Postfix) with ESMTP id 98E3917EAF for ; Sat, 9 Dec 2000 11:05:43 -0800 (PST) Received: from two.elistx.com (two.elistx.com [209.116.254.209]) by eListX.com (PMDF V6.0-24 #44856) with ESMTP id <0G5B00DFJFYNJ8@eListX.com> for list-managers@GreatCircle.COM; Sat, 09 Dec 2000 14:40:00 -0500 (EST) Date: Sat, 09 Dec 2000 14:40:30 -0500 (EST) From: James M Galvin Subject: Re: Is mailback validation still safe? In-reply-to: X-Sender: galvin@two.elistx.com To: Chuq Von Rospach Cc: list-managers@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Sender: list-managers-owner@GreatCircle.COM Precedence: bulk I'm beginning to think that mailback validation as an anti-spam technique has been beaten. Worse, I think there are now spam systems written that will beat them in an automated way. ... I've felt for a while that the list community was way too comfortable with mailbacks as "safe and unbeatable". I'm now seeing what I think is evidence that this is no longer true. And I'm afraid that because we have sat back adn not innovated here, we're going to end up behind the eight ball. and I don't see any easy answers if I'm right -- only that if I am wrong, I won't be wrong forever. I agree with you in principle but not in practice. In other words, I am absolutely certain that as long as it is free, both in cost and lack of access control, to originate email, spam will always exist. In that context, there is no safe and unbeatable anti-spam technique and I agree with you. However, in practice, as with all undesirable behaviors, there is this cat-and-mouse game between those who practice undesirable behavior and those who seek to ameliorate it. 
What you're seeing has always been a threat. It was only a matter of time before the spammers figured it out and "got organized" about exploiting it. At issue is service providers who forget they're playing the game. Now I'll make your day with an equally difficult related problem, perhaps worse depending on what MLM system you use. What I'm seeing a lot of (me being eList eXpress ) is forged SMTP MAIL FROM addresses. You see, for access control purposes, that's the address my system uses. What's happening is the domain part of the address in the MAIL FROM and the message headers are themselves equal and do represent legitimate subscribers, but they do not match the source of the message (SMTP peer) and in fact the message is illegitimate. (Of course, more insidious is the fact that this scenario may be completely legitimate, for many reasons left as an exercise to the reader.) In this situation the spammers don't even need an email account. They just need a little tool, which is almost trivial to write in Perl. I think that mailback validation is an important and essential tool in the fight against spam. But neither it nor any technique currently available is sufficient. Security and safety are, and always have been, a full-time job. They are a journey, not a destination, and anyone (especially a service provider) who forgets that is, at best, doomed to relive history; at worst, they will fail. 
Jim -- The Cure for What (M)ails You: From list-managers-owner Sat Dec 9 12:04:48 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id LAA26952; Sat, 9 Dec 2000 11:54:18 -0800 (PST) Received: from smtp1.vnet.net (smtp1.vnet.net [166.82.1.31]) by honor.greatcircle.com (Postfix) with ESMTP id 8A7EE17EAF for ; Sat, 9 Dec 2000 11:54:12 -0800 (PST) Received: from katie.vnet.net (katie.vnet.net [166.82.1.7]) by smtp1.vnet.net (8.10.1/8.10.1) with ESMTP id eB9KRu918461; Sat, 9 Dec 2000 15:27:56 -0500 (EST) Received: from localhost (murr@localhost) by katie.vnet.net (8.9.3+Sun/8.9.1) with ESMTP id PAA16475; Sat, 9 Dec 2000 15:27:55 -0500 (EST) Date: Sat, 9 Dec 2000 15:27:55 -0500 (EST) From: murr rhame To: Bernie Cosell Cc: list-managers@GreatCircle.COM Subject: Re: more on mailback issues. In-Reply-To: <200012091748.eB9HmPv18384@mail.rev.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: list-managers-owner@GreatCircle.COM Precedence: bulk On Sat, 9 Dec 2000, Bernie Cosell wrote: > > a possible answer -- new subscribers automatically go into "hold for > > approval" mode. > > That won't help --- if the spammer just uses the > on-list-account to harvest addresses [perhaps even using the > archives to get a *bunch* in a hurry] and then just uses > suitable forgery to make the spam seem to come from a legit > account, you have a hard time figuring out who the actual > perp is... If the problem gets really bad, you can use the next level of subscription security, require an application. Ask a few simple questions that show the subscriber has a legitimate interest in the list's topic... This is not practical to automate. If that doesn't stop them, you can always use full moderation, approving every post. Address harvesting can not be stopped by any of these methods. On the other hand, the harvester would only see a small percentage of the subscribers' addresses. 
In a pinch, you could set up the list for anonymous posting. The more security you add to a list, the more difficult it is for subscribers to use. The bottom line is that you can't prevent a determined spammer from at least collecting some address data from most mailing lists. You can prevent them from posting but this may require a lot of effort... I can't recall a successful "drive by spamming" on any of my lists for the past five years or so. I've seen no credible evidence of address harvesting. - murr - From list-managers-owner Sat Dec 9 12:19:49 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id MAA27115; Sat, 9 Dec 2000 12:04:21 -0800 (PST) Received: from smtp1.vnet.net (smtp1.vnet.net [166.82.1.31]) by honor.greatcircle.com (Postfix) with ESMTP id 8E67D17EAF for ; Sat, 9 Dec 2000 12:04:14 -0800 (PST) Received: from katie.vnet.net (katie.vnet.net [166.82.1.7]) by smtp1.vnet.net (8.10.1/8.10.1) with ESMTP id eB9Kbwi19494; Sat, 9 Dec 2000 15:37:58 -0500 (EST) Received: from localhost (murr@localhost) by katie.vnet.net (8.9.3+Sun/8.9.1) with ESMTP id PAA16894; Sat, 9 Dec 2000 15:37:57 -0500 (EST) Date: Sat, 9 Dec 2000 15:37:57 -0500 (EST) From: murr rhame To: J C Lawrence Cc: Chuq Von Rospach , list-managers@GreatCircle.COM Subject: Re: Is mailback validation still safe? In-Reply-To: <21672.976384722@kanga.nu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: list-managers-owner@GreatCircle.COM Precedence: bulk On Sat, 9 Dec 2000, J C Lawrence wrote: > Given the rate at which porn is moving offshor, especially > for indirection sites (cf the Google spams), I don't see this > as a long term problem. As long as they have US assets, they are subject to US judgments. Does anyone know if spam rates are stable, declining or on the rise? The amount of spam I receive seems to be about the same as it was several years ago. The mix of obscuring techniques seems about the same as well. 
- murr -

From list-managers-owner Sat Dec 9 12:34:46 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id MAA27191; Sat, 9 Dec 2000 12:13:13 -0800 (PST)
Received: from smtp1.vnet.net (smtp1.vnet.net [166.82.1.31]) by honor.greatcircle.com (Postfix) with ESMTP id 6F06E17EAF for ; Sat, 9 Dec 2000 12:13:07 -0800 (PST)
Received: from katie.vnet.net (katie.vnet.net [166.82.1.7]) by smtp1.vnet.net (8.10.1/8.10.1) with ESMTP id eB9Kkqi20279; Sat, 9 Dec 2000 15:46:52 -0500 (EST)
Received: from localhost (murr@localhost) by katie.vnet.net (8.9.3+Sun/8.9.1) with ESMTP id PAA17238; Sat, 9 Dec 2000 15:46:51 -0500 (EST)
Date: Sat, 9 Dec 2000 15:46:51 -0500 (EST)
From: murr rhame
To: J C Lawrence
Cc: Chuq Von Rospach , list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
In-Reply-To: <21522.976384577@kanga.nu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Sat, 9 Dec 2000, J C Lawrence wrote:
> The second is a horrible nasty problem in this age of mail
> forgery and the ease of harvesting member addresses from
> lists (especially once you are a subscriber). Given that a
> spammer can subscribe and can then harvest addresses with
> (presumably) posting authority with no more than a couple
> hours worth of scripting and a little time waiting while his
> bot runs, the simple MESSAGE_FROM_XXX_IS_OKAY metric is
> likely to last no longer.

Lyris has an optional feature that requires a subscriber password for posting. The subscriber includes their personal list password at the start of the body of the post. This password is stripped before the post is distributed.... I think I'd just switch to full moderation before I tried this technique.
- murr -

From list-managers-owner Sat Dec 9 13:34:47 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id NAA27918; Sat, 9 Dec 2000 13:26:48 -0800 (PST)
Received: from tomts6-srv.bellnexxia.net (smtp.bellnexxia.net [209.226.175.26]) by honor.greatcircle.com (Postfix) with ESMTP id C00EA17EAF for ; Sat, 9 Dec 2000 13:26:42 -0800 (PST)
Received: from b8q7201 ([64.230.83.39]) by tomts6-srv.bellnexxia.net (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20001209220027.DAOC761.tomts6-srv.bellnexxia.net@b8q7201> for ; Sat, 9 Dec 2000 17:00:27 -0500
X-Sender: sharon@pop.listhost.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Sat, 09 Dec 2000 16:59:43 -0500
To: list-managers@GreatCircle.COM
From: Sharon Tucci
Subject: Re: more on mailback issues.
In-Reply-To:
References: <200012091748.eB9HmPv18384@mail.rev.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <20001209220027.DAOC761.tomts6-srv.bellnexxia.net@b8q7201>
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

At 03:27 PM 12/09/00 -0500, murr rhame wrote:
>If the problem gets really bad, you can use the next level of
>subscription security, require an application. Ask a few simple
>questions that show the subscriber has a legitimate interest in
>the list's topic... This is not practical to automate. If that
>doesn't stop them, you can always use full moderation, approving
>every post.

All of the lists we host that have unmoderated posting for even some subscribers require the moderator to approve subscribers before they are added.

One of the things some of our list owners have done is ask people to provide their direct ISP address if it is different than the one they want to be subscribed under. They send a test message out to that second address to make sure it is a valid one. One list owner created a nifty script that checks to see if that address is any of a list of about 100 of the more common ISPs.
If so, the new subscriber gets an email at that ISP address they have to hit reply to and the address they want to be subscribed under is then added to the list. If the domain is not on this list, the script checks the message headers for the response and if the domain in the message headers matches the return address, again it is added. Anything not processed automatically gets logged for the list owner to look at.

Sharon Tucci
President & CEO
Sling Shot Media, LLC
http://www.ListHost.net - The List Hosting SpeciaLists
1-613-933-5133

From list-managers-owner Sat Dec 9 14:04:46 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id NAA28146; Sat, 9 Dec 2000 13:52:27 -0800 (PST)
Received: from iecc.com (tom.iecc.com [208.31.42.38]) by honor.greatcircle.com (Postfix) with SMTP id 1AD0317EAF for ; Sat, 9 Dec 2000 13:52:22 -0800 (PST)
Received: (qmail 23960 invoked from network); 9 Dec 2000 17:26:07 -0500
Received: from tom.iecc.com (208.31.42.38) by mail3.iecc.com with SMTP; 9 Dec 2000 17:26:07 -0500
Date: Sat, 9 Dec 2000 17:26:06 -0500 (EST)
From: John R Levine
To: Chuq Von Rospach
Cc: list-managers@greatcircle.com
Subject: Re: Is mailback validation still safe?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

> I'm beginning to think that mailback validation as an anti-spam
> technique has been beaten. Worse, I think there are now spam systems
> written that will beat them in an automated way.

I can believe it, but only because too many mailback schemes are broken. I run a bunch of autoresponders, and I can't tell you how many of them have "validated" subscriptions to various mailing lists to which some bozo forge subscribed them (typically by giving an address like dummy@dummies.com when a site demanded an e-mail address.)
Many schemes seem to take any response with the same subject line as the mailback as a confirmation, which is accidentally spoofed by my autoresponder. You could spoof a scheme like that without even seeing the mailbacks, since they usually have a simple fixed text.

For mailbacks to be effective, they need two things:

- a key in the confirmation that's not derived (or at least not easily derived) from the e-mail address, so you can be sure that the confirmation is in fact a response to the mailback.

- something in the message that won't be inserted by an autoresponder, e.g., instructions to put "yes" in the first line of the response, but make sure the first few lines of the mailback don't contain that word.

Click-to-confirm does both of these so long as the confirm URL contains the key.

This shouldn't be rocket science, but it's impressive how many people writing mailing list packages appear to know nothing about the reality of the e-mail environment.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47

From list-managers-owner Sat Dec 9 14:49:56 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id OAA28663; Sat, 9 Dec 2000 14:48:54 -0800 (PST)
Received: from plaidworks.com (plaidworks.com [209.239.169.200]) by honor.greatcircle.com (Postfix) with ESMTP id 2ADAC17EBA for ; Sat, 9 Dec 2000 14:48:45 -0800 (PST)
Received: from [209.239.169.197] (a197.plaidworks.com [209.239.169.197]) by plaidworks.com (8.10.1/8.10.1) with ESMTP id eB9NIH204924; Sat, 9 Dec 2000 15:18:17 -0800
Mime-Version: 1.0
Message-Id:
In-Reply-To:
References: <20001209030926.A26087@ncsa.uiuc.edu>
Date: Sat, 9 Dec 2000 15:20:08 -0800
To: Vince Sabio , Darrell Fuhriman , Chuq Von Rospach
From: Chuq Von Rospach
Subject: Re: [Mailman-Developers] FYI -- mailback
validations no longer safe?
Cc: Christopher Lindsey , Laurie Sefton , Mailman development , Gene Spafford , Mark fletcher , Axel Jessen , list-managers@greatcircle.com
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

At 5:32 PM -0500 12/9/00, Vince Sabio wrote:
>Short of S/MIME and similar measures that most of us would consider
>to be extreme (right now, anyway; probably won't be considered
>extreme measures for much longer), there is little that the owner of
>a large,

I've been mulling this over all day, and I have a couple of ideas on it. I'm sure they're not original, but they might open up concepts for MLM authors to consider.

My first premise: this has to be "solved" at the MLM level. The real answer is authenticated e-mail addresses, and that implies S/MIME and all of the logistical overhead and development that implies. In practice, for many places, that's simply not an option until SOMEONE figures out how to get AOL to support it, because without AOL, a significant chunk of the audience can't do it, making it worthless (and while individual list admins can tell AOL to take a flying leap, the typical one won't, and many of us can't. So any MLM that comes up with a solution that effectively locks out AOL is an MLM that dies in the marketplace...)

My second premise: that we put the onus of managing this first on the MLM software, second on the list admin, and third on the end user. The higher the bar you place between your user base and the list, the fewer will bother jumping over it. And the harder you make it for an admin to be admin, the more likely they are to turn the bloody stuff off, or choose a different MLM. We have to remember we're talking about 'solving' what we see might be an emerging problem, which means we aren't going to have admins beating down our doors screaming FIX THIS.
Instead, we have to fix it and keep it from ever BEING that kind of problem, which means the barriers for entry and use have to be kept minimal. Either that, or we wait until it does fall apart, and pray we can put it back together quickly. Not my idea of fun.

I've come up with two ideas that seem promising.

First is not new. It's moving the validation from the point of subscription to the posting time (actually, do both). This involves assigning a user an access password, which is attached to the message they want posted. This can be strongly automated, which is good. It only solves the forged subscriber address part, which means it's not a complete solution, but at least it deals with the most pernicious aspects of all of this, a harvester posting via forged addresses of legitimate subscribers.

Passwords can be pulled off a web site, similar to what users do now when they forget a password at most sites with registration, and have it e-mailed to the subscribed address. It's then attached via the subject line, first line of the body, x-header, I don't care. The MLM has to be paranoid about stripping these passwords without over-stripping legitimate content, to protect it. At that point, we can at least get back to knowing the user posting the message has access to the e-mail address's mailbox, which is about as secure as we can get with e-mail. They aren't just sucking addresses at random and re-using them. Passwords, if you want, can time out, and if you really want, the admin can set their length, from one-time to permanent, depending on their paranoia.

Second idea puts the onus on the list admin. There is one other identifying piece of info we know about the poster that can't be forged. It is the IP address of the machine that relays the mail to your MLM machine. All of the OTHER received lines can be forged, but the one your server adds to tell you who it got the mail from -- the direct connection -- can't be (or you have bigger problems).
In this scheme, then, messages from a user are held for approval, and the list admin has to teach the MLM which IP addresses to accept mail from with that "From" address. Now, a given "From" address may relay in from more than one address, but the list of those addresses is finite -- so we can build an authentication list for EACH user fairly easily, over time. The admin will be pretty busy early on, but the main work is done by the MLM itself, and the end-user in almost all cases doesn't have to worry about it. And we can base this on a human teaching a machine "right" and "wrong", using a piece of known-valid data.

There are opportunities for automation here, of course, such as automatically validating AOL users where the SMTP relay is an AOL machine, that can help the admin minimize their pain, but you run some risk of opening up some holes.

It seems like both approaches will work, both can be done TODAY, without waiting for significant technological advances, client enhancements, maturation of technologies or building of new infrastructures, and they layer on top of what we already are doing in reasonably non-invasive ways. I think the SMTP-relay authorization (to some degree, a list-specific variation of the SMTP-after-POP email setup...) has some interesting possibilities, and I wonder if there are other pieces of data that we "know" about a user once we get the email that we can use to validate without worrying about their corruption or forging.

And yes, I know about TCP spoofing, but frankly, I think if spammers get that sophisticated in their attacks, it's unlikely anything reasonable will stop them. But I'm willing to try, and I think we solve the cases we can solve, and continue to move forward from there...

>busy discussion list can do to protect his list from an attack such
>as this. Sure, you could moderate the list, but many of my lists see
>50 to 100 posts/day, and the max I've ever had posted to a single
>list in one day was more than 450.
That's a lot of moderation.

Moderation is a tool, but not a solution. I'd have to hire staff to do nothing but moderate my big machine. That's the wrong way to look at this. I'd rather hire staff to find ways to FIX it so we don't have to put human filters in the way.

The SMTP-relay IP address is nice, because while there's some pain while you're teaching your server, and it adds SOME continuing overhead to the admin's load due to new users, moving users and network changes within other people's networks -- the primary load is managed by the server, not the admin. And it doesn't impact the end-user or require new user skills or client technologies (or training users to apply passwords to messages, or... ) -- it's purely server based.

>Like Chuq, I shudder at the thought of someone forging subscriber
>addresses to spam mailing lists.

It's a scary thought. brr.

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Sat Dec 9 15:19:50 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id PAA28911; Sat, 9 Dec 2000 15:07:37 -0800 (PST)
Received: from gw.tssi.com (gw.tssi.com [198.147.197.1]) by honor.greatcircle.com (Postfix) with ESMTP id 96F8417EAF for ; Sat, 9 Dec 2000 15:07:31 -0800 (PST)
Received: from celery.tssi.com (nolan@celery.tssi.com [198.147.197.6]) by gw.tssi.com (8.10.1/8.10.1) with ESMTP id eB9NfAn18130 for ; Sat, 9 Dec 2000 17:41:11 -0600
Received: (from celery.tssi.com) by celery.tssi.com (8.7.5/8.7.3) id RAA07460 for list-managers@GreatCircle.com; Sat, 9 Dec 2000 17:41:08 -0600
From: Mike Nolan
Message-Id: <200012092341.RAA07460@celery.tssi.com>
Subject: Re: Is mailback validation still safe?
To: list-managers@GreatCircle.com (List Managers)
Date: Sat, 9 Dec 2000 17:41:08 -0600 (CST)
Reply-To: nolan@tssi.com
X-Mailer: ELM [version 2.5 PL3]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

> Does anyone know if spam rates are stable, declining or on the
> rise? The amount of spam I receive seems to be about the same as
> it was several years ago. The mix of obscuring techniques seems
> about the same as well.

I have so many filters on my in-house accounts that I can't tell, but on an account I have on a local ISP, from which I very seldom send e-mail or post to USENET, the spam is increasing.

As to Chuq's concerns, I implemented a 3 day waiting period some years ago and more recently went to manual approval of the first few posts. (Actually, manual approval is in effect until I authorize posting.)

Yet another technique that I use for another list is to hide the true posting address. In other words, posts to 'listname@domain.name' get rejected, posters must know to send to 'listname-secret@domain.name'. And the '-secret' part is stripped out with a sed filter before the post is handed over to the list software. I suppose it would be possible to use a different 'secret' extension for each authorized poster, though this would become unmanageable with large lists. This also makes replying to posts more of a bother, though.

Long term, the best solution may be to use public key encryption keys for authorized posters. But I don't know of any mail programs or mailing list management software that currently support this. It would still require manual authorization of new members, though it would probably be possible to set up an alias to handle the authentication negotiations.
--
Mike Nolan

From list-managers-owner Sat Dec 9 15:49:46 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id PAA29167; Sat, 9 Dec 2000 15:39:57 -0800 (PST)
Received: from smtp1.vnet.net (smtp1.vnet.net [166.82.1.31]) by honor.greatcircle.com (Postfix) with ESMTP id 1984917EAF for ; Sat, 9 Dec 2000 15:39:52 -0800 (PST)
Received: from katie.vnet.net (katie.vnet.net [166.82.1.7]) by smtp1.vnet.net (8.10.1/8.10.1) with ESMTP id eBA0DcC12588 for ; Sat, 9 Dec 2000 19:13:38 -0500 (EST)
Received: from localhost (murr@localhost) by katie.vnet.net (8.9.3+Sun/8.9.1) with ESMTP id TAA29352 for ; Sat, 9 Dec 2000 19:13:37 -0500 (EST)
Date: Sat, 9 Dec 2000 19:13:37 -0500 (EST)
From: murr rhame
To: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

In my humble opinion, the primary purpose of mailback validation is to prevent someone from being subscribed to a mailing list against their will (email bombing). Mailback is still very effective for this purpose. Reducing spam on the list is at best a small side effect of mailback.

On the bright side, this subject has sparked a good discussion of security holes and countermeasures.

- murr -

From list-managers-owner Sat Dec 9 16:19:46 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id QAA29427; Sat, 9 Dec 2000 16:05:26 -0800 (PST)
Received: from penguin.postmodern.com (penguin.postmodern.com [216.240.39.2]) by honor.greatcircle.com (Postfix) with ESMTP id 5518A17EAF for ; Sat, 9 Dec 2000 16:05:17 -0800 (PST)
Received: (from mcb@localhost) by penguin.postmodern.com (8.11.1/8.11.1-mcb-20001119) id eBA0bpY26823; Sat, 9 Dec 2000 16:37:51 -0800
Date: Sat, 9 Dec 2000 16:37:51 -0800
From: "Michael C. Berch"
To: List Managers
Subject: Re: Is mailback validation still safe?
Message-ID: <20001209163751.A26816@postmodern.com>
References: <200012092341.RAA07460@celery.tssi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200012092341.RAA07460@celery.tssi.com>; from nolan@celery.tssi.com on Sat, Dec 09, 2000 at 05:41:08PM -0600
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On 12/09 5:41 PM, Mike Nolan wrote:
> > Does anyone know if spam rates are stable, declining or on the
> > rise? The amount of spam I receive seems to be about the same as
> > it was several years ago. The mix of obscuring techniques seems
> > about the same as well.
>
> I have so many filters on my in-house accounts that I can't tell, but
> on an account I have on a local ISP, from which I very seldom send e-mail
> or post to USENET, the spam is increasing.

On another list I'm on, which is a social/news-discussion list largely composed of people who have been on the Net quite a while, the subject came up, and the consensus is that after a leveling-off period, spam is definitely on the rise this year. A friend who operates the small ISP I'm a customer of has done some informal monitoring and he concurs, and notes that most spam he sees (in the U.S.) originates from, or passes through, systems outside the U.S.

A conjecture is that this is due to a combination of factors, including the "offshore" legal status of those servers, the existence of spam-friendly (due to either greed, or ignorance, or both) ISPs in countries such as Korea, Indonesia, and India, and the hijacking of legitimate commercial and academic systems in countries with less network security sophistication than the US, Canada, EU, and Japan.

I have not logged the amount of spam my lists are the target of, but since I see the crud in my mailbox when Majordomo's content filters or non-member-post filter catches it, I'd agree that list-targeted spam is on the rise over the last year.
I have not been a victim of mailback spoofing yet, using Majordomo's "auth" tokens, but it is probably a matter of time.

--
Michael C. Berch
mcb@postmodern.com / mcb@greatcircle.com

From list-managers-owner Sat Dec 9 18:04:47 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id RAA00435; Sat, 9 Dec 2000 17:59:24 -0800 (PST)
Received: from ma-1.rootsweb.com (ma-1.rootsweb.com [209.192.148.153]) by honor.greatcircle.com (Postfix) with ESMTP id 85D6417EAF for ; Sat, 9 Dec 2000 17:59:18 -0800 (PST)
Received: (from twp@localhost) by ma-1.rootsweb.com (8.10.0.Beta10/8.10.0.Beta10) id eBA2Wud32333; Sat, 9 Dec 2000 21:32:56 -0500 (EST)
Date: Sat, 9 Dec 2000 21:32:56 -0500
From: Tim Pierce
To: murr rhame
Cc: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Message-ID: <20001209213256.A32180@ma-1.rootsweb.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.7us
In-Reply-To:
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Sat, Dec 09, 2000 at 07:13:37PM -0500, murr rhame wrote:
> In my humble opinion, the primary purpose of mailback validation
> is to prevent someone from being subscribed to a mailing list
> against their will (email bombing).

That's my take on it as well. To the extent that it also discourages spammers from trying to harvest mail coming off of lists, that's nice but is hardly the goal.
--
Regards,
Tim Pierce
RootsWeb.com
lead system admonsterator and Chief Hacking Officer

From list-managers-owner Sat Dec 9 20:19:48 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id UAA01567; Sat, 9 Dec 2000 20:17:41 -0800 (PST)
Received: from dingo.kanga.nu (w212.z064001167.sjc-ca.dsl.cnc.net [64.1.167.212]) by honor.greatcircle.com (Postfix) with ESMTP id 4420017EAF for ; Sat, 9 Dec 2000 20:17:36 -0800 (PST)
Received: from (kanga.nu) [127.0.0.1] by dingo.kanga.nu with esmtp (Exim 3.16 #1 (Debian)) id 144yS8-0003Zl-00; Sat, 09 Dec 2000 20:51:12 -0800
To: Chuq Von Rospach
Cc: Vince Sabio , Darrell Fuhriman , Christopher Lindsey , Laurie Sefton , Mailman development , Gene Spafford , Mark fletcher , Axel Jessen , list-managers@greatcircle.com
Subject: Re: [Mailman-Developers] FYI -- mailback validations no longer safe?
In-Reply-To: Message from Chuq Von Rospach of "Sat, 09 Dec 2000 15:20:08 PST."
References: <20001209030926.A26087@ncsa.uiuc.edu>
X-face: ?^_yw@fA`CEX&}--=*&XqXbF-oePvxaT4(kyt\nwM9]{]N!>b^K}-Mb9 YH%saz^>nq5usBlD"s{(.h'_w|U^3ldUq7wVZz$`u>MB(-4$f\a6Eu8.e=Pf\
X-image-url: http://www.kanga.nu/~claw/kanga.face.tiff
X-url: http://www.kanga.nu/~claw/
Date: Sat, 09 Dec 2000 20:51:12 -0800
Message-ID: <13748.976423872@kanga.nu>
From: J C Lawrence
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Sat, 9 Dec 2000 15:20:08 -0800 Chuq Von Rospach wrote:
> In practice, for many places, that's simply not an option until
> SOMEONE figures out how to get AOL to support it, because without
> AOL, a significant chunk of the audience can't do it, making it
> worthless (and while individual list admins can tell AOL to take a
> flying leap, the typical one won't, and many of us can't. So any
> MLM that comes up with a solution that effectively locks out AOL
> is an MLM that dies in the marketplace...)

Does anyone here have contacts at AOL?
I used to know people in their NOC and in their IS team (which doesn't really apply to this end). I'll see if I can't dig them up to see what might be needed to get some basic things done (kinda difficult at this time of year).

--
J C Lawrence claw@kanga.nu
---------(*) : http://www.kanga.nu/~claw/
--=| A man is as sane as he is dangerous to his environment |=--

From list-managers-owner Sat Dec 9 20:34:48 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id UAA01476; Sat, 9 Dec 2000 20:07:55 -0800 (PST)
Received: from plaidworks.com (plaidworks.com [209.239.169.200]) by honor.greatcircle.com (Postfix) with ESMTP id C77A817EAF for ; Sat, 9 Dec 2000 20:07:49 -0800 (PST)
Received: from [209.239.169.197] (a197.plaidworks.com [209.239.169.197]) by plaidworks.com (8.10.1/8.10.1) with ESMTP id eBA4bq212490; Sat, 9 Dec 2000 20:37:52 -0800
Mime-Version: 1.0
Message-Id:
In-Reply-To: <20001209163751.A26816@postmodern.com>
References: <200012092341.RAA07460@celery.tssi.com> <20001209163751.A26816@postmodern.com>
Date: Sat, 9 Dec 2000 20:24:32 -0800
To: "Michael C. Berch" , List Managers
From: Chuq Von Rospach
Subject: Re: Is mailback validation still safe?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

At 4:37 PM -0800 12/9/00, Michael C. Berch wrote:
>A friend who
>operates the small ISP I'm a customer of has done some informal
>monitoring and he concurs, and notes that most spam he sees (in the
>U.S.) originates from, or passes through, systems outside the U.S.

Agreed. And what I see is more spam that's well-formed, in that it's hard to tell that it's spam other than looking at the content and saying "I say this is spam". It used to be easier to programmatically nuke the low hanging fruit, but that's not true any more. (gads. the concept of "high quality spam" is silly, but...)
I am seeing a lot of foreign language spam, also -- but part of that could be happenstance. I see LOTS of Spanish language spam, but it so happens that my name/domain (chuqui.com) matches up nicely with the name of the largest open pit copper mine, which happens to be in Chile. So I think I see stuff that is being targeted at them...

>ISPs in
>countries such as Korea, Indonesia, and India, and the hijacking of
>legitimate commercial and academic systems in countries with less
>network security sophistication than the US, Canada, EU, and Japan.

Yah. I've been tempted at times, in all honesty, to simply assume that ANYTHING that is delivered to me that was touched by a copy of an older version of sendmail is spam, because of the systems that haven't been upgraded. Until something is done to deal with that, the problem is not remotely soluble, but that would require some kind of protocol change to SMTP+, with a lockout of sites that didn't upgrade. I see that chance about as high as the usenet II stuff suddenly succeeding to replace Usenet....

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Sat Dec 9 20:49:52 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id UAA01709; Sat, 9 Dec 2000 20:34:47 -0800 (PST)
Received: from plaidworks.com (plaidworks.com [209.239.169.200]) by honor.greatcircle.com (Postfix) with ESMTP id 66ED217EAF for ; Sat, 9 Dec 2000 20:34:42 -0800 (PST)
Received: from [209.239.169.197] (a197.plaidworks.com [209.239.169.197]) by plaidworks.com (8.10.1/8.10.1) with ESMTP id eBA54X213268; Sat, 9 Dec 2000 21:04:33 -0800
Mime-Version: 1.0
Message-Id:
In-Reply-To: <20001210013636.9D1954800C@athene.jamux.com>
References: <20001210013636.9D1954800C@athene.jamux.com>
Date: Sat, 9 Dec 2000 21:07:32 -0800
To: "John A.
Martin" , Chuq Von Rospach
From: Chuq Von Rospach
Subject: Re: [Mailman-Developers] FYI -- mailback validations no longer safe?
Cc: Vince Sabio , Darrell Fuhriman , Christopher Lindsey , Laurie Sefton , Mailman development , Gene Spafford , Mark fletcher , Axel Jessen , list-managers@greatcircle.com
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

At 8:36 PM -0500 12/9/00, John A. Martin wrote:
> CVR> received lines can be forged, but the one your server adds to
> CVR> tell you who it got the mail from -- the direct connection --
> CVR> can't be (or you have bigger problems).
>
>Would you unconditionally accept postings received at your list host
>from a backup MX?

I'd say it's up to the list admin. That's the advantage of allowing the admin to approve given IP addresses as approved addresses for that email. It can be dealt with on a case by case basis. And if you run into a case where an approved IP is abused, you remove it from the approval list and manually moderate those messages.

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Sat Dec 9 21:34:47 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id VAA02128; Sat, 9 Dec 2000 21:19:50 -0800 (PST)
Received: from plaidworks.com (plaidworks.com [209.239.169.200]) by honor.greatcircle.com (Postfix) with ESMTP id E476117EAE for ; Sat, 9 Dec 2000 21:19:45 -0800 (PST)
Received: from [209.239.169.197] (a197.plaidworks.com [209.239.169.197]) by plaidworks.com (8.10.1/8.10.1) with ESMTP id eBA5no214142 for ; Sat, 9 Dec 2000 21:49:50 -0800
Mime-Version: 1.0
Message-Id:
Date: Sat, 9 Dec 2000 21:37:32 -0800
To: list-managers@greatcircle.com
From: Chuq Von Rospach
Subject: hotmail.com offline?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

Looking at my queues, hotmail.com is offline. And I went and did a quick check, both from home and work, and it seems that www.hotmail.com and their DNS is DOA, too. It's completely off the net.

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Sun Dec 10 01:36:46 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id BAA05251; Sun, 10 Dec 2000 01:32:14 -0800 (PST)
Received: from mailstore-1.mail.knowledge.com (unknown [213.170.2.69]) by honor.greatcircle.com (Postfix) with ESMTP id 7264817EAE for ; Sun, 10 Dec 2000 01:32:00 -0800 (PST)
Received: from async227-12.nas.onetel.net.uk ([212.67.108.227] helo=peterdesktop) by mailstore-1.mail.knowledge.com with asmtp (Exim 3.12 #1) id 1453MQ-0002gr-00; Sun, 10 Dec 2000 10:05:38 +0000
Message-ID: <003201c0628f$5fab96a0$d7a6fea9@knowledge.com>
From: "Peter Galbavy"
To: , "Chuq Von Rospach"
References:
Subject: Re: hotmail.com offline?
Date: Sun, 10 Dec 2000 09:55:30 -0000
Organization: Knowledge Matters Ltd.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

Sorry to be flippant, but "good". Now only yahoo.com and ilk to hope for.

My rather bitchy remark has to do with the other threads re spam and list membership, and I will reply there once I catch up with reading all this mail and getting a coffee.

Happy Sunday morning folks :-)

rgds,
--
Peter Galbavy
Knowledge Matters Ltd.
http://www.knowledge.com/

----- Original Message -----
From: "Chuq Von Rospach"
Sent: Sunday, December 10, 2000 5:37 AM
Subject: hotmail.com offline?

> looking at my queues, hotmail.com is offline. And I went and did
> a quick check, both from home and work, and it seems that
> www.hotmail.com and their DNS is DOA, too. It's completely off the
> net.
>
> --
> Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
> Apple Mail List Gnome (mailto:chuq@apple.com)
>
> We're visiting the relatives. Cover us.

From list-managers-owner Sun Dec 10 04:55:59 2000
From: "Richard Klein"
To: "List Managers"
Subject: Spam and Mailback
Date: Sun, 10 Dec 2000 08:15:21 -0500
Organization: Chevy Chase Computers, Inc.
Message-ID: <006001c062ab$40502de0$24db503f@chevychase.com>
References: <200012092341.RAA07460@celery.tssi.com>

I believe that the mail back feature is to prevent someone from being joined to a list without their consent, which would fill up their mailbox with unwanted mail. It's an old trick. There used to be hacker programs that you could use to join someone to 60 or more lists at one time.

Spam seems to be on the rise.
I've recently upgraded my mail server to take advantage of the anti-Spam features. I've spent a lot of time analyzing Spam. The overwhelming majority of Spam originates here but bounces off servers overseas. Denying mail from Japan has cut down my Spam by about 70%. I'm currently working on the other countries that are Spam sympathizers.

From list-managers-owner Sun Dec 10 06:34:46 2000
From: murr rhame
To: Chuq Von Rospach
Cc: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 09:56:11 -0500 (EST)

On Sat, 9 Dec 2000, Chuq Von Rospach wrote:

> When someone sends a message to a majordomo site that has it
> send you 100 copies of each info file, to be honest, Murr, I
> don't think the person bombed really cares about the
> semantical difference you're arguing about.

So we have one form of mail bombing that we can eliminate completely by using mailback. We have another form of mail bombing that isn't affected one way or the other by using mailbacks. Therefore we can conclude that mailbacks are useless, unsafe, worthless? The logic escapes me. The fact that other abuses are still possible doesn't change the fact that mailback confirmation prevents a common form of mail bombing.
The only certain method to eliminate all forms of mailing list server abuse is to eliminate all servers. Not very practical. Mailback confirmation is effective and serves a practical purpose.

> I first documented these attacks back in, oh, 1996 or so. But
> whatever. This isn't an argument I'll get into.

I've had various servers online since 1994. I've never seen an info/confirm attack. My personal experience says it's quite rare. A few years ago, I saw lots of attempted subscribe forgeries, especially when some idiot recommended forged subscriptions as a revenge technique in a major computer magazine. Forged subscriptions have been a non-issue since I switched to confirmation required server wide.

- murr -

From list-managers-owner Sun Dec 10 08:49:45 2000
From: Chuq Von Rospach
To: Tim Pierce, murr rhame
Cc: Chuq Von Rospach, list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 09:21:08 -0800
In-Reply-To: <20001210121823.H32180@ma-1.rootsweb.com>

At 12:18 PM -0500 12/10/00, Tim Pierce wrote:

> Moreover, Chuq is talking about sending someone 1,000 copies of an
> info file *once*.

Not necessarily. These things are scripted. I've seen evidence that these scripts have been run for periods of time, repeatedly.
--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Sun Dec 10 09:04:49 2000
From: Paul Hoffman / IMC
To: List Managers
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 09:28:57 -0800
References: <200012092341.RAA07460@celery.tssi.com> <20001209163751.A26816@postmodern.com>

At 8:24 PM -0800 12/9/00, Chuq Von Rospach wrote:

> I am seeing a lot of foreign language spam, also -- but part of that
> could be happenstance.

It appears to be happenstance, but once on a list, it gets very ugly. I get about 30 spams a day from China to my personal mail account and, thankfully, not to my lists. Others have been bombarded with spam from Argentina, for example.
--Paul Hoffman, Director
--Internet Mail Consortium

From list-managers-owner Sun Dec 10 09:19:47 2000
From: Tim Pierce
To: Chuq Von Rospach
Cc: murr rhame, list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 12:33:16 -0500
Message-ID: <20001210123316.I32180@ma-1.rootsweb.com>
References: <20001210121823.H32180@ma-1.rootsweb.com>

On Sun, Dec 10, 2000 at 09:21:08AM -0800, Chuq Von Rospach wrote:
> At 12:18 PM -0500 12/10/00, Tim Pierce wrote:
>
> > Moreover, Chuq is talking about sending someone 1,000 copies of an
> > info file *once*.
>
> Not necessarily. These things are scripted. I've seen evidence that
> these scripts have been run for periods of time, repeatedly.

And? The attacker has to remain vigilant and creates more of an audit trail that can get him whacked. Without mailback validation, he could sign someone up to several thousand mailing lists, sit back and enjoy the fun; even if his account gets nuked, he has the pleasure of knowing that his victim is still getting bombed.

I'm with Murr. Mailback validation may not solve every problem in the world, but it is hardly a useless relic of a bygone era, or whatever you are making it out to be.
--
Regards,
Tim Pierce
RootsWeb.com lead system admonsterator and Chief Hacking Officer

From list-managers-owner Sun Dec 10 09:34:47 2000
From: Tim Pierce
To: murr rhame
Cc: Chuq Von Rospach, list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 12:18:23 -0500
Message-ID: <20001210121823.H32180@ma-1.rootsweb.com>

On Sun, Dec 10, 2000 at 09:56:11AM -0500, murr rhame wrote:
> On Sat, 9 Dec 2000, Chuq Von Rospach wrote:
>
> > When someone sends a message to a majordomo site that has it
> > send you 100 copies of each info file, to be honest, Murr, I
> > don't think the person bombed really cares about the
> > semantical difference you're arguing about.
>
> So we have one form of mail bombing that we can eliminate
> completely by using mailback. We have another form of mail
> bombing that isn't affected one way or the other by using
> mailbacks. Therefore we can conclude that mailbacks are useless,
> unsafe, worthless? The logic escapes me. The fact that other
> abuses are still possible doesn't change the fact that mailback
> confirmation prevents a common form of mail bombing.

Moreover, Chuq is talking about sending someone 1,000 copies of an info file *once*.
Mailbacks prevent maliciously subscribing someone to 1,000 lists, thereby sending them thousands of messages *each day* until they have themselves removed from each list, which almost certainly has to be done one at a time.

Only a semantic difference? I don't think so.

--
Regards,
Tim Pierce
RootsWeb.com lead system admonsterator and Chief Hacking Officer

From list-managers-owner Sun Dec 10 09:49:46 2000
From: Chuq Von Rospach
To: murr rhame, Chuq Von Rospach
Cc: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 09:03:16 -0800

> Therefore we can conclude that mailbacks are useless,
> unsafe, worthless? The logic escapes me.

I said I wouldn't get into it, but.. Jeez, Murr, you can be very dense at times. No, I never said that. I never implied that. I never even hinted that. What I did, in fact, hint, is that systems using mailbacks ought to be FIXED to fix this other attack as well.

> > I first documented these attacks back in, oh, 1996 or so. But
> > whatever. This isn't an argument I'll get into.
>
> I've had various servers online since 1994. I've never seen an
> info/confirm attack. My personal experience says it's quite rare.

When I was running majordomo on my apple site, I saw them at least weekly. Maybe the mac anti-PC bigots are smarter than your users or something.
I think the record I saw was one poor idiot who was hit with over 2000 info files in a four hour period.

The answer is quite simple: list servers (and mailbots, and vacation bots and ANYTHING that auto-responds) need to rate-limit their replies to an address. With a vacation bot it's simple, and the standard vacation program has that feature. With MLMs, it's trickier, but doable. And should be done.

But since Murr has never seen this, I guess we needn't bother, since if he hasn't seen it, it can't possibly exist.

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Sun Dec 10 11:19:57 2000
From: Chuq Von Rospach
To: Tim Pierce, murr rhame
Cc: Chuq Von Rospach, list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 11:36:29 -0800
In-Reply-To: <20001210121823.H32180@ma-1.rootsweb.com>

At 12:18 PM -0500 12/10/00, Tim Pierce wrote:

> Only a semantic difference? I don't think so.

You explain to the poor guy whose mailbox has exploded how much worse off he could be. I'm sure he'll appreciate your sympathy.
--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Sun Dec 10 12:19:46 2000
From: Mike Nolan
To: list-managers@GreatCircle.com (List Managers)
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 14:45:22 -0600 (CST)
Message-Id: <200012102045.OAA23124@celery.tssi.com>
Reply-To: nolan@tssi.com

Gee, and here I was thinking that maybe for once we could discuss a substantive topic without resorting to calling each other names. Oh well.

> The answer is quite simple: list servers (and mailbots, and vacation
> bots and ANYTHING that auto-responds) need to rate-limit their
> replies to an address. With a vacation bot it's simple, and the
> standard vacation program has that feature.

Rate limiting on the administrative and archive server ends of a MLM sounds like not only a doable but a very worthwhile feature. It would need to be tuneable, of course, especially with regards to archive or info files.

One approach to this would be to rate limit non-member addresses differently than list member addresses, I suppose.
--
Mike Nolan

From list-managers-owner Sun Dec 10 12:34:48 2000
From: SRE
To: Chuq Von Rospach
Cc: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 12:35:56 -0800
Message-Id: <5.0.0.25.0.20001210123233.00af0b00@pop.climber.org>

At 12:22 AM 12/9/00, Chuq Von Rospach wrote:

> But if you think about it, once that
> validation handshake is complete, there's never ANY further validation

The simple fix is twofold:

First, new subscriptions should be moderated by default until the list owner clears the flag and lets them post freely.

MORE IMPORTANTLY, if you have a continuing problem with people forging From addresses to bypass "post by nonsubscriber" traps, you configure your MLM to require confirmation FROM THE POSTER before the post goes out. Now the worst that happens is the harvested address gets a few confirmation requests before the spammer gives up.

I've done both of these things, after being targeted by a single person with bad intent and persistence, and they work well... if you have the time to moderate new subscribers and explain to people that they need to confirm each post. A hassle, but workable.
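SRE's twofold fix, worked through as an added example (not code from this thread or from any MLM): a member's post is held, a confirmation token is mailed to the address in From:, and the post goes out only when that intact, unexpired, single-use token comes back; new subscribers stay moderated until the owner clears the flag. The secret key, addresses and post bodies are constructed sample values.

```python
"""Per-post confirmation for a mailing list, modelled on SRE's twofold fix.

Added example; not code from the list-managers thread or from any MLM.
A forged From: means the confirmation request lands in the real owner's
mailbox, who simply ignores it, so the forged post never goes out.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Member:
    address: str
    moderated: bool = True  # SRE's first fix: new subscriptions moderated by default


@dataclass
class PostConfirmer:
    secret: bytes                     # server-side key; constructed for this example
    ttl: int = 3 * 24 * 3600          # seconds a confirmation token stays valid
    members: Dict[str, Member] = field(default_factory=dict)
    held: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # post_id -> (sender, body)

    def subscribe(self, address: str) -> Member:
        m = Member(address.lower())
        self.members[m.address] = m
        return m

    def clear_moderation(self, address: str) -> None:
        """List owner clears the flag once a new subscriber looks legitimate."""
        self.members[address.lower()].moderated = False

    def _mac(self, post_id: str, sender: str, expires: int) -> str:
        msg = f"{post_id}|{sender}|{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def route(self, sender: str, body: str, now: int) -> Tuple[str, Optional[str]]:
        """Decide what happens to an incoming post.

        Returns (action, token):
          ("reject", None)     non-member: the "post by nonsubscriber" trap
          ("moderate", None)   member still flagged for owner approval
          ("confirm", token)   held; `token` is mailed to `sender`, never to the list
        """
        sender = sender.lower()
        member = self.members.get(sender)
        if member is None:
            return "reject", None
        if member.moderated:
            return "moderate", None
        post_id = secrets.token_hex(8)
        expires = now + self.ttl
        self.held[post_id] = (sender, body)
        token = f"{post_id}.{expires}.{self._mac(post_id, sender, expires)}"
        return "confirm", token

    def confirm(self, token: str, now: int) -> Optional[Tuple[str, str]]:
        """Release a held post if `token` is intact, unexpired and unused."""
        try:
            post_id, expires_s, mac = token.split(".")
            expires = int(expires_s)
        except ValueError:
            return None
        held = self.held.get(post_id)
        if held is None or now > expires:
            return None
        sender, body = held
        # constant-time check; the MAC binds the token to this post and sender
        if not hmac.compare_digest(mac, self._mac(post_id, sender, expires)):
            return None
        del self.held[post_id]  # single use
        return sender, body
```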
From list-managers-owner Sun Dec 10 13:04:47 2000
From: "David W. Tamkin"
To: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 15:30:57 -0600 (CST)
Message-Id: <200012102130.eBALUv404027@ripco.com>
In-Reply-To: from "John R Levine" at Dec 09, 2000 05:26:06 PM

John Levine wrote,

| This shouldn't be rocket science, but it's impressive how many people
| writing mailing list packages appear to know nothing about the reality of
| the e-mail environment.

I find it more depressing than impressing. It's also unsurprising. Writers of MUAs show again and again that they know next to nothing about email, and those with the strongest marketing outsell those with the best operation. Mailing list management packages go the same way.

Most of the cases of forging another's address to bypass moderation or members-only posting rules that I've heard of involved forging the listowner's address rather than that of a rank-and-file member. That supposedly gets more attention to the post from members, and it defames the list as an entity rather than a single member. Also, such forgeries occur especially on announcement-type lists, where forging a rank-and-file member's address will not accomplish anything (if forgery can be called an accomplishment).
From list-managers-owner Sun Dec 10 13:49:49 2000
From: "Bernie Cosell"
Organization: Fantasy Farm Fibers
To: list-managers@GreatCircle.COM
Date: Sun, 10 Dec 2000 17:15:39 -0500
Subject: Re: Is mailback validation still safe?
Message-Id: <200012102215.eBAMFhs29423@mail.rev.net>
In-reply-to: <5.0.0.25.0.20001210123233.00af0b00@pop.climber.org>

On 10 Dec 2000, at 12:35, SRE wrote:

> MORE IMPORTANTLY, if you have a continuing problem with people forging
> From addresses to bypass "post by nonsubscriber" traps, you configure
> your MLM to require confirmation FROM THE POSTER before the post goes out.

Do posters put up with this? I'd go *nuts* if every time I sent a submission to a mailing list I had to mess around a second time with an 'are you sure' inquiry...
I have enough trouble remembering to change my outgoing mail ID so I don't get non-subscriber bounces..:o)

/Bernie\
--
Bernie Cosell
Fantasy Farm Fibers
mailto:bernie@fantasyfarm.com
Pearisburg, VA
--> Too many people, too few sheep <--

From list-managers-owner Sun Dec 10 14:34:45 2000
From: murr rhame
To: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 18:06:39 -0500 (EST)
In-Reply-To: <5.0.0.25.0.20001210123233.00af0b00@pop.climber.org>

On Sun, 10 Dec 2000, SRE wrote:

> ... MORE IMPORTANTLY, if you have a continuing problem with
> people forging From addresses to bypass "post by
> nonsubscriber" traps, you configure your MLM to require
> confirmation FROM THE POSTER before the post goes out.

This is a good solution... I suspect a personal list password prepended to the body of each post submitted would be easier for subscribers to use in the long run. You could set up the software to send back instructions and a copy of their password if they tried to post without a password.
- murr -

From list-managers-owner Sun Dec 10 14:49:46 2000
From: Chuq Von Rospach
To: nolan@tssi.com, list-managers@GreatCircle.COM (List Managers)
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 15:15:53 -0800
In-Reply-To: <200012102045.OAA23124@celery.tssi.com>

At 2:45 PM -0600 12/10/00, Mike Nolan wrote:

> One approach to this would be to rate limit non-member addresses
> differently than list member addresses, I suppose.

Just use a geometric backoff. The more often a person sends a command, the longer you wait to fill it. After it's been quiet for a period of time, reset the timer. That way you don't hose over someone who asks for the info file and immediately trashes it by mistake and asks for another, but you do limit the damage you do if a luser decides to use your system as a guided missile. Or actually, the way it's used, a mortar..

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.
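The geometric backoff Chuq describes, together with Mike Nolan's member/non-member tiering, as an added example (not code from this thread or from any MLM or vacation program): each further command from one address within the quiet window waits twice as long as the previous one, a spell of silence resets the address, and non-members get a tighter budget than members. Timestamps are plain seconds and the addresses are constructed sample values.

```python
"""Geometric back-off for mailing-list auto-responders (info files,
help replies, vacation messages and the like).

Added example; not code from the list-managers thread or from any MLM.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class _AddressState:
    strikes: int = 0        # commands seen from this address in the current window
    last_seen: float = 0.0  # time of the most recent command


@dataclass
class BackoffLimiter:
    base_delay: float = 60.0        # hold for the first "excess" command, in seconds
    max_delay: float = 6 * 3600.0   # cap, so nobody is ever locked out for good
    quiet_period: float = 3600.0    # silence this long forgets the address
    free_commands: int = 1          # commands answered at once after a reset
    _state: Dict[str, _AddressState] = field(default_factory=dict)

    def delay_for(self, address: str, now: float) -> float:
        """Seconds to hold the auto-reply to `address`; 0.0 means send now.

        Each call records one command, so call it exactly once per request.
        """
        st = self._state.setdefault(address.lower(), _AddressState())
        if now - st.last_seen >= self.quiet_period:
            st.strikes = 0          # the address has been quiet: start over
        st.strikes += 1
        st.last_seen = now
        excess = st.strikes - self.free_commands
        if excess <= 0:
            return 0.0
        # base, 2*base, 4*base, ... so a scripted flood of info requests is
        # spread over days instead of landing in the victim's mailbox at once
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def forget(self, address: str) -> None:
        """Drop the state for an address, e.g. after an admin has reviewed it."""
        self._state.pop(address.lower(), None)


@dataclass
class TieredLimiter:
    """Limit non-members harder than members, per Mike Nolan's suggestion.

    `members` holds lower-cased subscriber addresses.
    """
    members: Set[str]
    member_limiter: BackoffLimiter = field(
        default_factory=lambda: BackoffLimiter(free_commands=3))
    stranger_limiter: BackoffLimiter = field(default_factory=BackoffLimiter)

    def delay_for(self, address: str, now: float) -> float:
        lim = (self.member_limiter if address.lower() in self.members
               else self.stranger_limiter)
        return lim.delay_for(address, now)
```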
From list-managers-owner Sun Dec 10 15:04:46 2000
From: Chuq Von Rospach
To: "David W. Tamkin", list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 15:18:42 -0800
In-Reply-To: <200012102130.eBALUv404027@ripco.com>

At 3:30 PM -0600 12/10/00, David W. Tamkin wrote:

> I find it more depressing than impressing. It's also unsurprising.

There are commercial servers out there that don't follow the basic tenets of the RFCs. It's not just the MUA (and in general, MLMs do pretty well) -- but one need only look at, oh, First Class, which insists on sending errors back to the original poster and ignores envelope info (including Errors-To), or Lotus, where, god help me, someone decided that the "return receipt" should be a system configured item by the admin. And compound that with the "never upgrade" problem, and it gets even nastier.

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.
From list-managers-owner Sun Dec 10 15:19:45 2000
From: Chuq Von Rospach
To: "Bernie Cosell", list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sun, 10 Dec 2000 15:25:44 -0800
In-Reply-To: <200012102215.eBAMFhs29423@mail.rev.net>

> > MORE IMPORTANTLY, if you have a continuing problem with people forging
> > From addresses to bypass "post by nonsubscriber" traps, you configure
> > your MLM to require confirmation FROM THE POSTER before the post goes out.
>
> Do posters put up with this?

I think you could sell the users to accept it. Most of them, at least. Any time you "raise the bar" to participation some will drop out or go elsewhere, but especially if you do it because you're having a problem, you can convince them to work with you. I think if you turned it on arbitrarily or didn't explain well why, they might go crazy or try to hurt you, but it can be justified.

I just made one of my lists moderated, because I was tired of the children trashing the furniture. So far, it's working just fine, and not one person has complained -- and even the brats are behaving, which only proves that they CAN when someone is holding a 2x4 at their skull. (The moderation switch was accompanied by a list mom tantrum that was a classic, in the Bull Durham "they're kids. Scare them" motif.
Seems to have at least got their attention...).

> I have enough trouble remembering to change my
> outgoing mail ID so I don't get non-subscriber bounces..:o)

Another vote for some kind of public key authentication... Someday. (I don't care what your e-mail address is. I care who you are. But the infrastructure to do that just doesn't exist for the mass audience...)

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.

From list-managers-owner Mon Dec 11 15:26:08 2000
From: Chuq Von Rospach
To: J C Lawrence, murr rhame
Cc: Chuq Von Rospach, list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
Date: Sat, 9 Dec 2000 11:03:47 -0800
In-Reply-To: <21672.976384722@kanga.nu>

> > Your analysis looks reasonable at first glance. As you mentioned,
> > most spammers aren't sophisticated enough to implement the system
> > you propose.
>
> It only requires one who then sells his code to others.

Yeah -- and the more I look at this, the more I realize just how flimsy mailbacks are. You simply use hotmail.com to subscribe a "sucker" account, and you NEVER post to it.
You then read back the incoming mail feed, harvest addresses, and then send back the spam as the legitimate subscribers already posting. Using the uunet.net dialup SMTP hack setup, your spambox wanders around the IP range, using offshore open relays, and sends to its heart's content. That's tough to stop. Once the harvester has that hotmail address on your list, it can grab a new address any time it wants, and there's nothing about that hotmail address to identify it as anything other than your normal lurker.

That's trivial to put together in a turnkey package. You'd only catch the stupid ones.

> Given the rate at which porn is moving offshore, especially for
> indirection sites (cf the Google spams), I don't see this as a long
> term problem.

And how many of us actually have the time or energy to litigate? And even if you do -- and you shut down one or two here or there, that doesn't put a dent in the community doing this. It's a pyrrhic victory at best ("our lines were overrun, our army decimated, but we shot the general's horse, sir!")

--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.
From list-managers-owner Mon Dec 11 15:36:04 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id PAA00297; Mon, 11 Dec 2000 15:19:23 -0800 (PST)
Received: by honor.greatcircle.com (Postfix, from userid 1013) id 9105617EB0; Mon, 11 Dec 2000 15:19:17 -0800 (PST)
Received: from athene.jamux.com (athene.jamux.com [209.8.89.251]) by honor.greatcircle.com (Postfix) with ESMTP id D725F17EAF for ; Sat, 9 Dec 2000 17:02:49 -0800 (PST)
Received: from athene.jamux.com (localhost [127.0.0.1]) by athene.jamux.com (Postfix) with ESMTP id 9D1954800C; Sat, 9 Dec 2000 20:36:36 -0500 (EST)
To: Chuq Von Rospach
Cc: Vince Sabio , Darrell Fuhriman , Christopher Lindsey , Laurie Sefton , Mailman development , Gene Spafford , Mark fletcher , Axel Jessen , list-managers@greatcircle.com
Subject: Re: [Mailman-Developers] FYI -- mailback validations no longer safe?
In-reply-to: (Chuq Von Rospach; Sat, 09 Dec 2000 15:20:08 -0800)
X-URL: http://www.tux.org/~jam/
X-PGP-Fingerprint: 5F05 15CF 05D2 E8D3 E7FA 8C6A 504B EFD5 BFE2 5F2F
X-Attribution: jam
Mime-Version: 1.0 (generated by tm-edit 1.5)
Content-Type: text/plain; charset=US-ASCII
Date: Sat, 09 Dec 2000 20:36:36 -0500
From: "John A. Martin"
Message-Id: <20001210013636.9D1954800C@athene.jamux.com>
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "CVR" == Chuq Von Rospach
>>>>> "Re: [Mailman-Developers] FYI -- mailback validations no longer safe?"
>>>>> Sat, 9 Dec 2000 15:20:08 -0800

CVR> Second idea puts the onus on the list admin. There is one
CVR> other identifying piece of info we know about the poster that
CVR> can't be forged. it is the IP address of the machine that
CVR> relays the mail to your MLM machine. All of the OTHER
CVR> received lines can be forged, but the one your server adds to
CVR> tell you who it got the mail from -- the direct connection --
CVR> can't be (or you have bigger problems).
Would you unconditionally accept postings received at your list host from a backup MX? Once the SMTP-relay check is deployed the spammer will just relay through one of the target's MX hosts[1]. Checking back through the trace of backup MX hosts could get messy considering the variations in received header fields, no?

jam

Footnotes:
[1] I've noticed senders that get rejected by MTA anti-spam measures try a backup MX host shortly thereafter.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: OpenPGP encrypted mail preferred. See

iEYEARECAAYFAjoy3f4ACgkQUEvv1b/iXy8LPgCdFDtLWwICvI9LJEL+dpmXqnqQ
c1wAn1Y5liEbzdKzgj2+n8ZtNm8Pvw9T
=mMZC
-----END PGP SIGNATURE-----

From list-managers-owner Tue Dec 12 09:21:05 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id JAA13681; Tue, 12 Dec 2000 09:15:20 -0800 (PST)
Received: from smtp.america.net (smtp.america.net [199.170.121.14]) by honor.greatcircle.com (Postfix) with ESMTP id 55D6D17E8B for ; Tue, 12 Dec 2000 09:15:15 -0800 (PST)
Received: from Inspiron7000 ([208.144.253.39]) by smtp.america.net (8.9.1/8.9.1) with SMTP id MAA18761 for ; Tue, 12 Dec 2000 12:49:26 -0500 (EST)
Message-Id: <4.1.20001212120815.00aeb820@mail.iecc.com>
X-Sender: xmargy@mail.iecc.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 12 Dec 2000 12:15:49 -0500
To: list-managers@GreatCircle.COM
From: Margaret Levine Young
Subject: Re: Is mailback validation still safe?
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

Another issue I have with the various schemes to prevent users from using the mailback validation loopholes that y'all have identified: I've got a bunch of novice list managers, and only the site manager (Lance Brown) is technically savvy. We can't require that the list managers do much more than add and delete people, and host the conversations.
The spam-fighting has got to be done at the site level. So far, I'm hearing that we should configure all our lists site-wide to require managers to approve the posts of new subscribers for X days (to be determined).

Margy Levine Young
Coauthor of "The Internet For Dummies" and "Poor Richard's Building Online Communities".
Looking for kids' videos? Check out

From list-managers-owner Tue Dec 12 14:36:39 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id OAA16325; Tue, 12 Dec 2000 14:29:31 -0800 (PST)
Received: from smtp2.vnet.net (smtp2.vnet.net [166.82.1.32]) by honor.greatcircle.com (Postfix) with ESMTP id B3C1217E8B for ; Tue, 12 Dec 2000 14:29:25 -0800 (PST)
Received: from katie.vnet.net (katie.vnet.net [166.82.1.7]) by smtp2.vnet.net (8.10.1/8.10.1) with ESMTP id eBCN3gc09838 for ; Tue, 12 Dec 2000 18:03:43 -0500 (EST)
Received: from localhost (murr@localhost) by katie.vnet.net (8.9.3+Sun/8.9.1) with ESMTP id SAA06608 for ; Tue, 12 Dec 2000 18:03:42 -0500 (EST)
Date: Tue, 12 Dec 2000 18:03:42 -0500 (EST)
From: murr rhame
To: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
In-Reply-To: <4.1.20001212120815.00aeb820@mail.iecc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Tue, 12 Dec 2000, Margaret Levine Young wrote:
> So far, I'm hearing that we should configure all our lists
> site-wide to require managers to approve the posts of new
> subscribers for X days (to be determined).

Actually, X moderator approved posts is safer than moderating new subscriptions for X days. I doubt you'll find many spammers who are willing to write two or three on-topic posts just to inject one spam to a mailing list. Also, checking a couple of posts from new subscribers will give you the opportunity to catch most newbie mistakes like "me too!"
posts, quoting back an entire digest, wildly off-topic posts, posting "stop my subscription" requests, flame baiting and such.

- murr -

From list-managers-owner Wed Dec 13 07:07:16 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id GAA27578; Wed, 13 Dec 2000 06:50:42 -0800 (PST)
Received: from smtp.america.net (smtp.america.net [199.170.121.14]) by honor.greatcircle.com (Postfix) with ESMTP id 3A41D17E8B for ; Wed, 13 Dec 2000 06:50:37 -0800 (PST)
Received: from Inspiron7000 ([208.144.253.31]) by smtp.america.net (8.9.1/8.9.1) with SMTP id KAA22465 for ; Wed, 13 Dec 2000 10:25:00 -0500 (EST)
Message-Id: <4.1.20001213102046.00acf100@mail.iecc.com>
X-Sender: xmargy@mail.iecc.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 13 Dec 2000 10:21:38 -0500
To: list-managers@GreatCircle.COM
From: Margaret Levine Young
Subject: Re: Is mailback validation still safe?
In-Reply-To:
References: <4.1.20001212120815.00aeb820@mail.iecc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

>Actually, X moderator approved posts is safer than moderating new
>subscriptions for X days. I doubt you'll find many spammers who
>are willing to write two or three on-topic posts just to inject
>one spam to a mailing list. Also, checking a couple of posts
>from new subscribers will give you the opportunity to catch most
>newbie mistakes like "me too!" posts, quoting back an entire
>digest, wildly off-topic posts, posting "stop my subscription"
>requests, flame baiting and such.

Yes, good point. Thanks! (We're probably moving our lists to MailMan, and I'll have to check whether it can handle that automagically.)

Margy Levine Young
Coauthor of "The Internet For Dummies" and "Poor Richard's Building Online Communities".
Looking for kids' videos?
Check out

From list-managers-owner Wed Dec 13 10:06:55 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id KAA29421; Wed, 13 Dec 2000 10:00:33 -0800 (PST)
Received: from dingo.kanga.nu (w212.z064001167.sjc-ca.dsl.cnc.net [64.1.167.212]) by honor.greatcircle.com (Postfix) with ESMTP id 30AA317E8B for ; Wed, 13 Dec 2000 10:00:27 -0800 (PST)
Received: from (kanga.nu) [127.0.0.1] by dingo.kanga.nu with esmtp (Exim 3.16 #1 (Debian)) id 146Gjl-0007a8-00; Wed, 13 Dec 2000 10:34:45 -0800
To: Margaret Levine Young
Cc: list-managers@GreatCircle.COM
Subject: Re: Is mailback validation still safe?
In-Reply-To: Message from Margaret Levine Young of "Wed, 13 Dec 2000 10:21:38 EST." <4.1.20001213102046.00acf100@mail.iecc.com>
References: <4.1.20001212120815.00aeb820@mail.iecc.com> <4.1.20001213102046.00acf100@mail.iecc.com>
X-face: ?^_yw@fA`CEX&}--=*&XqXbF-oePvxaT4(kyt\nwM9]{]N!>b^K}-Mb9 YH%saz^>nq5usBlD"s{(.h'_w|U^3ldUq7wVZz$`u>MB(-4$f\a6Eu8.e=Pf\
X-image-url: http://www.kanga.nu/~claw/kanga.face.tiff
X-url: http://www.kanga.nu/~claw/
Date: Wed, 13 Dec 2000 10:34:45 -0800
Message-ID: <29147.976732485@kanga.nu>
From: J C Lawrence
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Wed, 13 Dec 2000 10:21:38 -0500 Margaret Levine Young wrote:
>> Actually, X moderator approved posts is safer than moderating new
>> subscriptions for X days.

> Yes, good point. Thanks! (We're probably moving our lists to
> MailMan, and I'll have to check whether it can handle that
> automagically.)

Currently it can't. Rather under the covers I'm working on a process queue based architecture proposal for Mailman v3 that is/will be capable of this.
--
J C Lawrence                                 claw@kanga.nu
---------(*)                     : http://www.kanga.nu/~claw/
--=| A man is as sane as he is dangerous to his environment |=--

From list-managers-owner Wed Dec 20 19:49:13 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id TAA26739; Wed, 20 Dec 2000 19:36:30 -0800 (PST)
Received: from www.wordbot.com (unknown [206.111.145.245]) by honor.greatcircle.com (Postfix) with ESMTP id E466D17EC3 for ; Wed, 20 Dec 2000 19:36:24 -0800 (PST)
Received: from ellen.mills.edu (ellen.spertus.com [206.111.145.243]) by www.wordbot.com (8.9.3/8.8.7) with ESMTP id VAA24422; Wed, 20 Dec 2000 21:09:33 -0800
Message-Id: <5.0.1.4.0.20001220195622.05bfe9a0@mail.brightmail.com>
X-Sender: spertus%mills.edu@mail.brightmail.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0.1
Date: Wed, 20 Dec 2000 20:16:09 -0800
To: list-managers@GreatCircle.COM
From: Ellen Spertus
Subject: How to get reply-all to work
Cc: spertus@mills.edu
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

I am writing a mailing-list manager and am trying to figure out how to set the headers so that:

- the client's reply command causes mail to go to the original sender
- the client's reply-all command causes mail to go to the original sender and the list

I like Dan Bernstein's suggestions re Mail-Follow-Up and Mail-Reply-To (http://cr.yp.to/proto/replyto.html) but don't know if they're actually supported by MUAs.

What I'm currently doing is using the original sender as reply-to, the list name as cc, and the recipients as bcc. To prevent infinite regress, the list manager ignores messages sent by itself. This worked fine when I sent the same message to all subscribers. For n subscribers, I would send 1 message with n+1 recipients.

The problem is I'm switching to using VERPs (http://cr.yp.to/proto/verp.txt), which require a distinct message for each subscriber.
This would require me to send n messages, each with 2 recipients (the real recipient and the list (so reply-all works)). This would cause me to send n wasteful list->list messages, which I would rather avoid.

How do other people handle this?

Ellen

P.S. FYI, the mailing list manager I'm writing (javamlm) is based on ezmlm but provides greater per-user customization and easier programmer extensibility. With its greater power but lesser scalability, it's aimed at communities of thousands (not millions) of users.

From list-managers-owner Thu Dec 21 05:37:18 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id FAA04627; Thu, 21 Dec 2000 05:27:34 -0800 (PST)
Received: from stmpy-3.cais.net (stmpy-3.cais.net [205.252.14.73]) by honor.greatcircle.com (Postfix) with ESMTP id 4BB3817EAF for ; Thu, 21 Dec 2000 05:27:29 -0800 (PST)
Received: from newnt.cais.com ([198.69.129.60]) by stmpy-3.cais.net (8.11.1/8.11.1) with ESMTP id eBLE3Gu27271 for ; Thu, 21 Dec 2000 09:03:16 -0500 (EST)
Message-Id: <5.0.2.1.0.20001221083935.00b2a920@pop.cais.com>
X-Sender: firschng@pop.cais.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Thu, 21 Dec 2000 08:44:11 -0500
To: List-Managers@GreatCircle.COM
From: Dorothy Firsching
Subject: eGroups
In-Reply-To: <200012100449.UAA01825@honor.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

What have you folks done to keep eGroups from hijacking your lists?

I just received a message from them saying:

"You recently submitted a message to several of our groups simultaneously. This is known as "cross-posting". Generally, cross-posting is acceptable at eGroups. However, if you wish to cross-post to groups, you must be a member of those groups. Because you are not a member of the datamine-l group, your cross-posted message was not delivered to the group.
If you would like to become a member of this group, please visit http://www.egroups.com/subscribe/datamine-l or send email to datamine-l-subscribe@egroups.com

For further assistance, please email support@egroups.com or visit http://www.egroups.com/help"

I am not only a member of the datamine-l@nautilus-sys.com, I founded it several years ago and administer it! And my message was, of course, posted, because the list is moderated and I approved it. Their version is "free" and "unmoderated". I went to eGroups and found out the list was founded on October 22, 2000.

Has anyone had any success in getting them to stop doing this?

Dorothy Firsching

Dorothy Firsching
CEO
Nautilus Systems, Inc.
3867 Alder Woods Court
Fairfax, VA 22032

From list-managers-owner Thu Dec 21 05:59:52 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id FAA04731; Thu, 21 Dec 2000 05:38:01 -0800 (PST)
Received: from sws5.ctd.ornl.gov (sws5.ctd.ornl.gov [160.91.68.105]) by honor.greatcircle.com (Postfix) with SMTP id 388CE17EAF for ; Thu, 21 Dec 2000 05:37:56 -0800 (PST)
Received: (qmail 537564 invoked by uid 3995); 21 Dec 2000 14:13:44 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14914.4119.681881.452416@sws5.ctd.ornl.gov>
Date: Thu, 21 Dec 2000 09:13:43 -0500
From: Dave Sill
To: list-managers@GreatCircle.COM
Subject: Re: How to get reply-all to work
In-Reply-To: <5.0.1.4.0.20001220195622.05bfe9a0@mail.brightmail.com>
References: <5.0.1.4.0.20001220195622.05bfe9a0@mail.brightmail.com>
X-Mailer: VM 6.76 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2)
Organization: Oak Ridge National Lab, Oak Ridge, Tenn., USA
X-Face: "p~Q]mg{;e*}YR|)&Q/&Q\*~5UWfZX34;5M

wrote:

>The problem is I'm switching to using VERPs
>(http://cr.yp.to/proto/verp.txt), which require a distinct message for each
>subscriber.
>This would require me to send n messages, each with 2
>recipients (the real recipient and the list (so reply-all works)). This
>would cause me to send n wasteful list->list messages, which I would rather
>avoid.

I think you're missing the distinction between the header of the message and the envelope. When a normal user sends mail, the MTA usually constructs an SMTP envelope based on the header, so they're probably not aware of the distinction. But a list manager is a very different critter. The SMTP envelope(s) it creates from the original message are very little like the header.

For example, take a simple person-to-person message:

  From: joe@tigger
  To: sue@piglet
  Subject: Meeting tomorrow

  blah blah blah...

When tigger's MTA sends the message to piglet, it creates an "envelope" via the SMTP MAIL, RCPT, and DATA commands:

  Envelope:
    Sender: joe@tigger.example.com
    Recipient: sue@piglet.example.com
  Message:
    From: joe@tigger.example.com
    To: sue@piglet.example.com
    Subject: Meeting tomorrow

    blah blah blah...

If joe had BCC'd the message to pat@pooh, then an additional envelope/message pair would have been created:

  Envelope:
    Sender: joe@tigger.example.com
    Recipient: pat@pooh.example.com
  Message:
    From: joe@tigger.example.com
    To: sue@piglet.example.com
    Subject: Meeting tomorrow

    blah blah blah...

The only difference is the envelope recipient.

Now consider what happens with mail to a mailing list. First, the user sends the message to the list manager:

  From: joe@tigger.example.com
  To: joes-group@mailhub.example.com
  Subject: Group meeting tomorrow

  blah blah blah...

That results in an envelope/message pair like the first example above. Next, the list manager does its stuff: checking the validity of the sender, adding headers/footers to the message, etc., and, finally, it resends the message to the subscribers (sue, pat, etc.).
The final result is a set of envelope/message pairs like:

  Pair 1:
    Envelope:
      Sender: joes-group-owner@tigger.example.com
      Recipient: sue@piglet.example.com
    Message:
      From: joe@tigger.example.com
      To: joes-group@mailhub.example.com
      Subject: Group meeting tomorrow

      blah blah blah...

  Pair 2:
    Envelope:
      Sender: joes-group-owner@tigger.example.com
      Recipient: pat@pooh.example.com
    Message:
      From: joe@tigger.example.com
      To: joes-group@mailhub.example.com
      Subject: Group meeting tomorrow

      blah blah blah...

  etc.

I.e., it looks much like the recipients were BCC'd on the original message. Note that only the envelope recipient changes from one pair to the next.

The only difference for VERP'd lists is that the envelope sender also changes for each pair. E.g.:

  Pair 1:
    Envelope:
      Sender: joes-group-return-sue=piglet.example.com@tigger.example.com
      Recipient: sue@piglet.example.com
    Message:
      From: joe@tigger.example.com
      To: joes-group@mailhub.example.com
      Subject: Group meeting tomorrow

      blah blah blah...

  Pair 2:
    Envelope:
      Sender: joes-group-return-pat=pooh.example.com@tigger.example.com
      Recipient: pat@pooh.example.com
    Message:
      From: joe@tigger.example.com
      To: joes-group@mailhub.example.com
      Subject: Group meeting tomorrow

      blah blah blah...

  etc.

So the bottom line is that you don't have to send the message to any addresses just because they appear in the header of the message--you just need to specify the envelope recipient when you inject the message, rather than letting the mailer construct one from the header.
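The envelope/header separation Dave describes, as an added example that is not part of his message, of Ellen's javamlm or of ezmlm (constructed names: the list joes-group@mailhub.example.com with bounces returned via tigger.example.com in the LIST-return-LOCAL=DOMAIN@HOST form of the pairs above, and a stub transport standing in for a real SMTP session). Each subscriber gets its own envelope pair while the header, and hence what reply-all does, is left exactly as the poster wrote it; the VERP return address is also decoded back to the subscriber, which is what the per-recipient envelope sender buys you.

```python
# Added example, not from Dave Sill's message, Ellen Spertus's javamlm or ezmlm.
# Assumed names (constructed): joes-group@mailhub.example.com returns bounces
# via tigger.example.com using the LIST-return-LOCAL=DOMAIN@HOST form shown in
# Dave's pairs; a stub transport stands in for an SMTP MAIL/RCPT/DATA session.
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

LIST_ADDR = "joes-group@mailhub.example.com"
RETURN_HOST = "tigger.example.com"
RETURN_PREFIX = "joes-group-return-"
_VERP_RE = re.compile(re.escape(RETURN_PREFIX)
                      + r"(?P<local>[^@]+)=(?P<domain>[^=@]+)@"
                      + re.escape(RETURN_HOST))

def verp_sender(subscriber):
    """Envelope sender for one subscriber's copy: the subscriber is encoded in
    the return address, so a bounce identifies who failed whatever its body says."""
    local, domain = subscriber.rsplit("@", 1)
    return f"{RETURN_PREFIX}{local}={domain}@{RETURN_HOST}"

def verp_subscriber(return_addr):
    """Inverse of verp_sender, applied to a bounce's envelope recipient. The
    greedy local group keeps any '=' that belongs to the subscriber's local
    part, since a domain never contains '='. Returns None for non-VERP addresses."""
    m = _VERP_RE.fullmatch(return_addr)
    return f"{m['local']}@{m['domain']}" if m else None

def list_copy(original):
    """The header is left as the poster wrote it (From: poster, To: list), so a
    MUA's reply goes to the poster and reply-all to poster + list."""
    msg = EmailMessage()
    for name in ("From", "To", "Subject"):
        msg[name] = str(original[name])
    msg.set_content(original.get_content())
    return msg

def distribute(original, subscribers, transport):
    """One envelope/message pair per subscriber. Each envelope carries that
    subscriber alone as recipient; the list address lives in the header only,
    so no list->list copy is ever injected. Returns the (sender, rcpts) pairs."""
    data = list_copy(original).as_string()
    pairs = []
    for sub in subscribers:
        env_sender = verp_sender(sub)
        transport(env_sender, [sub], data)   # MAIL FROM / RCPT TO / DATA
        pairs.append((env_sender, [sub]))
    return pairs

def reply_all_targets(raw):
    """What a MUA derives for reply-all from the header alone: From + To + Cc."""
    msg = message_from_string(raw, policy=default)
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr for _, addr in getaddresses(fields)})

def demo():
    """Constructed posting from joe, delivered to two subscribers."""
    post = EmailMessage()
    post["From"] = "joe@tigger.example.com"
    post["To"] = LIST_ADDR
    post["Subject"] = "Group meeting tomorrow"
    post.set_content("blah blah blah...")
    outbox = []  # stub transport: records (envelope sender, recipients, data)
    pairs = distribute(post, ["sue@piglet.example.com", "pat@pooh.example.com"],
                       lambda s, r, d: outbox.append((s, r, d)))
    return pairs, outbox

if __name__ == "__main__":
    for sender, rcpts, _ in demo()[1]:
        print("MAIL FROM:", sender, " RCPT TO:", ", ".join(rcpts))
```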
-Dave

From list-managers-owner Thu Dec 21 09:20:29 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id JAA06509; Thu, 21 Dec 2000 09:10:18 -0800 (PST)
Received: from smtp2.vnet.net (smtp2.vnet.net [166.82.1.32]) by honor.greatcircle.com (Postfix) with ESMTP id 3DC6317EAF for ; Thu, 21 Dec 2000 09:10:13 -0800 (PST)
Received: from katie.vnet.net (katie.vnet.net [166.82.1.7]) by smtp2.vnet.net (8.10.1/8.10.1) with ESMTP id eBLHk2L10845 for ; Thu, 21 Dec 2000 12:46:02 -0500 (EST)
Received: from localhost (murr@localhost) by katie.vnet.net (8.9.3+Sun/8.9.1) with ESMTP id MAA12616 for ; Thu, 21 Dec 2000 12:46:01 -0500 (EST)
Date: Thu, 21 Dec 2000 12:46:00 -0500 (EST)
From: murr rhame
To: List-Managers@GreatCircle.COM
Subject: Re: eGroups
In-Reply-To: <5.0.2.1.0.20001221083935.00b2a920@pop.cais.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: list-managers-owner@GreatCircle.COM
Precedence: bulk

On Thu, 21 Dec 2000, Dorothy Firsching wrote:
> What have you folks done to keep eGroups from hijacking your
> lists?
>
> I just received a message from them saying:
>
> Because you are not a member of the datamine-l group, your
> cross-posted message was not delivered to the group.

> I am not only a member of the datamine-l@nautilus-sys.com,
> I founded it several years ago and administer it! And my
> message was, of course, posted, because the list is
> moderated and I approved it. Their version is "free" and
> "unmoderated".

> Has anyone had any success in getting them to stop doing this?

There is an eGroups list with the same topic and a similar name as my most popular list. I have never considered their copy a hijacking. Someone just wanted a similar list with a slightly different spin. The alternative list hasn't bothered me in the least. I have made no effort to trademark my list name. I haven't seen a lot of cross-posting. Subscribers are at liberty to post the same material to both lists.
If they started to grab material they didn't write themselves and posted it to another forum without the author's permission, I would be upset.

How do you know eGroups (the company) is responsible for creating a list with the same topic as yours? It's a huge site, the chances of them having a similar or duplicate list for nearly any topic are pretty high. Have you contacted the list owner of the eGroups list? Try datamine-l-owner@egroups.com.

- murr -

From list-managers-owner Thu Dec 21 09:50:27 2000
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id JAA06766; Thu, 21 Dec 2000 09:41:43 -0800 (PST)
Received: from hostigos.otherwhen.com (unknown [63.103.205.3]) by honor.greatcircle.com (Postfix) with ESMTP id 9BC2817EAF for ; Thu, 21 Dec 2000 09:41:35 -0800 (PST)
Received: from mail.otherwhen