Great Circle Associates List-Managers
(October 1997)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: sunyjefferson.edu
From: "Ronald F. Guilmette" <rfg @ monkeys . com>
Date: Sat, 25 Oct 1997 21:23:50 -0700
To: list-managers @ GreatCircle . COM (List Managers)
In-reply-to: Your message of Fri, 24 Oct 1997 10:36:25 -0500. <199710241536.KAA30878@celery.tssi.com>
Reply-to: rfg @ monkeys . com


In message <199710241536.KAA30878@celery.tssi.com>, 
nolan@tssi.com wrote:

>One of my lists had 10 addresses from stumail.sunyjefferson.edu added to it
>this week, 7 of them within a few minutes of each other.
>
>It looks like they all came through a CCmail gateway within that domain.
>
>I've taken them all off my lists on the theory that this was either a
>malicious act on someone's part or some kind of class exercise.  One
>of them returned numerous encoded posts back to my list with the word 
>'UNSCRIBE' as the subject, I took that to be a somewhat clueless attempt 
>to unsubscribe.

Well, now that the topic has been braoched (at least indirectly) there is
something... and issue... that I have been meaning to raise specifically
with the people on this list for awhile now... like ever since I got onto
the list.

I came here in part to chat about spam filtering (a subject which is
obviously as near and dear to the hearts of many on this list as it is
to me) but primarily, I can here to raise one much bigger issue, which
has had me absolutely fuming on two separate occasions in the past two
weeks.

I have not discussed this widely (yet) but two addresses on my company
server system, <sales@e-scrub.com> and also <support@e-scrub.com> have
been subjected to two separate subscription bombing attacks within the
past two week.  Each one involved 84 different mailing lists, essentially
none of which employ a standard subscription confirmation protocol (i.e.
requesting an affirmative E-mail response from the new subscriber, with-
out which the tenative subscription will harmlessly expires of its own
accord).

I am still here, and still on-line, so obviously I was able to survive
these premeditated attacks, but each one was quite disruptive and took
quite a lot of time and effort to cleanup.  Not only did I have to wade
through tons of useless mail to get to my _real_ mail, but I also had
to go around and bug (in some cases several times to people who apparently
don't even speak English and who have no desire to learn) to take me off
of their *&^$#@@&&%#$^& lists.

In the majority of cases, the list admins wrote me back expressing surprise
and saying ``But when you went to this web page and signed up, you were
asking to be on our list!''  (This was _after_ I has sent them all a quite
detailed and elaborate message explaining that my address had been forged,
and that I had been subjected to a subscription bomb.)

In short, the majority of the list admins involved displayed a density
rivaling that of lead.

This fact of course meant that I had my work cut out for me when (in my
always hopeful frame of mind) I attempted to convinve essentially all of
them of my belief that running a list _without_ a subscription validation
protocol which requires a confirmation from the (alleged) new subscriber
was at the very least anti-social, and at worst bordering on criminal.

They all just keep saying ``But it is so easy to go to our web site and
get subsubscribed!''

``Great!'' I said, ``But what if I had just been leaving for a three month
vacation when this subscription bombing was starting?  I would have come
back to a full disk a a crashed server!''

``But this has never happend before!'' they all protested.

``It has happened now!'' I said ``And someone out there with evil intent
now knows about this web page where he/she can go to sign up people to
84 mailing lists at a time almost effortlessly!  So I think you can bet
that although this was the first time, it won't be the last.''

``But making people reply before we finalize their subscriptions would
be a hassel for our legitimate subscribers!'' they all said.

``Swell.'' I said.  ``So you don't mind screwing a few people so long as
your legitimate customers are not inconvenienced.''

Mots of these approximately 84 E-Mail conversations tapered off to nothing,
right about at this point in the conversation.  (Of course in the case of
the French and Brazillian lists I was subscribed to, things never made it
anywhere near this far, because the list admins in question apparently
were unable to read even my original nasty-grams demanding to be taken
off their lists, and thus, only some small scale mailing-bombings of the
relevant admin addresess proved sufficient in these cases to actually
trigger my removal from these particular lists.)

So anyway, I think that this story has made it clear what _my_ feelings
are about mailing lists that do not require active confirmations of sub-
scriptions.  (Basically, I think that running such lists is every bit as
negligent as giving a teenager the keys to the car _and_ to the liquor
cabinet.)  Now I would like to listen to some other people's opinions
on this.

The fundamental question (as far as I am concerned) and the one I would
like to see there be some discussion of here is just this... Is it morally
or ethically defensible to run a mailing list on the net in this day and
age in such a way that it can be abused to cause (or at least contribute
to) potentially massive harm to other individuals or businesses on the net?
If not then why are people still doing it?

P.S.  I actually feel fortunate.  I was only signed up for 84 lists in each
of two separate incidents.  I have recently heard a rumor about one fellow
who had complained about some spam to the spammer's ISP and who subsequently
ended up on THOUSANDS of lists.  This is the kind of thing that could po-
tentially put a small business whose main interactions with its customers
is via E-Mail out of business for good.  I hope we never see that actually
happen.

P.P.S. I used to think that spam and ordinary mail-bombing were bad.  But
I've now had a nice first hand demonstration of the fact that those are
just like so-called Saturday Night Specials (handguns) whereas subscription
bombs, if done on a sufficiently large scale, are more like nuclear weapons
by comparison.  I am serious when I say that I think this sort of thing is
a real threat to essentially everyone on the net.  _Anyone_ could be next.

-- Ron Guilmette, Roseville, California ---------- E-Scrub Technologies, Inc.
-- Deadbolt(tm) Personal E-Mail Filter demo: http://www.e-scrub.com/deadbolt/
-- Wpoison (web harvester poisoning) - demo: http://www.e-scrub.com/wpoison/


Follow-Ups:
References:
Indexed By Date Previous: New Spammer address hard to block, etc!
From: "W. David Samuelsen" <dsam@wasatch.com>
Next: Re: While we are ranting....
From: Vince Sabio <vince@humournet.com>
Indexed By Thread Previous: sunyjefferson.edu
From: Mike Nolan <nolan@celery.tssi.com>
Next: Re: verification II (was: Re: sunyjefferson.edu)
From: David Lundell <delundel@netguide.com>

Google
 
Search Internet Search www.greatcircle.com