Great Circle Associates List-Managers
(October 1997)

Subject: Re: sunyjefferson.edu
From: "Ronald F. Guilmette" <rfg @ monkeys . com>
Date: Sun, 26 Oct 1997 15:05:14 -0800
To: list-managers @ GreatCircle . COM
In-reply-to: Your message of Sun, 26 Oct 1997 13:58:47 +0000. <199710261904.LAA29943@monkeys.com>
Reply-to: rfg @ monkeys . com


In message <199710261904.LAA29943@monkeys.com>, amys@iquest.net wrote:

>On 25 Oct 97 at 21:23, Ronald F. Guilmette wrote:
>
>> I am still here, and still on-line, so obviously I was able to survive
>> these premeditated attacks, but each one was quite disruptive and took
>> quite a lot of time and effort to clean up.  Not only did I have to wade
>> through tons of useless mail to get to my _real_ mail, but I also had
>> to go around and bug (in some cases several times to people who apparently
>> don't even speak English and who have no desire to learn) to take me off
>> of their *&^$#@@&&%#$^& lists.
> 
>You know Ron, we are people too and quite frankly, had I received a 
>request even remotely worded like that I would have ignored it (for 
>your own protection).  Why?  Because I NEVER subscribe someone to one 
>of my lists and I'm assuming that even if you were subscribed against 
>your wishes...

Even if??  I was.  That's the truth.

>... you received welcome letters that gave you explicit 
>instructions on how to unsubscribe.

So do most of the E-mail spams that I get.  What's your point?

_My_ point is that I do not believe that it should be incumbent upon me
to wade through some convoluted procedure (either web-based or mail based)
...which by the way was different and unique for each of the lists that was
used to subscription bomb me... for dozens and dozens of lists that I never
asked to be on in the first place.  Seriously, this is no different than
what most spammers do... They sign you up to _their_ lists and then force
you to jump through _their_ hoops to get off of _their_ *&^$#@@&&%#$^& lists.

And in any case, just because that first ``greeting'' message often (but
not always) gives instructions for getting off the list, that still isn't
terribly useful if I happen to be out of town (either on vacation or on
an extended business trip) at the time the subscription bomb is initiated.
As I mentioned earlier, the excuse that instructions are given for getting
one's self off the list doesn't really wash, given this potentially
disastrous possibility.

>Secondly, I don't like being talked to like that.

And I _really_ don't like being subscription bombed with the help of badly
configured mailing lists (and their operators), so that would make us even,
yes?

>On the other hand, I have removed all non-confirming WWW gateways 
>that only require you put in an address for the very reason you've 
>stated.

Good.  I think that is a good first step, and I applaud you for that.

But if you still accept (and finalize) subscriptions based upon a single
(possibly forged) subscription request sent in via _any_ medium (e.g.
E-mail) then your list can still be abused by unscrupulous individuals
intent upon causing harm to others.

>> In the majority of cases, the list admins wrote me back expressing surprise
>> and saying ``But when you went to this web page and signed up, you were
>> asking to be on our list!''  (This was _after_ I had sent them all a quite
>> detailed and elaborate message explaining that my address had been forged,
>> and that I had been subjected to a subscription bomb.)
>
>Like somehow they were at fault?

In my opinion, yes.  In a court of law, this is what is commonly called
``contributory negligence''.  The analogy I used before was giving a
teenager the keys to the car _and_ to the liquor cabinet.  Another analogy
might be leaving a box of rocks with a sign on the box saying "drop me"
on a freeway overpass where adolescents may come upon them and think that
it is an exceptionally clever idea to see what happens when a few of the
rocks come into contact with passing windshields.

>If you had the wherewithal to get 
>their addresses to send them this "elaborate message"...

It ain't that hard.  My MUA (Rand UCI/MH) puts the envelope from address
into a Return-Path: header so that I can easily see where errors are
supposed to be sent.

>... why didn't you just take yourself off their list...

Again, I feel forced to point out that this is ``spammer speak''.

Most people who have ever complained about being spammed have had the
experience (at least once) of having the spammer write back and say
``I don't see why you sent me this complaint.  It would have taken you
less time to just follow the directions and get yourself taken off of
our mailing list.''

The bottom line is that I don't do that because I don't just want the
spammers to stop doing what they are doing to _me_... I want them to
stop doing what they are doing to _everybody_.  Likewise in the case
of mailing list admins that operate lists that don't require subscription
validation before finalizing subscriptions.  Sure, I could just do the
expedient thing and get just _my_ address removed, but that's not the
point.  What about the next poor dumb schmuck who gets victimized by
one of these subscription bombs??  _You_ may not care about him or his
mailbox or his life or his business, but I do.  I don't think that
_anybody_ deserves the kind of enormous hassle that results from these
sorts of subscription bombs involving non-validating lists, and I'd like
to see this whole net-wide threat ended.

>...and then send them a message that 
>their list is open to this kind of abuse.

Oh swell.  Now you are saying that while I am tearing my hair out and
trying to clean up the enormous mess that resulted from a subscription
bomb, you expect me to send not one but _two_ messages for each badly
run list that is participating in bombing me, just on the theory that
doing so would be more polite in some vague way.

Sorry, but in the heat of battle, my preferred course of action was to
send off _one_ message to each list admin, hoping to kill two birds with
one stone in each case, with the messages saying (in so many words) ``You
and your list are participating in a subscription bombing attack on my
account/server.  Please remove me from your list(s) and please also fix
your lists so that they cannot be abused in this same way ever again.''

>I found out quite by 
>accident that my smartlist based list had virtually no security in 
>this area, which is the reason why I removed it from the LWgate web 
>site.

You found out by accident???

Maybe what we need is some sort of big warning label on the side of
Majordomo, Listserv, and all other mailing list packages saying ``WARNING:
Improper configuration and use of this software can cause serious harm to
your fellow netizens!  Proceed with caution!''

See, this is the _real_ issue I am griping about... i.e. the fact that
so many list admins out there don't even seem to know before they start up
their lists that this kind of abuse is possible or that it _does_ happen.
Of course I also have a serious beef with the list admins that don't care
even when they _are_ told that their lists can be used to cause harm to
innocent third-parties, and I have a *real* serious beef with mailing list
packages (like one I heard about for Windows NT) that don't even offer
the capability of running a list with a subscription validation protocol.
(One list admin told me that LISTSERV for Windoze NT is in this category.
Can anyone else verify that?)

>> In short, the majority of the list admins involved displayed a density
>> rivaling that of lead.
>
>Probably not.  I would imagine they dug in their heels. 

Is there any functional difference between these two assertions?

Sounds like we are just saying the same thing in two different ways.

>> This fact of course meant that I had my work cut out for me when (in my
>> always hopeful frame of mind) I attempted to convince essentially all of
>> them of my belief that running a list _without_ a subscription validation
>> protocol which requires a confirmation from the (alleged) new subscriber
>> was at the very least anti-social, and at worst bordering on criminal.
>
>LISTSERV has a "global" delete feature that allows you to be removed 
>from every LISTSERV list, which can be handy in this manner.

I assume that this feature you are talking about operates on a per-site
basis, and not over the entire Internet, correct?

Assuming so, that information comes as little comfort to me, as I was
being subscription bombed by 84 different lists hosted on 84 different
sites all around the world.

>Any other list that allows commands to be put in the subject (Lyris, 
>Smartlist) could have been put in a boilerplate kind of message.  So 
>if you had put all the -request addresses and one LISTSERV address...

Yes, yes, yes.  But you are still missing the point that not only did *I*
want *this* subscription bomb to be terminated, but I also wanted the
*threat* of subscription bombing attacks to be lessened for the sake
of _all_ netizens everywhere and for all time.... not just for today,
but for tomorrow and the next day, and the day after that.

Do you see what I mean?  What is the point of me going through the
elaborate exercise of doing what you suggest if the perp (whoever he/she
is) could just turn around and do the same thing to me all over again
the very next week?  (And in fact, this is _exactly_ what happened to me.)

You see, you are being short-sighted and just suggesting short-term
methods for dealing with the _symptoms_ of the disease, but you don't
seem to even be thinking about how to cure the disease itself.

>Up until recently, subscription validation was not an issue.  

Really?   Seems to me that I have been reading about such things for YEARS
now.

>In fact, I would still choose ability to customize, ease of use, easy 
>on the resources over subscription validation in searching for a good 
>list management package.

See, that's the kind of attitude that irks me.  It's kinda like saying
``Screw the public good and the public welfare.  It's a lot easier for
me just to dump these barrels of toxic waste into a river over in the
next county... where I personally won't have to deal with the consequences
of that... than it is for me to try to deal with this in a more socially
responsible manner.''

>> They all just keep saying ``But it is so easy to go to our web site and
>> get subscribed!''
> 
>or take yourself off.  When I was using LWGate over half of the 
>subscriptions and unsubscribes came through the web.

Yes, but again, this is ``spammer speak''.

It shouldn't be _my_ job to take myself off of lists that I did not ever
request to be on.  And I have a strong tendency to try to annoy (to the
maximum extent possible) people who think that they can or should shove
such responsibilities unfairly onto _my_ back.  I have plenty of other
stuff to do every day, and I *really* dislike people who (either by acts
of commission or omission) try to create more work for me without paying
me.

>> ``Great!'' I said, ``But what if I had just been leaving for a three month
>> vacation when this subscription bombing was starting?  I would have come
>> back to a full disk and a crashed server!''
>
>I'm having a little problem with this argument for obvious reasons. 

I see.  And what ``obvious reasons'' are those exactly?

Whatever they are, they are _not_ in the least bit obvious to me.

>> ``But this has never happened before!'' they all protested.
>
>Probably not.

It has probably never happened before that anyone has committed murder by
tying someone up and having 3,000 little Radio Shack robots slice them up
into little pieces with X-acto knives either, but it would still be a
crime if it happened.

>> ``Swell.'' I said.  ``So you don't mind screwing a few people so long as
>> your legitimate customers are not inconvenienced.''
>
>This is quite alright as long as you remember every time you stand in 
>line while someone's check is validated (or their credit card) or you 
>are asked to be inconvenienced (like having packages searched) in a 
>store.  Everyone should be inconvenienced because of the evil intent 
>of a few.

I _do_ understand it, and I _do_ accept the reasonable things that we all
have to go through these days because of ``the evil intent of a few''.

I stand and wait patiently for my turn to go through the metal detector
every time I go to the airport, and sometimes I even thank the attendants
for helping to ensure my safety.

>Before you get all upset,...

Oh, it's far too late to stop me from doing _that_.  I was upset from the
first moment that I realized that I had been subscription bombed.

>... I use confirmation for all lists run on my 
>site, and my web site does, too.

Good!  You are one of the Good Guys/Gals!  I applaud you for taking the
job of list admin seriously, and for doing it in a responsible fashion.

>And trust me, it is a hassle for the legitimate subscribers.

A minor hassle, yes.  So are metal detectors at airports, but I for one
am still damn glad that they are there.

>However, it has eliminated the 
>bad addresses, subscription errors, and malicious subscribes.

Yes.

>It also requires that the subscriber have their brain engaged when they 
>subscribe.

Yes.

>BUT, I don't do it for "you", the victim (or potential 
>victim).  I do it for me.

Regardless of the reason, I'd like to thank you anyway.

>Running lists is a "hobby" for me.  I don't 
>get paid for it and I can't be spending hours every day doing a lot 
>of hand-holding.  And while I would have probably responded to a plea 
>of help that you have been maliciously signed onto 84 lists by 
>removing you, my response to anything remotely worded that it was my 
>fault or responsibility that you were on one of my d*#Q lists would 
>have gotten a complaint mailed to YOUR ISP.

Which would have been utterly pointless, because I already know that my
ISP sides with _me_ when it comes to badly run mailing lists.

Anyway, I guess that you and I are just going to have to agree to disagree
about the proper response to a subscription bomb.  Personally, I went out
of my way to be as annoying as I could be to the admins of all of the lists
that I was subscription-bombed onto that didn't require subscription
validations before finalizing the subscriptions.  I felt this was more than
justified because (as I have said) I think that such lists are being run
in a highly anti-social manner.

>After all, there is a 
>right and a wrong way to deal with this kind of thing and the way you 
>chose to deal with it was, in my opinion, very very wrong.  You chose 
>to be a jerk about it and yell at the list owner who didn't have 
>anything to do with your situation...

Again, I beg to differ.  My feeling is that any list admin who sets up a
list in such a way that it does not require an affirmative response from
the (alleged) new subscriber _before_ the subscription is finalized _does_
have a lot to do with the amount of grief and work created by one of these
subscription bombing attacks, and that they are thus guilty of contributory
negligence, and deserve to be chastized for that.

>> So anyway, I think that this story has made it clear what _my_ feelings
>> are about mailing lists that do not require active confirmations of sub-
>> scriptions.  (Basically, I think that running such lists is every bit as
>> negligent as giving a teenager the keys to the car _and_ to the liquor
>> cabinet.)  Now I would like to listen to some other people's opinions
>> on this.
>
>I would say that most list owners don't have a heck of a lot of
>choice over what list management software they are using and try to do
>the best job they can do with the tools they have as most of them are
>"off site" list owners who are essentially being granted the "gift" 
>of resources to run a list.

Granted.  But how many list admin software packages these days fail to
include this capability of doing subscription validations via a (required)
return E-mail from the (alleged) new subscriber?

>Most of us are adults and most of us are above average in computer 
>ability, as site managers don't have the time or desire to train up 
>list owners...

Oh, I'm well aware of that!  (I had the audacity to suggest to one Vice
President of a mid-sized ISP that his company should consider trying to
tell the owners of lists run from his site at least the basics about
modern list administration, _and_ about the possibility for abuse of
mailing lists, and he essentially just laughed at me.)

>... so they don't hand out lists to just anybody who wants to run one.

Wrong. Most ISPs these days _do_ give out list creation/management
privileges to essentially anybody who asks for them.  And if it ain't the ISP
directly doing this, there are also (apparently) great swarms of net-newbies
who have arrived in the past couple of years, many of whom are running
their own lists off of their own Windoze dial-up machines.

>> The fundamental question (as far as I am concerned) and the one I would
>> like to see there be some discussion of here is just this... Is it morally
>> or ethically defensible to run a mailing list on the net in this day and
>> age in such a way that it can be abused to cause (or at least contribute
>> to) potentially massive harm to other individuals or businesses on the net?
>> If not then why are people still doing it?
>
>You could ask the same thing about letting *just anyone* have an
>email account.

Indeed, as a vigorous fighter of spam, I _do_ often ask that exact question.
But I am pragmatic enough to realize that (despite what would be best for
the net) there will never be any such thing as an ``E-mail driver's license''.

But I think that mailing lists, especially when considered en masse (i.e.
as in the total sum of all mailing lists now in existence on the net) are
capable of doing far more damage and grief than any single spammer ever
was, so I view this as a more pressing problem.

>> P.S.  I actually feel fortunate.  I was only signed up for 84 lists in each
>> of two separate incidents.  I have recently heard a rumor about one fellow
>> who had complained about some spam to the spammer's ISP and who subsequently
>> ended up on THOUSANDS of lists.  This is the kind of thing that could po-
>> tentially put a small business whose main interactions with its customers
>> is via E-Mail out of business for good.  I hope we never see that actually
>> happen.
>
>The "average joe" computer user in business is not going to attract 
>this kind of ire.  It's mainly those of you who are very outspoken 
>about spam that have something to be concerned about.

Oh!  Well I guess that makes it OK then, right?

What about Satanists or Marxists or Peruvian Rebels?  Is it a good idea 
for the net to be organized and/or administered in such a way that they can
effectively get bombed off the net by a single dedicated lunatic?  Maybe
that hasn't happened (yet), but there is nothing to say that it could not
happen, given the present situation with mailing lists.

>So while I sympathize with your plight, you are barking up the wrong 
>tree as to who should be "responsible" for dealing with your 
>unfortunate mishap.

And when The Dalai Lama of Tibet gets bombed off the net by some Chinese
government bureaucrat signing _him_ up for 5,000 mailing lists, and when
he has to give up _his_ old E-mail address for good, you will likewise
shrug your shoulders and say ``Well, that's what you get for being so
controversial.''

I hope that you see what I am driving at.

Yes, you are correct that there is undoubtedly a direct correlation be-
tween being controversial and being subscription bombed.

No, this does not mean that the subscription bombs are the fault of the
victim, or that the victim deserves what happens to him, or that such
things should just be allowed to happen.  (It is also no longer acceptable
to just shrug and write off any case of criminal rape by just saying
``Well, you see, she was wearing this really tight short dress...'')

>Commercial list software or list services are 
>out of the financial reach of most listowners (which is why running 
>lists on university machines is highly desirable as actual costs can 
>be buried)  and the free list management software is done gratis and 
>is not and should not be the developer's primary focus.  While I've 
>seen security tighten up considerably in the last couple of years, 
>the overall philosophy of the internet community is still pretty open.  

I don't think this is mostly an issue of what is or isn't available
technology-wise.   I think it is mostly a matter of will and of the
acceptance of personal responsibility.  Correct me if I'm wrong, but
don't many/most/all of the free list admin packages now include
subscription validation capabilities??  If so, and if people just are
being too lazy to use those capabilities, then _that_ is the problem.

>As the Internet has become more of a commercial entity and less of a 
>community entity, and the overall "dumbing down" of the whole process 
>of being online,  there is going to be more of this kind of thing 
>happening.  And again, while I deeply sympathize with your situation 
>the individual list owners were not part of the problem...

I continue to disagree, respectfully.

-- Ron Guilmette, Roseville, California ---------- E-Scrub Technologies, Inc.
-- Deadbolt(tm) Personal E-Mail Filter demo: http://www.e-scrub.com/deadbolt/
-- Wpoison (web harvester poisoning) - demo: http://www.e-scrub.com/wpoison/
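The subscription validation protocol argued for throughout the message above (finalize a subscription only after an affirmative reply from the alleged new subscriber) in working form. This is an added example, not code from the original post and not the behaviour of Majordomo, LISTSERV, Lyris or SmartList; the `MailingList` class, the `request_subscription` / `confirm_subscription` / `legacy_subscribe` / `forged_requests` functions, the HMAC token format, the three-day lifetime, the per-address pending cap and the example addresses are all constructed for illustration. Mail is captured in an in-memory outbox instead of being sent.

```python
"""Confirmed opt-in ("subscription validation") for a mailing list.

Constructed example: a subscribe request arriving over any medium (web
form, e-mail command) only creates a *pending* entry and mails a one-time
token to the named address.  The address joins the list only when that
token comes back.  A forged request therefore costs the victim at most one
confirmation notice per list, never a subscription, and a cap on unanswered
notices keeps a bomb from turning the confirmations themselves into a flood.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Per-server secret used to sign confirmation tokens (generated at start-up
# here; a real deployment would load it from protected configuration).
SERVER_SECRET = secrets.token_bytes(32)

CONFIRM_TTL = 3 * 24 * 3600      # token lifetime in seconds (assumed value)
MAX_PENDING_PER_ADDRESS = 3      # cap on unanswered confirmations per address


@dataclass
class MailingList:
    name: str
    subscribers: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # token -> (address, expiry)
    outbox: list = field(default_factory=list)    # (recipient, body) captured mail


def _mac(list_name, address, nonce, expiry):
    """HMAC binding a token to one list, one address and one expiry time."""
    msg = f"{list_name}\0{address}\0{nonce}\0{expiry}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def request_subscription(lst, address, now=None):
    """Handle a subscribe request whose origin cannot be trusted.

    Returns the token mailed to `address`, or None when the request was
    dropped because that address already has too many unanswered
    confirmations outstanding on this list.
    """
    now = time.time() if now is None else now
    address = address.strip().lower()
    # Purge expired pending entries before counting the outstanding ones.
    for tok, (_addr, exp) in list(lst.pending.items()):
        if exp < now:
            del lst.pending[tok]
    outstanding = sum(1 for addr, _ in lst.pending.values() if addr == address)
    if outstanding >= MAX_PENDING_PER_ADDRESS:
        return None
    nonce = secrets.token_hex(8)
    expiry = int(now + CONFIRM_TTL)
    token = f"{nonce}.{expiry}.{_mac(lst.name, address, nonce, expiry)}"
    lst.pending[token] = (address, expiry)
    lst.outbox.append((address, f"To join {lst.name}, reply with: CONFIRM {token}"))
    return token


def confirm_subscription(lst, address, token, now=None):
    """Finalize a subscription only for a valid, unexpired, unused token
    that was issued for exactly this address on exactly this list."""
    now = time.time() if now is None else now
    address = address.strip().lower()
    try:
        nonce, expiry_str, mac = token.split(".")
        expiry = int(expiry_str)
    except ValueError:
        return False
    if now > expiry:
        return False
    if not hmac.compare_digest(mac, _mac(lst.name, address, nonce, expiry)):
        return False
    # Single use: the pending entry must still exist and is consumed here.
    if lst.pending.pop(token, None) is None:
        return False
    lst.subscribers.add(address)
    return True


def legacy_subscribe(lst, address):
    """The non-validating behaviour the message complains about: any
    request, forged or not, is finalized immediately."""
    lst.subscribers.add(address.strip().lower())


def forged_requests(lists, victim):
    """Send one forged subscribe request per list naming `victim` and report
    (lists that now carry the victim, confirmation notices generated)."""
    for lst in lists:
        request_subscription(lst, victim)
    subscribed = sum(victim in lst.subscribers for lst in lists)
    notices = sum(len(lst.outbox) for lst in lists)
    return subscribed, notices
```

Running `forged_requests` over 84 fresh validating lists yields `(0, 84)`: the victim ends up on no list and receives one short notice per list, each of which can simply be ignored and expires on its own. The same 84 requests against `legacy_subscribe` lists put the victim on all 84. The token carries its own expiry and is checked with a constant-time comparison, and the pending entry is deleted on first use, so a replayed or guessed confirmation does not finalize anything.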
