Great Circle Associates Majordomo-Users
(July 2003)
 


Subject: Re: Avoiding mailloops
From: susan barnes <s . barnes @ uni-koeln . de>
Date: Fri, 11 Jul 2003 13:34:13 +0200
To: majordomo-users @ greatcircle . com
Cc: Daniel Liston <dliston @ sonny . org>
In-reply-to: <3F0DE118.6070109@sonny.org>
References: <149580000.1057854482@blackbird.rrz.Uni-Koeln.DE> <3F0DE118.6070109@sonny.org>


--On Thursday, July 10, 2003 04:56:40 PM -0500 Daniel Liston <dliston@sonny.org> wrote:

Hello,

> It is local policy here, that anyone creating this kind of loop
> be removed and blacklisted from subscribing to any of our lists
> for a period of one year.  Idle threat, considering how easy it
> is to get and use a different address, but our point gets made.

Well, we did track the person down who started the loop and she was somewhat technically challenged, not doing it on purpose.
(Given that we sent a few thousand emails to their info@ address on two separate occasions and nobody contacted us to find out what is going on, I would guess the above applies to the whole company/domain.)

Just to clarify, the loop was started by a simple subscribe to majordomo, and the subsequent sending of help files and autoresponder messages. So no mailing list was involved at that point.


> Considering the query may not have even been from a subscriber,
> this could be considered a weak DOS attack on your system.  You
> might consider leaving the user or their domain listed in your
> access.db file.

It is more like a DOS Attack on both of our systems.
I have told the other side to exclude majordomo, listserv etc. from autoresponder replies and set a Reply-To header.

However, our majordomo does more or less the same thing when triggered this way. So a third party could deliberately cause a DOS attack on two systems with one simple email.

I am sure there are other people, who run autoresponders like this.


> Take a look at your majordomo.cf file.  Down at the bottom is a
> majordomo_dont_reply variable that does what its name says.  You
> might also want to consider a global_taboo_headers expression to
> bounce null senders to the majordomo-owner without being responded
> to.  Using your own example, the expression would look like this;
>
> /^Return-Path: <>/i


This has been suggested, but taboo-headers only work if the mails go via resend to an actual mailing list, or am I wrong?
I have added their address into $majordomo_dont_reply, but that is no general solution.

> I would really like to study a sample of the 3000 messages before
> I could offer anything better.  Are they all identical, with the
> exception of date/time stamps?

Yes, they are basically just confirmation messages. They do not quote any part of the original mail (see below; if you want one for yourself, ask info@hood.de).

I am not really looking for a solution for this specific case, but to generally avoid such incidents. I think it would be much better if there was a hard limit on how many helpfiles majordomo would send to one specific address, after which any further requests are dropped for a while.


Regards and thanks for your input
Susan Barnes

FYI
This is the full autoresponder mail:
(Return-Path is not empty because I have requested the autoreply to postmaster, the original envelope-sender was <>)

Return-Path: <postmaster-request@mail1.rrz.Uni-Koeln.DE>
Received: from cyrus.rrz.uni-koeln.de ([unix socket])
	by cyrus.rrz.uni-koeln.de (Cyrus v2.1.12-Invoca-RPM-2.1.12-3) with LMTP; Thu, 10 Jul 2003 01:07:04 +0200
X-Sieve: CMU Sieve 2.2
Received: from smtp-out.rrz.uni-koeln.de (smtp-out.rrz.uni-koeln.de [134.95.19.53])
	by cyrus.rrz.uni-koeln.de (8.12.9/8.12.8) with ESMTP id h69N735k024870
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Thu, 10 Jul 2003 01:07:03 +0200
Received: from mail1.rrz.Uni-Koeln.DE (mail1.rrz.uni-koeln.de [134.95.100.208])
	by smtp-out.rrz.uni-koeln.de (8.12.9/8.12.8) with ESMTP id h69N726W024867;
	Thu, 10 Jul 2003 01:07:02 +0200
Received: from lima01.sserv.de (lima01.sserv.de [217.175.237.250])
	by mail1.rrz.Uni-Koeln.DE (8.12.9/8.12.8) with ESMTP id h69N71Mp001594
	for <postmaster@rrz.uni-koeln.de>; Thu, 10 Jul 2003 01:07:01 +0200 (MEST)
Received: from courier by lima01.sserv.de (Exim 3.22) with local
	for <postmaster@rrz.uni-koeln.de>
	id 19aO1Z-0000Pg-00; Thu, 10 Jul 2003 01:06:57 +0200
From: info@hood.de
To: postmaster@rrz.uni-koeln.de
Subject: Ihre Anfrage an das Hood.de Support-Team
In-Reply-To: <E19aO0V-0000CK-00@lima01.sserv.de>
X-Mail3Admin: Vacation-Autoreply
Message-Id: <E19aO1Z-0000Pg-00@lima01.sserv.de>
Sender: <courier@lima01.sserv.de>
Date: Thu, 10 Jul 2003 01:06:57 +0200
X-Virus-Scanned: by amavisd-new
X-Spam-Report: IN_REP_TO,NO_REAL_NAME
X-Spam-Report: IN_REP_TO,NO_REAL_NAME

Dear Hood.de user,

Your email has been received and will be processed as soon as possible. Please note:

Hood.de receives many inquiries to the support team every day.
To continue to ensure short response times, questions sent by email that are already answered in detail in our online help cannot be considered.
This helps us to work and respond faster and more effectively.
We ask for your understanding; please take a close look at our help topics. Our help is simple and clearly laid out, and you will quickly find an answer to most of your questions. For example:
=> Why can I no longer log in?
=> Why has an auction disappeared?

Here you can go directly to the Hood.de help:
http://www.hood.de/help/help.cfm?tsid=0&helpID=0
Inquiries without your Hood.de member name and, where applicable, the relevant auction number delay a quick answer.
Your inquiry can be processed fastest if you always send us our entire correspondence.

Please send an inquiry only once.



We wish you continued enjoyment buying and selling on Hood.de!

Your Hood.de Support Team


Regards
Susan Barnes


Susan Barnes <S.Barnes@rrz.uni-koeln.de>
Zentrum fuer Angewandte Informatik - Universitaetsweiter Service RRZK
Universitaet zu Koeln / Cologne University        - Tel:0221-478-5594
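
The hard limit proposed in the message above, combined with the null-sender check from the quoted reply, as an added example (not part of the original post and not Majordomo code). The ReplyGuard name, the limit of 3 replies per hour and the sample addresses are assumptions; Auto-Submitted and Precedence are common auto-reply markers, and X-Mail3Admin is taken from the sample mail.

```python
import time
from collections import defaultdict, deque
from email import message_from_string

# Assumed policy values; the post asks for a hard limit without naming numbers.
MAX_REPLIES = 3
WINDOW_SECONDS = 3600

class ReplyGuard:
    """Decide whether an automatic reply (help file, confirmation) may go out."""

    def __init__(self, max_replies=MAX_REPLIES, window=WINDOW_SECONDS):
        self.max_replies = max_replies
        self.window = window
        self.sent = defaultdict(deque)  # address -> times a reply was sent

    def decide(self, envelope_sender, raw_message, now=None):
        now = time.time() if now is None else now
        msg = message_from_string(raw_message)
        # Bounces and well-behaved autoresponders use the null envelope sender.
        if envelope_sender.strip() in ("", "<>"):
            return "drop: null envelope sender"
        # Headers that mark machine-generated mail.
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return "drop: Auto-Submitted"
        if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
            return "drop: Precedence"
        if "autoreply" in msg.get("X-Mail3Admin", "").lower():
            return "drop: X-Mail3Admin autoreply"
        # Hard limit per address: forget old replies, then count the rest.
        history = self.sent[envelope_sender.strip("<> ").lower()]
        while history and now - history[0] >= self.window:
            history.popleft()
        if len(history) >= self.max_replies:
            return "drop: rate limit"
        history.append(now)
        return "reply"

# Constructed sample messages (addresses are placeholders).
AUTOREPLY = "From: info@example.org\nX-Mail3Admin: Vacation-Autoreply\n\nReceived.\n"
REQUEST = "From: user@example.org\nSubject: help\n\nhelp\n"

def demo():
    guard = ReplyGuard()
    results = [guard.decide("<>", AUTOREPLY, now=0),
               guard.decide("info@example.org", AUTOREPLY, now=1)]
    results += [guard.decide("user@example.org", REQUEST, now=t) for t in range(5)]
    return results
```

Dropped requests are not counted, so an address that keeps looping is answered again only once its earlier replies have aged out of the window.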

