Bugtraq mailing list archives

Re: mail storm


From: Valdis.Kletnieks () vt edu (Valdis.Kletnieks () vt edu)
Date: Tue, 13 Aug 1996 11:43:23 -0400


On Mon, 12 Aug 1996 17:56:43 PDT, you said:
> Imagine the hacker picks 2n mailing lists, subscribing the i'th to the
> (i+n)th and the (i+n)th to the i'th, subscribing that person they really
> don't like to the 0..n-1'th, and finally, forging one message to each of
> the 0..n-1'th.

At least 1 major mailing list package (LSoft Inc's ListServ) has an option
to "confirm" subscriptions.  If you try to subscribe, Listserv sends back
a "magic cookie" 5-digit random number, and you have to send back a second
'OK that_number' to actually complete the subscription (Listserv is very
good about grokking out what is in the message, so you really only need to
hit 'reply' and send it back with most MUA software).

The upshot is that it becomes very hard to "spam" somebody this way, since
you need to be able to catch the reply in order to complete the subscription.

We use it by default on all our lists - mostly to help catch newbies with
misconfigured mail software that generates bogon From: addresses.  Listserv
sends the confirm, it bounces, and I get the bounce - but I set up procmail
to shuffle all those off into the "badd-address-lamers" folder ;)

(Tangentially related discussion of other anti-spamming techniques follows)

For the interested, Listserv also contains a number of other anti-spamming
tools, such as cooperation between Listserv sites - if *one* site detects(*)
a spam in progress, it notifies all the OTHER listservers, and for 48 hours,
ALL postings from that source get forwarded to the list owner for verification
before being posted.  Also, lists can be configured so that by default,
subscribers can post freely, but non-subscriber postings go to a moderator.

(*) LSoft doesn't divulge the full checks it performs to declare a spam,
but I know that it includes CRC checking of the body to see if "similar"
messages have been posted recently (This code is also used in the 'looping
mail' detector).  I can however say that we have not seen a *single* successful
spam of the infamous "magazine subscription" posting - regardless of where
it was sent from, or what they modified the preamble/subject to this time...
--
                                Valdis Kletnieks
                                Computer Systems Engineer
                                Virginia Tech
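
The confirmation step described in the post above, sketched as an added example (not part of the original message and not L-Soft's code). The class name, the confirmation wording, the cookie lifetime and the single-use rule are assumptions made for illustration.

```python
import hmac
import re
import secrets
import time

OK_RE = re.compile(r"\bOK\s+(\d{5})\b", re.IGNORECASE)  # tolerates quoted replies

class ConfirmedList:
    """Toy list manager: an address joins only after echoing its cookie."""

    def __init__(self, ttl=7 * 24 * 3600, now=time.time):
        self.members = set()
        self.pending = {}   # address -> (cookie, expiry time)
        self.ttl = ttl      # assumed lifetime; the post does not give one
        self.now = now

    def request_subscribe(self, address):
        """Handle a SUBSCRIBE whose From: may be forged. Returns the text
        that is mailed to `address`; the requester never sees it otherwise."""
        address = address.strip().lower()
        cookie = f"{secrets.randbelow(100000):05d}"   # 5 digits, from a CSPRNG
        self.pending[address] = (cookie, self.now() + self.ttl)
        return f"To confirm your subscription, reply with: OK {cookie}"

    def handle_reply(self, address, body):
        """Complete the subscription only if the reply carries the cookie."""
        address = address.strip().lower()
        entry = self.pending.get(address)
        match = OK_RE.search(body)
        if entry is None or match is None:
            return False
        cookie, expiry = entry
        del self.pending[address]   # single use: a wrong guess burns the cookie
        if self.now() > expiry or not hmac.compare_digest(match.group(1), cookie):
            return False
        self.members.add(address)
        return True

def demo():
    lst = ConfirmedList()
    # Forged request: the confirmation is mailed to the victim, so a reply
    # sent without having seen the cookie cannot complete the subscription.
    lst.request_subscribe("victim@example.org")
    forged = lst.handle_reply("victim@example.org", "OK, sign me up")
    # Genuine request: the subscriber hits reply, quoting the confirmation.
    text = lst.request_subscribe("user@example.org")
    genuine = lst.handle_reply("user@example.org", "> " + text)
    return forged, genuine, sorted(lst.members)

if __name__ == "__main__":
    print(demo())
```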





