FYI -- mailback validations no longer safe?
I'm passing this along mostly as a FYI, but also as a sanity check. I sent this out to list-managers tonight, to bring up an issue that sort of crystalized this afternoon and made me realize that I think we have the beginnings of a problem in mail list land. Your thoughts are welcome....If I'm right, well, oh, boy. If I'm wrong -- I'd love to find out my idea won't work, but I think it's not only possible, but fairly easy.
I somewhat hesitate to bring this up, but I heard of another situation today that seems to fit in, and I think it's time to raise the issue.
I'm beginning to think that mailback validation as an anti-spam technique has been beaten. Worse, I think there are now spam systems written that will beat them in an automated way.
I will say up front I don't have a smoking gun. If and when I find one, I'll say so. But I'm now beginning to think the spammers have figured out how to beat mailbacks.
Someone we know runs a list on egroups. Twice today he was spammed by the porn spammers -- from subscribed accounts. This isn't the first time I've heard of this in the last few weeks, but he's someone I know runs a pretty clean ship. To get hit by two separate porn spammers on the same day, in independent attacks, that raises a real warning flag, because where the porn spammers innovate, everyone else follows.
In the last few years, there have been some significant, fundamental changes in the internet (duh). Now that I've spent a few hours thinking like a spammer, I realize these changes make it trivial for a *smart* spammer with some basic resources to circumvent mailbacks. Here's how:
First, you get access to some domains -- the key to mailbacks is that you have to have physical access to the mailback address to finish the confirmation. In today's internet, however -- that isn't a big deal. You register one for yourself, hook yourself up using dynamic DNS while attached via PPP to UUnet or one of the ISPs, and you have a fully functional mailserver. Or if you prefer, simply break into some lameoid's home machine sitting on a cable modem and borrow imstupid.org while he's not paying attention. Either way, you now have a spammer with a set of available domains, which he's either bought, borrowed or stolen, and access to the return mail sent to those domains.
This spammer's built a validation-bot. It's fed a list of mailing lists, and it spends all of its time figuring out what MLM it uses (not hard), and subscribing accounts to them. It can send the appropriate subscribe messages, read the confirmations, and send appropriate confirmations. Even better, if the MLM supports nomail, you turn off deliveries, so you don't run the risk of inbound e-mail alerting anyone on imstupid.org (if you think about it, the only thing that has to be on imstupid.org is a set of aliases forwarding to your real machine, and only for the period of time you're setting up the subscriptions. If you're real lucky, you find out you can hack their DNS and set up really.imstupid.org, and send EVERYTHING offsite).
The spammer lets his bot run for a while, and tracks the database with which address is subscribed to which list. He can even subscribe multiples from multiple domains if he wants, and let them lie fallow. When you block off one, it falls back and sends from the next.
He now owns your list, at least until you figure out what's going on and nuke the subscribed address. But if you think about it, once that validation handshake is complete, there's never ANY further validation. So he can set up temporary shop, validate to his heart's content, and then later on, after all the temporary stuff is safely hidden away, spam from anywhere, safely. Because he knows the address that will get him on the list.
If this is true, and it's beginning to look like egroups is a target of one attack, and I've heard rumors of some mailman lists being hit as well, then lists that depend on mailback validation have a problem. And I think there's been a feeling that mailbacks are the one true way of validation to the point where there hasn't been much (if any) thought about improved techniques or alternatives.
And if I, having spent four hours on the "how would I do this?" train of thought, can find a fairly easy to implement design, so can those that aren't so pure of heart and don't say their prayers at night. This isn't something the "buy a CD for $200" lameoid spammers can do (but I'll bet a really good spammer could build a system to do it that's turnkey. There's enough wide open hardware out on the net, especially overseas, that you could get a good 6 month run before enough stuff shut you down to make it not worth it...), but the porn spammers and gambling spammers and the spammers for hire? It's perfect for them.
I've felt for a while that the list community was way too comfortable with mailbacks as "safe and unbeatable". I'm now seeing what I think is evidence that this is no longer true. And I'm afraid that because we have sat back and not innovated here, we're going to end up behind the eight ball. And I don't see any easy answers if I'm right -- only that if I am wrong, I won't be wrong forever.
So I'm throwing it to the list, to see if there's information others have that might corroborate what I think I'm seeing (that you may not have realized for what it might be), or to poke holes in my analysis, or to start thinking of how to deal with it.
There I go, being a troublemaker again... (grin, sort of)
thoughts?
chuq
-- Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com) Apple Mail List Gnome (mailto:chuq@apple.com)
We're visiting the relatives. Cover us.
> I'm passing this along mostly as a FYI, but also as a sanity check. I sent this out to list-managers tonight, to bring up an issue that sort of crystalized this afternoon and made me realize that I think we have the beginnings of a problem in mail list land. Your thoughts are welcome....If I'm right, well, oh, boy. If I'm wrong -- I'd love to find out my idea won't work, but I think it's not only possible, but fairly easy.
Hi Chuq,
Yes, this has definitely been troublesome. I've blocked many commercial sites like findmail.com (egroups) and remarq.com from my lists because of their secret archiving that displays email addresses to the public, but at least they don't spam the lists back. But of course anyone can browse these sites and get addresses to their heart's content, then forge MAIL FROM: to sneak mail into the lists.
I'm not sure what the right thing is to do. MLMs like sympa (http://listes.cru.fr/sympa/) are definitely moving in the right direction with S/MIME signatures/encryption and X509 user certs, but that still doesn't stop someone from using throwaway certs to spam several lists or from harvesting addresses. The problem is that when these methods are used for authentication they just prove that the email address sending the stuff is who we think he or she is. But at least you can't forge the source email address to look like it's coming from a list member who is allowed to post (well, it's harder :)
I think that there's an implicit level of trust that has to be honored in mailing list management. Even SASL-based SMTP authentication from ISPs isn't going to prevent throw-away accounts from being used. Until we can get a fingerprint or cornea scan (or even a driver's license) with each mailing list subscription and compare it against a master database (which I'm not advocating), you can't be 100% sure of the users.
For now I'd say that the best method is a social one; require references when people want to subscribe to your list. Ask them which lists they participate on, an example post from another list, etc. But ultimately it becomes a judgement call by the listowner either way.
Just my humble opinion on the matter...
Chris
Christopher Lindsey, Senior System Engineer National Center for Supercomputing Applications (NCSA)
At 3:09 AM -0600 12/9/00, Christopher Lindsey wrote:
> Yes, this has definitely been troublesome. I've blocked many commercial sites like findmail.com (egroups) and remarq.com from my lists because of their secret archiving that displays email addresses to the public, but at least they don't spam the lists back. But of course anyone can browse these sites and get addresses to their heart's content, then forge MAIL FROM: to sneak mail into the lists.
Ya know, I hadn't thought of that -- I've worked at closing off my list archives from the spam harvesters, but I'd never thought of the list archives as a source of addresses to use to spam ONTO the lists. (shudder). That's a real, legitimate issue, because you're basically handing them access.
damn. I have to go rethink that again.
And I realized, after I posted, that as long as there are free e-mail sites (netscape.net, hotmail, etc), you don't even need to create or hack domains to do this. Over a period of a week, create a thousand email accounts on the various free sites. Then you can set up the mailbots to start using them to subscribe and spam. As admins get accounts nuked by the free sites, simply disable them, move to other ones in your collection, and create some more. Even under the best of circumstances, it'd be tough to impossible for the admins of a place like hotmail to keep ahead of that, and their only real block is an IP block -- and if you have multiple IPs... This charade could go on for a long time.
> ) are definitely moving in the right direction with S/MIME signatures/encryption and X509 user certs, but that still doesn't stop someone from using throwaway certs to spam several lists or from harvesting addresses.
And it doesn't help the reality that most users can't/won't do this, and it simply means you'll scare away legitimate issues, which is like being so scared of having the cow stolen you weld the barn door shut. The cow doesn't get stolen, but it eventually starves to death...
> For now I'd say that the best method is a social one; require references when people want to subscribe to your list.
That works if you have active listowners and a small list. Imagine me doing that for a large list with dozens of subscriptions a day -- on my big mailman site, I'd have to hire staff to even START doing that. Not practical, unfortunately.
But Murr Rhame on list-managers said something that made me think of a possible answer -- new subscribers automatically go into "hold for approval" mode. It'd be another flag in the user record (like digest or nomail), and when you subscribe, it's turned on. All messages are held for the admin to approve. Once an admin can trust a new account, he turns off the flag and they post without restriction.
There are some topics and lists where this would be a good thing to have, because of the incendiary aspects of the topic, or because (in my case) there are problems with trolls....
-- Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com) Apple Mail List Gnome (mailto:chuq@apple.com)
We're visiting the relatives. Cover us.
Apologies if some of this is repeated in other posts, I haven't had a chance to read through everything yet...
Chuq Von Rospach wrote:
> At 3:09 AM -0600 12/9/00, Christopher Lindsey wrote:
> > Yes, this has definitely been troublesome. I've blocked many commercial sites like findmail.com (egroups) and remarq.com from my lists because of their secret archiving that displays email addresses to the public, but at least they don't spam the lists back. But of course anyone can browse these sites and get addresses to their heart's content, then forge MAIL FROM: to sneak mail into the lists.
> Ya know, I hadn't thought of that -- I've worked at closing off my list archives from the spam harvesters, but I'd never thought of the list archives as a source of addresses to use to spam ONTO the lists. (shudder). That's a real, legitimate issue, because you're basically handing them access.
A couple of quick corrections. eGroups no longer archives lists hosted elsewhere, although there are still a few legacy lists. We stopped that about a year ago. I also think that remarq.com has stopped that as well. As for archives, eGroups obscures email addresses to prevent spam harvesting. We never saw an instance of successful spam harvesting of email addresses from the archives because of this.
> ... snip ...
> But Murr Rhame on list-managers said something that made me think of a possible answer -- new subscribers automatically go into "hold for approval" mode. It'd be another flag in the user record (like digest or nomail), and when you subscribe, it's turned on. All messages are held for the admin to approve. Once an admin can trust a new account, he turns off the flag and they post without restriction.
eGroups has had this for quite some time, and many listowners have had success using it.
There are two types of spam problems with lists. One is harvesting of email addresses, the other is sending spam directly to groups. Given the current state of Internet email, neither can be fully addressed. But the good news is that spammers generally are impatient, and are looking for the biggest bang for the buck (most email addresses for least effort). So, subscribing to a group and harvesting email addresses by looking at the messages you receive is not popular with spammers (in our experience). It takes too long and yields too few addresses. The biggest source of spam complaints on eGroups is the case of a spammer subscribing to a bunch of groups and then sending their spam to the groups, which if I understand correctly is what happened to your friend, Chuq. But besides the 'moderate new users' function, and the anti-cross posting features of eGroups, I'm not sure what else you can do to eliminate that problem.
As an aside, I have actually seen software designed to send spam to mailing lists. It comes with a database of hundreds of lists (lots of ONElist/eGroups lists included). It assumes you have subscribed to the lists already. You compose your spam template, and it sends out individual messages to each of the groups. By doing so, it defeats the anti-cross posting feature of eGroups. It was targeted to people who subscribed to the numerous (at the time) 'make money fast' groups on eGroups and elsewhere (basically groups where subscribers spam each other). So it wasn't really a problem for our normal users.
Mark
> A couple of quick corrections. eGroups no longer archives lists hosted elsewhere, although there are still a few legacy lists. We stopped that about a year ago. I also think that remarq.com has stopped that as well.
Yes, remarq appears to have stopped now. We still have some NCSA lists (well, at least one) archived at eGroups, but I suspect it's one of those legacy archives since it still has the old subscription information from almost three years ago on it. :)
> As for archives, eGroups obscures email addresses to prevent spam harvesting. We never saw an instance of successful spam harvesting of email addresses from the archives because of this.
The addresses are now obscured, but when it was done through findmail the addresses were there for the world to see.
I'm not targeting eGroups or Remarq, but just listing them as examples of what can happen. In these cases, the two companies started archiving and then addressed the problems that they had created later. And that's the whole point -- you can make your server as secure as possible, hide email addresses in your archives and do anything else imaginable, but one irresponsible subscriber makes the whole setup worthless. They just need to setup an archive that doesn't hide email addresses, and voila...
S/MIME or PGP signatures would of course prevent the addresses being used for spamming, but would still allow direct spam. That's why I use unique email addresses for most lists that I subscribe to; at least then I can track the origins of a spam. Coupled with an MLM that signs outbound messages, I'd be pretty spam-free since I could disregard anything that wasn't signed.
[apologies for double quoting -- I don't remember the original poster]
> But Murr Rhame on list-managers said something that made me think of a possible answer -- new subscribers automatically go into "hold for approval" mode. It'd be another flag in the user record (like digest or nomail), and when you subscribe, it's turned on. All messages are held for the admin to approve. Once an admin can trust a new account, he turns off the flag and they post without restriction.
It's a pretty standard feature in MLMs... Even old and crusty majordomo 1.94.x can require subscriber approval.
Chris (who's thinking that maybe we should remove Spaf et al from the Cc: list?)
Christopher Lindsey, Senior System Engineer National Center for Supercomputing Applications (NCSA)
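The "hold for approval" flag that Chuq proposes and that Mark and Chris note eGroups and majordomo already offer, sketched here as an added example; this is illustrative code written for this thread, not any MLM's own implementation, and the class and method names are hypothetical:

```python
"""Hold-for-approval flag for a mailing list manager (added illustrative
code, not from eGroups, Mailman, Sympa or Majordomo; names hypothetical).
Completing the mailback only proves someone could read mail at the address,
so new members start moderated and posts are held until the owner clears it."""
import secrets
from dataclasses import dataclass, field

@dataclass
class Member:
    address: str
    confirmed: bool = False
    moderated: bool = True  # new accounts start in hold-for-approval mode

@dataclass
class MailingList:
    name: str
    members: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # address -> mailback token
    held: list = field(default_factory=list)

    def subscribe(self, address):
        # Start the mailback: return the token that would be mailed out.
        addr = address.lower()
        self.members[addr] = Member(addr)
        self.pending[addr] = secrets.token_hex(8)
        return self.pending[addr]

    def confirm(self, address, token):
        # Finish the mailback. The moderated flag deliberately stays set.
        addr = address.lower()
        if self.pending.get(addr) != token:
            return False
        del self.pending[addr]
        self.members[addr].confirmed = True
        return True

    def approve_member(self, address):
        # List owner decides the account can be trusted to post directly.
        self.members[address.lower()].moderated = False

    def post(self, sender, subject):
        # Dispatch an inbound post: 'rejected', 'held' or 'distributed'.
        m = self.members.get(sender.lower())
        if m is None or not m.confirmed:
            return "rejected"
        if m.moderated:
            self.held.append((sender, subject))
            return "held"
        return "distributed"
```

Note that the flag only covers accounts the owner has not yet cleared; a post forged with an already-trusted member's address, as Chris describes, still goes straight through.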