[Mailman-Developers] FYI -- mailback validations no longer safe?

Chuq Von Rospach chuqui@plaidworks.com
Sat, 9 Dec 2000 00:22:37 -0800


I'm passing this along mostly as an FYI, but also as a sanity check. I 
sent this out to list-managers tonight, to bring up an issue that 
sort of crystallized this afternoon and made me realize that I think 
we have the beginnings of a problem in mail list land. Your thoughts 
are welcome.... If I'm right, well, oh, boy. If I'm wrong -- I'd love 
to find out my idea won't work, but I think it's not only possible, 
but fairly easy.

----



I somewhat hesitate to bring this up, but I heard of another 
situation today that seems to fit in, and I think it's time to raise 
the issue.

I'm beginning to think that mailback validation as an anti-spam 
technique has been beaten. Worse, I think there are now spam systems 
written that will beat them in an automated way.

I will say up front I don't have a smoking gun. If and when I find 
one, I'll say so. But I'm now beginning to think the spammers have 
figured out how to beat mailbacks.

Someone we know runs a list on egroups. Twice today he was spammed by 
the porn spammers -- from subscribed accounts. This isn't the first 
time I've heard of this in the last few weeks, but he's someone I 
know runs a pretty clean ship. To get hit by two separate porn 
spammers on the same day, in independent attacks, that raises a real 
warning flag, because where the porn spammers innovate, everyone else 
follows.

In the last few years, there have been some significant, fundamental 
changes in the internet (duh). Now that I've spent a few hours 
thinking like a spammer, I realize these changes make it trivial for 
a *smart* spammer with some basic resources to circumvent mailbacks. 
Here's how:

First, you get access to some domains -- the key to mailbacks is that 
you have to have physical access to the mailback address to finish 
the confirmation. In today's internet, however -- that isn't a big 
deal. You register one for yourself, hook yourself up using dynamic 
DNS while attached via PPP to UUnet or one of the ISPs, and you have 
a fully functional mailserver. Or if you prefer, simply break into 
some lameoid's home machine sitting on a cable modem and borrow 
imstupid.org while he's not paying attention. Either way, you now 
have a spammer with a set of available domains, which he's either 
bought, borrowed or stolen, and access to the return mail sent to 
those domains.

This spammer's built a validation-bot. It's fed a list of mailing 
lists, and it spends all of its time figuring out what MLM it uses 
(not hard), and subscribing accounts to them. It can send the 
appropriate subscribe messages, read the confirmations, and send 
appropriate confirmations. Even better, if the MLM supports nomail, 
you turn off deliveries, so you don't run the risk of inbound e-mail 
alerting anyone on imstupid.org (if you think about it, the only 
thing that has to be on imstupid.org is a set of aliases forwarding 
to your real machine, and only for the period of time you're setting 
up the subscriptions. If you're real lucky, you find out you can hack 
their DNS and set up really.imstupid.org, and send EVERYTHING 
offsite).

The spammer lets his bot run for a while, and tracks the database 
with which address is subscribed to which list. He can even subscribe 
multiples from multiple domains if he wants, and let them lie fallow. 
When you block off one, it falls back and sends from the next.

He now owns your list, at least until you figure out what's going on 
and nuke the subscribed address. But if you think about it, once that 
validation handshake is complete, there's never ANY further 
validation. So he can set up temporary shop, validate to his heart's 
content, and then later on, after all the temporary stuff is safely 
hidden away, spam from anywhere, safely. Because he knows the address 
that will get him on the list.

If this is true, and it's beginning to look like egroups is a target 
of one attack, and I've heard rumors of some mailman lists being hit 
as well, then lists that depend on mailback validation have a 
problem. And I think there's been a feeling that mailbacks are the 
one true way of validation to the point where there hasn't been much 
(if any) thought about improved techniques or alternatives.

And if I, having spent four hours on the "how would I do this?" train 
of thought, can find a fairly easy to implement design, so can those 
that aren't so pure of heart and don't say their prayers at night. 
This isn't something the "buy a CD for $200" lameoid spammers can do 
(but I'll bet a really good spammer could build a system to do it 
that's turnkey. There's enough wide open hardware out on the net, 
especially overseas, that you could get a good 6 month run before 
enough stuff shut you down to make it not worth it...), but the porn 
spammers and gambling spammers and the spammers for hire? It's 
perfect for them.

I've felt for a while that the list community was way too comfortable 
with mailbacks as "safe and unbeatable". I'm now seeing what I think 
is evidence that this is no longer true. And I'm afraid that because 
we have sat back and not innovated here, we're going to end up behind 
the eight ball. And I don't see any easy answers if I'm right -- only 
that if I am wrong, I won't be wrong forever.

So I'm throwing it to the list, to see if there's information others 
have that might corroborate what I think I'm seeing (that you may not 
have realized for what it might be), or to poke holes in my analysis, 
or to start thinking of how to deal with it.

There I go, being a troublemaker again... (grin, sort of)

thoughts?

chuq





-- 
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

We're visiting the relatives. Cover us.
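The post describes three behaviours a list admin could watch for after the fact: a confirmation that is immediately followed by switching the account to nomail, one domain fanning its addresses out across many lists in a short burst, and a post arriving from an address that has delivery turned off. The script below is an added example and is not part of Chuq's message or of Mailman itself; it runs those three checks over a constructed subscription log. The log line format (`TIMESTAMP LIST EVENT ADDRESS`), the event names, and every address and list name in it are assumptions made for the example, so `parse_log()` needs adapting to whatever your MLM actually records.

```python
# Added example (not from the original post or from Mailman): review a
# subscription log for the validation-bot pattern described above.
# Log format and all sample data below are constructed for this example.
from collections import defaultdict
from datetime import datetime

# Constructed sample: one normal subscriber, then three addresses from one
# throwaway domain that confirm onto three lists and go nomail at once,
# followed by a post from one of them the next morning.
SAMPLE_LOG = """\
2000-12-08T21:00:01 cats-l subscribe alice@example.net
2000-12-08T21:05:10 cats-l confirm alice@example.net
2000-12-08T22:00:00 cats-l subscribe u1@imstupid.example
2000-12-08T22:00:07 cats-l confirm u1@imstupid.example
2000-12-08T22:00:09 cats-l nomail u1@imstupid.example
2000-12-08T22:01:00 dogs-l subscribe u2@imstupid.example
2000-12-08T22:01:06 dogs-l confirm u2@imstupid.example
2000-12-08T22:01:08 dogs-l nomail u2@imstupid.example
2000-12-08T22:02:00 fish-l subscribe u3@imstupid.example
2000-12-08T22:02:05 fish-l confirm u3@imstupid.example
2000-12-08T22:02:07 fish-l nomail u3@imstupid.example
2000-12-09T10:00:00 cats-l post u1@imstupid.example
"""


def parse_log(text):
    """Return events as (datetime, list_name, event, address) tuples.
    Assumed format: one event per line, whitespace separated."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, list_name, event, address = line.split()
        events.append((datetime.fromisoformat(stamp), list_name, event, address.lower()))
    return events


def fast_nomail(events, max_seconds=60):
    """(list, address) pairs that went confirm -> nomail within max_seconds.
    A person usually reads a few messages first; a bot that only wants the
    posting right turns delivery off so nothing lands on the throwaway domain."""
    confirmed = {}
    flagged = set()
    for when, list_name, event, address in events:
        key = (list_name, address)
        if event == "confirm":
            confirmed[key] = when
        elif event == "nomail" and key in confirmed:
            if (when - confirmed[key]).total_seconds() <= max_seconds:
                flagged.add(key)
    return flagged


def domain_fanout(events, min_lists=3, window_hours=24):
    """Domains whose addresses confirmed onto min_lists or more distinct lists
    inside a window_hours window; the bot works from a feed of lists, so one
    domain shows up on many of them in a burst."""
    confirms = defaultdict(list)  # domain -> [(when, list_name)]
    for when, list_name, event, address in events:
        if event == "confirm":
            confirms[address.rsplit("@", 1)[1]].append((when, list_name))
    suspicious = {}
    for domain, items in confirms.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            lists = {name for when, name in items[i:]
                     if (when - start).total_seconds() <= window_hours * 3600}
            if len(lists) >= min_lists:
                suspicious[domain] = lists
                break
    return suspicious


def posts_from_nomail(events):
    """Posts from addresses that currently have delivery off on that list.
    Legitimate nomail members exist, so this is a signal to combine with the
    others, not a verdict on its own."""
    nomail = set()
    hits = []
    for when, list_name, event, address in events:
        key = (list_name, address)
        if event == "nomail":
            nomail.add(key)
        elif event == "mail":  # assumed event name for delivery turned back on
            nomail.discard(key)
        elif event == "post" and key in nomail:
            hits.append(key)
    return hits


def review(text):
    """Run all three checks over a log and return their findings by name."""
    events = parse_log(text)
    return {
        "fast_nomail": fast_nomail(events),
        "domain_fanout": domain_fanout(events),
        "posts_from_nomail": posts_from_nomail(events),
    }


if __name__ == "__main__":
    for name, result in review(SAMPLE_LOG).items():
        print(name, result)
```

Each check alone has innocent explanations (people do read lists on the web and set nomail; a university domain will confirm onto many lists in a week), which is why `review()` reports them separately rather than scoring them; the thresholds are starting points to tune against a real log, not settings the post gives.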