[Mailman-Developers] FYI -- mailback validations no longer safe?
Chuq Von Rospach
chuqui@plaidworks.com
Sat, 9 Dec 2000 00:22:37 -0800
I'm passing this along mostly as a FYI, but also as a sanity check. I
sent this out to list-managers tonight, to bring up an issue that
sort of crystallized this afternoon and made me realize that I think
we have the beginnings of a problem in mail list land. Your thoughts
are welcome.... If I'm right, well, oh, boy. If I'm wrong -- I'd love
to find out my idea won't work, but I think it's not only possible,
but fairly easy.
----
I somewhat hesitate to bring this up, but I heard of another
situation today that seems to fit in, and I think it's time to raise
the issue.
I'm beginning to think that mailback validation as an anti-spam
technique has been beaten. Worse, I think there are now spam systems
written that will beat them in an automated way.
I will say up front I don't have a smoking gun. If and when I find
one, I'll say so. But I'm now beginning to think the spammers have
figured out how to beat mailbacks.
Someone we know runs a list on egroups. Twice today he was spammed by
the porn spammers -- from subscribed accounts. This isn't the first
time I've heard of this in the last few weeks, but he's someone I
know runs a pretty clean ship. To get hit by two separate porn
spammers on the same day, in independent attacks, raises a real
warning flag, because where the porn spammers innovate, everyone else
follows.
In the last few years, there have been some significant, fundamental
changes in the internet (duh). Now that I've spent a few hours
thinking like a spammer, I realize these changes make it trivial for
a *smart* spammer with some basic resources to circumvent mailbacks.
Here's how:
First, you get access to some domains -- the key to mailbacks is that
you have to have physical access to the mailback address to finish
the confirmation. In today's internet, however, that isn't a big
deal. You register one for yourself, hook yourself up using dynamic
DNS while attached via PPP to UUnet or one of the ISPs, and you have
a fully functional mailserver. Or if you prefer, simply break into
some lameoid's home machine sitting on a cable modem and borrow
imstupid.org while he's not paying attention. Either way, you now
have a spammer with a set of available domains, which he's either
bought, borrowed or stolen, and access to the return mail sent to
those domains.
This spammer has built a validation-bot. It's fed a list of mailing
lists, and it spends all of its time figuring out what MLM it uses
(not hard), and subscribing accounts to them. It can send the
appropriate subscribe messages, read the confirmations, and send
appropriate confirmations. Even better, if the MLM supports nomail,
you turn off deliveries, so you don't run the risk of inbound e-mail
alerting anyone on imstupid.org (if you think about it, the only
thing that has to be on imstupid.org is a set of aliases forwarding
to your real machine, and only for the period of time you're setting
up the subscriptions. If you're real lucky, you find out you can hack
their DNS and set up really.imstupid.org, and send EVERYTHING
offsite).
The spammer lets his bot run for a while, and tracks the database
with which address is subscribed to which list. He can even subscribe
multiples from multiple domains if he wants, and let them lie fallow.
When you block off one, it falls back and sends from the next.
He now owns your list, at least until you figure out what's going on
and nuke the subscribed address. But if you think about it, once that
validation handshake is complete, there's never ANY further
validation. So he can set up temporary shop, validate to his heart's
content, and then later on, after all the temporary stuff is safely
hidden away, spam from anywhere, safely. Because he knows the address
that will get him on the list.
If this is true, and it's beginning to look like egroups is a target
of one attack, and I've heard rumors of some mailman lists being hit
as well, then lists that depend on mailback validation have a
problem. And I think there's been a feeling that mailbacks are the
one true way of validation to the point where there hasn't been much
(if any) thought about improved techniques or alternatives.
And if I, having spent four hours on the "how would I do this?" train
of thought can find a fairly easy to implement design, so can those
that aren't so pure of heart and don't say their prayers at night.
This isn't something the "buy a CD for $200" lameoid spammers can do
(but I'll bet a really good spammer could build a system to do it
that's turnkey. There's enough wide open hardware out on the net,
especially overseas, that you could get a good 6 month run before
enough stuff shut you down to make it not worth it...), but the porn
spammers and gambling spammers and the spammers for hire? It's
perfect for them.
I've felt for a while that the list community was way too comfortable
with mailbacks as "safe and unbeatable". I'm now seeing what I think
is evidence that this is no longer true. And I'm afraid that because
we have sat back and not innovated here, we're going to end up behind
the eight ball. And I don't see any easy answers if I'm right -- only
that if I am wrong, I won't be wrong forever.
So I'm throwing it to the list, to see if there's information others
have that might corroborate what I think I'm seeing (that you may not
have realized for what it might be), or to poke holes in my analysis,
or to start thinking of how to deal with it.
There I go, being a troublemaker again... (grin, sort of)
thoughts?
chuq
--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)
We're visiting the relatives. Cover us.
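The handshake described in the message above, as an added example that is not part of the original post and not Mailman's own code: a toy Python model of a list that validates subscriptions only by confirmation mailback, an attacker-side bot that answers those confirmations from mailboxes it controls, turns the subscriptions to nomail, and records which address got onto which list, and then the consequence Chuq points at, namely that nothing is ever re-validated once the handshake is done. All list names, addresses (the `.example` domains), the `confirm <cookie>` subject format, the `set nomail on` command and the `demo()` scenario are constructed for this illustration; real MLMs differ in the details but all send something the recipient must echo back.

```python
import hashlib
import hmac
import re
import secrets

# Constructed cookie format; the bot only needs to find and echo whatever the list sends.
CONFIRM_RE = re.compile(r"confirm ([0-9a-f]{16})")


class ToyList:
    """A list that validates subscriptions only by a confirmation mailback (constructed model)."""

    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)  # per-list secret for confirmation cookies
        self.pending = {}    # cookie -> address awaiting confirmation
        self.members = {}    # address -> {"nomail": bool}
        self.banned = set()
        self.outbox = []     # (to, subject, body) mail the list sends out

    def _cookie(self, address):
        return hmac.new(self.key, address.encode(), hashlib.sha256).hexdigest()[:16]

    def request(self, frm, subject):
        """Mail to <list>-request. The only identity ever checked is the From: address."""
        cmd = subject.strip().lower()
        if cmd == "subscribe":
            if frm in self.banned:
                return "ignored"
            cookie = self._cookie(frm)
            self.pending[cookie] = frm
            self.outbox.append((frm, f"confirm {cookie}", "Reply to this mail to finish subscribing."))
            return "pending"
        m = CONFIRM_RE.search(cmd)
        if m and self.pending.get(m.group(1)) == frm:
            del self.pending[m.group(1)]
            self.members[frm] = {"nomail": False}
            return "subscribed"
        if cmd == "set nomail on" and frm in self.members:
            self.members[frm]["nomail"] = True
            return "nomail"
        return "ignored"

    def post(self, frm, subject, body):
        """Posts from members are accepted; the handshake is never repeated or re-checked."""
        if frm in self.banned:
            return "rejected"
        if frm not in self.members:
            return "held"
        for addr, opts in self.members.items():
            if not opts["nomail"]:
                self.outbox.append((addr, subject, body))
        return "accepted"

    def ban(self, address):  # what the list owner does once the spam is noticed
        self.banned.add(address)
        self.members.pop(address, None)

    def deliver(self, address):
        """Hand over whatever the list has sent to `address` (the attacker's MX reads this)."""
        mine = [m for m in self.outbox if m[0] == address]
        self.outbox = [m for m in self.outbox if m[0] != address]
        return mine


class ValidationBot:
    """Attacker automation: subscribe throwaway addresses, answer the mailbacks,
    switch them to nomail so the domain sees no list traffic, and record the results."""

    def __init__(self, addresses):
        self.addresses = addresses
        self.db = {}  # list name -> addresses that completed the handshake

    def seed(self, lists):
        for ml in lists:
            for addr in self.addresses:
                ml.request(addr, "subscribe")
                for _to, subj, _body in ml.deliver(addr):
                    if CONFIRM_RE.search(subj.lower()) and ml.request(addr, "Re: " + subj) == "subscribed":
                        ml.request(addr, "set nomail on")
                        self.db.setdefault(ml.name, []).append(addr)
        return self.db

    def spam(self, ml, subject, body):
        """Post from the first still-working address; fall back when one gets banned."""
        for addr in self.db.get(ml.name, []):
            if ml.post(addr, subject, body) == "accepted":
                return addr
        return None


def demo():
    """Seed two lists, then spam long after the attacker's mailboxes have gone away."""
    lists = [ToyList("cooks"), ToyList("gardeners")]
    bot = ValidationBot(["a@imstupid.example", "b@imstupid.example", "c@other.example"])
    db = bot.seed(lists)
    cooks = lists[0]
    # From here on nobody reads mail at the attacker's domains; it no longer matters.
    first = bot.spam(cooks, "hot deals", "...")   # accepted from a@imstupid.example
    cooks.ban(first)                               # owner nukes the address ...
    second = bot.spam(cooks, "hot deals", "...")  # ... and the bot falls back to b@
    stranger = cooks.post("nobody@elsewhere.example", "hi", "...")  # non-member: held
    return db, first, second, stranger, len(cooks.outbox)
```

`demo()` returns the bot's database, the two addresses the spam went out from, the disposition of a non-member post, and the number of list messages still sitting in the outbox. That last number stays at zero: every confirmation was consumed during seeding and every attacker address is on nomail, so the compromised or borrowed domain never receives list traffic that could tip anyone off, which is the part of the scenario that makes it quiet.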