[Mailman-Developers] FYI -- mailback validations no longer safe?

J C Lawrence claw@kanga.nu
Sat, 09 Dec 2000 10:44:13 -0800


On Sat, 9 Dec 2000 00:22:37 -0800 
Chuq Von Rospach <chuqui@plaidworks.com> wrote:

> I'm beginning to think that mailback validation as an anti-spam
> technique has been beaten. Worse, I think there are now spam
> systems written that will beat them in an automated way.

I've written on this before to the Mailman lists.  I have similar
suspicions.  Like you I have no smoking guns, but I have
suggestive evidence.

> I will say up front I don't have a smoking gun. If and when I find
> one, I'll say so. But I'm now beginning to think the spammers have
> figured out how to beat mailbacks.

It's hardly complex -- just look for key strings in messages coming
to an account, and then bounce back messages accordingly.  Given
someone with minimal scripting knowledge, what, 30 minutes?  Four
simple patterns will cover 95% of the lists out there.

> Someone we know runs a list on egroups. Twice today he was spammed
> by the porn spammers -- from subscribed accounts. This isn't the
> first time I've heard of this in the last few weeks, but he's
> someone I know runs a pretty clean ship. To get hit by two
> separate porn spammers on the same day, in independent attacks,
> that raises a real warning flag, because where the porn spammers
> innovate, everyone else follows.

Occam's razor indicates that this could be done equally well thru
mail forgery of a blameless member.

> He now owns your list, at least until you figure out what's going
> on and nuke the subscribed address. But if you think about it,
> once that validation handshake is complete, there's never ANY
> further validation. So he can set up temporary shop, validate to
> his heart's content, and then later on, after all the temporary
> stuff is safely hidden away, spam from anywhere, safely. Because
> he knows the address that will get him on the list.

Bingo.  This is one of the base reasons I now hand moderate my main
lists.  I'm looking hard at going back to a posting_authority setup
(members prove themselves worthy of automatic posting (no moderator
overview)), but Mailman does not currently lend itself to that
model.  Yet.  (Using approved posted in Mailman is not sufficiently
maintainable)

> If this is true, and it's beginning to look like egroups is a
> target of one attack, and I've heard rumors of some mailman lists
> being hit as well, then lists that depend on mailback validation
> have a problem. And I think there's been a feeling that mailbacks
> are the one true way of validation to the point where there hasn't
> been much (if any) thought about improved techniques or
> alternatives.

When you get down to it this is a question of trust models, and is a
subset of the problem of reputational systems.  It's a non-trivial
problem.

> I've felt for a while that the list community was way too
> comfortable with mailbacks as "safe and unbeatable". I'm now
> seeing what I think is evidence that this is no longer true. And
> I'm afraid that because we have sat back and not innovated here,
> we're going to end up behind the eight ball. And I don't see any
> easy answers if I'm right -- only that if I am wrong, I won't be
> wrong forever.

I'm at the point where I'm willing to lay money on your being not
only right, but being visibly demonstrated as right within the next
calendar year.

We have two problems:

  1) Determining that a given member of a list is not a spammer.
  2) Determining that a given post is not a SPAM.

The first can be largely addressed via putting in mechanisms where N
moderator approved posts are required before being granted posting
authority.  It's a barrier to entry technique -- not secure, but
certainly not profitable for the spammer in terms of ROI.  As a side
comment, this is one of the features I'd like to see rolled in the
next Mailman design we're discussing (given the model I'm musing, it
should be trivial).

The second is a horrible nasty problem in this age of mail forgery
and the ease of harvesting member addresses from lists (especially
once you are a subscriber).  Given that a spammer can subscribe and
can then harvest addresses with (presumably) posting authority with
no more than a couple hours worth of scripting and a little time
waiting while his bot runs, the simple MESSAGE_FROM_XXX_IS_OKAY
metric is likely to last no longer.

So what's the final solution?  I don't think there is an elegant
solution without involving presumed non-forgeable proofs of identity
(ie public key crypto).  Doing that requires a broadscale PKI
structure (a horrible problem in and of itself), severe changes in
user habits, and a host of other invasive non-trivial changes.  It's
going to happen, though.  TLS/SMTP is just not enough.

-- 
J C Lawrence                                       claw@kanga.nu
---------(*)                        : http://www.kanga.nu/~claw/
--=| A man is as sane as he is dangerous to his environment |=--

On Sat, 9 Dec 2000 00:22:37 -0800 
Chuq Von Rospach <chuqui@plaidworks.com> wrote:

> I'm passing this along mostly as a FYI, but also as a sanity
> check. I sent this out to list-managers tonight, to bring up an
> issue that sort of crystalized this afternoon and made me realize
> that I think we have the beginnings of a problem in mail list
> land. Your thoughts are welcome....If I'm right, well, oh, boy. If
> I'm wrong -- I'd love to find out my idea won't work, but I think
> it's not only possible, but fairly easy.

> ----

> I somewhat hesitate to bring this up, but I heard of another
> situation today that seems to fit in, and I think it's time to
> raise the issue.

> I'm beginning to think that mailback validation as an anti-spam
> technique has been beaten. Worse, I think there are now spam
> systems written that will beat them in an automated way.

> I will say up front I don't have a smoking gun. If and when I find
> one, I'll say so. But I'm now beginning to think the spammers have
> figured out how to beat mailbacks.

> Someone we know runs a list on egroups. Twice today he was spammed
> by the porn spammers -- from subscribed accounts. This isn't the
> first time I've heard of this in the last few weeks, but he's
> someone I know runs a pretty clean ship. To get hit by two
> separate porn spammers on the same day, in independent attacks,
> that raises a real warning flag, because where the porn spammers
> innovate, everyone else follows.

> In the last few years, there have been some significant,
> fundamental changes in the internet (duh). Now that I've spent a
> few hours thinking like a spammer, I realize these changes make it
> trivial for a *smart* spammer with some basic resources to
> circumvent mailbacks. Here's how:

> First, you get access to some domains -- the key to mailbacks is
> that you have to have physical access to the mailback address to
> finish the confirmation. In today's internet, however -- that isn't
> a big deal. You register one for yourself, hook yourself up using
> dynamic DNS while attached via PPP to UUnet or one of the ISPs,
> and you have a fully functional mailserver. Or if you prefer,
> simply break into some lameoid's home machine sitting on a cable
> modem and borrow imstupid.org while he's not paying
> attention. Either way, you now have a spammer with a set of
> available domains, which he's either bought, borrowed or stolen,
> and access to the return mail sent to those domains.

> This spammer's built a validation-bot. It's fed a list of mailing
> lists, and it spends all of its time figuring out what MLM it uses
> (not hard), and subscribing accounts to them. It can send the
> appropriate subscribe messages, read the confirmations, and send
> appropriate confirmations. Even better, if the MLM supports
> nomail, you turn off deliveries, so you don't run the risk of
> inbound e-mail alerting anyway on imstupid.org (if you think about
> it, the only thing that has to be on imstupid.org is a set of
> aliases forwarding to your real machine, and only for the period
> of time you're setting up the subscriptions. If you're real lucky,
> you find out you can hack their DNS and set up
> really.imstupid.org, and send EVERYTHING offsite).

> The spammer lets his bot run for a while, and tracks the database
> with which address is subscribed to which list. He can even
> subscribe multiples from multiple domains if he wants, and let
> them lie fallow. When you block off one, it falls back and sends
> from the next.

> He now owns your list, at least until you figure out what's going
> on and nuke the subscribed address. But if you think about it,
> once that validation handshake is complete, there's never ANY
> further validation. So he can set up temporary shop, validate to
> his heart's content, and then later on, after all the temporary
> stuff is safely hidden away, spam from anywhere, safely. Because
> he knows the address that will get him on the list.

> If this is true, and it's beginning to look like egroups is a
> target of one attack, and I've heard rumors of some mailman lists
> being hit as well, then lists that depend on mailback validation
> have a problem. And I think there's been a feeling that mailbacks
> are the one true way of validation to the point where there hasn't
> been much (if any) thought about improved techniques or
> alternatives.

> And if I, having spent four hours on the "how would I do this?"
> train of thought can find a fairly easy to implement design, so
> can those that aren't so pure of heart and don't say their prayers
> at night. This isn't something the "buy a CD for $200" lameoid
> spammers can do (but I'll bet a really good spammer could build a
> system to do it that's turnkey. There's enough wide open hardware
> out on the net, especially overseas, that you could get a good 6
> month run before enough stuff shut you down to make it not worth
> it...), but the porn spammers and gambling spammers and the
> spammers for hire? It's perfect for them.

> I've felt for a while that the list community was way too
> comfortable with mailbacks as "safe and unbeatable". I'm now
> seeing what I think is evidence that this is no longer true. And
> I'm afraid that because we have sat back and not innovated here,
> we're going to end up behind the eight ball. And I don't see any
> easy answers if I'm right -- only that if I am wrong, I won't be
> wrong forever.

> So I'm throwing it to the list, to see if there's information
> others have that might corroborate what I think I'm seeing (that
> you may not have realized for what it might be), or to poke holes
> in my analysis, or to start thinking of how to deal with it.

> There I go, being a troublemaker again... (grin, sort of)

> thoughts?

> chuq

> -- Chuq Von Rospach - Plaidworks Consulting
> (mailto:chuqui@plaidworks.com) Apple Mail List Gnome
> (mailto:chuq@apple.com)

> We're visiting the relatives. Cover us.


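The "N moderator-approved posts before posting authority" model that Lawrence proposes above, as an added example; this is not Mailman's code nor anything from the thread. It assumes a hypothetical `ListPolicy` class, a constructed member address, and N = 3; it also covers the forged-From: caveat from the reply by letting a list owner revoke an address's earned authority, after which its posts are held again.

```python
REQUIRED_APPROVALS = 3   # the "N" of the proposal; assumed value


class ListPolicy:
    def __init__(self):
        self.approved = {}   # member address -> moderator-approved post count
        self.held = []       # (address, body) waiting for a moderator

    def subscribe(self, address):
        # Completing the mailback handshake only creates a member record;
        # it grants no posting authority by itself.
        self.approved.setdefault(address.lower(), 0)

    def has_authority(self, address):
        return self.approved.get(address.lower(), 0) >= REQUIRED_APPROVALS

    def post(self, sender, body):
        """Decide a message's fate: 'accept', 'hold' or 'reject'."""
        sender = sender.lower()
        if sender not in self.approved:
            return "reject"          # non-member
        if self.has_authority(sender):
            return "accept"          # earned the right to post unmoderated
        self.held.append((sender, body))
        return "hold"                # a moderator must look at it

    def moderate(self, index, approve):
        """Moderator verdict on held post #index; returns new authority state."""
        address, _ = self.held.pop(index)
        self.approved[address] = self.approved[address] + 1 if approve else 0
        return self.has_authority(address)

    def revoke(self, address):
        # A trusted From: address that is forged or starts spamming loses its
        # authority again; its next post is held like a newcomer's.
        self.approved[address.lower()] = 0


def run_demo():
    p = ListPolicy()
    p.subscribe("alice@example.org")            # constructed address
    log = []
    for i in range(REQUIRED_APPROVALS):         # each post held, then approved
        log.append(p.post("alice@example.org", f"post {i}"))
        log.append(p.moderate(0, True))
    log.append(p.post("alice@example.org", "later post"))    # accepted outright
    p.revoke("alice@example.org")
    log.append(p.post("alice@example.org", "after revoke"))  # held again
    return log
```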