[Mailman-Developers] FYI -- mailback validations no longer safe?

Vince Sabio vince@vjs.org
Sat, 9 Dec 2000 17:32:53 -0500

** Sometime around 09:01 -0800 12/09/2000, Darrell Fuhriman sent us:
>Chuq Von Rospach <chuqui@plaidworks.com> writes:
>  > But Murr Rhame on list-managers said something that made me think of a
>  > possible answer -- new subscribers automatically go into "hold for
>  > approval" mode. it'd be another flag in the user record (like digest
>Yes, Lyris does this.  It's a feature I've wanted to add to
>mailman, but haven't had the bandwidth to do it.  It would be
>even nicer if it were smart enough to set a threshold and as soon
>as they've had that many posts approved, the restriction is
>automatically lifted.

Lyris actually uses this method. The list owner selects the number of 
[approved] posts that constitute the probationary period for that 
list, and all new members are subject to moderation for that number 
of approvals. I refer to this as a "semi-moderated" list.

In addition, Lyris supports "spot moderation," where an individual 
can be moderated, either permanently or for X number of posts, by one 
of the list administrators.

>There's a couple other things that Lyris does that would be cool,
>but I can't remember what they are right now.  :)

Another nice feature is text/regex-based filtering; posts can be 
rejected with admin-customized messages based on text strings in the 
messages. This allows flames to be quelled pretty quickly, without 
resorting to moderation. It *could* be used as a spam filter, though 
I must admit that I do not have spam filters in place. All of my 
production lists are semi-moderated and post-by-subscriber-only; 
we've probably been spammed twice in the past 3 years, and each time 
it was by someone who had been posting to the list for long enough to 
get past the newbie-moderation threshold.

I do not personally have any examples of forged-subscriber spam, but 
it is a risk that has bothered me for many years. I date back to the 
days of Kevin Lipsitz and the "Tempting Tear-Outs" spams; Kevin 
targeted primarily mailing lists (vs. individual addresses), and used 
several methods to [attempt to] subvert basic list security. Back 
then, few lists were moderated, even fewer required posts from 
subscribers only, and semi-moderation wasn't even a gleam in anyone's 
eye. Kevin used PAML to attack mailing lists across the 'Net, and he 
largely had full rampage ability on those lists. He was also pretty 
sharp technically (for a dork). A Lipstiz clone today would have his 
work cut out for him, but he could still easily subvert a list with 
much less effort than Chuq's domain-snatching idea:

1. Use PAML (or similar) to subscribe to discussion lists far and 
wide. Automation of subscription confirmations is a snap.

2. Collect mail from those lists, and parse & save addresses of the 
posters; be sure to correlate addresses with mailing lists.

3. For each list, sort the addresses in order of volume; this will 
help identify the prolific posters, thus helping to subvert 
semi-moderated lists.

4. Post via forged smtp mail from *and* header From:.

Short of S/MIME and similar measures that most of us would consider 
to be extreme (right now, anyway; probably won't be considered 
extreme measures for much longer), there is little that the owner of 
a large, busy discussion list can do to protect his list from an 
attack such as this. Sure, you could moderate the list, but many of 
my lists see 50 to 100 posts/day, and the max I've ever had posted to 
a single  list in one day was more than 450. That's a lot of 
moderation. I'd sooner buy a copy of MailShield to protect the server.

Like Chuq, I shudder at the thought of someone forging subscriber 
addresses to spam mailing lists.

- Vince