[Mailman-Users] specific (1) LHS and (2) sender rules to frustrate spam/phishing
Rich Kulawiec
rsk at gsp.org
Fri Jun 29 16:44:43 CEST 2007
Two related suggestions.
(1) LHS (left-hand-side) rules
Any incoming mail message whose putative sender matches:
do-not-reply@
do.not.reply@
donotreply@
no-reply@
no.reply@
noreply@
and which is directed to any of the Mailman standard aliases can
be rejected (not bounced [1]) with SMTP status 550 (extended status
5.7.1) since either:
(a) it's a forgery, therefore there's no point in letting
Mailman attempt to emit a reply -- or even in accepting
the message to begin with.
(b) it's not a forgery, therefore there's no point in trying
to reply to it. (Nor is there any point in permitting it
to subscribe to a list or send any traffic to one.)
Arguably, this could be done in some MTAs by configuring rejection
of those LHS patterns on a per-local-user basis; but I'll argue that
doing this in Mailman itself would be more useful, since many (perhaps
most) sites don't use per-local-user configuration (and perhaps don't
know how). Moreover, any site running multiple mailing lists would
need to set this up for every Mailman alias for every mailing list --
so it seems simpler to handle it inside Mailman itself.
My guess is that this should be a switchable feature, named something
like "reject-noreplies". (Not that I can envision a need to switch it
off, but I think it'd be more conservative to have that option.)
(2) sender rules
Any incoming mail message whose putative sender matches the list below
can also be rejected (SMTP status 550, extended status 5.7.1) because
these addresses will never send traffic to any mailing list nor
subscribe to any mailing list. There's thus no point in expending
the bandwidth/CPU necessary to process them, nor in forwarding them on
to list admins for possible approval -- any message from these addresses
to any Mailman-related address is invariably a phish attempt.
I'm sure this list is incomplete; I built it by looking at incoming
attempts received locally in 2007. It's not meant to be complete,
only illustrative.
Again, this could be done at the MTA level by blocking on a per-local-user
basis, but (as above) I think wiring it into Mailman would make it useful
to people who do not have their MTAs so configured.
And this should probably also be a switchable feature, perhaps named
"reject-obvious-phishes".
More comments below this list.
acc-overview at paypal.com
account-update at amazon.com
account.issue at paypal.com
account.protection at ebay.com
account.support at chaseonline.com
account at amazon.com
account at bankofamerica.com
account at capitalone.com
account at chase.com
account at ebay.com
account at paypal.com
accounts at amazon.com
accounts at bscu.org
accounts at chaseonline.com
accounts at downeysavings.com
accounts at mybankfirstunited.com
accounts at paypal.com
accounts at regions.com
accounts at searscard.com
accounts at wellsfargo.com
accounts_support at paypal.com
accountservice at bankofamerica.us
accountupdate at chase.com
admin at bankofhanover.com
admin at paypal.com
administrator at paypal.com
ads at servicecu.org
alertingservice at searscard.com
alertsrobots at bankofamerica.com
assistance at paypal.com
auto-confirm at amazon.com
aw-confirm at ebay.com
aw-confirm at paypal.com
aw.confirm at paypal.com
aw.confirm at regions.com
banking at chase.com
bankofamericaalerts at alerts.bankofamerica.com
bankofamericaalerts at bankofamerica.com
billing at ebay.com
billing at paypal.com
boa at bankofamerica.com
cardpayments at citibank.com
cards at paypal.com
cgi-bin at paypal.com
chase at chase.com
chase at chaseonline.com
chase at notify.chase.com
chase at service.com
chasecardservices at notify.chase.com
chaseco at chase.com
chaseonline at chase.com
chaseonlinealerts at alerts.chase.com
chaseonlinealerts at chase.com
checkout at ebay.com
closed at paypal.com
confirm145 at paypal.com
confirmer at paypals.com
contact at paypal.com
customcare at paypal.com
customecare at paypal.com
customer-service at westernunion.com
customer-services at bankofamerica.com
customer.service at capitalone.com
customer.service at chase.com
customer.support at capitalone.com
customer.support at chase.com
customer.support at paypal.com
customer at bankofamerica.com
customer at paypal.com
customer at redwood-bank.com
customercare at amazon.com
customercare at paypal.com
customers at amazon.com
customerservice at bankofamerica.com
customerservice at paypal.com
customerservice at wachovia.com
customersupport at citibank.co.uk
dncu at dncu.org
do-not-replay at azfcu.org
do-not-replay at chase.com
do-not-replay at xfcu.org
do-not-reply at azfcu.org
do-not-reply at bankofamerica.com
do-not-reply at chase.com
do-not-reply at customers.cacu.net
do-not-reply at germanamericanbancorp.com
do-not-reply at lacapfcu.org
do-not-reply at paypal.com
do-not-reply at regions.com
financial at regions.com
flafstar-bank at security.org
fraud at paypal.com
fraud_help at chase.com
info at azfcu.org
info at bankofamerica.com
info at ebay.com
info at paypal.com
info at westernunion.com
member at ebay.com
member at paypal.com
memsvc at vacu.org
mesage.center at chase.com
message.center at chase.com
message at ebay.com
message at northforkbank.com
messages at ebay.com
militarybankalerts at alerts.bankofamerica.com
militarybankalerts at bankofamerica.com
mychase at chase.com
no-reply at chase.com
no-reply at ebay.com
no-reply at maybank.org
no.reply at ebay.com
no.reply at paypal.com
noreply at bankofamerica.com
noreply at germanamericanbancorp.com
noreply at westernunion.com
notice.alert at bankofamerica.com
notice at azfcu.org
notice at bankofamerica.com
notice at chase.com
notice at chaseonline.com
notice at ebay.com
notice at paypal.com
notice at wellsfargo.com
notices.alert at bankofamerica.com
office at paypal.com
office at westernunion.com
online-banking at chase.com
online-support at online-bankofamerica.com
online-survey at chase.com
online.bank at regions.com
online.banking at regions.com
online.services at wachovia.com
online at bankofamerica.com
online at paypals.com
onlineaccount at capitalone.com
onlinebanking.alert at bankofamerica.com
onlinebanking at alert.bankofamerica.com
onlinebanking at bankofamerica.com
onlinebanking at wellsfargo.com
onlinesecurity at bankofamerica.com
onlinesecurity at wachovia.com
onlineservice at bankofamerica.com
onlineservice at capitalone.com
onlineservice at paypal.com
onlineservice at wachovia.com
onlineservice at wellsfargo.com
onlineservices at bankofamerica.com
onlineservices at wachovia.com
onlinesrvices at wachovia.com
onlinesupport at pafcu.org
onlineupdate at paypal.com
payment at paypal.com
paymentprotector at cuna.org
paypal-acc at paypal.com
paypal-account at paypal.com
paypal-service at paypal.com
paypal at onlinesecure.com
powersellersinfo at ebay.com
privacy at regions.com
pw-confirm at chase.com
renew at azfcu.org
renew at tscu.org
resolution-center at paypal.com
reward at chaseonline.com
reward at downeysavings.com
rewards at chase.com
rewards at westernunion.com
secure-acc at amazon.com
secure-acc at paypal.com
secure-bank at regions.com
secure-cc at capitalone.com
secure-cc at paypal.com
secure-login at chase.com
secure-login at regions.com
secure at boa.com
secure at paypal.com
secure at wachovia.com
secure at watermarkcu.org
secure at wellsfargo.com
security.alert at bankofamerica.com
security at amazon.com
security at baefcu.org
security at bankofamerica.com
security at bankofhanover.com
security at boa.com
security at capitalone.com
security at cefcu.net
security at chase.com
security at comchoicecu.org
security at dncu.org
security at ebay.com
security at ncua.gov
security at paypal.com
security at regions.com
security at security.com
security at transwestcu.com
security at visa.com
security at wellsfargo.com
security_alert at citizensbank.com
service-account at paypal.com
service-bank at regions.com
service.account at capitalone.com
service.customer at paypal.com
service at amazon.com
service at azfcu.org
service at bankofamerica.com
service at bankofamerlca.com
service at bankofhanover.com
service at capitalone.com
service at chase.com
service at chaseonline.chase.com
service at chaseonline.com
service at chesterfieldfcu.net
service at cscu.org
service at downeysavings.com
service at ebay.com
service at mandtbank.com
service at midamericabank.com
service at mybankfirstunited.com
service at ncua.gov
service at paypal.com
service at paypal.it
service at paypals.com
service at regions.com
service at secure.regions.com
service at visa.com
service at wachovia.com
service at wamu.com
service at warrenfcu.com
service at wellsfargo.com
service at westernunion.com
service_banking at chase.com
servicecenter at bankofamerica.us
servicecenter at firstinterstatebank.com
services at bankofamerica.com
services at chesterfieldfcu.net
services at downeysavings.com
services at ebay.com
services at paypal.com
services at watermarkcu.org
sitesecurity at citibank.com
store-news at amazon.com
support at amazon.com
support at capitalone.com
support at chase.com
support at ebay.com
support at flagstar.com
support at online-bankofamerica.com
support at paypal.com
support at wamu.com
support at wellsfargo.com
support at yahoo.com
survery at twcu.org
survey at arizonafederal.org
survey at azfcu.org
survey at bankofhanover.com
survey at cuna.org
survey at downeysavings.com
survey at tyndallcreditunion.com
suspension at ebay.com
unsuspend at paypal.com
update-accounts at paypal.com
update.profile at amazon.com
update at boa.com
update at paypal.com
update at wellsfargo.com
updating at capitalone.com
web-info at cuna.org
web-service at mybankfirstunited.com
webmaster at paypal.com
westernunionalerts at westernunion.com
westernunionresponse at westernunion.com
In both these cases, the check can be carried out by doing some
simple string-matching. The second list will need ongoing (and
careful) maintenance -- and one way to achieve that might be to
enlist the cooperation of the domains in question. However,
note that (a) under-inclusion is no worse than the current
situation and (b) over-inclusion is unlikely given even a modicum
of scrutiny applied to prospective list entries.
---Rsk
[1] The difference between a reject and a bounce: a reject is performed
by emitting the appropriate SMTP status code and closing the connection;
that is, the message is refused while the SMTP connection is open from
the sending side. A bounce is performed by accepting the message
(again, emitting the appropriate SMTP status code), then performing
further processing, deciding not to accept the message, and attempting
to "return" the message to the putative sender. The simplest way
of putting this is "reject good, bounce bad", since bounces invariably
result in outscatter (aka "backscatter"), which is a form of spam,
which in turn will cause sufficiently egregious emitters to be
(correctly) blacklisted. Note as well that various mitigating
strategies designed to blunt the effects of bounce-instead-of-reject
policies lose entirely due to rampant forgery, DNS redirection,
an estimated 100M+ fully-compromised systems, and widespread failure
of end-user ISPs to control outbound SMTP abuse. So saying that it's
immensely preferable to reject rather than bounce is an understatement.
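The string-matching check the post describes, written out as an added example (this is not Mailman code and not the poster's; list names, the domain, the function names and the handful of sender entries are assumptions made for illustration, with the sender entries taken as a subset of the post's own list). It implements rule (1) on the local part and rule (2) on the full address, applies both only when the recipient is one of the standard Mailman 2.1 aliases for a known list, and returns the 550 5.7.1 reply text the post proposes. The function is meant to be called while the SMTP session is still open (for example from a Postfix policy service or a milter), because Mailman 2 receives mail from the MTA only after acceptance, so a check placed inside Mailman can discard or bounce but cannot reject in the sense of footnote [1]. The null sender (<>) is always accepted, since that is what legitimate bounces and DSNs for the list's own outgoing mail carry.

```python
"""Reject no-reply and known-phish senders addressed to Mailman aliases.

Added example, not part of Mailman or of the original post. Assumptions:
LIST_DOMAIN / LISTS stand in for whatever the site really serves, and
OBVIOUS_PHISH is a constructed subset of the post's illustrative list.
"""
from email.utils import parseaddr

# Mailman 2.1 per-list alias suffixes; "" is the posting address itself.
MAILMAN_SUFFIXES = ("", "-admin", "-bounces", "-confirm", "-join", "-leave",
                    "-owner", "-request", "-subscribe", "-unsubscribe")

# Rule (1): no-reply local parts from the post, matched case-insensitively
# against the whole local part (after any "+tag" sub-address is dropped).
NOREPLY_LHS = frozenset({"do-not-reply", "do.not.reply", "donotreply",
                         "no-reply", "no.reply", "noreply"})

# Rule (2): constructed subset of the post's sender list (assumption).
OBVIOUS_PHISH = frozenset({
    "service@paypal.com", "security@bankofamerica.com",
    "aw-confirm@ebay.com", "service@bankofamerlca.com", "support@yahoo.com",
})

# Lists served here (assumed for the example; real code would ask Mailman).
LIST_DOMAIN = "lists.example.org"
LISTS = ("mailman-users", "mailman-developers")


def normalize(addr):
    """Bare, lowercased address; '' for the null sender <> or garbage."""
    _, bare = parseaddr(addr)
    return bare.strip().lower()


def split_address(addr):
    local, _, domain = addr.rpartition("@")
    return local, domain


def is_mailman_alias(rcpt):
    """True if rcpt is the posting address or any -suffix alias of a list."""
    local, domain = split_address(normalize(rcpt))
    if domain != LIST_DOMAIN:
        return False
    return any(local == name + suffix
               for name in LISTS for suffix in MAILMAN_SUFFIXES)


def check_sender(mail_from, rcpt_to,
                 reject_noreplies=True, reject_obvious_phishes=True):
    """Decide at RCPT TO time: None to accept, else the SMTP reply to send.

    Both switches mirror the post's proposed "reject-noreplies" and
    "reject-obvious-phishes" options. Non-Mailman recipients are untouched.
    """
    sender = normalize(mail_from)
    if not sender:
        return None          # null sender: DSNs for our own mail, never reject
    if not is_mailman_alias(rcpt_to):
        return None
    local, _ = split_address(sender)
    local = local.split("+", 1)[0]   # noreply+tag@ is still noreply@ (assumption)
    if reject_noreplies and local in NOREPLY_LHS:
        return "550 5.7.1 No-reply sender refused for list alias (reject-noreplies)"
    if reject_obvious_phishes and sender in OBVIOUS_PHISH:
        return "550 5.7.1 Sender refused for list alias (reject-obvious-phishes)"
    return None


# Constructed envelopes as they would appear in an SMTP session.
SAMPLE = [
    ("No Reply <NoReply@example.net>", "mailman-users-request@lists.example.org"),
    ("service@PayPal.com", "mailman-users-owner@lists.example.org"),
    ("<>", "mailman-users-bounces@lists.example.org"),
    ("noreply@example.net", "postmaster@lists.example.org"),
    ("alice@example.net", "mailman-users@lists.example.org"),
]


def run(samples=SAMPLE):
    """Return (mail_from, rcpt_to, verdict) for each constructed envelope."""
    return [(s, r, check_sender(s, r)) for s, r in samples]


if __name__ == "__main__":
    for s, r, verdict in run():
        print(f"{s:34} -> {r:42} {verdict or '250 OK (accept)'}")
```

Matching the local part exactly keeps to the post's list; a site that wants "noreply-123@" or "donotreply.alerts@" caught as well can change the membership test to a prefix test, at the cost of having to watch for legitimate senders that happen to start with those strings. The sender list for rule (2) is the part that needs the ongoing maintenance the post mentions; keeping it as data rather than code makes that easier to hand to whoever curates it.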