[Mailman-Users] specific (1) LHS and (2) sender rules to frustrate spam/phishing

Rich Kulawiec rsk at gsp.org
Fri Jun 29 16:44:43 CEST 2007

Two related suggestions.

(1) LHS (left-hand-side) rules

Any incoming mail message whose putative sender matches:


and which is directed to any of the Mailman standard aliases can
be rejected (not bounced [1]) with SMTP status 550 (extended status
5.7.1) since either:

	(a) it's a forgery, therefore there's no point in letting
	    Mailman attempt to emit a reply -- or even in accepting
	    the message to begin with.
	(a) it's not a forgery, therefore there's no point in trying
	    to reply to it.  (Nor is there any point in permitting it
	    to subscribe to a list or send any traffic to one.)

Arguably, this could be done in some MTAs by configuring rejection
of those LHS patterns on a per-local-user basis; but I'll argue that
doing this in Mailman itself would be more useful, since many (perhaps
most) sites don't use per-local-user configuration (and perhaps don't
know how).  Moreover, any site running multiple mailing lists would
need to set this up for every Mailman alias for every mailing list --
so it seems simpler to handle it inside Mailman itself.

My guess is that this should be a switchable feature, named something
like "reject-noreplies".  (Not that I can envision a need to switch it
off, but I think it'd be more conversative to have that option.)

(2) sender rules

Any incoming mail message whose putative sender matches the list below
can also be rejected (SMTP status 550, extended status 5.7.1) because
these addresses will never send traffic to any mailing list nor
subscribe to any mailing list.  There's thus no point in expending
the bandwidth/CPU necessary to process them, nor in forwarding them on
to list admins for possible approval -- any message from these addresses
to any Mailman-related address is invariably a phish attempt.

I'm sure this list is incomplete; I built it by looking at incoming
attempts received locally in 2007.  It's not meant to be complete,
only illustrative.

Again, this could be done at the MTA level by blocking on a per-local-user
basis, but (as above) I think wiring it into Mailman would make it useful
to people who do not have their MTAs so configured.

And this should probably also be switchable feature, perhaps named

More comments below this list.

	acc-overview at paypal.com
	account-update at amazon.com
	account.issue at paypal.com
	account.protection at ebay.com
	account.support at chaseonline.com
	account at amazon.com
	account at bankofamerica.com
	account at capitalone.com
	account at chase.com
	account at ebay.com
	account at paypal.com
	accounts at amazon.com
	accounts at bscu.org
	accounts at chaseonline.com
	accounts at downeysavings.com
	accounts at mybankfirstunited.com
	accounts at paypal.com
	accounts at regions.com
	accounts at searscard.com
	accounts at wellsfargo.com
	accounts_support at paypal.com
	accountservice at bankofamerica.us
	accountupdate at chase.com
	admin at bankofhanover.com
	admin at paypal.com
	administrator at paypal.com
	ads at servicecu.org
	alertingservice at searscard.com
	alertsrobots at bankofamerica.com
	assistance at paypal.com
	auto-confirm at amazon.com
	aw-confirm at ebay.com
	aw-confirm at paypal.com
	aw.confirm at paypal.com
	aw.confirm at regions.com
	banking at chase.com
	bankofamericaalerts at alerts.bankofamerica.com
	bankofamericaalerts at bankofamerica.com
	billing at ebay.com
	billing at paypal.com
	boa at bankofamerica.com
	cardpayments at citibank.com
	cards at paypal.com
	cgi-bin at paypal.com
	chase at chase.com
	chase at chaseonline.com
	chase at notify.chase.com
	chase at service.com
	chasecardservices at notify.chase.com
	chaseco at chase.com
	chaseonline at chase.com
	chaseonlinealerts at alerts.chase.com
	chaseonlinealerts at chase.com
	checkout at ebay.com
	closed at paypal.com
	confirm145 at paypal.com
	confirmer at paypals.com
	contact at paypal.com
	customcare at paypal.com
	customecare at paypal.com
	customer-service at westernunion.com
	customer-services at bankofamerica.com
	customer.service at capitalone.com
	customer.service at chase.com
	customer.support at capitalone.com
	customer.support at chase.com
	customer.support at paypal.com
	customer at bankofamerica.com
	customer at paypal.com
	customer at redwood-bank.com
	customercare at amazon.com
	customercare at paypal.com
	customers at amazon.com
	customerservice at bankofamerica.com
	customerservice at paypal.com
	customerservice at wachovia.com
	customersupport at citibank.co.uk
	dncu at dncu.org
	do-not-replay at azfcu.org
	do-not-replay at chase.com
	do-not-replay at xfcu.org
	do-not-reply at azfcu.org
	do-not-reply at bankofamerica.com
	do-not-reply at chase.com
	do-not-reply at customers.cacu.net
	do-not-reply at germanamericanbancorp.com
	do-not-reply at lacapfcu.org
	do-not-reply at paypal.com
	do-not-reply at regions.com
	financial at regions.com
	flafstar-bank at security.org
	fraud at paypal.com
	fraud_help at chase.com
	info at azfcu.org
	info at bankofamerica.com
	info at ebay.com
	info at paypal.com
	info at westernunion.com
	member at ebay.com
	member at paypal.com
	memsvc at vacu.org
	mesage.center at chase.com
	message.center at chase.com
	message at ebay.com
	message at northforkbank.com
	messages at ebay.com
	militarybankalerts at alerts.bankofamerica.com
	militarybankalerts at bankofamerica.com
	mychase at chase.com
	no-reply at chase.com
	no-reply at ebay.com
	no-reply at maybank.org
	no.reply at ebay.com
	no.reply at paypal.com
	noreply at bankofamerica.com
	noreply at germanamericanbancorp.com
	noreply at westernunion.com
	notice.alert at bankofamerica.com
	notice at azfcu.org
	notice at bankofamerica.com
	notice at chase.com
	notice at chaseonline.com
	notice at ebay.com
	notice at paypal.com
	notice at wellsfargo.com
	notices.alert at bankofamerica.com
	office at paypal.com
	office at westernunion.com
	online-banking at chase.com
	online-support at online-bankofamerica.com
	online-survey at chase.com
	online.bank at regions.com
	online.banking at regions.com
	online.services at wachovia.com
	online at bankofamerica.com
	online at paypals.com
	onlineaccount at capitalone.com
	onlinebanking.alert at bankofamerica.com
	onlinebanking at alert.bankofamerica.com
	onlinebanking at bankofamerica.com
	onlinebanking at wellsfargo.com
	onlinesecurity at bankofamerica.com
	onlinesecurity at wachovia.com
	onlineservice at bankofamerica.com
	onlineservice at capitalone.com
	onlineservice at paypal.com
	onlineservice at wachovia.com
	onlineservice at wellsfargo.com
	onlineservices at bankofamerica.com
	onlineservices at wachovia.com
	onlinesrvices at wachovia.com
	onlinesupport at pafcu.org
	onlineupdate at paypal.com
	payment at paypal.com
	paymentprotector at cuna.org
	paypal-acc at paypal.com
	paypal-account at paypal.com
	paypal-service at paypal.com
	paypal at onlinesecure.com
	powersellersinfo at ebay.com
	privacy at regions.com
	pw-confirm at chase.com
	renew at azfcu.org
	renew at tscu.org
	resolution-center at paypal.com
	reward at chaseonline.com
	reward at downeysavings.com
	rewards at chase.com
	rewards at westernunion.com
	secure-acc at amazon.com
	secure-acc at paypal.com
	secure-bank at regions.com
	secure-cc at capitalone.com
	secure-cc at paypal.com
	secure-login at chase.com
	secure-login at regions.com
	secure at boa.com
	secure at paypal.com
	secure at wachovia.com
	secure at watermarkcu.org
	secure at wellsfargo.com
	security.alert at bankofamerica.com
	security at amazon.com
	security at baefcu.org
	security at bankofamerica.com
	security at bankofhanover.com
	security at boa.com
	security at capitalone.com
	security at cefcu.net
	security at chase.com
	security at comchoicecu.org
	security at dncu.org
	security at ebay.com
	security at ncua.gov
	security at paypal.com
	security at regions.com
	security at security.com
	security at transwestcu.com
	security at visa.com
	security at wellsfargo.com
	security_alert at citizensbank.com
	service-account at paypal.com
	service-bank at regions.com
	service.account at capitalone.com
	service.customer at paypal.com
	service at amazon.com
	service at azfcu.org
	service at bankofamerica.com
	service at bankofamerlca.com
	service at bankofhanover.com
	service at capitalone.com
	service at chase.com
	service at chaseonline.chase.com
	service at chaseonline.com
	service at chesterfieldfcu.net
	service at cscu.org
	service at downeysavings.com
	service at ebay.com
	service at mandtbank.com
	service at midamericabank.com
	service at mybankfirstunited.com
	service at ncua.gov
	service at paypal.com
	service at paypal.it
	service at paypals.com
	service at regions.com
	service at secure.regions.com
	service at visa.com
	service at wachovia.com
	service at wamu.com
	service at warrenfcu.com
	service at wellsfargo.com
	service at westernunion.com
	service_banking at chase.com
	servicecenter at bankofamerica.us
	servicecenter at firstinterstatebank.com
	services at bankofamerica.com
	services at chesterfieldfcu.net
	services at downeysavings.com
	services at ebay.com
	services at paypal.com
	services at watermarkcu.org
	sitesecurity at citibank.com
	store-news at amazon.com
	support at amazon.com
	support at capitalone.com
	support at chase.com
	support at ebay.com
	support at flagstar.com
	support at online-bankofamerica.com
	support at paypal.com
	support at wamu.com
	support at wellsfargo.com
	support at yahoo.com
	survery at twcu.org
	survey at arizonafederal.org
	survey at azfcu.org
	survey at bankofhanover.com
	survey at cuna.org
	survey at downeysavings.com
	survey at tyndallcreditunion.com
	suspension at ebay.com
	unsuspend at paypal.com
	update-accounts at paypal.com
	update.profile at amazon.com
	update at boa.com
	update at paypal.com
	update at wellsfargo.com
	updating at capitalone.com
	web-info at cuna.org
	web-service at mybankfirstunited.com
	webmaster at paypal.com
	westernunionalerts at westernunion.com
	westernunionresponse at westernunion.com

In both these cases, the check can be carried out by doing some
simple string-matching.  The second list will need ongoing (and
careful) maintenance -- and one way to achieve that might be to
enlist the cooperation of the domains in question.  However,
note that (a) under-inclusion is no worse than the current
situation and (b) over-inclusion is unlikely given even a modicum
of scrutiny applied to prospective list entries.


[1] The difference between a reject and a bounce: a reject is performed
by emitting the appropriate SMTP status code and closing the connection;
that is, the message is refused while the SMTP connection is open from
the sending side.   A bounce is performed by accepting the message
(again, emitting the appropriate SMTP status code), then performing
further processing, deciding not to accept the message, and attemping
to "return" the message to the putative sender.  The simplest way
of putting this is "reject good, bounce bad", since bounces invariably
result in outscatter (aka "backscatter"), which is a form of spam,
which in turn will cause sufficiently egregious emitters to be
(correctly) blacklisted.  Note as well that various mitigating
strategies designed to blunt the effects of bounce-instead-of-reject
policies lose entirely due to rampant forgery, DNS redirection,
an estimated 100M+ fully-compromised systems, and widespread failure
of end-user ISPs to control outbound SMTP abuse.  So saying that it's
immensely preferable to reject rather than bounce is an understatement.

More information about the Mailman-Users mailing list