spf-discuss

Re: [spf-discuss] Malicious subscriptions of innocent bystanders to the SPF mailing lists -- moving the lists away from Listbox?

2006-07-20 09:50:14
In <200607190922(_dot_)03453(_dot_)julian(_at_)mehnle(_dot_)net> Julian Mehnle 
<julian(_at_)mehnle(_dot_)net> writes:

> Andy Bakun wrote:
>
> > Can someone take care of this and unsubscribe these addresses, which are
> > obviously other mailing lists?  I only ever sent both of my recent
> > messages to spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [...]
>
> I must admit it is probably my fault in part.  I am continuously monitoring
> the weekly subscription reports for all the SPF lists.

Only in part.  I used to do a lot more maintenance on the mailing lists
than I've done recently, so I'm also in part at fault.  It has also
been a very long time since Meng Weng Wong and Greg Connor have
helped, even though they still could.  All the current council members
could also pick up some of the slack, but haven't.  *sigh*


> Innocent bystanders' e-mail addresses (such as ...@(service.)paypal.com)
> are being subscribed to some of the lists regularly by anonymous idiots
> thanks to a vulnerability in the listbox.com software (which I won't go
> into in detail).  Up to a few days ago, I had always marked those
> addresses as "post-only" and "posting denied".

As I discussed with Julian last week, and again today, on IRC, 1) I don't
think that these email addresses are entirely "innocent", and 2) I
don't think they are being subscribed by malicious people, but rather
they are a result of spam.

It is my belief that what is happening is as follows:

1) A spammer harvests the SPF-discuss subscription address from any of
   a wide number of places, including every email sent from this list
   and from the openspf.org website.  Nothing special about this at
   all.

2) The spammer sends email forging the SPF-discuss subscribe address
   as the 2821.From: and sends it to another harvested address, in this
   case, one of any number of mailing list post addresses, mailing
   list subscribe addresses, auto-responders, automated abuse
   trackers, etc.  Nothing special or unusually malicious about this
   either.

   Basically, you have:

   From: <subscription address for SPF-discuss>
   To:  <some autoresponder>
   Subject:  Make Money Fast!

3) This other, broken, mailing list software and/or auto-responders
   send a reply back to the forged from address, instead of
   recognizing it as spam.  These broken programs fail to add things
   like the non-standard Precedence: header or other indications that
   they are automatic replies.  This creates backscatter and is
   broken, but nothing special or unusually malicious about it.  It
   means that they aren't entirely innocent though.

4) When the listbox.com subscription address receives the auto-reply,
   it fails to recognize that these messages are not real subscription
   requests from humans and sends a confirmation message back.  Again,
   probably at least slightly broken, but detecting all the broken
   software out there is hard.

5) These broken mailing lists/auto-responders again fail to recognize
   that they shouldn't reply to the confirmation messages.  Instead,
   they send another reply.  In the cases of the two mailing lists I
   unsubscribed yesterday, they both sent the rejection messages to
   the 2821.From: address instead of the 2822.MAILFROM, they didn't
   change the Subject: line, and they echoed either all, or critical
   parts of the email back.  Again, they didn't do anything to
   indicate that the email was auto generated, such as adding the
   non-standard Precedence: header.  

6) To the listbox software, these emails look very much like a human
   doing a confirmation.  The listbox confirmation message includes a
   nonce/token to verify that the confirmation was received by the
   right party, but the auto-responder included that nonce/token in its
   reply.

7) We now have a new, bogus, "subscriber" on our mailing list.

There is plenty of blame to go around here.

First and foremost, I blame the spammers for harvesting and forging email
addresses.

The other mailing list software/auto-responders should do a much better
job of filtering the spam, making their responses easily
distinguishable from a human's, and recognizing automated replies.
Not much we can do about fixing all the software in the world though.

Ok, finally, I think listbox could do several things.

For starters, I think it could do a better job of recognizing
auto-responses.  The backscatter sent to the subscription addresses
almost certainly contained spam and much more text than a typical
legitimate subscription request.

Secondly, the listbox software puts the confirmation nonce/token into
the 2821.From: address, rather than the more typical locations of the
Subject: or the email body.  A lot of auto-responders that change
the Subject: and don't echo the confirmation email body will still
get tripped up with the nonce/token being in the 2821.From:.



> The last reports again made me aware that some other mailing lists had been
> maliciously subscribed to spf-discuss, but I have become sick of working
> around this stupid Listbox security hole.  I'll try notifying the Listbox
> staff about it one more time, but if they don't manage to fix it soon, I
> hereby propose that we move the lists off the Listbox system.

Personally, I really don't think that moving the mailing lists would
be a good idea.

Running several large mailing lists doesn't sound like much fun to me,
what with people "unsubscribing" by reporting mailing list traffic as
"spam" to their ISP (AOL/Hotmail/Yahoo/etc.)  or via spamcop, delivery
problems, mail loops, etc.  I really doubt that the number of bogus
subscriptions would go down that much.

I remember when we had the SPF-council and SPF-private lists on
mailman.  It was almost impossible for anyone but the person owning
the box to do anything.  When that owner moved on from the SPF
project, we were stuck.  In contrast, when Meng Weng Wong moved on
from the SPF project, we could still do a lot of list management.

Could things be better?  Sure.  Do I think things *would* be better if
we moved the mailing lists?  I doubt it.




-wayne
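The confirmation-loop described in steps 1-7 above, as an added illustration that is not part of the thread and not Listbox's own code: a subscription confirmer that, besides matching the pending token, refuses replies that carry RFC 3834 Auto-Submitted or a bulk Precedence: header, and falls back to the thread's heuristics (an echoed confirmation text, an oversized body) for responders that set neither. The confirm-address format, the sample messages and the thresholds are assumptions constructed for the example.

```python
import re
import email
from email import policy

TOKEN_RE = re.compile(r"spf-discuss-confirm-([0-9a-f]{16})@", re.I)  # assumed address shape


def automation_reason(msg, confirmation_text, max_body_len=1500):
    """Return why a reply looks machine-generated, or None if it looks human."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":  # RFC 3834: any value other than "no" means automatic
        return f"Auto-Submitted: {auto}"
    if (msg.get("Precedence") or "").strip().lower() in {"bulk", "junk", "list", "auto_reply"}:
        return "Precedence: header marks an automatic reply"
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Thread heuristics: broken responders echo the confirmation (token and all) and send far more text.
    if confirmation_text.strip() in body:
        return "echoes the confirmation message verbatim"
    if len(body) > max_body_len:
        return "body much longer than a human confirmation"
    return None


def process_confirmation(raw, pending_tokens, confirmation_text):
    """Accept only a pending token carried by a human-looking reply."""
    msg = email.message_from_string(raw, policy=policy.default)
    m = TOKEN_RE.search(msg.get("To", ""))
    if not m or m.group(1).lower() not in pending_tokens:
        return ("rejected", "no pending token in the confirm address")
    reason = automation_reason(msg, confirmation_text)
    if reason:
        return ("rejected", reason)
    pending_tokens.discard(m.group(1).lower())
    return ("accepted", m.group(1).lower())


# Constructed sample messages, not real list traffic.
TOKEN = "0123456789abcdef"
CONFIRMATION = "Reply to this message to confirm your subscription to spf-discuss."
HUMAN_REPLY = f"""To: spf-discuss-confirm-{TOKEN}@v2.listbox.com
From: alice@example.org
Subject: Re: confirm subscription to spf-discuss

Yes, please subscribe me.
"""
# Unmarked auto-responder: no Precedence:, Subject: untouched, original echoed back.
AUTO_REPLY = f"""To: spf-discuss-confirm-{TOKEN}@v2.listbox.com
From: other-list@example.net
Subject: Re: confirm subscription to spf-discuss

Your message was not accepted by this list. Original message follows:
> {CONFIRMATION}
"""
```

Because the token travels in the address the responder replies to, the header checks alone would pass AUTO_REPLY; it is the echoed-body heuristic that catches it.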

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com