LSTOWN-L Archives

LISTSERV List Owners' Forum

Eric Thomas
Sat, 28 Dec 1996 20:55:25 +0100
From the 1.8c release notes:
 
**********************************************************
* Security: Automatic detection of spoofed subscriptions *
**********************************************************
 
In the last few months, a number of point and click utilities have begun
to appear on anonymous FTP servers, allowing mischievous users to forge
Internet mail on an industrial scale and subscribe an unfortunate victim
to thousands of mailing lists. The resulting mail onslaught fills the
victim's mailbox in minutes, rendering the account forever unusable. It
also brings the mail server on which the account is hosted to its knees,
causing, in some cases, tens of thousands of dollars in consequential
damages as other users of the same system also lose precious e-mail.
 
In most cases, the account ends up being closed. Unfortunately, this
usually doubles the load on the recipient's mail server, as a delivery
error needs to be generated for every message received from the mailing
list servers. Thus, it is not uncommon for the service provider to leave
the account open and simply reconfigure it in such a way that incoming
mail continues to be accepted, but is summarily discarded without
generating a costly delivery error notification. While it is difficult to
blame the service provider for wanting to minimize impact to their
customers, the drawback is that the list owners may never be notified of
the fact that the account was closed. On any large LISTSERV system, there
are likely to be dozens of these addresses, each being sent hundreds or
possibly thousands of messages a day which are simply discarded and waste
resources.
 
Until now, the only defence against this attack was to configure mailing
lists to require subscription confirmation:
 
* Subscription= Open,Confirm
 
LISTSERV will then send a confirmation request to the victim, who does
not reply and thus is not added to the list. While this line of defence
is 100% effective, it may not always be practical or desirable to
configure the list to require confirmation.
 
Starting with version 1.8c, LISTSERV is now able to detect these
"spoofed" subscription attacks automatically. When more than 50
subscription requests are received from the same account in a short time
frame, LISTSERV automatically undoes all the subscription requests and
rejects any further subscription attempt for a certain period of time.
This applies even to requests that LISTSERV forwarded to other servers;
LISTSERV will then send a SIGNOFF request to the remote server for the
address in question. Note that, in some cases, the subscription may not
be undone, either because of a temporary condition (locked list, etc)
preventing LISTSERV from deleting the user, or because the list was
configured with "Subscription= By owner" and the owner manually added the
victim after the arrival of the undo request.
 
This mechanism offers a very good degree of protection against the
adverse effects that dead "spoofed accounts" can have on the performance
of the LISTSERV host system. It does not, unfortunately, mean that people
no longer have to fear subscription spoofing, as only LISTSERV lists are
monitored and protected by the "spoof detector". Requests to subscribe to
lists hosted by other mailing list managers are sent directly to the list
managers in question, and LISTSERV can only act on the requests that it
does receive.
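The per-address threshold logic the release notes describe, as an added illustration that is not LISTSERV's own code: requests from one address are counted in a sliding window, and once the count exceeds 50 every list subscribed in that window is queued for an undo (SIGNOFF) and the address is refused for a block period. The window length and block duration are assumptions; the note above gives neither.

```python
from collections import defaultdict, deque

THRESHOLD = 50          # from the release notes: "more than 50" requests
WINDOW = 600.0          # seconds; assumed value for "a short time frame"
BLOCK_PERIOD = 86400.0  # seconds; assumed value for "a certain period of time"


class SpoofDetector:
    """Tracks subscription requests per sender and trips on a flood."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_period=BLOCK_PERIOD):
        self.threshold = threshold
        self.window = window
        self.block_period = block_period
        self._requests = defaultdict(deque)  # address -> deque of (timestamp, list)
        self._blocked_until = {}             # address -> time the refusal ends

    @staticmethod
    def _normalise(address):
        # Mail addresses are compared case-insensitively so a forger cannot
        # split the count across "Victim@..." and "victim@...".
        return address.strip().lower()

    def request(self, address, listname, now):
        """Record one subscription request arriving at time `now`.

        Returns (action, lists):
          "blocked" - address is inside a refusal period; request rejected
          "undo"    - threshold exceeded; `lists` are the subscriptions made in
                      the window, each to be undone with a SIGNOFF
          "accept"  - nothing suspicious yet
        """
        addr = self._normalise(address)
        until = self._blocked_until.get(addr)
        if until is not None and now < until:
            return "blocked", []
        q = self._requests[addr]
        q.append((now, listname))
        while q and now - q[0][0] > self.window:   # expire old requests
            q.popleft()
        if len(q) > self.threshold:
            undo = sorted({lst for _, lst in q})
            q.clear()
            self._blocked_until[addr] = now + self.block_period
            return "undo", undo
        return "accept", []
```

An "undo" result is only a request to delete; as the notes say, a locked list or an owner-added entry can leave the subscription in place, so the caller must treat each SIGNOFF as fallible.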
