LSTOWN-L Archives

LISTSERV List Owners' Forum

Mike Yuhas <[log in to unmask]>
Wed, 16 Feb 2000 10:24:43 -0600
Hello List Owners:

The following item appeared on the Risks-Forum Digest (also found at
comp.risks), and is forwarded with the author's permission.

Okay, it's a stretch that someone could/would use our Listservs to
deliver spam in bounce messages, but we ought to be aware of the
potential.

How serious is the infinite bounce message loop vulnerability?

Mike Yuhas
List Owner, folkdj-l (hosted at lists.psu.edu)
http://folkradio.org



-----  begin forwarded message  -----


Date: Mon, 14 Feb 2000 12:27:57 -0500
From: Mich Kabay <[log in to unmask]>
Subject: Risks of bouncing messages from closed e-mail lists

I have noticed that a junk e-mailer has taken to using a closed mailing-list
server as a relay for his unauthorized messages.

The scam works like this:

1) Criminal locates a closed mailing list that responds to unauthorized
postings by sending back an automated rejection notice that includes the
original message.

2) Criminal sends junk e-mail to the closed list using the desired
_target's_ e-mail addresses in forged header.

3) Closed list obligingly bounces the original message back to the target's
address.

Authorized users of the closed list do not need to receive a message
informing them that their messages have not been accepted (presumably due to
some oversight or glitch) because they will likely note the absence of their
message on the list anyway.

Unauthorized users of the list do not need to see the text of their message
at all in their electronic rejection note -- a stock reply explaining how to
gain admission to the list is more relevant.

Therefore I recommend that at the very least, administrators for closed
e-mail lists prevent their listserv from sending the _complete text_ of a
bounced message back to the supposed originator.

However, there is a more serious vulnerability here: infinite loops between
two or more closed lists.

If an attacker forges the originating address of a closed list that sends
back automated rejection notes to another closed list that sends back
automated rejection notes, then each forged message will generate a
mailstorm as a function of the speed of the servers in sending bounce
messages to each other.  The chain can be extended to multiple closed-list
servers, causing even more useless traffic and potentially contributing to
denial of service for the legitimate users of the closed lists.

RECOMMENDATIONS:

A) Turn off automated notification of rejection altogether on all closed
lists; or if you feel that the notification messages are important, then

B) Configure the listserv to send back only the title of a rejected message,
not the complete text; or if you feel like addressing the potential
vulnerability head-on,

C) Design a check of a log file so that the listserv for a closed list can
quickly identify a mailstorm and stop it by turning off automated
notification of rejection when it is being abused.

M. E. Kabay, PhD, CISSP, Security Leader, Information Security Group
Adario, Inc., 255 Flood Road, Barre, VT 05641-4060  +1.802.479.7937


------

RISKS-LIST: Risks-Forum Digest  Tuesday 15 February 2000  Volume 20 : Issue 79

    FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

   Reused without explicit authorization under blanket
   permission granted for all Risks-Forum Digest materials.
   The author(s), the RISKS moderator, and the ACM have no
   connection with this reuse.
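Recommendation C above (a log-file check that spots a mailstorm and switches rejection notices off) together with recommendation B (a stock, subject-only notice), as an added example in Python. This is not code from either post and not LISTSERV's own logic; the log line format, the list name, the addresses and the log entries are all constructed for the example, and the threshold and window are assumptions a list owner would tune.

```python
"""Log-based mailstorm check for a closed list's rejection notices.

Hypothetical log format, constructed for this example (not a real
LISTSERV log format):
    <ISO-8601 timestamp> REJECT list=<list> from=<sender> subject=<subject>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) REJECT list=(?P<list>\S+) from=(?P<sender>\S+) subject=(?P<subject>.*)$"
)

# Constructed sample log: three ordinary mistaken postings, then a burst of
# rejections all addressed to one sender, which is what a bounce loop with a
# second closed list, or a forged-sender backscatter run, would look like.
SAMPLE_LOG = "\n".join(
    [
        "2000-02-14T12:00:00 REJECT list=folkdj-l from=alice@example.org subject=Playlist question",
        "2000-02-14T12:01:30 REJECT list=folkdj-l from=bob@example.org subject=Re: station IDs",
        "2000-02-14T12:02:10 REJECT list=folkdj-l from=carol@example.org subject=Joining the list",
    ]
    + [
        f"2000-02-14T12:05:{i:02d} REJECT list=folkdj-l "
        f"from=otherlist@lists.example.net subject=Rejected posting"
        for i in range(12)
    ]
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def stock_notice(listname: str, subject: str) -> str:
    """Recommendation B: quote only the subject line, never the original body,
    so the list cannot be used to relay someone else's text."""
    return (
        f"Your message to {listname} (subject: {subject!r}) was not accepted.\n"
        f"This is a closed list; to post, you must subscribe first."
    )


class RejectionGuard:
    """Recommendation C: once an address has received more than `threshold`
    rejection notices within `window`, stop notifying that address.  The
    cut-off is sticky (it stays off until the owner clears it), mirroring
    'turning off automated notification when it is being abused'."""

    def __init__(self, window: timedelta = timedelta(minutes=5), threshold: int = 10):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)  # sender -> timestamps in window
        self.storm_senders = set()

    def should_notify(self, ts: datetime, sender: str) -> bool:
        key = sender.lower()
        if key in self.storm_senders:
            return False
        q = self._recent[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop entries outside the window
            q.popleft()
        if len(q) > self.threshold:
            self.storm_senders.add(key)
            return False
        return True


def process_log(
    log_text: str, guard: Optional[RejectionGuard] = None
) -> Tuple[List[Tuple[str, str]], List[str], List[str]]:
    """Walk the rejection log; return (notices to send as (sender, text),
    senders whose notice was suppressed, senders flagged as a mailstorm)."""
    guard = guard or RejectionGuard()
    sent, suppressed = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if guard.should_notify(rec["ts"], rec["sender"]):
            sent.append((rec["sender"], stock_notice(rec["list"], rec["subject"])))
        else:
            suppressed.append(rec["sender"])
    return sent, suppressed, sorted(guard.storm_senders)


if __name__ == "__main__":
    sent, suppressed, storms = process_log(SAMPLE_LOG, RejectionGuard(threshold=5))
    print(f"notices sent: {len(sent)}, suppressed: {len(suppressed)}, storm senders: {storms}")
```

Two things a list owner would add in practice: the check counts notices per recipient address, which is the right key, because both abuses described above concentrate bounces on one forged address; and a modern list server should additionally refuse to answer any message that is itself auto-generated (for example one carrying an Auto-Submitted header other than "no", per RFC 3834, or Precedence: list/bulk), since that is exactly how a second closed list's rejection notice arrives and it stops the loop before any counter is needed.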
