From the 1.8c release notes:
**********************************************************
* Security: Automatic detection of spoofed subscriptions *
**********************************************************
In the last few months, a number of point and click utilities have begun
to appear on anonymous FTP servers, allowing mischievous users to forge
Internet mail on an industrial scale and subscribe an unfortunate victim
to thousands of mailing lists. The resulting mail onslaught fills the
victim's mailbox in minutes, rendering the account forever unusable. It
also brings the mail server on which the account is hosted to its knees,
causing, in some cases, tens of thousands of dollars in consequential
damages as other users of the same system also lose precious e-mail.
In most cases, the account ends up being closed. Unfortunately, this
usually doubles the load on the recipient's mail server, as a delivery
error needs to be generated for every message received from the mailing
list servers. Thus, it is not uncommon for the service provider to leave
the account open and simply reconfigure it in such a way that incoming
mail continues to be accepted, but is summarily discarded without
generating a costly delivery error notification. While it is difficult to
blame the service provider for wanting to minimize impact to their
customers, the drawback is that the list owners may never be notified of
the fact that the account was closed. On any large LISTSERV system, there
are likely to be dozens of these addresses, each being sent hundreds or
possibly thousands of messages a day which are simply discarded and waste
resources.
Until now, the only defence against this attack was to configure mailing
lists to require subscription confirmation:
* Subscription= Open,Confirm
LISTSERV will then send a confirmation request to the victim, who does
not reply and thus is not added to the list. While this line of defence
is 100% effective, it may not always be practical or desirable to
configure the list to require confirmation.
Starting with version 1.8c, LISTSERV is now able to detect these
"spoofed" subscription attacks automatically. When more than 50
subscription requests are received from the same account in a short time
frame, LISTSERV automatically undoes all the subscription requests and
rejects any further subscription attempt for a certain period of time.
This applies even to requests that LISTSERV forwarded to other servers;
LISTSERV will then send a SIGNOFF request to the remote server for the
address in question. Note that, in some cases, the subscription may not
be undone, either because of a temporary condition (locked list, etc.)
preventing LISTSERV from deleting the user, or because the list was
configured with "Subscription= By owner" and the owner manually added the
victim after the arrival of the undo request.
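The threshold logic described above, as an added illustration and not LISTSERV's own code: a small Python detector that counts subscription requests per address in a sliding window, and on the first request that pushes the count past 50 returns the list of subscriptions to undo (a local delete, or a SIGNOFF for a request that was forwarded to another server) and places the address in a cooldown during which further requests are rejected. The window length and cooldown period are assumed values, since the release note does not quantify "a short time frame" or "a certain period of time".

```python
from collections import defaultdict, deque

# The >50 threshold is stated in the release note; the window and the
# cooldown are assumed values because the note does not quantify them.
THRESHOLD = 50
WINDOW_SECONDS = 3600      # assumed "short time frame"
BLOCK_SECONDS = 24 * 3600  # assumed "certain period of time"


class SpoofDetector:
    """Per-address sliding-window counter for subscription requests."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.threshold, self.window, self.block = threshold, window, block
        self.recent = defaultdict(deque)   # address -> deque of (ts, list, forwarded)
        self.blocked_until = {}            # address -> end of cooldown (timestamp)

    def subscribe(self, address, listname, ts, forwarded=False):
        """Handle one request at time ts (seconds) and return an action dict.

        forwarded=True marks a request that was relayed to another server,
        so undoing it means sending that server a SIGNOFF for the address.
        """
        addr = address.lower()
        if ts < self.blocked_until.get(addr, 0):
            return {"action": "reject", "reason": "address in cooldown"}
        q = self.recent[addr]
        while q and ts - q[0][0] > self.window:   # forget requests outside the window
            q.popleft()
        q.append((ts, listname, forwarded))
        if len(q) <= self.threshold:
            return {"action": "accept"}
        # More than THRESHOLD requests in the window: hand back an undo list
        # for everything seen in the window (the caller executes it and may
        # have to retry entries that fail, e.g. a temporarily locked list)
        # and refuse further requests from this address until the cooldown ends.
        undo = [("SIGNOFF " + name if fwd else "DELETE " + name) for _, name, fwd in q]
        q.clear()
        self.blocked_until[addr] = ts + self.block
        return {"action": "undo", "undo": undo}
```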
This mechanism offers a very good degree of protection against the
adverse effects that dead "spoofed accounts" can have on the performance
of the LISTSERV host system. It does not, unfortunately, mean that people
no longer have to fear subscription spoofing, as only LISTSERV lists are
monitored and protected by the "spoof detector". Requests to subscribe to
lists hosted by other mailing list managers are sent directly to the list
managers in question, and LISTSERV can only act on the requests that it
does receive.