LSTOWN-L Archives

LISTSERV List Owners' Forum

Michael Johnson <[log in to unmask]>
Fri, 27 Feb 2004 11:02:09 -0900
How can a LISTSERV list be protected against forged messages?


Some background information:

A malicious person visits a web site that has a tell-a-friend (hereafter
TAF) service.  A TAF service allows users to recommend a product, service,
or web site to other users via e-mail.  TAF services often don't confirm
the identity of the user or validate the e-mail addresses being provided
to the automated mailer.

The TAF service asks the person for hir friend's e-mail address, for hir
own e-mail address, and for a brief message to accompany the
auto-generated TAF e-mail.  The person supplies the posting-address of a
LISTSERV mailing list as the target address, the e-mail address of a
current subscriber or list owner as the source address, and a brief
inflammatory message, then submits the message to be sent by the TAF
e-mail service.

The message reaches the LISTSERV list server, which checks the From header
against the subscriber roster of the list named in the To header, sees
that the From address is a current subscriber without NOMAIL, and posts it
according to the current moderation policy.


Again, for the question:

How do I reasonably protect my LISTSERV list against this kind of attack?

My goal is to prevent forged messages from being posted to the list.  I
understand that some moderation might be necessary, but what is the most
painless way to implement it?

My goal is not to identify the culprit -- sites that host TAF e-mail are
unwilling to disable the service, claiming that there are too few
complaints about it and no way to identify the malicious users even if
they wanted to -- but your advice in that regard is also welcome, as long
as it goes beyond simply tracerouting the IP addresses that appear in the
e-mail headers.


Here's my list's configuration:

        long name of mailing list

         Review= Owners         Subscription= By_Owner
         Ack= Msg               Language= NOHTML
         Notify= Yes            Reply-to= List,Respect
         Validate= No           Default-Options= Repro,Review
         Files= No              Stats= Normal,Private
         Confidential= No       X-tags= No
         Safe= Yes              Attachments= No

         Filter= Also,*@*.remarq.com,*@remarq.com
         Filter= *@virgilio.it,*@tin.it
        [...]
         Filter= LISTSERV@*,*@LISTSERV.BROWN.EDU
         Notebook= Yes,/srv/listserv/archive/***,Weekly,Public
         Daily-Threshold= 100
         Mail-Via= Dist2
         Auto-Delete=Yes,Full-Auto,Delay(4),Max(100),Probe(28)

         Owner=  owner1 (owner1's name)
         Owner=  owner2 (owner2's name)
         Owner=  owner3 (owner3's name)
         Owner=  Quiet:
         Owner=  owner1's alternate e-mail address
         Owner=  owner2's alternate e-mail address
         Owner=  owner3's alternate e-mail address
         Errors-to= Owners

         Send= Private
         Moderator= ALL,owner1,owner2,owner3
         Editor= owner1,owner2,owner3


Some ideas I've thought of already:

* Close down the list.
  Pro: The malicious posts would stop.
  Con: All posts would stop.

  Undesirable; the list still has useful content and a healthy
  amount of traffic.

* Step down as list owner.
  Pro: Because the malicious person is conducting an attack against
  me and several subscribers standing up for me against the aggressor,
  removing the target should mollify hir.
  Con: Well behaved, responsible subscribers should not be obligated to
  leave the list to restore peace.  This action only meets the terrorist's
  demands; it does not prevent the terror from recurring.

  Will consider as a last resort.

* Move the list to another site using different list-management software.
  Pro: The other list software might support features such as
  confirmation of one's own posts (self-moderation), or content
  filtering (for known TAF service substrings).
  Con: Other software does not necessarily have searchable archive and
  web interfaces, or they aren't as convenient to use.

  Considering this option if solutions involving LISTSERV are not
  cost-effective compared to solutions involving the other software.

* Manually moderate all posts.
  Pro: Unless self-moderation can be spoofed, this should work.
  Con: Impractical due to effort required and delays inherent in
  manual moderation.  I have briefly tried this and the list's reaction
  to delays of up to 3 days between submission and approval was very
  negative; conversations could not flow properly or timely.  The list
  is already set to
        Send= Private
        Moderator= ALL,owner1,owner2,owner3
        Editor= owner1,owner2,owner3

  Undesirable.

* Prevent e-mail harvesting by restricting access to the archives.
  Pro: This limits the number of current subscriber addresses available
  to the impersonator.
  Con: The impersonator only needs one victim to terrorize the whole
  list, and it appears that the impersonator was/is a subscriber long
  enough to collect many e-mail addresses of active subscribers.  It is
  therefore too late to restrict access to the subscriber list via the
  archives.  The list is already set to Review= Owners.

  Not a solution.

* Require all subscribers to confirm their own posts.
  Pro: Seems to be the ideal solution to block someone who does not have
  control of the forgery victim's e-mail inbox and can't anticipate the
  necessary confirmation ticket to send to LISTSERV.
  Con: Active subscribers are encumbered by learning and applying the
  self-moderation feature.

  Learning to self-moderate seems to be a small price to pay for
  preventing this kind of abuse.  This is the best solution yet.
  Is changing my Send, Moderator, and Editor headers from

        Send= Private
        Moderator= ALL,owner1,owner2,owner3
        Editor= owner1,owner2,owner3

  to

        Send= Private,Editor,Hold,Confirm
        Moderator= ALL,owner1,owner2,owner3
        Editor= owner1,owner2,owner3,(LISTNAME)

  sufficient to achieve the following?

  * Non-subscriber posts are held for review by Moderators.
  * Subscribers not set to REVIEW have to confirm their own posts.
  * Subscribers set to REVIEW require Moderator confirmation to post.

  I don't fully understand the interaction between Moderator and Editor
  keywords.


Other sources of information:

* "Molotovs and mailing lists", a 13 Mar 1999 post to LSTOWN-L by
  Bob Kosovsky.

http://peach.ease.lsoft.com/scripts/wa.exe?A2=ind9903&L=lstown-l&P=R3278&I=-3
  Pro: Describes a very similar situation.
  Con: Presents no practical solutions, other than patience.

* "Re: Changing Headers", a 15 Dec 1996 post to LSTOWN-L by
  Gary VanderMolen.

http://peach.ease.lsoft.com/scripts/wa.exe?A2=ind9612&L=lstown-l&P=R5397&I=-3
  Pro: Warns that list-owner commands can also be forged.
  Con: Not specific about the exact means for enabling this feature, but
  I'll research http://www.lsoft.com/manuals/.

* "List Keyword reference for LISTSERV 1.8e" - Access keywords
  http://www.lsoft.com/manuals/1.8e/sitemgr/listkeyw.html#keyAccess
  See above question re: Send, Moderator, and Editor keywords.

* "List Keyword reference for LISTSERV 1.8e" - Security keywords
  http://www.lsoft.com/manuals/1.8e/sitemgr/listkeyw.html#keySecurity
  Just in case, I'm changing Validate from No to Yes,Confirm.
  Pro: Protects more list-owner commands from spoofing.

* "List Keyword reference for LISTSERV 1.8e" - Subscription keywords
  http://www.lsoft.com/manuals/1.8e/sitemgr/listkeyw.html#keySubscription
  I'll change Subscription from By owner to By_Owner,Confirm.
  Pro: Implements double opt-in with list-owner review.


--
Thank you in advance for any advice you can offer,
Michael
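
The From-header check described in this message and the self-confirmation idea it weighs, modelled as an added example that is not part of the original post and is not LISTSERV's own code. The `ListModel` class, the roster addresses and the `FORGED` message are constructed assumptions; the ticket is delivered only to the inbox of the address named in From, which the forger does not control.

```python
import secrets
from email import message_from_string
from email.utils import parseaddr

ROSTER = {"alice@example.org", "owner1@example.org"}  # constructed roster

class ListModel:
    """Simplified model of a list server's posting decision (hypothetical)."""

    def __init__(self, roster):
        self.roster = {a.lower() for a in roster}
        self.pending = {}    # ticket -> held message
        self.mailboxes = {}  # address -> tickets delivered to that inbox
        self.posted = []

    def _sender(self, raw):
        return parseaddr(message_from_string(raw)["From"])[1].lower()

    def submit_header_only(self, raw):
        """Trust the From header alone, as in the scenario in the post."""
        if self._sender(raw) in self.roster:
            self.posted.append(raw)
            return "posted"
        return "held-for-moderator"

    def submit_with_confirm(self, raw):
        """Hold the post and mail a random ticket to the From address."""
        sender = self._sender(raw)
        if sender not in self.roster:
            return "held-for-moderator"
        ticket = secrets.token_hex(8)
        self.pending[ticket] = raw
        self.mailboxes.setdefault(sender, []).append(ticket)
        return "awaiting-confirmation"

    def confirm(self, ticket):
        """Release a held post only if a valid, unused ticket comes back."""
        raw = self.pending.pop(ticket, None)
        if raw is None:
            return False
        self.posted.append(raw)
        return True

FORGED = (  # constructed message, shaped like tell-a-friend mailer output
    "From: Alice <alice@example.org>\n"
    "To: EXAMPLE-L@lists.example.org\n"
    "Subject: A friend recommends this site\n\n"
    "inflammatory text\n"
)
```

In the model, a forged post stays in `pending` indefinitely unless the real owner of the From address replies with the ticket, so the impersonated subscriber also learns that someone is posting in their name.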
