Thu, 28 Jul 2005 14:35:32 -0500
That is all well and good, but does that not make it vastly easier to
identify the userids on your system? In turn you can use that vastly
smaller list of userids to attempt to brute force passwords on the
mail server, and potentially use it as recon for other nefarious endeavors.

In the world of mailing lists, it is quite common (due to spam) to
have edited or moderated lists. Having lists of this manner will
cause a fundamental problem in the logic of spamcop's spamtrap
functionality. By default, these lists have a series of steps that
allow the listowner to handle the mail with appropriate human
analysis and as such will cause you to accept the email prior to
reject/discard actions.

Say an email with one of the spamtrap addresses in the from field goes
to a mailing list that is edited/moderated. An email is sent to the
list-owner/moderators to either approve, disapprove, or discard the
email (depending on the mailing list server in use). Additionally,
an email is sent to the from address as well to note that the list
is moderated and that the email has been forwarded to the appropriate
parties for approval. At this point, we have already failed to
reject it quickly enough for Spamcop's tastes. In their mind, we have
accepted the original SMTP transaction, and have
replied/bounced/acknowledged the email. So, spamcop can (and
probably does) blackhole sites that are doing things as the normal
course of business of these lists.

Should you just configure moderated mailing lists in a way that they
do not receive feedback that the mail had been received and the post
is delayed due to the moderation? That could cause more confusion
than what it is worth.

The idea of such spamtrap addresses being used for research and
analysis is great, just in the same way that honeypots are a great
tool. But they do not lend enough untainted data that should be
used in the "judge and jury" decisions that spamcop is creating. If
email reaches an address, they have already prejudged you to be
guilty of something and sentence you to blacklists.

My university recently ended up in the same blacklist and
they basically said that we must re-configure our lists to not be so
nice at automatically responding to emails.

--Scott

At 11:54 AM 7/28/2005, Mark R. Williamson wrote:
>At 16:07 +0200 2005-07-28, Eric Thomas wrote:
>>When an innocent site receives mail to an address that does not exist, it is
>>required by Internet standards to bounce it. Strike one.
>
>Rejecting it during the SMTP transaction is an acceptable (some would
>say vastly preferable) alternative.