Hello List Owners:

The following item appeared on the Risks-Forum Digest (also found at comp.risks), and is forwarded with the author's permission. Okay, it's a stretch that someone could/would use our Listservs to deliver spam in bounce messages, but we ought to be aware of the potential. How serious is the infinite bounce message loop vulnerability?

Mike Yuhas
List Owner, folkdj-l (hosted at lists.psu.edu)
http://folkradio.org

----- begin forwarded message -----

Date: Mon, 14 Feb 2000 12:27:57 -0500
From: Mich Kabay <[log in to unmask]>
Subject: Risks of bouncing messages from closed e-mail lists

I have noticed that a junk e-mailer has taken to using a closed mailing-list server as a relay for his unauthorized messages. The scam works like this:

1) Criminal locates a closed mailing list that responds to unauthorized postings by sending back an automated rejection notice that includes the original message.

2) Criminal sends junk e-mail to the closed list using the desired _target's_ e-mail address in a forged header.

3) Closed list obligingly bounces the original message back to the target's address.

Authorized users of the closed list do not need to receive a message informing them that their messages have not been accepted (presumably due to some oversight or glitch) because they will likely note the absence of their message on the list anyway. Unauthorized users of the list do not need to see the text of their message at all in their electronic rejection note -- a stock reply explaining how to gain admission to the list is more relevant.

Therefore I recommend that at the very least, administrators for closed e-mail lists prevent their listserv from sending the _complete text_ of a bounced message back to the supposed originator.

However, there is a more serious vulnerability here: infinite loops between two or more closed lists.

If an attacker forges the originating address of a closed list that sends back automated rejection notes to another closed list that sends back automated rejection notes, then each forged message will generate a mailstorm as a function of the speed of the servers in sending bounce messages to each other. The chain can be extended to multiple closed-list servers, causing even more useless traffic and potentially contributing to denial of service for the legitimate users of the closed lists.

RECOMMENDATIONS:

A) Turn off automated notification of rejection altogether on all closed lists; or if you feel that the notification messages are important, then

B) Configure the listserv to send back only the title of a rejected message, not the complete text; or if you feel like addressing the potential vulnerability head-on,

C) Design a check of a log file so that the listserv for a closed list can quickly identify a mailstorm and stop it by turning off automated notification of rejection when it is being abused.

M. E. Kabay, PhD, CISSP, Security Leader, Information Security Group
Adario, Inc., 255 Flood Road, Barre, VT 05641-4060
+1.802.479.7937

------

RISKS-LIST: Risks-Forum Digest  Tuesday 15 February 2000  Volume 20 : Issue 79
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse.
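The bounce relay and the two-list bounce loop described in the forwarded message, together with recommendations B and C, as an added simulation. This is example code written for this page, not LISTSERV's code and not anything from the original post. The list and member addresses, the spam payload, the per-sender bounce cap (standing in for recommendation C's log-file check) and the honor_auto flag (standing in for the RFC 3834 rule of never auto-replying to auto-generated or null-sender mail, which is the usual way real list software breaks such loops) are all assumptions made for the simulation.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

REJECT = "Your posting was rejected. See the list information page to subscribe."


@dataclass
class Message:
    envelope_from: str            # SMTP MAIL FROM; trivially forged by the attacker
    to: str
    subject: str
    body: str
    auto_submitted: bool = False  # stands in for an RFC 3834 Auto-Submitted header


class ClosedList:
    """Closed list: members' posts are accepted, everything else is rejected.

    full_text    -- quote the rejected message in the notice (the weak default)
    honor_auto   -- never reply to auto-generated or null-sender mail (RFC 3834)
    max_bounces  -- recommendation C: cap on notices per sender per `window` ticks
    All of these are assumed knobs for the simulation, not real LISTSERV keywords.
    """

    def __init__(self, address, members, transport, *, full_text=True,
                 honor_auto=False, max_bounces=None, window=60):
        self.address, self.members, self.transport = address, set(members), transport
        self.full_text, self.honor_auto = full_text, honor_auto
        self.max_bounces, self.window = max_bounces, window
        self.bounce_log = defaultdict(deque)  # sender -> ticks at which we bounced it
        self.bounces_sent = self.dropped = 0

    def receive(self, msg, now):
        if msg.envelope_from in self.members:
            return "posted"
        if self.honor_auto and (msg.auto_submitted or msg.envelope_from == ""):
            self.dropped += 1
            return "dropped:auto-submitted"
        if self.max_bounces is not None:
            log = self.bounce_log[msg.envelope_from]
            while log and now - log[0] > self.window:  # expire entries outside the window
                log.popleft()
            if len(log) >= self.max_bounces:         # mailstorm: stop notifying this sender
                self.dropped += 1
                return "dropped:mailstorm"
            log.append(now)
        body = REJECT + ("\n\n--- original message ---\n" + msg.body if self.full_text else "")
        self.bounces_sent += 1
        self.transport.append(Message(self.address, msg.envelope_from,
                                      "Rejected: " + msg.subject, body, auto_submitted=True))
        return "bounced"


def simulate(forged_sender, max_steps=1000, **cfg):
    """Inject one spam with a forged envelope sender at list A, then deliver mail
    one message per tick until the transport drains or max_steps is reached."""
    transport = deque()
    lists = {}
    for addr, member in (("list-a@example.org", "alice@example.org"),   # constructed
                         ("list-b@example.net", "bob@example.net")):
        lists[addr] = ClosedList(addr, {member}, transport, **cfg)
    transport.append(Message(forged_sender, "list-a@example.org",
                             "cheap pills", "BUY NOW " * 50))          # constructed spam
    delivered = defaultdict(list)  # mail that reaches an ordinary (non-list) mailbox
    steps = bytes_sent = 0
    while transport and steps < max_steps:
        msg = transport.popleft()
        steps += 1
        bytes_sent += len(msg.body)
        if msg.to in lists:
            lists[msg.to].receive(msg, now=steps)
        else:
            delivered[msg.to].append(msg)
    return {"terminated": not transport, "steps": steps, "bytes_sent": bytes_sent,
            "bounces": sum(lst.bounces_sent for lst in lists.values()),
            "dropped": sum(lst.dropped for lst in lists.values()),
            "delivered": dict(delivered)}


if __name__ == "__main__":
    victim = simulate("victim@example.com")["delivered"]["victim@example.com"][0]
    print("relay: victim receives", repr(victim.subject), "quoting the spam:",
          "BUY NOW" in victim.body)
    for label, kwargs in (("loop, naive", {}), ("loop, log check", {"max_bounces": 5}),
                          ("loop, RFC 3834", {"honor_auto": True})):
        r = simulate("list-b@example.net", **kwargs)
        print(f"{label:16}: terminated={r['terminated']} steps={r['steps']} "
              f"bounces={r['bounces']} dropped={r['dropped']} bytes={r['bytes_sent']}")
```

With the defaults the forged-sender spam is delivered to the victim inside list A's rejection notice, and the two-list loop never terminates: the simulation stops only at the 1000-step cap, with every bounce quoting the previous one so the bodies grow at each hop. The per-sender cap (recommendation C) ends the storm after each list has sent five notices to the other, and refusing to answer auto-generated mail ends it after a single bounce. Omitting the quoted text (recommendation B) does not stop the loop by itself, but it keeps the notices from carrying the spam and from growing.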