Ok, thanks - this was a bad example. I'm not really worried about a DOS attack or disk space the autodel file uses - that was just the first thing I thought of when it was suggested that LISTSERV was *supposed* to work this way.

What I am worried about is LISTSERV adding e-mail addresses to the autodel file that aren't subscribed to the list in the first place and then the queries I get from those owners wondering why LISTSERV is tracking those people. This just started happening in the last week (or at least that's when I started noticing it) and it seems like something that should be happening all over the LISTSERV world - unless you've all already fixed it and I missed that. :-)

It may not come across well in e-mail but I really do appreciate everyone's comments - when I question what you are saying I'm just trying to learn.

On Fri, 5 Mar 2004, Valdis Kletnieks wrote:

> On Fri, 05 Mar 2004 12:36:04 CST, James Morrill <[log in to unmask]> said:
> > But these people aren't subscribed to the list - why should LISTSERV try
> > to delete them from a list they aren't subscribed to? This seems like
> > a HUGE denial of service hole - if someone could add millions of e-mail
> > addresses and have each of my lists try to monitor them to see if they
> > should be deleted.
>
> Note that this is backwards - what you're seeing is lots of bounces each adding
> a single record to a file, and keeping count of how many times that address has
> been seen.
>
> So to add millions of e-mail addresses, the attacker would have to pound your
> machine with millions(*) of forged bounce messages - at which point the overhead
> of actually updating the .AUTODEL file is the *least* of your worries. You get
> that sort of volume, you have a DoS hole in any case.
>
> (*) Yes, I know you can be creative with the contents of an MDN and add multiple
> addresses per message - the point is that "just throw it away" is almost the same
> resource consumption as "log one address" and "log 100 addresses".
>
> If you're worried about the disk consumption of the autodel file, consider how
> many bytes each record in the autodel takes, and then look at how many lines
> got written to the listserv log... ;)
>

====================================================================
James Morrill                  office: Hale 11, 785-532-4909
www-personal.ksu.edu/~james

We see a world of wonder, with a holy fingerprint
But we only know a sliver, of the love of God in it. - Hokus Pick
====================================================================