Great Circle Associates List-Managers
(January 1996)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: 3rd party auto-reply mailing list attack
From: Brent @ GreatCircle . COM (Brent Chapman)
Date: Sun, 21 Jan 1996 23:02:47 +0100
To: dmckeon @ swcp . com, list-managers @ GreatCircle . COM

At 1:10 PM 1/21/96, Denis McKeon wrote:
>Brent - I was going to post this, and thought better of it -
>perhaps you would find it useful on the list-managers mailing list.

It's a relevant topic for List-managers.

>This may be an old trick that I've just seen for the first time,
>but one of the mailing lists that I subscribe to just got hit by it.
>For lists that support a subscription request format similar to:
>    subscribe <listname> [<subscriber address>]
>the attack method is to put an auto-replying address into the optional
><subscriber address> location.  Once the auto-replying address is
>subscribed to the mailing list, every message sent to the list results
>in a copy of the auto-reply info-blurb being sent to either all subscribers
>on the list, or to the original sender of the message, depending on what
>header the auto-replyer replies to, and on whether the list-server
>preserves From: and/or Reply-To: headers from the original sender.
>The result is that (all|some of) the list subscribers get apparently
>unsolicited informational blurbs in their inboxes, and blame the auto-replier.
>Possible defenses include:
>1)  mailing list manager software could be configured to ignore and log
>    subscription requests for "info@" and perhaps some other very
>    commonly used auto-replier addresses.

I'm not sure how effective this will be; there are an awful lot of such

>2)  mailing list manager software could be configured to continue
>    automatically processing subscription requests of the form:
>        subscribe <listname>
>    with the sending (From: or envelope) address as the <subscriber address>
>    but to save for manual human processing subscription requests of:
>        subscribe <listname> [<subscriber address>]
>    and requests of:
>        subscribe <listname>
>    where the Reply-To: differs from the sending (From: or envelope) address.

This is what Majordomo does in its standard (recommended) configuration.

>3)  mailing list manager software could be configured to automatically
>    demand confirmation of subscription requests from all subscribers,
>    or from the 3rd party subscription cases in 2), above.  Confirming
>    all subscriptions seems like overkill, but that's up to the list manager.

This would entail some pretty major changes to Majordomo, to have it keep
track of and eventually purge unconfirmed requests.

>There doesn't seem to be much point in trying to defend against
>this form of attack at the point of the auto-replier software.
>Tracing the attacking party might be possible,

Not unless they're particularly stupid.

>but third part subscription requests could be forged,
>perhaps so that they point at a 4th innocent party.


Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent @
 GreatCircle .
 COM | | Mountain View, CA 94041
                   Internet Tutorials from the Experts!

Indexed By Date Previous: Re: Automated replies and mailing lists
From: D . Thomas @ vthrc . uq . edu . au (Danny Thomas)
Next: Re: 3rd party auto-reply mailing list attack
From: Gene Rackow <rackow @ mcs . anl . gov>
Indexed By Thread Previous: Electronic Mailing Lists and Electronic Newsletters
From: Mark Bernkopf <markb @ mail . erols . com>
Next: Re: 3rd party auto-reply mailing list attack
From: Gene Rackow <rackow @ mcs . anl . gov>

Search Internet Search