Gnus development mailing list
From: prj@po.cwru.edu (Paul Jarc)
Cc: ding@gnus.org
Subject: Re: new spam functionality added
Date: Wed, 31 Jul 2002 17:35:08 -0400
Message-ID: <m37kjby40t.fsf@multivac.cwru.edu>
In-Reply-To: <oyd8z3r4nec.fsf@sam.cs.rice.edu> (Scott A Crosby's message of "31 Jul 2002 16:07:23 -0500")

Scott A Crosby <scrosby@cs.rice.edu> wrote:
>    Mailing list maintenance functions (including initial requests to
>    subscribe, or confirmation requests from web-maintenance.) either get
>    accepted automatically, (direct route for spam!), or force the
>    mailing list admin to deal with the automated 'please reply to me'
>    messages..

A well-behaved subscriber would add the MLM address to their whitelist
before subscribing.  List admins can feel free to drop confirmation
requests from poorly-behaved subscribers.

>    Mailing list messages... Post to a mailing list the first time and
>    potentially get tens, hundreds, even thousands of 'please reply to
>    me' messages.

I'm fairly certain that's false.  TMDA sends its confirmation requests
to the envelope sender, not From:, I think.  MLMs rewrite the envelope
sender.

>    Now, imagine there's a daemon that autoreplies to such 'please
>    reply to me' messages..

Actually, the replies can be automated, even safely, if the
confirmation request includes the entire original message, or a
checksum of it, so the autoconfirmer can verify that the user really
sent the original message.

>    Well, just forge the spam to appear to come from a legitimate
>    user, and guess what, the bounces go to them, and their client
>    helpfully 'authenticates' the spam..

That's why there shouldn't be badly implemented autoconfirmers.  But
are there any?  Anyway, this is not an argument against TMDA itself.

>    (The daemon can't be configured to record every email sent and
>    only autoreply to autoreplies to emails the user actually sent.

Sure it can.  But recording entire emails themselves wouldn't be the
best way to do it.

>    Many times people will use many systems and email servers, but
>    only one email address.)

A checksum scheme could still work in such situations.

>    For more fun, you may even get mail loops of 'please reply to me'
>    messages.

If the confirmation request is sent from a dated address which does
not itself require confirmation, there is no loop.

Of course, if everyone starts using TMDA, spammers will quickly start
guessing dated addresses.  But then dated addresses will just evolve
to be a hash of the date and a secret instead of just the date.

>    Under the assumption that there *will* be misconfigured clients,
>    they'll have to deal with mailing lists that they don't know
>    about, either by spamming posters to the list (unacceptable), or
>    filtering them out into a separate folder that the user will have
>    to manually check.

I'm not sure what you mean.

>    Of course the other option here is to spam from legitimate hosts
>    that have been cracked by today's IIS/outlook worm. (Or one of the
>    30,000 *STILL* infected code-red machines.) The cracked systems run
>    email servers and reply automatically.

Cracked systems can be abused even without TMDA in the picture.

>    TMDA and any other scheme that requires such automated response to
>    all sent emails is tragedy of the commons.

TMDA doesn't require that unless you configure it that way.


paul
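
The checksum-verifying autoconfirmer and the dated address hashed with a secret, both discussed in the message above, as an added example that is not part of the original post and is not TMDA's code. HMAC-SHA256 stands in for the "checksum" and the "hash of the date and a secret"; the `X-Sent-Checksum` header name, the address layout, the shared secret and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

SECRET = b"constructed-demo-secret"  # assumption: key shared by the user's own hosts

def _mac(label: str, data: str) -> str:
    keyed = hmac.new(SECRET, f"{label}\0{data}".encode(), hashlib.sha256)
    return keyed.hexdigest()[:20]

def _same(a, b: str) -> bool:
    # Constant-time compare that tolerates odd bytes in attacker-supplied headers.
    return hmac.compare_digest(str(a).encode("utf-8", "replace"), b.encode())

def dated_address(user: str, domain: str, expires: int) -> str:
    # Hypothetical layout: user-dated-<expiry>.<keyed hash of expiry>@domain
    return f"{user}-dated-{expires}.{_mac('dated', str(expires))}@{domain}"

def dated_address_valid(address: str, now: int) -> bool:
    local = address.rsplit("@", 1)[0]
    try:
        stamp, tag = local.rsplit("-dated-", 1)[1].split(".", 1)
        expires = int(stamp)
    except (IndexError, ValueError):
        return False
    return _same(tag, _mac("dated", str(expires))) and now <= expires

def _sent_digest(msg) -> str:
    # Bind the tag to recipient, message id and body (single-part text only).
    body = str(msg.get_payload()).replace("\r\n", "\n").strip()
    return "\n".join([str(msg["To"]), str(msg["Message-ID"]), body])

def tag_outgoing(raw: str) -> str:
    # Run when the user sends mail; X-Sent-Checksum is a hypothetical header name.
    msg = message_from_string(raw)
    msg["X-Sent-Checksum"] = _mac("sent", _sent_digest(msg))
    return msg.as_string()

def should_autoconfirm(quoted_original: str) -> bool:
    # Reply only if the message quoted in the confirmation request carries our tag.
    msg = message_from_string(quoted_original)
    tag = msg["X-Sent-Checksum"]
    return tag is not None and _same(tag, _mac("sent", _sent_digest(msg)))

# Constructed sample messages: one really sent, one forged, one forged with a stolen tag.
GENUINE = tag_outgoing("To: list@example.org\nMessage-ID: <1@example.net>\n\nhello\n")
FORGED = "To: victim@example.org\nMessage-ID: <2@example.net>\n\nbuy now\n"
STOLEN = message_from_string(GENUINE)["X-Sent-Checksum"]
REPLAYED = FORGED.replace("\n\n", f"\nX-Sent-Checksum: {STOLEN}\n\n", 1)
```

Because the tag is keyed rather than looked up in a log of sent mail, any of the user's machines holding the secret can verify it, and a message altered in transit simply fails verification and is left for manual handling.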


