This item in comp.risks is of interest to list-managers.
| Newsgroups: comp.risks
| Subject: Risks Digest 20.79
| Date: 15 Feb 2000 21:54:25 -0800
| Message-ID: <[EMAIL PROTECTED]>
|
| This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/20.79.html>
|
| Date: Mon, 14 Feb 2000 12:27:57 -0500
| From: Mich Kabay <[EMAIL PROTECTED]>
| Subject: Risks of bouncing messages from closed e-mail lists
|
| I have noticed that a junk e-mailer has taken to using a closed mailing-list
| server as a relay for his unauthorized messages.
|
| The scam works like this:
|
| 1) Criminal locates a closed mailing list that responds to unauthorized
| postings by sending back an automated rejection notice that includes the
| original message.
|
| 2) Criminal sends junk e-mail to the closed list using the desired
| _target's_ e-mail address in a forged header.
|
| 3) Closed list obligingly bounces the original message back to the target's
| address.
|
| Authorized users of the closed list do not need to receive a message
| informing them that their messages have not been accepted (presumably due to
| some oversight or glitch) because they will likely note the absence of their
| message on the list anyway.
|
| Unauthorized users of the list do not need to see the text of their message
| at all in their electronic rejection note -- a stock reply explaining how to
| gain admission to the list is more relevant.
|
| Therefore I recommend that at the very least, administrators for closed
| e-mail lists prevent their listserv from sending the _complete text_ of a
| bounced message back to the supposed originator.
|
| However, there is a more serious vulnerability here: infinite loops between
| two or more closed lists.
|
| If an attacker forges the originating address of a closed list that sends
| back automated rejection notes to another closed list that sends back
| automated rejection notes, then each forged message will generate a
| mailstorm as a function of the speed of the servers in sending bounce
| messages to each other. The chain can be extended to multiple closed-list
| servers, causing even more useless traffic and potentially contributing to
| denial of service for the legitimate users of the closed lists.
|
| RECOMMENDATIONS:
|
| A) Turn off automated notification of rejection altogether on all closed
| lists; or if you feel that the notification messages are important, then
|
| B) Configure the listserv to send back only the title of a rejected message,
| not the complete text; or if you feel like addressing the potential
| vulnerability head-on,
|
| C) Design a check of a log file so that the listserv for a closed list can
| quickly identify a mailstorm and stop it by turning off automated
| notification of rejection when it is being abused.
|
| M. E. Kabay, PhD, CISSP, Security Leader, Information Security Group
| Adario, Inc., 255 Flood Road, Barre, VT 05641-4060 +1.802.479.7937
|
| [NOTE the push-pull duality between a mailstorm and a maelstrom.
| A mailstorm pushes things in, whereas a maelstrom pulls them in. PGN]
--
Joe Smith MCI WorldCom, On-Net Design/Impl, Product Technical Support
UNIX and Tech Sup: TYMNET Network, Xstream Packet Services (Public X.25)
<[EMAIL PROTECTED]> 2560 N 1st St, MS-5046/746, San Jose, CA 95131
Voice: 408-533-6220 = vnet 854-6220 Fax: 408-533-6702 = vnet 854-6702
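Recommendations B and C in the quoted post (echo only the subject of a rejected message, and have a log check that spots a mailstorm and switches rejection notices off) can be sketched as a small sliding-window counter over the server's bounce log. The code below is an added example, not part of the RISKS post or of any real list-server product; the log record format, the window, the threshold and the addresses are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed rejection-notice log, one record per automated bounce the list
# server sent: "<ISO timestamp> REJECT to=<notice recipient>". The format is
# assumed for this example, not taken from any real list server.
SAMPLE_LOG = [
    "2000-02-14T12:27:01 REJECT to=alice@example.org",   # an ordinary mis-post
    "2000-02-14T12:27:40 REJECT to=bob@example.org",
] + [
    # seven bounces to a peer closed list inside twenty seconds: a loop forming
    f"2000-02-14T12:28:{sec:02d} REJECT to=closed-b@lists.example.net"
    for sec in range(0, 20, 3)
]

WINDOW = timedelta(seconds=60)  # sliding window over the log
THRESHOLD = 5                   # bounces to one address per window = mailstorm

def parse(record):
    """Split one constructed log record into (timestamp, notice recipient)."""
    ts, kind, to = record.split()
    if kind != "REJECT":
        raise ValueError(f"unexpected record: {record}")
    return datetime.fromisoformat(ts), to.split("=", 1)[1]

def storming_addresses(records, window=WINDOW, threshold=THRESHOLD):
    """Return the addresses that received at least `threshold` rejection
    notices within any `window`-long span of the log (recommendation C)."""
    recent = defaultdict(deque)   # per-address timestamps still inside window
    storming = set()
    for rec in records:
        ts, to = parse(rec)
        q = recent[to]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            storming.add(to)
    return storming

def rejection_notice(to, subject, storming):
    """Recommendation B: never echo the body, only the subject line.
    Recommendation C: send nothing at all to an address in a mailstorm."""
    if to in storming:
        return None
    return (f"Your message '{subject}' was not accepted: this is a closed list. "
            "Contact the list owner for subscription instructions.")
```

In practice the check would run against the live bounce log on a schedule and flip the server's rejection-notice setting off for the flagged addresses, or globally, until an operator has looked at it.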