Changing mailing list subscription process

Changing mailing list subscription process

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1713 bytes --]

Presently, we have been suffering some spam attacks against some of the
Gentoo mailing lists, because of spammers using auto-responders.

Here's how they are conducting the attack:

1. Spammer forges a mail from $LIST+subscibe@gentoo.org, sending it to
   an auto-responder.
2. Lists sends a confirmation mail to the auto-responder.
3. Auto-responder sends mail, with intact confirmation data back to the
   confirmation address (in Reply-To).
4. Auto-responder is now subscribed to the mailing list.
5. Spammer forges a mail from the auto-responder, to the normal mailing
   list address.

I tried adding a specific Reply-To address in the header of the list
text/ file, but it's made to part of the mail body instead of the
header.

Here's what I wanted to do, but isn't taken:
--- original/sub-confirm	2008-05-29 20:42:06.000000000 +0000
+++ spamproof/sub-confirm	2008-05-29 21:28:51.000000000 +0000
@@ -1,4 +1,5 @@
 Subject: Confirm subscription to $listaddr$
+Reply-To: DO NOT REPLY <devnull@localhost.invalid>
 
 Hi, this is the mlmmj program managing the mailinglist
 
@@ -16,8 +17,8 @@
 your address. Secondly it makes sure someone else did not try and
 subscribe your emailaddress without your permission.
 
-Your mailer may automatically reply to the confirmation address when you hit
-the reply button.
+Due to repeat spam abuse, you must copy the $confaddr$ in your mail client
+manually. Just hitting reply will not deliver to a valid location.
 
 The subject and the body of the mail can be anything.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 329 bytes --]

Re: Changing mailing list subscription process

[Chris Webb]

"Robin H. Johnson" <robbat2@gentoo.org> writes:

>  Subject: Confirm subscription to $listaddr$
> +Reply-To: DO NOT REPLY <devnull@localhost.invalid>

This probably ought to be a 'cancel subscription' address rather than an
invalid address. Mail with invalid addresses in the headers is quite likely
to get rejected or scored very poorly by spam filters. (I think we outright
reject on invalid envelope sender or invalid domain in From: but ignore
Reply-To: unless there's a syntax error. However, other ISPs may be
stricter.)

Best wishes,

Chris.

Re: Changing mailing list subscription process

[Benny Pedersen]

On Fri, May 30, 2008 01:09, Robin H. Johnson wrote:
> Presently, we have been suffering some spam attacks against some of the
> Gentoo mailing lists, because of spammers using auto-responders.

could this not be solved by using envelope dsn sender <> ?


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098

Re: Changing mailing list subscription process

[Christian Laursen]

"Robin H. Johnson" <robbat2@gentoo.org> writes:

> Presently, we have been suffering some spam attacks against some of the
> Gentoo mailing lists, because of spammers using auto-responders.
>
> Here's how they are conducting the attack:
>
> 1. Spammer forges a mail from $LIST+subscibe@gentoo.org, sending it to
>    an auto-responder.
> 2. Lists sends a confirmation mail to the auto-responder.
> 3. Auto-responder sends mail, with intact confirmation data back to the
>    confirmation address (in Reply-To).
> 4. Auto-responder is now subscribed to the mailing list.
> 5. Spammer forges a mail from the auto-responder, to the normal mailing
>    list address.

I have an old mail from this list that has been marked as "important"
for a long time but I haven't had the time to do anything about it
yet.

The relevant part of it:

> Perhaps adding "Precedence: bulk" to the confirmation mails would take
> care of this problem. My guess would be, that the paypal
> auto-responder will then ignore the mails.

I think this would solve your problem too. At least as long as the
auto-responders in question are not completely broken.

-- 
Christian Laursen

Re: Changing mailing list subscription process

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1533 bytes --]

On Fri, May 30, 2008 at 01:23:59PM +0100, Chris Webb wrote:
> "Robin H. Johnson" <robbat2@gentoo.org> writes:
> >  Subject: Confirm subscription to $listaddr$
> > +Reply-To: DO NOT REPLY <devnull@localhost.invalid>
> This probably ought to be a 'cancel subscription' address rather than an
> invalid address. Mail with invalid addresses in the headers is quite likely
> to get rejected or scored very poorly by spam filters. (I think we outright
> reject on invalid envelope sender or invalid domain in From: but ignore
> Reply-To: unless there's a syntax error. However, other ISPs may be
> stricter.)
I've played with a variety of addresses for routing to /dev/null, when
we started putting Reply-To on emails that the Gentoo Bugzilla sends
out. Amongst the bits tried: '/dev/null@localhost',
'noreply@localhost'. Having the '.invalid' on the end turned out to be
important because there are some MTAs that simply reject the mail for
not having at least one dot in the host side of the email string.

The point of using an invalid domain, is to have any response NOT
traverse the entire internet and cause backscatter.

Using an unsub address in the Reply-To part would also be bad I think,
as that may allow some attacks to unsubscribe people.

In either case, mlmmj doesn't let you set a Reply-To header at the
moment for the sub/unsub mails.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 329 bytes --]

Re: Changing mailing list subscription process

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 732 bytes --]

On Fri, May 30, 2008 at 04:51:50PM +0200, Benny Pedersen wrote:
> On Fri, May 30, 2008 01:09, Robin H. Johnson wrote:
> > Presently, we have been suffering some spam attacks against some of the
> > Gentoo mailing lists, because of spammers using auto-responders.
> could this not be solved by using envelope dsn sender <> ?
In what way? We can't capture what the spammer used to talk to the
auto-responder unfortunately. From the perspective of the list system,
the auto-responder is a perfectly valid request for subscription, with
matching envelope and From:.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 329 bytes --]

Re: Changing mailing list subscription process

[Thomas Goirand]

Robin H. Johnson wrote:
> Presently, we have been suffering some spam attacks against some of the
> Gentoo mailing lists, because of spammers using auto-responders.
> 
> Here's how they are conducting the attack:
> 
> 1. Spammer forges a mail from $LIST+subscibe@gentoo.org, sending it to
>    an auto-responder.
> 2. Lists sends a confirmation mail to the auto-responder.
> 3. Auto-responder sends mail, with intact confirmation data back to the
>    confirmation address (in Reply-To).

IMHO, your auto-responder is broken. Any good auto-responder should
detect a mailing list and should ignore every message from it. With
courier-maildrop, it's done like this:

if ( ! /^Precedence: (bulk|list|junk)/ && \
     ! /^List-Id:/ && \
     ! /^List-Unsubscribe:/ && \
     ! /^Return-Path:.*<#@\[\]>/ && \
     ! /^Return-Path:.*<>/ && \
     ! /^From:.*MAILER-DAEMON/ && \
     ! /^X-ClamAV-Notice-Flag: *YES/ && \
     ! /^Content-Type:.*message\/delivery-status/ && \
     ! /^Subject:.*Delivery Status Notification/ && \
     ! /^Subject:.*Undelivered Mail Returned to Sender/ && \
     ! /^Subject:.*Delivery failure/ && \
     ! /^Subject:.*Message delay/ && \
     ! /^Subject:.*Mail Delivery Subsystem/ && \
     ! /^Subject:.*Mail System Error.*Returned Mail/ && \
     ! /^X-Spam-Flag: YES/ )
{
   [... autoresponder code ...]

> I tried adding a specific Reply-To address in the header of the list
> text/ file, but it's made to part of the mail body instead of the
> header.

You should have tuned "customheaders", is it what you did? Because this
always worked for me, when dealing with the Reply-To: header...

Thomas

Re: Changing mailing list subscription process

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]

On Sat, May 31, 2008 at 02:29:42AM +0800, Thomas Goirand wrote:
> > 3. Auto-responder sends mail, with intact confirmation data back to the
> >    confirmation address (in Reply-To).
> IMHO, your auto-responder is broken. Any good auto-responder should
> detect a mailing list and should ignore every message from it. With
> courier-maildrop, it's done like this:
The auto-responder isn't mine. It's any auto-responder on the internet
that a spammer cares to use. Until I specifically blocked them, the most
abused ones were the Google AdWords and the PayPal addresses. Now they
are finding other auto-responders, including those that don't respect
'Precedence: bulk'.

> > I tried adding a specific Reply-To address in the header of the list
> > text/ file, but it's made to part of the mail body instead of the
> > header.
> You should have tuned "customheaders", is it what you did? Because this
> always worked for me, when dealing with the Reply-To: header...
customheaders is NOT added to administrative emails by mlmmj.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 329 bytes --]

Re: Changing mailing list subscription process

[Chris Webb]

"Robin H. Johnson" <robbat2@gentoo.org> writes:

> I've played with a variety of addresses for routing to /dev/null, when
> we started putting Reply-To on emails that the Gentoo Bugzilla sends
> out. Amongst the bits tried: '/dev/null@localhost',
> 'noreply@localhost'. Having the '.invalid' on the end turned out to be
> important because there are some MTAs that simply reject the mail for
> not having at least one dot in the host side of the email string.

Sure, I can believe that. In fact, I am certain there are also MTAs out
there that will reject if the Reply-To: domain isn't valid with either an MX
record or an A record---I've encountered them.

Our own MTA is configured to do this with From: although it ignores
Reply-To: at present. Users at these sites will be completely unable to
subscribe to or unsubscribe from your lists if you go ahead and start
emitting confirmation emails with invalid Reply-To addresses.

I think the only correct configuration here that won't break things for some
of your users is to use the (genuinely routeable)

  blackhole@gentoo.org

and bin to /dev/null when they're delivered to you.

> The point of using an invalid domain, is to have any response NOT
> traverse the entire internet and cause backscatter.

There's no backscatter in the configuration I described. The autoreplies
would be directed to an (auto-processed) address in your own domain not to
random third parties, unlike what happens with spam backscatter from MTAs
that bounce after accepting a message.

> Using an unsub address in the Reply-To part would also be bad I think,
> as that may allow some attacks to unsubscribe people.

Yes, an unsub address as Reply-To: isn't a good idea but a 'cancel
outstanding confirmation request' address is fine. This just answers 'no' to
the 'do you want to subscribe?' question without changing the membership
list at all.

> In either case, mlmmj doesn't let you set a Reply-To header at the
> moment for the sub/unsub mails.

True.

Cheers,

Chris.

Re: Changing mailing list subscription process

[Mads Martin Joergensen]

* Robin H. Johnson <robbat2@gentoo.org> [May 30. 2008 01:09]:
> Here's how they are conducting the attack:
> 
> 1. Spammer forges a mail from $LIST+subscibe@gentoo.org, sending it to
>    an auto-responder.
> 2. Lists sends a confirmation mail to the auto-responder.
> 3. Auto-responder sends mail, with intact confirmation data back to the
>    confirmation address (in Reply-To).
> 4. Auto-responder is now subscribed to the mailing list.
> 5. Spammer forges a mail from the auto-responder, to the normal mailing
>    list address.
> 
> I tried adding a specific Reply-To address in the header of the list
> text/ file, but it's made to part of the mail body instead of the
> header.

So what exactly would help you--I would be glad to cook up a patch to
test some things for you, but I need to know exactly what you want (yes,
I'm getting old and lazy--too lazy to figure it out myself :)

BTW, wouldn't ezmlm be prone to the same attacks?

-- 
Mads Martin Joergensen, http://mmj.dk
"Why make things difficult, when it is possible to make them cryptic
 and totally illogical, with just a little bit more effort?"
                                 -- A. P. J.

Re: Changing mailing list subscription process

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1969 bytes --]

On Mon, Jun 02, 2008 at 11:55:33PM +0200, Mads Martin Joergensen wrote:
> * Robin H. Johnson <robbat2@gentoo.org> [May 30. 2008 01:09]:
> > Here's how they are conducting the attack:
> > 
> > 1. Spammer forges a mail from $LIST+subscibe@gentoo.org, sending it to
> >    an auto-responder.
> > 2. Lists sends a confirmation mail to the auto-responder.
> > 3. Auto-responder sends mail, with intact confirmation data back to the
> >    confirmation address (in Reply-To).
> > 4. Auto-responder is now subscribed to the mailing list.
> > 5. Spammer forges a mail from the auto-responder, to the normal mailing
> >    list address.
> > 
> > I tried adding a specific Reply-To address in the header of the list
> > text/ file, but it's made to part of the mail body instead of the
> > header.
> 
> So what exactly would help you--I would be glad to cook up a patch to
> test some things for you, but I need to know exactly what you want (yes,
> I'm getting old and lazy--too lazy to figure it out myself :)
Presently, the listtexts (eg sub-confirm) only provide the Subject
header. Even if you add 'Precedence: bulk', it gets placed in the body
of the mail. So first step would be supporting mail headers in list
text templates either directly, or with a customadminheaders control.

The normal customheaders is not suitable for admin mails, as it may
contain headers that you only want on real messages.

Secondly, we need to change how the reply-to is built for the various
emails. Instead of passing -R to mlmmj-send, we must move the build to
the templates.  So ALL existing templates would need this addition to
maintain the existing behavior:
Reply-To: $confaddr$

> BTW, wouldn't ezmlm be prone to the same attacks?
Yes it would. Ditto anything else that sets Reply-To.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 329 bytes --]

Re: Changing mailing list subscription process

[Morten K. Poulsen]

On Tue, 2008-06-03 at 22:08 -0700, Robin H. Johnson wrote:
> Presently, the listtexts (eg sub-confirm) only provide the Subject
> header. Even if you add 'Precedence: bulk', it gets placed in the body
> of the mail.

Yes, the templates are for translatable text.

> So first step would be supporting mail headers in list
> text templates either directly,

I don't like that.

> or with a customadminheaders control.

Way better.

> The normal customheaders is not suitable for admin mails, as it may
> contain headers that you only want on real messages.

True.

> Secondly, we need to change how the reply-to is built for the various
> emails. Instead of passing -R to mlmmj-send, we must move the build to
> the templates.  So ALL existing templates would need this addition to
> maintain the existing behavior:
> Reply-To: $confaddr$

Well, Reply-To header is not a translatable text, so it should not be in
the translation file.

Anyway, what would you change the Reply-To header of subscription
confirmation mails to, in order to let human users choose "Reply" in
their MUAs to subscribe, but not let robots do the same?

Morten

Re: Changing mailing list subscription process

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1719 bytes --]

On Wed, Jun 04, 2008 at 08:58:44AM +0200, Morten K. Poulsen wrote:
> On Tue, 2008-06-03 at 22:08 -0700, Robin H. Johnson wrote:
> > Presently, the listtexts (eg sub-confirm) only provide the Subject
> > header. Even if you add 'Precedence: bulk', it gets placed in the body
> > of the mail.
> Yes, the templates are for translatable text.
Is the common name of a mailing list not translatable?

> > or with a customadminheaders control.
> Way better.
The only downside in this is no different custom headers per different
types of admin mails.

At the risk of complexity then:
$LISTDIR/control/customheaders/$MAILTYPE

> > Secondly, we need to change how the reply-to is built for the various
> > emails. Instead of passing -R to mlmmj-send, we must move the build to
> > the templates.  So ALL existing templates would need this addition to
> > maintain the existing behavior:
> > Reply-To: $confaddr$
> Well, Reply-To header is not a translatable text, so it should not be in
> the translation file.
Reply-To: "$REALNAME$" <$listaddr>
REALNAME is translatable.

> Anyway, what would you change the Reply-To header of subscription
> confirmation mails to, in order to let human users choose "Reply" in
> their MUAs to subscribe, but not let robots do the same?
I'm specifically making it so that users have to copy the correct reply
address out of the body of the email.

Just hitting Reply and then Send in their MUA will deliberately no
longer be sufficient. (But I'm sure better idiots will be invented, such
is life).

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 329 bytes --]