Subject: Re: spammers and list confirmations
From: "Tom Neff" <tneff@panix.com>
Date: Thu, 14 Oct 1999 10:02:31 -0400
To: <List-Managers@GreatCircle.COM>
Cc: "John R Levine" <johnl@iecc.com>
In-reply-to: <Pine.BSI.3.91.991013203150.28405E-100000@ivan.iecc.com>

John R Levine [mailto:johnl@iecc.com] wrote:
>Tom Neff wrote:
>> "script confirms" prohibitively difficult.  Every week I get more
>> "legitimate" joins on my lists, from addresses that are clearly address
>> bots.
>Do they deal with and acknowledge confirmations?  If so, what kind of
>challenge do you do?

I have two challenge systems:
 * one is Web based, with a cookie that the server remembers.
 * The other is stock Majordomo confirm, with the stateless hash.

The Web based challenge system does not get abused by spammers, primarily
because it's hand-rolled and they have little motive or opportunity to
reverse engineer it.  Of course if I offered it to the world and it became
popular, they would hack it in a week.

The stock MJ confirm is only good for catching users with bad mail setups,
e.g. their configured From: address is wrong.  Spammers have script driven
"confirms" in regular use.  I can't say I'm surprised, as I could hack one
together in an hour if I needed it :)

> * The web kind, with a URL in the confirmation message that you click to
> confirm.

Unfortunately, these are, if anything, easier to script, since detecting the
URL in the message body is fairly trivial.

What I would like to see is a confirm-request message that VARIES in
quasi-unpredictable ways that make it still easy for an actual human to read
it, do what it says and confirm the signup -- but remarkably difficult for a
script driven procmail filter to accomplish the same thing.

The way to do it would be to employ some of the same tricks that people do
to avoid having their addresses spammed in email lists and web pages these
days: "To send me mail, remove the HIPPOPOTAMUS and change the last Q to a
3..." etc.  There would be a randomly selected message template from a suite
of many of them, each containing a different English language explanation of
how to confirm.

For example, one might say

  If you  D O  N O T  want to join XYZ-L, send mail to 209urwe0dfj@xyz-l.
or click on the URL .
  If you  D O  want to join, look in the list below and send email to the
address you find next to the flower name:

	buffalo ..... 3043if30if@xyz-l.com ..... penny
	apple ..... 094g4305gi4@xyz-l.com ..... quince
	tulip ..... 457fy33847fh3@xyz-l.com ..... marigold
	sedan ..... 4e43f9345f@xyz-l.com ..... truck

Getting a hit or a message at any of the decoy addresses would invalidate
the join.
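A sketch of the varying-template, decoy-address confirm described above, added here as an illustration for this archive page (it is not Tom's code nor Majordomo's). The category vocabulary, the xyz-l.com domain and the token format are constructed placeholders; the server keeps the outcome table and join status per challenge, playing the role of the remembered cookie.

```python
import random
import string

# Constructed sample vocabulary; a real deployment would hold many more
# words and many differently worded templates.
CATEGORIES = {
    "flower": ["tulip", "marigold", "daisy"],
    "animal": ["buffalo", "lion", "otter"],
    "fruit": ["apple", "quince", "pear"],
    "vehicle": ["sedan", "truck", "canoe"],
}
DOMAIN = "xyz-l.com"  # placeholder list domain, as in the post's example


def _token(rng, n=11):
    """Random local part; unguessable, so a reply to it proves the mail was read."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(n))


def make_challenge(list_name, seed=None):
    """Build one randomized confirm-request.

    Returns (message, outcomes, state): `outcomes` maps every address in the
    message to 'accept', 'decoy' or 'decline'; `state` is the join status the
    server stores alongside the challenge (the cookie in the Web variant).
    `seed` exists only so tests are reproducible; production uses SystemRandom."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    target = rng.choice(sorted(CATEGORIES))      # the category the human must spot
    cats = sorted(CATEGORIES)
    rng.shuffle(cats)                            # row order varies per message
    outcomes, rows = {}, []
    for cat in cats:
        addr = f"{_token(rng)}@{DOMAIN}"
        outcomes[addr] = "accept" if cat == target else "decoy"
        rows.append(f"\t{rng.choice(CATEGORIES[cat])} ..... {addr}")
    decline = f"{_token(rng)}@{DOMAIN}"
    outcomes[decline] = "decline"
    message = "\n".join([
        f"  If you  D O  N O T  want to join {list_name}, send mail to {decline}",
        f"  If you  D O  want to join, send email to the address next to the {target} name:",
        "", *rows])
    return message, outcomes, {"status": "pending"}


def record_hit(outcomes, state, address):
    """Apply one inbound message (or URL hit) to a challenge and return the status.
    A decoy or decline hit invalidates the join for good, even if the right
    address is also hit later, which is what a reply-to-everything bot does."""
    if state["status"] != "pending":
        return state["status"]
    kind = outcomes.get(address.strip().lower())
    if kind == "accept":
        state["status"] = "joined"
    elif kind in ("decoy", "decline"):
        state["status"] = "invalidated"
    return state["status"]
```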

