Great Circle Associates List-Managers
(October 1999)
 


Subject: Re: spammers and list confirmations
From: Chuq Von Rospach <chuqui @ plaidworks . com>
Date: Thu, 14 Oct 1999 10:38:12 -0700
To: "Tom Neff" <tneff @ panix . com>, <List-Managers @ GreatCircle . COM>
Cc: "John R Levine" <johnl @ iecc . com>
In-reply-to: <NDBBJKCMHNMHFBODBONDMEKOCBAA . tneff @ panix . com>
References: <NDBBJKCMHNMHFBODBONDMEKOCBAA . tneff @ panix . com>

At 10:02 AM -0400 10/14/99, Tom Neff wrote:

> The Web based challenge system does not get abused by spammers, primarily
> because it's hand-rolled and they have little motive or opportunity to
> reverse engineer it.  Of course if I offered it to the world and it became
> popular, they would hack it in a week.

Not if you did it right -- which is to NOT do what majordomo did, and send it out with a pre-defined hash default that nobody changes (or few change). As long as every site is required to set up their own hash value, it'd be very hard for a spammer to hack into it, even with access to the source. (a good way to do this is similar to how PHP does it, by asking folks to type in random characters until it gets "enough")

> The stock MJ confirm is only good for catching users with bad mail setups,
> e.g. their configured From: address is wrong.  Spammers have script driven
> "confirms" in regular use.  I can't say I'm surprised, as I could hack one
> together in an hour if I needed it :)

so change the hash values in majordomo.cf. Then they can script it, but it won't validate the AUTH line.

> Unfortunately, these are, if anything, easier to script, since detecting the
> URL in the message body is fairly trivial.

but we get back to the issue, which is that of verification. If the user can't use the URL to validate without getting a cookie via email, and that cookie can't be reverse engineered, it doesn't matter if they can get to the URL and script it. The weakness in MJ is that the hashes are well-known, so a hacker can make some basic assumptions to circumvent that "return a cookie" part.

heck, by carrying state on the address like MJ2 and Majordomo's 1.53.4 version of the confirmation keys does, you can literally use one time keys, and so it doesn't matter what the hackers try.

> of many of them, each containing a different English language explanation of
> how to confirm.

That's the rub. At some level, the more you assume they're fluent in English, the more you're going to run into issues. The hackers, especially, don't worry about fluency when they attack someone. As my lists have internationalized, I've gotten really sensitive to this issue -- even if the content is English, you can't really assume the users are technically savvy or can decipher stuff like:

> For example, one might say
>
> ==========
>   If you  D O  N O T  want to join XYZ-L, send mail to 209urwe0dfj @ xyz-l . com
> or click on the URL http://www.xyz-l.com/3240dfs409ew .
>   If you  D O  want to join, look in the list below and send email to the
> address you find next to the flower name:

Better to use a one-time key, keep state of it, and make it as simple as humanly possible for the end user.
--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui @ plaidworks . com)
Apple Mail List Gnome (mailto:chuq @ apple . com)

What was that?
   French horns...
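
A minimal sketch of the scheme argued for in the message above, as an added example that is not part of the original post and is not Majordomo's code: the confirmation cookie is keyed with a secret each site generates for itself, and server-side state makes it single-use. The names `make_cookie`, `PendingConfirms` and `TTL`, the use of HMAC-SHA256 and the three-day lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL = 3 * 24 * 3600  # assumed lifetime of a pending confirmation, in seconds


def make_cookie(site_secret: bytes, list_name: str, address: str, nonce: str) -> str:
    """Cookie = HMAC-SHA256(per-site secret, list | address | per-request nonce)."""
    msg = "\0".join((list_name, address.lower(), nonce)).encode()
    return hmac.new(site_secret, msg, hashlib.sha256).hexdigest()[:32]


class PendingConfirms:
    """Keeps state for outstanding confirmations so each cookie works once."""

    def __init__(self, site_secret: bytes):
        self._secret = site_secret   # generated per installation, never a shipped default
        self._pending = {}           # (list, address) -> (nonce, expiry)

    def issue(self, list_name, address, now=None):
        """Record a pending request and return the cookie to e-mail to the address."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self._pending[(list_name, address.lower())] = (nonce, now + TTL)
        return make_cookie(self._secret, list_name, address, nonce)

    def confirm(self, list_name, address, cookie, now=None):
        """Return True exactly once for the mailed cookie, False for anything else."""
        now = time.time() if now is None else now
        slot = (list_name, address.lower())
        entry = self._pending.get(slot)
        if entry is None:
            return False             # never requested, or already used
        nonce, expiry = entry
        if now > expiry:
            del self._pending[slot]  # stale request: drop it
            return False
        expected = make_cookie(self._secret, list_name, address, nonce)
        if not hmac.compare_digest(expected.encode(), str(cookie).encode()):
            return False             # wrong guess: keep the entry for the real user
        del self._pending[slot]      # one-time key: a replay finds nothing
        return True
```

A scripted "confirm" that never received the mailed cookie has to guess both the site secret and the nonce, and a cookie that has been used or has expired is rejected because its state is gone.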

