Great Circle Associates List-Managers
(October 1999)
 


Subject: Re: spammers and list confirmations
From: Russ Allbery <rra @ stanford . edu>
Date: 14 Oct 1999 16:05:41 -0700
To: List-Managers @ GreatCircle . COM
In-reply-to: Chuq Von Rospach's message of "Thu, 14 Oct 1999 10:38:12 -0700"
References: <NDBBJKCMHNMHFBODBONDMEKOCBAA . tneff @ panix . com> <v04210101b42bc0a6712d @ plaidworks . com>

Chuq Von Rospach <chuqui @ plaidworks . com> writes:
> At 10:02 AM -0400 10/14/99, Tom Neff wrote:

>> The stock MJ confirm is only good for catching users with bad mail
>> setups, e.g. their configured From: address is wrong.  Spammers have
>> script driven "confirms" in regular use.  I can't say I'm surprised, as
>> I could hack one together in an hour if I needed it :)

> so change the hash values in majordomo.cf. Then they can script it, but
> it won't validate the AUTH line.

They can still script it for every list on your server.  All they need is
one return from a subscribe and knowledge of the hashing algorithm; I
think DJB has the mathematical details somewhere.  The Majordomo hash
function isn't cryptographically strong.

You could replace it with one that is, of course.

-- 
Russ Allbery (rra @ stanford . edu)         <URL:http://www.eyrie.org/~eagle/>
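
The replacement suggested at the end of the message above, as an added example (not part of the original message and not Majordomo code): a confirmation token built from a keyed MAC (HMAC-SHA256) over the list name, address and expiry, so one returned token does not help compute tokens for other lists or addresses. The function names, token layout and sample key are assumptions made for this sketch.

```python
import hashlib
import hmac
import time

# Constructed sample key for the example; a real server would load a
# random secret (e.g. secrets.token_bytes(32)) from protected storage.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _mac(key: bytes, list_name: str, address: str, expires: int) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot
    # produce the same MAC input.
    parts = [list_name.encode(), address.encode(), str(expires).encode()]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(key, list_name, address, ttl=7 * 86400, now=None):
    """Return '<expiry-hex>.<hmac-hex>' to send in the confirm request."""
    issued = int(time.time() if now is None else now)
    expires = issued + ttl
    return f"{expires:x}.{_mac(key, list_name, address, expires)}"


def check_token(key, list_name, address, token, now=None):
    """True only for an unexpired token issued for this list and address."""
    try:
        exp_hex, mac = token.split(".", 1)
        expires = int(exp_hex, 16)
    except ValueError:
        return False  # malformed token
    if (time.time() if now is None else now) > expires:
        return False  # confirmation window has passed
    expected = _mac(key, list_name, address, expires)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(expected.encode(), mac.encode())
```
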

