suse security list - another heaven for spam bots
Dear all,

We are all grinding today under loads of spam. I was not among the amused as I received the first spam directed to my private E-mail address which, until today, was also my subscription address to the SuSE security list (it has not been published anywhere else). Apparently, a grave mistake.

This list with all its messages is archived with the complete headers, mirrored and searchable throughout the net. That of course also attracts the dirty spam bots.

In my opinion there should be at least one BIG warning in the subscription confirmation message alerting the user that this list is archived and his E-mail address therefore open to the entire public. I was not aware of this fact as I subscribed.

Just a hint.

Best regards,
Philippe Wiede
Megapublic [r], Inc.
Gemsberg 11, 4051 Basel, Switzerland
www.megapublic.com
* PW (subscribed@megapublic.com) [020521 09:10]:
This list with all its messages is archived with the complete headers, mirrored and searchable throughout the net. That of course also attracts the dirty spam bots.
Yes, the headers are visible. We don't use the header from though, we use the envelope from. No one can see your envelope from except you and the list admin. If you are that concerned about your address being taken by spammers then munge your header from since we ignore it and that's what shows in the archives. As for spam bots, I block about 5 IPs per week that ignore the robots.txt file on lists.suse.com. I have no control over the other archives.

-- -ckm
In my opinion there should be at least one BIG warning in the subscription confirmation message alerting the user that this list is archived and his E-mail address therefore open to the entire public. I was not aware of this fact as I subscribed.
1) This warning would not be very effective. Besides, it applies to all and every mailing list you subscribe to. To be clear: assume that every mailing list gets archived, and these archives are online to the general public.

2) You are also missing another important point: spammers are subscribed to at least suse-linux-e (funny that the spam rolled in 2 min after I posted), in other words you must assume spammers are subscribed to every mailing list.

Countermeasures are few. Forget protecting the archives as it doesn't deal with 2) above. I find the only useful and practical thing is to use a bogus email address in From:, as Christopher mentioned. Unfortunately, ezmlm seems to be the only list server which can handle that. For this reason I consider mailman, majordomo, etc. to be substandard in this day and age.

Using throwaway email addresses and changing them every 2 weeks is simply not practical because of the high overhead involved in unsubscribing/resubscribing (dealing with the passwords and bla bla).

Volker

-- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.orcon.net.nz/ Please do not CC list postings to me.
* V K wrote on Wed, May 22, 2002 at 14:02 +1200:
In my opinion there should be at least one BIG warning in the subscription confirmation message alerting the user that this list is archived and his E-mail address therefore open to the entire public. I was not aware of this fact as I subscribed.
How many spam mails did you receive? 10? 100? I don't think this is a big issue. Try to delete them... If you have 10.000 or more, we can start discussing it here...
Countermeasures are few. Forget protecting the archives as it doesn't deal with 2) above. I find the only useful and practical thing is to use a bogus email address in From:, as Christopher mentioned.
Well, I use my address in many mailing lists, many postings and wherever else. But I receive a very few spam postings a day only. So I do not understand your problem. I don't like bogus email addresses at all, and I assume your configuration may clash with other spam filters that detect your mail as spam or so. I think the largest problem of spam is the filtering, BTW... You can use dedicated addresses for each service, i.e. VK-Mar-2002-suse-linue@domain.com, and change this email when it receives too much spam (just block/delete the alias from the server). But I think this is much more work than deleting a few spam mails.
Using throwaway email addresses and changing them every 2 weeks is simply not practical because of the high overhead involved in unsubscribing/resubscribing (dealing with the passwords and bla bla).
Isn't the envelope checked only? So it should work as long as the envelope remains constant. I think this should be possible to configure.

oki, Steffen

-- This letter was produced by machine; it therefore bears neither signature nor seal.
Hi Steffen ...
is a big issue. Try to delete them... If you have 10.000 or more, we can start discussing it here...

Right you are :)

Well, I use my address in many mailing lists, many postings and wherever else. But I receive a very few spam postings a day only. So I do not understand your problem. I don't like bogus email addresses at all, and I assume your configuration may clash with other spam filters that detect your mail as spam or so. I think the largest problem of spam is the filtering, BTW... You can use dedicated addresses for each service, i.e.

I concur with all you said. The "spam traffic" coming from, through or because of this list is virtually nil. The workload to change addresses on a regular (or not so regular) basis would be enough to get a yeti groaning :)

A little filtering (and doing it by hand) should suffice.

cu Wolfgang
Is it proven that the spammer got the mail address from the mailing list?

Lately I came across the following note in the FAQ mail from test-list@suse.com, see the last sentence.

Q2. Envelope from? Header from? All I want to do is post a message to one of your mailing lists! Why is this so complicated? I don't have trouble subscribing to other mailing lists.

A2. The header from is probably what you think of as the "from"; e.g.

From: foo@bar.com

It is contained in the DATA portion of the mail (that's the part of the mail that you, as a user, write). The envelope from is written by your mail transport agent, or MTA. That's the thing that your mail client hands the message you just wrote off to to have it delivered. An envelope from looks like this:

From foo@bar.com Fri Mar 1 12:59:36 2002

This is who your MTA, in the words of RFC 822bis, says "the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message." The mailing list software we use (ezmlm+idx) takes the envelope from as the address to subscribe when you email some-subscribe@suse.com. Other mailing list software might use the header from. Other mailing lists might also send bounces back to the list, allow vacation messages to be posted, make it trivial to subscribe someone else to a list without their knowledge, etc. There are lots of good technical reasons why the envelope from is used (which you can read all about at the author's site: http://cr.yp.to/immhf.html) but a big benefit for you is that since the envelope from isn't displayed in list postings¹ and the header from is ignored you can set your header from to be whatever you want. This means that you can use your main email address for the list and, if you mung the address, you won't need to worry about it being harvested by an evil spammer.

In other words, you are encouraged to rot13, reverse, GPG encrypt, or do whatever to your header from (*except* leave it unqualified) and it won't affect your subscription at all.

The whole, complete FAQ list is available by sending a mail to test-list-faq@suse.com

So for me it seems to be a given that no one can abuse mail addresses, or not?

Kind regards
Comptek informatik AG
Reinhardt Klippel

________________________________
Comptek informatik AG
Poststrasse 9
CH-6300 Zug
Tel. ++41 +41 720 20 90
Fax ++41 +41 720 20 99
http://www.comptek.ch
________________________________

At 14:02 22.05.2002 +1200, V K wrote:
In my opinion there should be at least one BIG warning in the subscription confirmation message alerting the user that this list is archived and his E-mail address therefore open to the entire public. I was not aware of this fact as I subscribed.
1) This warning would not be very effective. Besides, it applies to all and every mailing list you subscribe to. To be clear: assume that every mailing list gets archived, and these archives are online to the general public.
2) You are also missing another important point: spammers are subscribed to at least suse-linux-e (funny that the spam rolled in 2 min after I posted), in other words you must assume spammers are subscribed to every mailing list.
Countermeasures are few. Forget protecting the archives as it doesn't deal with 2) above. I find the only useful and practical thing is to use a bogus email address in From:, as Christopher mentioned. Unfortunately, ezmlm seems to be the only list server which can handle that. For this reason I consider mailman, majordomo, etc. to be substandard in this day and age.
Using throwaway email addresses and changing them every 2 weeks is simply not practical because of the high overhead involved in unsubscribing/resubscribing (dealing with the passwords and bla bla).
Volker
-- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.orcon.net.nz/ Please do not CC list postings to me.
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
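As an added illustration, not code from the thread or from ezmlm itself, here is a Python sketch of the distinction the quoted FAQ draws: the list decides who is subscribed by the envelope sender, while only the header From is what readers and the public archive ever see, so munging the header does not break the subscription. The sample mbox-style message, the subscriber set and every address in it are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the thread): an mbox-style message as the MTA
# would hand it to the list software.  The leading "From " line (no colon)
# carries the envelope sender; the "From:" header is what the author typed
# into the mail client, here deliberately munged.
SAMPLE = """From alice@example.net Fri Mar  1 12:59:36 2002
Return-Path: <alice@example.net>
From: Alice <alice-REMOVE-THIS@example.net>
To: test-list@suse.com
Subject: envelope from versus header from

Hello list.
"""

# Constructed subscriber roll, keyed on envelope addresses as ezmlm does.
SUBSCRIBERS = {"alice@example.net", "bob@example.org"}


def split_mbox(raw):
    """Return (envelope_sender, parsed_message) for an mbox-style text.

    Falls back to Return-Path, which a delivering MTA writes from the
    envelope, when no "From " separator line is present."""
    first, _, rest = raw.partition("\n")
    envelope, text = None, raw
    if first.startswith("From "):
        envelope = first.split()[1]
        text = rest
    msg = email.message_from_string(text, policy=policy.default)
    if envelope is None:
        envelope = parseaddr(str(msg.get("Return-Path", "")))[1] or None
    return envelope, msg


def envelope_from(raw):
    return split_mbox(raw)[0]


def header_from(raw):
    """The address a reader, and the public archive, will see."""
    return parseaddr(str(split_mbox(raw)[1].get("From", "")))[1]


def accepted_by_envelope(raw, subscribers):
    """ezmlm-style check: the envelope sender must be a subscriber."""
    env = envelope_from(raw)
    return env is not None and env.lower() in subscribers


def accepted_by_header(raw, subscribers):
    """What a list keyed on the From: header would decide for the same mail;
    a munged header would lock the real subscriber out."""
    return header_from(raw).lower() in subscribers


if __name__ == "__main__":
    print("envelope from :", envelope_from(SAMPLE))
    print("header from   :", header_from(SAMPLE))
    print("accepted (envelope):", accepted_by_envelope(SAMPLE, SUBSCRIBERS))
    print("accepted (header)  :", accepted_by_header(SAMPLE, SUBSCRIBERS))
```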
anyway suse should restart their mail servers or have a deep look into them ! yesterday i unsubscribed from that list. today i still get that mails :(((( that really sux !!!!

On Wednesday, May 22, 2002, at 04:19, Comptek informatik AG - R. Klippel wrote:
Is it proven that the spammer got the mail address from the mailing list?

Lately I came across the following note in the FAQ mail from test-list@suse.com, see the last sentence.

Q2. Envelope from? Header from? All I want to do is post a message to one of your mailing lists! Why is this so complicated? I don't have trouble subscribing to other mailing lists.

A2. The header from is probably what you think of as the "from"; e.g.

From: foo@bar.com

It is contained in the DATA portion of the mail (that's the part of the mail that you, as a user, write). The envelope from is written by your mail transport agent, or MTA. That's the thing that your mail client hands the message you just wrote off to to have it delivered. An envelope from looks like this:

From foo@bar.com Fri Mar 1 12:59:36 2002

This is who your MTA, in the words of RFC 822bis, says "the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message." The mailing list software we use (ezmlm+idx) takes the envelope from as the address to subscribe when you email some-subscribe@suse.com. Other mailing list software might use the header from. Other mailing lists might also send bounces back to the list, allow vacation messages to be posted, make it trivial to subscribe someone else to a list without their knowledge, etc. There are lots of good technical reasons why the envelope from is used (which you can read all about at the author's site: http://cr.yp.to/immhf.html) but a big benefit for you is that since the envelope from isn't displayed in list postings¹ and the header from is ignored you can set your header from to be whatever you want. This means that you can use your main email address for the list and, if you mung the address, you won't need to worry about it being harvested by an evil spammer. In other words, you are encouraged to rot13, reverse, GPG encrypt, or do whatever to your header from (*except* leave it unqualified) and it won't affect your subscription at all.
The whole, complete FAQ list is available by sending a mail to test-list-faq@suse.com
So for me it seems to be a given that no one can abuse mail addresses, or not?

Kind regards
Comptek informatik AG

Reinhardt Klippel

________________________________
Comptek informatik AG
Poststrasse 9
CH-6300 Zug
Tel. ++41 +41 720 20 90
Fax ++41 +41 720 20 99
http://www.comptek.ch
________________________________
At 14:02 22.05.2002 +1200, V K wrote:
In my opinion there should be at least one BIG warning in the subscription confirmation message alerting the user that this list is archived and his E-mail address therefore open to the entire public. I was not aware of this fact as I subscribed.
1) This warning would not be very effective. Besides, it applies to all and every mailing list you subscribe to. To be clear: assume that every mailing list gets archived, and these archives are online to the general public.
2) You are also missing another important point: spammers are subscribed to at least suse-linux-e (funny that the spam rolled in 2 min after I posted), in other words you must assume spammers are subscribed to every mailing list.
Countermeasures are few. Forget protecting the archives as it doesn't deal with 2) above. I find the only useful and practical thing is to use a bogus email address in From:, as Christopher mentioned. Unfortunately, ezmlm seems to be the only list server which can handle that. For this reason I consider mailman, majordomo, etc. to be substandard in this day and age.
Using throwaway email addresses and changing them every 2 weeks is simply not practical because of the high overhead involved in unsubscribing/resubscribing (dealing with the passwords and bla bla).
Volker
-- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.orcon.net.nz/ Please do not CC list postings to me.
Yes, I can feel with you, but how can you be sure that the spammer got your mail from the list? I mean, you can't argue that unsubscribing will/should stop the spammer, or do I understand something wrong?

Here you may find further help: http://spamcop.net/ It helps you find out from where the spam came and whom to contact for complaining. It already helped me a lot.

Kind regards
Comptek informatik AG
Reinhardt Klippel

________________________________
Comptek informatik AG
Poststrasse 9
CH-6300 Zug
Tel. ++41 +41 720 20 90
Fax ++41 +41 720 20 99
http://www.comptek.ch
________________________________

At 17:58 22.05.2002 +0200, silverbox wrote:
anyway suse should restart their mail servers or have a deep look into them
! yesterday i unsubscribed from that list.
today i still get that mails :((((
that really sux !!!!

On Wednesday, May 22, 2002, at 04:19, Comptek informatik AG - R. Klippel wrote:
anyway suse should restart their mail servers or have a deep look into them
! yesterday i unsubscribed from that list.
today i still get that mails :((((
that really sux !!!!

Cheeze...

You contracted some spam, not AIDS. People are trying to help and improve matters in mutual dialogue. It would not hurt to be polite and take at least some effort in responding. And of course to adhere to the rule of quoting only the relevant passages, so that you do not "spam" the list, so to speak. And then, I agree with others who considered the topic as being off-topic.

Peter
Hi, On 22 May 2002 at 23:10, Peter van den Heuvel wrote:
the list, so to speak. And then, I agree with others who considered the topic as being off-topic.
to me this is not OT. There is no other solution than having the real addresses in the archives, because that is the way this thing works. I get messages on an almost regular basis requesting information related to messages I sent more than one year ago to some lists. It would be at least suboptimal if people had to subscribe to a list to ask who sent this message more than one year ago, and on some lists it would cause massive noise. The only acceptable solution is to create an e-mail address specifically for one or more lists, and killfile all messages that do not come from the list(s). But I have to agree that this information should be somewhere on SuSE's ML page.

mike
* Thomas Michael Wanka (Tom@Wanka.at) [020523 03:09]:
to me this is not OT.
As someone else pointed out, unless we're talking about millions of spams it is off topic for a security list.
There is no other solution than having the real addresses in the archives, because that is the way this thing works.
No, that's not the way this thing works as explained earlier. You can set your header from (i.e., the only one anyone else will ever see) to whatever you want. You can even leave it null and become 'undisclosed-recipients' if you want to.

-- -ckm
* silverbox (silverbox@mac.com) [020522 08:59]:
anyway suse should restart their mail servers or have a deep look into them
Oh my.
! yesterday i unsubscribed from that list.
today i still get that mails :((((
that really sux !!!!
Uhm, then you didn't unsubscribe. That's OK, you get automatically unsubscribed at 2:00 CET anyway.

-- -ckm
Sorry if this email is felt OT by you. It's rather about spam than security, but as the discussion was going on anyway, I thought I might as well share my ideas and measures.

Hiding your email address is not the right thing to do anyway, IMO. Blocking spamming mail servers is what really helps. And each spam mail received contains valuable information: the IP of the final mail server the spammer managed to use for distribution.

Hence I always use an open email address and when I receive spam mail, I'm happy, because I can add the sender to our company-internal block list and thus improve our anti-spam measures. Using a script behind an internally set up email address, I simply have to forward the spam mail as an attachment to this script. The script then checks that the mail is PGP-signed by me, extracts the IP of the spamming server, and voila, one more spammer is blocked.

So instead of complaining about incoming spam, I simply use the information to polish up our anti-spam measures. Aikido attitude, turning the attacker's energy against himself.

For your convenience I attach the script; adapt it to your needs and configuration and from then on enjoy each incoming spam rather as a help than a hindrance. If you like that attitude, that is.

Greetings
Michael

--
Michael Zimmermann (Vegaa Safety and Security for Internet Services)
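The attached script itself is not part of the archived message. As an added example, not Michael's code, here is a Python sketch of the extraction step he describes: take the spam out of the forwarded message/rfc822 attachment and read the IP of the last external relay from the Received header that our own MTA stamped, ignoring the hops below it, which untrusted hosts wrote and may have forged. The forwarded message, the hostnames and all addresses are constructed, and the PGP signature check on the forwarder is assumed to be done before this code runs.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample (not the thread's script): a spam forwarded to the internal
# address as a message/rfc822 attachment; mail.example.org plays our own MTA.
FORWARDED = """From: me@example.org
To: spamtrap@example.org
Subject: Fwd: spam
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from mail.example.org (localhost [127.0.0.1])
\tby mail.example.org (Postfix) with ESMTP id 123; Wed, 22 May 2002 10:00:00 +0200
Received: from relay.spammer.example (unknown [192.0.2.45])
\tby mail.example.org (Postfix) with SMTP id 456; Wed, 22 May 2002 09:59:58 +0200
Received: from forged.example ([198.51.100.7])
\tby relay.spammer.example; Wed, 22 May 2002 09:59:00 +0200
From: offers@spammer.example
To: victim@example.org
Subject: buy now

cheap stuff
--b1--
"""

OUR_HOSTS = {"mail.example.org"}   # hostnames our own MTAs stamp after "by"
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def attached_message(raw):
    """Return the forwarded spam (the message/rfc822 part), or None."""
    outer = email.message_from_string(raw, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def last_external_hop(msg, our_hosts):
    """Walk Received: headers newest-first.  The first one stamped by one of
    our hosts whose peer is not an internal address names the relay that
    handed us the spam; everything below it was written by untrusted hosts
    and may be forged, so it is never consulted."""
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())
        by = re.search(r"\bby\s+(\S+)", text)
        ip = BRACKETED_IP.search(text)
        if not (by and ip) or by.group(1).rstrip(";") not in our_hosts:
            continue
        addr = ipaddress.ip_address(ip.group(1))
        if not any(addr in net for net in INTERNAL):
            return str(addr)
    return None


def block_list_entry(raw, our_hosts=OUR_HOSTS):
    """Address to add to the block list for one forwarded spam, or None.
    The PGP check on the forwarder described above is assumed done by the caller."""
    spam = attached_message(raw)
    return last_external_hop(spam, our_hosts) if spam is not None else None
```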
participants (11)
- Christopher Mahmood
- Christopher Mahmood
- Comptek informatik AG - R. Klippel
- Michael Zimmermann
- Peter van den Heuvel
- PW
- silverbox
- Steffen Dettmer
- Thomas Michael Wanka
- V K
- Wolfgang Leithner