The Monday 2004-10-25 at 18:16 +0200, Christian Boltz wrote:
On Monday, 25 October 2004 15:57, Carlos E. R. wrote: [several theories how to avoid autoresponder subscriptions]
Notice that it is easy for anyone to subscribe any autoresponder: because the confirmation email will be answered by the autoresponder, and it will get subscribed. Thus, the confirmation email method is not valid any longer on its own: it has to be supplemented with a method to force human intervention by the subscriber.
OK, this could be avoided by removing the Reply-To header.
But there is no Reply-To header [...] hold on, the confirmation emails do have a Reply-To header, one created on the fly so that the responder can be identified.
But I wonder why the autoresponder problem only exists on this list (from those I read, including suse-linux with 100-200 mails daily which would be a more interesting target for autoresponders ;-)
Me too. :-o Not only that, but out of office replies are common here; right now I'm getting one from ROtt@nordit.de - in German, which I do not understand.
So maybe it's not this easy for autoresponders ;-)
How the bots are getting in could be checked by saving both the subscription email, and the confirmation email, for later checking if necessary.
You really believe that autoresponders subscribe themselves?
They might, a pissed employee, for example.
I think, if someone wants to subscribe an autoresponder intentionally, he will subscribe with a "normal" address and, after subscribing, forward all mails from this address to the autoresponder address. And if the autoresponder is on another domain, it's very hard to track :-(
But we should avoid writing more mails in this thread than the autoresponders ;-)
X-) Well, if it gives the administrators ideas on how to clear this, I think we are welcome ;-)

Yes, there is a way for anybody, including viruses, to get any autoresponder address subscribed. I told it on this thread, but I'll repeat for clarification.

Notice that I can send an email with a from address claiming to be you, for example (it's terribly easy! That's why gpg signatures are interesting). If such a person, or virus, happens to email to listaddress-subscribe, with a from address set to paradise@custhelp.com, the suse list server will dutifully send a confirmation email, not to the person that really sent the email, but to paradise@custhelp.com, who being an autoresponder will autorespond: and hey presto! they are subscribed.

But I wonder what on earth the people at paradise@custhelp.com (are you reading?) think they are doing. Because their system must be registering all the email from the list as requests for help!

By the way, notice the way their autorespond is set up:

|
|[===> Please enter your reply below this line <===]
|
|[===> Please enter your reply above this line <===]
|

You have to answer them putting your text inside those lines. Such a simple device, which is used by several such customer help email systems, serves the purpose of automatically cleaning spam and virus responses.

--
Cheers,
Carlos Robinson
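The "force human intervention" idea from this message, sketched as an added example (not part of the original thread and not the list server's own code): a confirmation reply is accepted only if the requested word was typed between the two marker lines and the mail does not declare itself automatic. The function names, the word `subscribe-7431`, the sample mails and the use of the `Auto-Submitted` (RFC 3834) and `Precedence` headers are assumptions made for the illustration.

```python
import email
from email import policy

BELOW = "[===> Please enter your reply below this line <===]"
ABOVE = "[===> Please enter your reply above this line <===]"

def typed_between_markers(body):
    """Return the text found between the two marker lines, or None if absent."""
    # Strip quote prefixes ("> ", "| ") so markers inside a quoted copy are found too.
    lines = [ln.lstrip(">| \t").rstrip() for ln in body.splitlines()]
    try:
        start = lines.index(BELOW)
        end = lines.index(ABOVE, start + 1)
    except ValueError:
        return None
    return "\n".join(lines[start + 1:end]).strip()

def looks_automatic(msg):
    """True if the headers mark the mail as machine-generated."""
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    prec = (msg.get("Precedence") or "").strip().lower()
    return auto != "no" or prec in {"bulk", "junk", "auto_reply"}

def confirm_subscription(raw_reply, expected_word):
    """Accept only when a sender typed expected_word between the markers."""
    msg = email.message_from_string(raw_reply, policy=policy.default)
    if looks_automatic(msg):
        return False
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return False
    typed = typed_between_markers(part.get_content())
    return typed is not None and typed.lower() == expected_word.lower()

# Constructed sample replies (not real list traffic).
HEAD = "From: someone@example.org\nSubject: Re: confirm subscribe\n"
HUMAN = HEAD + "\n" + BELOW + "\nsubscribe-7431\n" + ABOVE + "\n"
# Autoresponder that quotes the whole confirmation mail: marker region stays empty.
AUTO_QUOTE = (HEAD + "\nThank you for contacting us.\n"
              "> Type subscribe-7431 between the lines.\n"
              "> " + BELOW + "\n> " + ABOVE + "\n")
# Autoresponder that labels itself, whatever its body contains.
AUTO_HEADER = HEAD + "Auto-Submitted: auto-replied\n\n" + BELOW + "\nsubscribe-7431\n" + ABOVE + "\n"

if __name__ == "__main__":
    for name, raw in (("human", HUMAN), ("auto-quote", AUTO_QUOTE), ("auto-header", AUTO_HEADER)):
        print(name, confirm_subscription(raw, "subscribe-7431"))
```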