[vox] Re: spam control: send email to confirm
Sam Peterson
vox@lists.lugod.org
Wed, 25 Jun 2003 15:37:44 -0700
On Wednesday, Jun 25 2003, Micah J. Cowan spake thus:
> Mike, thanks for your very insightful comments.
>
> On Wed, Jun 25, 2003 at 03:00:51PM -0400, Mike Simons wrote:
> > One minor problem is this kind of system in wide deployment could be
> > used as a DDOS on a particular person... spam a batch of thousands of
> > people who you know have a system like this, forge some target's real
> > email address as the sender, suddenly that one person has thousands of
> > junk email messages saying "confirm me" in their inbox.
>
> This sort of thing can be a real problem, especially if the
> confirmation autobots become much more widespread. It could be
> possible to verify that the e-mail address makes sense with the trace
> headers (I've been on at least one mailing list that did this).
This whole thread brings up something that just makes me shudder.
This happened to a friend of mine at work, take a look at:
http://e-newsletters.internet.com/

Someone put her email address into the form, checked *every* box and
hit submit. She was absolutely deluged with confirmation emails. Not
enough to be a DOS, but enough to be a PITA. I was shocked at the
insidiously evil nature of the act. We tried our best to track down
who did it, sending email to abuse@internet.com. They gave us the IP
address which was from UOP's IP address range. Jumping up and down on
abuse@uop.edu didn't prove fruitful however.

After this whole incident, a very unsettling thought hit me. Because
of this web page, it would be trivially easy to write a Perl or Python
script that would automatically submit information to this site. It
would also be trivially easy to write a script that pulls all of UCD's
email addresses from ldap.ucdavis.edu via anonymous access.

See where this is going?

Put the two together and that's a very deadly combination. Perpetrate
it from a wireless network and the attacker might never be caught. I
live in fear something like this is just waiting to happen.
> The problem with this is that there are a lot of people who send
> using a from e-mail that is for permanent use, using an MTA provided
> by their ISP which is less permanent. In these cases, the mail
> address will fail the test, and they'll never get a confirmation
> message. Too many cases for this to be really viable, IMO.
Exactly.
> Something which wouldn't prevent this abuse (but could make it less
> effective), would be to keep a temporary record of confirmation
> requests sent out recently, and not resend them to the same address
> for a given period.
The above website I believe has just such a safeguard, but I still
think that's a horribly ineffective defense.
> The downside to that would be if the confirmation request got lost en
> route, the autobot would have no way of knowing this. But this seems
> an acceptable cost.
I believe the above website uses a timed cache, so after a while you
can try again.
>
> > Another minor problem is if two people both have a similar system
> > in operation they may not ever see each other's email... because
> > ===
> > person A sends a real email to person B,
> > person B's auto-system sends a "confirm you exist first" email to person A,
> > person A's auto-system sends a "confirm you exist first" email to person B,
> > [hopefully deadlock, worst case mail loop between two auto-systems]
> > ===
> >
> > ... if person A's auto-system is very smart and does whatever B's
> > auto-system is asking for in the contents of its "confirm you exist"
> > message then A's original mail would get through.
>
> A's system doesn't necessarily have to be too terribly smart for this
> to work: especially if the confirm bots standardize on procedure.
>
> The common e-mail confirmation request expects some random string in
> the Subject line or the message body. So if confirmation bots make a
> habit of including the subject line and original message, similar to
> what most mail readers do when you hit the "Reply" button, then we
> should be okay.
One hopes :-). I view autoresponses in general as basically evil.
--
----------------------------------------------------------------------
| sam -- Programmer I |
| University of California, Davis : Hart Interdisciplinary Programs |
| GPG Fingerprint: 4F08 E33E 92A2 EA88 CE75 75DC D84C 6046 0240 515F|
----------------------------------------------------------------------
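
The two safeguards discussed in this thread, a timed cache of recently sent confirmation requests and a guard against two confirmation bots answering each other, sketched as an added example that is not part of the original message. The class name, the one-hour window and the sample messages are assumptions made for illustration; the Auto-Submitted header comes from RFC 3834, which postdates this thread.

```python
import time
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the thread).
FORGED = "From: Victim <victim@example.org>\nSubject: buy now\n\nspam body\n"
BOT_REQUEST = ("From: confirm-bot@example.net\nAuto-Submitted: auto-replied\n"
               "Subject: confirm you exist first\n\nReply to confirm.\n")

class ConfirmationThrottle:
    """Decides whether to send a 'confirm me' request for an incoming message."""

    def __init__(self, window=3600, clock=time.time):
        self.window = window      # assumed suppression period, in seconds
        self.clock = clock        # injectable so the expiry can be tested
        self._last_sent = {}      # sender address -> time of last request

    @staticmethod
    def _is_automated(msg):
        # Mail marked as auto-generated or bulk never gets an automatic reply;
        # this is what stops two confirmation bots from answering each other.
        auto = (msg.get("Auto-Submitted") or "no").strip().lower()
        precedence = (msg.get("Precedence") or "").strip().lower()
        return auto != "no" or precedence in ("bulk", "junk", "list")

    def decide(self, raw_message):
        """Return (action, detail); action is 'send', 'suppress' or 'drop'."""
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if "@" not in sender:
            return ("drop", "no usable sender address")
        if self._is_automated(msg):
            return ("drop", "sender is an automated system")
        now = self.clock()
        # Timed cache: forget entries older than the window so a lost
        # confirmation request can be re-sent later.
        self._last_sent = {a: t for a, t in self._last_sent.items()
                           if now - t < self.window}
        if sender in self._last_sent:
            return ("suppress", sender)
        self._last_sent[sender] = now
        return ("send", sender)
```

This caps what one site sends to one address within the window. It does not limit the total a forged sender receives when many independent sites each send their own request.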