[Mailman-Developers] FYI -- mailback validations no longer safe?

Christopher Lindsey lindsey@ncsa.uiuc.edu
Sat, 9 Dec 2000 03:09:26 -0600


> I'm passing this along mostly as a FYI, but also as a sanity check. I 
> sent this out to list-managers tonight, to bring up an issue that 
> sort of crystalized this afternoon and made me realize that I think 
> we have the beginnings of a problem in mail list land. Your thoughts 
> are welcome.... If I'm right, well, oh, boy. If I'm wrong -- I'd love 
> to find out my idea won't work, but I think it's not only possible, 
> but fairly easy.

Hi Chuq,

   Yes, this has definitely been troublesome.   I've blocked many
   commercial sites like findmail.com (egroups) and remarq.com from my
   lists because of their secret archiving that displays email addresses
   to the public, but at least they don't spam the lists back.  But
   of course anyone can browse these sites and get addresses to their
   heart's content, then forge MAIL FROM: to sneak mail into the lists.

   I'm not sure what the right thing is to do.  MLMs like sympa (

      http://listes.cru.fr/sympa/

   ) are definitely moving in the right direction with S/MIME
   signatures/encryption and X509 user certs, but that still doesn't
   stop someone from using throwaway certs to spam several lists or
   from harvesting addresses.  The problem is that when these methods
   are used for authentication they just prove that the email address
   sending the stuff is who we think he or she is.  But at least you
   can't forge the source email address to look like it's coming from
   a list member who is allowed to post (well, it's harder :)

   I think that there's an implicit level of trust that has to be honored
   in mailing list management.  Even SASL-based SMTP authentication from
   ISPs isn't going to prevent throw-away accounts from being used.
   Until we can get a fingerprint or cornea scan (or even a driver's
   license) with each mailing list subscription and compare it against
   a master database (which I'm not advocating), you can't be 100%
   sure of the users.

   For now I'd say that the best method is a social one; require
   references when people want to subscribe to your list.  Ask them which
   lists they participate on, an example post from another list, etc.
   But ultimately it becomes a judgement call by the listowner either way.

   Just my humble opinion on the matter...

Chris

----------------------------------------------------------------------
Christopher Lindsey, Senior System Engineer
National Center for Supercomputing Applications (NCSA)