[Mailman-Developers] Yet another weird-a$$ potential attack problem...

Chuq Von Rospach chuqui@plaidworks.com
Thu, 04 Apr 2002 11:07:30 -0800

Oh, man. This is my week for weird stuff.

I've just finished tracking down and nuking a subscriber with a really
noxious mailbot. The situation was that anyone posting to one of my lists
would get a reply back from <major new york financial company name deleted>
acknowledging the email. Needless to say, this was rather irritating to people.

I finally had to address probe the entire list, because the mailbot was
coming back from a domain that wasn't subscribed to the list (of course),
and the mailbot successfully removed every piece of identifying information
from the email except the subject line. It finally turned out to be a
person's alumni email address (why are these things always problems?) at
<major east coast engineering school university that should turn out people
who know better deleted> forwarding to his account at <yada yada etc>.

I deleted it, banned the address, and sent him mail announcing him as the
winner of the "you're the stupid mailbot winner!" message explaining why he
was a dead man. (he responded this morning. It started with "why didn't you
contact me?" and went downhill from there....)

But another list user brought up an interesting point, and I want to throw
it out here to see if it's a problem we should worry about.

Since the mailbot responds to the given address with the subject line more
or less intact, it seems to me like we have a hole in the mail-back
validation system in this specific situation. Imagine this scenario:

- I get mad at <company.com>.

- I notice they have a braindead mailbot saying "thank you for e-mailing
<company.com>. We want you to know we got your message regarding 'foo'".

- I decide to mailbomb <company.com>

- I forge a bunch of subscribe requests to lists on a mailman server, all
coming from <address@company.com>, asking to subscribe. I start with root,
abuse, ftp, admin, ceo, all -- have fun, it's cheap and easy.

- All of these go to mailman, which sends back the confirmation message with
the confirmation token in it.

- this mailbot gets a copy and sends back its "thanks for mailing us..." --
and includes the subject line, which includes the token.

- which, AFAICT, confirms the subscription, making the attack successful.
Now you have a bunch of folks who got the confirmation message out of
nowhere, but the confirmation message says to reply or nothing will happen.
They don't reply, but they'll find themselves subscribed anyway, because the
mailbot confirmed the subscription FOR them. And now they're pissed at us,
the list server owners.

Now, part of me wants to respond "your own damn fault for running such a
braindead mailbot in such a stupid way", but at the same time, I don't think
mailman should allow for attacks even if it requires braindeadness on the
part of the IS people on the other domain (in this case, I'm not sure the IS
people are to blame, I think it's the corporate lawyers).

The question I'm bringing up is, I guess, is this something mailman needs
to worry about? Should it require that the returned token come from the
address being subscribed? (or does it already? In this case, it came from a
generic mailbot address @ that domain. An address which, fwiw, bounces if
you mail to it. Grimace.). I realize that the "reply to confirm" is easy for
users, but does it leave us open to abuse in other ways? Should we make some
change to the process that requires a person to do something?

I don't have a good answer for any of this. I'm not even sure we should
consider it a problem. But since I've identified it as a possible security
flaw, I want to throw it out and let everyone chew on it.

What do folks think about this? I'm worried about setting up mailman to
allow for attacks on people or sites, even if it's a limited set of sites
set up a specific way (shades of ORBZ and the Lotus Notes domino bug...). On
the other hand, IS it their fault for building a stupid tool? Or is that no
excuse to not protect ourselves from stupidity?


-- 
Chuq Von Rospach, Architech
chuqui@plaidworks.com -- http://www.chuqui.com/

No! No! Dead girl, OFF the table! -- Shrek
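The check the post asks about ("should it require that the returned token come from the address being subscribed?") is small enough to show in working form. The following Python is an added example written for this page; it is not Mailman's code and does not model Mailman's real pending-request database. It assumes a hypothetical `PENDING` table mapping confirmation tokens to the address that requested the subscription, and it treats a reply as a valid confirmation only if (a) the token in the subject is known, (b) the message does not carry an auto-responder header (`Auto-Submitted`, as standardised later in RFC 3834, or an older `Precedence: bulk`/`junk`/`auto_reply`), and (c) the `From` address matches the pending address. The three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed pending-confirmation table (hypothetical; stands in for the
# list server's real store): token -> address that asked to subscribe.
PENDING = {
    "3f9a1c2e7b": "alice@example.org",
    "8d0e4b6a11": "ceo@company.example",
}

# Tokens in this example are 10 lowercase hex digits (an assumption, not
# Mailman's real token format).
TOKEN_RE = re.compile(r"\b([0-9a-f]{10})\b")

# Header values that mark a message as machine-generated. A mailbot that sets
# none of these is still caught by the sender-match rule below.
AUTO_HEADERS = {
    "auto-submitted": ("auto-replied", "auto-generated"),
    "precedence": ("bulk", "junk", "auto_reply"),
}


def is_auto_reply(msg):
    """True if any auto-responder marker header is present on the message."""
    for header, markers in AUTO_HEADERS.items():
        value = (msg.get(header) or "").strip().lower()
        if value.startswith(markers):
            return True
    return False


def evaluate_confirmation(raw, pending=PENDING, require_sender_match=True):
    """Decide whether a reply confirms a pending subscription.

    Returns ("confirm", address) or ("reject", reason). With
    require_sender_match=False the function behaves like the token-only
    check the post worries about: any echo of the token confirms.
    """
    msg = message_from_string(raw)
    match = TOKEN_RE.search(msg.get("Subject") or "")
    if not match:
        return ("reject", "no token in subject")
    token = match.group(1)
    expected = pending.get(token)
    if expected is None:
        return ("reject", "unknown token")
    if is_auto_reply(msg):
        return ("reject", "auto-submitted reply")
    sender = parseaddr(msg.get("From") or "")[1].lower()
    if require_sender_match and sender != expected.lower():
        return ("reject", "sender %s does not match pending address %s"
                % (sender, expected))
    return ("confirm", expected)


# Constructed sample replies.
GOOD_REPLY = """From: Alice <alice@example.org>
To: list-request@lists.example
Subject: Re: confirm 3f9a1c2e7b

yes
"""

# The mailbot from the post: generic sender, subject echoed back, and (in this
# sample) the headers a well-behaved auto-responder would set.
BOT_REPLY = """From: autoreply@company.example
To: list-request@lists.example
Precedence: bulk
Auto-Submitted: auto-replied
Subject: Thank you for e-mailing company.example regarding 'confirm 8d0e4b6a11'

We got your message.
"""

# Same mailbot without any auto-responder headers: only the sender check
# stops it.
BOT_REPLY_NO_HEADERS = """From: mailbot@company.example
To: list-request@lists.example
Subject: Re: confirm 8d0e4b6a11

We got your message.
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_REPLY), ("bot", BOT_REPLY),
                         ("bot-no-headers", BOT_REPLY_NO_HEADERS)):
        print(name, evaluate_confirmation(sample))
        print(name, "token-only:", evaluate_confirmation(sample, require_sender_match=False))
```

The sender check is the one that matters for the scenario in the post. The attacker forged the subscribe request but never received the token; the only party that sees it is the victim's mailbox (and whatever robot reads it). Requiring the `From` address of the confirming reply to equal the pending address means a generic autoresponder address cannot complete the subscription, while a forger who wanted to fake the `From` would still need the token. The auto-responder header check is a cheap second filter, not a substitute: as the post notes, the mailbot in question stripped everything but the subject, so it should not be relied on alone.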