Announcement

Collapse
No announcement yet.

The Increasing Problem Of FOSS Mailing List Flooding Attacks

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • The Increasing Problem Of FOSS Mailing List Flooding Attacks

    Phoronix: The Increasing Problem Of FOSS Mailing List Flooding Attacks

    This is a guest post by Tom Li, a Phoronix reader wishing to share his views on the increasing problems of free/open-source software public mailing lists being flooded with spam and other garbage. There are some extreme situations where there can be "flooding attacks" of list subscribers receiving thousands of mailing list messages per day from attackers. Tom is hoping the open-source community can come up with better solutions to fend off this problem...

    http://www.phoronix.com/scan.php?pag...-Flood-Attacks

  • #2
    Some other CAPTCHA than Google's reCaptcha would give better privacy. This may or may not be a problem depending on the mailing list in question. Certainly something like upstream GNU Mailman needs to have spam control options that do not depend on a 3ed party server. GNU mailman is used for many kinds of mailing lists. Using a Google product to control spam subscriptions to say, a mailing list for activists trying to stop a vivisection laboratory could be really dangerous. At the very least Google themselves could find themselves looking at a subpeona in that case.

    Comment


    • #3
      SMTP is outdated protocol and it's users are digging the hole )
      It'll need to be replaced with something more useful very soon.

      Comment


      • #4
        Originally posted by edmon View Post
        SMTP is outdated protocol and it's users are digging the hole )
        It'll need to be replaced with something more useful very soon.
        That's been true for a long time. I still have to deal with it from time to time though.

        Comment


        • #5
          Originally posted by Luke View Post
          Some other CAPTCHA than Google's reCaptcha would give better privacy. This may or may not be a problem depending on the mailing list in question. Certainly something like upstream GNU Mailman needs to have spam control options that do not depend on a 3ed party server. GNU mailman is used for many kinds of mailing lists. Using a Google product to control spam subscriptions to say, a mailing list for activists trying to stop a vivisection laboratory could be really dangerous. At the very least Google themselves could find themselves looking at a subpeona in that case.
          Google's reCaptcha also provides practically free annotations for OCR.

          Don't believe me? The really blurry/messed up text is the real captcha. The obvious text is for you to annotate. Try entering the exact text for the real captcha and garbage for the obvious text. Obviously this won't effect them since they probably do some kind of verification/post-processing. You shouldn't do this with ill intent. But it is curious indeed!

          Having been faced with needing annotations (but not for OCR), I think Google gets theirs way too easily. If their services weren't so popular, they'd be in the same boat as everyone else who needs annotations.

          Comment


          • #6
            So, this is the old email problem.

            Step 1 is "are you using the existing anti-spam features of email?". E.g.:
            - Check the sender SPF record to ensure that the remote client is allowed to send email from that domain (RFC 7208)
            - Check that the sender is using mutually authenticated TLS for the SMTP connection (STARTTLS)
            - Check the certificate matches the sender domain. Check if it publicly trusted or alternatively check the TLSA record with DNSSEC (DANE for Email)

            Step 2 is now "this appears to be a genuine email address". So:
            - Check the whitelisting services SpamHaus, etc.
            - Switch on basic rate limiting for new accounts


            Step 3 is stuff that PostMan probably wouldn't support, such as user reputation (don't allow email addresses that don't have reputation to do multiple posts), or appoint moderation for the first N mails.

            Ultimately, if you want to allow arbitrary people to post on your mailing list, you'll need manual moderators of course. Spam is easy to ignore, trolls not so much.

            Comment


            • #7
              I once had my e-mail address blacklisted by muse-sequencer.org mailing list for rejecting spam. I do use postgrey, SpamAssassin, and RBL rejection among other things. And even then, I do get spam coming from the mailing list.

              Doesn't mailing addressing system need to be updated to address spam? Or does SMTP suck?

              Comment


              • #8
                An additional problem with reCaptcha is this: When connecting to a site via Tor, you get unsolvable foreign language CAPTCHA's that usually cannot be solved by directly figuring out the distorted characters without reference to the rest of the text, which is in a language you cannot read. Whenever I encounter a foreign language reCAPTCHA on a site I must connect to with Tor, I consider the site broken beyond use, close the window, and do not return. I do not tolerate reCAPTCHA's use on any website I control.

                Comment


                • #9
                  I'm the submitter of the news.

                  It seems I didn't explain some details, it's a bit misleading, thus the problem described in that news is not the real problem. Such attacks are different from any other spam. For example, if you want to subscript GnuPG mailing list, you need to click the "subscription" button and type your email on the webpage, then you'll recieve a confirmation mail from the list server. Normally, you'll end up your subscription by clicking the link leads to a confirmation webpage.

                  Attackers could use this "subscription confirmation" feature to start a flooding attack. Once it starts, victims will recieve tons of emails says "Would you like to subscription GnuPG? If yes, click here to confirm". The core idea of such attack is, using a legal and valid mail server to send tons of emails to a address. Such attack is very low-cost, because the attackers are not even required to have a mail server; hard to filter, because these confirmation mails from the lists are legal and valid mails, if can't be simply classified as spams. And you can be a victim even if you don't know what is a mailing list at all! Attacker change legal FOSS mail servers to something like a botnet.

                  I'd like to clear the news to remind the FOSS community to be aware of such problem.

                  Comment


                  • #10
                    Originally posted by biergaizi View Post
                    Once it starts, victims will recieve tons of emails says "Would you like to subscription GnuPG? If yes, click here to confirm".
                    That's pretty easy to fix - instead of getting the server to send the first email, first add a web-page message with "Please send an email with 'Subscribe' to this mailing list to confirm". You can do a similar thing with "forgotten password". Then follow the existing pattern - so server replies with standard change password/welcome email.

                    Comment

                    Working...
                    X