
The Increasing Problem Of FOSS Mailing List Flooding Attacks


  • rdnetto
    replied
    Originally posted by toyotabedzrock View Post
    I would suggest you move away from mailing lists. It has always perplexed me why such an inefficient system is used. The system is great for bots and bad for end users.

    I'd say it's due to a combination of network effects and the need for a completely decentralized system, not to mention the desire to allow developers to use whatever tools they prefer. I've found the easiest way to consume them is with an NTP client and Gmane, which is itself a recognition that the current design could use some work.

    I don't think we're going to see anyone moving away from them until a suitable alternative exists. My personal suspicion is that it will involve a replacement for (or extension to) Git which not only decentralizes the source code, but also the associated issue tracking, discussions, etc. (Think Github/Bitbucket, but completely decentralized and with threaded conversations.)



  • sloth77
    replied
    Originally posted by OneTimeShot View Post

    Seriously, go and read RFC 7208. In order to act as a mail-server for a domain (and have your mail received by people who use gmail or anything), your outgoing mail-server *must* be identified in the domain's TXT record. Then you need to have a certificate as well (although that's a little less critical). If you forget to do this, not only will nothing you send ever arrive, but your domain will get permanently blacklisted within a couple of days.
    Yeah, that's actually not true in practice. We (the company I work for) have been successfully running our own domain mailserver for over a decade without a TXT record in our DNS records, OR a certificate. We regularly send to gmail and other accounts and have not had a single instance of bounced or unreceived emails due to RFC 7208.



  • toyotabedzrock
    replied
    Originally posted by Luke View Post
    An additional problem with reCaptcha is this: When connecting to a site via Tor, you get unsolvable foreign language CAPTCHA's that usually cannot be solved by directly figuring out the distorted characters without reference to the rest of the text, which is in a language you cannot read. Whenever I encounter a foreign language reCAPTCHA on a site I must connect to with Tor, I consider the site broken beyond use, close the window, and do not return. I do not tolerate reCAPTCHA's use on any website I control.
    Only if the site uses IP to determine language. But many use the browser language instead. Google doesn't for some reason.



  • toyotabedzrock
    replied
    I would suggest you move away from mailing lists. It has always perplexed me why such an inefficient system is used. The system is great for bots and bad for end users.



  • OneTimeShot
    replied
    Originally posted by biergaizi View Post

    Another issue is that it was very common for FOSS developers to use a forwarding-only mail address (@gnu.org, @fedoraproject.org, etc.) to receive mails, let another mail server/provider send mails, and claim mails are from that address. Strict DNS checks break people's workflow by preventing people from doing it.
    Seriously, go and read RFC 7208. In order to act as a mail-server for a domain (and have your mail received by people who use gmail or anything), your outgoing mail-server *must* be identified in the domain's TXT record. Then you need to have a certificate as well (although that's a little less critical). If you forget to do this, not only will nothing you send ever arrive, but your domain will get permanently blacklisted within a couple of days.

    None of the stuff you describe works any more, because as you say it's open to abuse.

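The thread's two points, OneTimeShot's "make the subscriber send the Subscribe mail first" flow and biergaizi's objection that SMTP lets anyone forge the sender, can be reconciled by checking the sender domain's SPF record (RFC 7208) before the list server sends a confirmation. The following is an added illustration, not code from the thread or from GNU Mailman: a deliberately simplified check_host() that understands only ip4/ip6/include/all terms, run against constructed TXT records instead of live DNS, with all domains and addresses invented for the example.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example data, not real domains).
TXT_RECORDS = {
    "example.org": ["v=spf1 ip4:203.0.113.0/24 include:mailhost.example -all"],
    "mailhost.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "nospf.example": [],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the single v=spf1 TXT record for a domain, or None."""
    recs = [r for r in TXT_RECORDS.get(domain, []) if r.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_spf(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): ip4/ip6/include/all terms only.

    Real implementations also handle a, mx, exists, redirect and
    the DNS-lookup limit; this is enough to show the decision logic."""
    if depth > 10:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            if check_spf(ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"


def should_send_confirmation(envelope_from, client_ip):
    """Answer a 'Subscribe' mail with a confirmation only when the sender's
    domain vouches for the connecting host, so forged senders get nothing."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    result = check_spf(client_ip, domain)
    return result == "pass", result
```

As biergaizi notes later in the thread, a strict gate like this also rejects forwarding-only addresses whose domain does not list the developer's real outgoing host, which is the trade-off list operators have to weigh.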


  • stqn
    replied
    I don't understand how people can still use mailing lists.



  • biergaizi
    replied
    Originally posted by OneTimeShot View Post

    See my previous post. Modern email has protection against this (DNS based authentication).
    Another issue is that it was very common for FOSS developers to use a forwarding-only mail address (@gnu.org, @fedoraproject.org, etc.) to receive mails, let another mail server/provider send mails, and claim mails are from that address. Strict DNS checks break people's workflow by preventing people from doing it.



  • OneTimeShot
    replied
    Originally posted by biergaizi View Post
    SMTP allows senders to make up any email address; attackers could use a script to call "sendmail" to do that.
    See my previous post. Modern email has protection against this (DNS based authentication).



  • biergaizi
    replied
    Originally posted by OneTimeShot View Post

    That's pretty easy to fix - instead of getting the server to send the first email, first add a web-page message with "Please send an email with 'Subscribe' to this mailing list to confirm". You can do a similar thing with "forgotten password". Then follow the existing pattern - so server replies with standard change password/welcome email.
    Yes, that's a good way to fix the problem and I'll suggest that the GNU Mailman developers do that. But actually, it is not a complete fix. SMTP allows senders to make up any email address; attackers could use a script to call "sendmail" to do that, but at least attackers are not able to flood without a mail server by just using HTTP POST.
    Last edited by biergaizi; 11 May 2015, 03:51 AM.



  • OneTimeShot
    replied
    Originally posted by biergaizi View Post
    Once it starts, victims will receive tons of emails saying "Would you like to subscription GnuPG? If yes, click here to confirm".
    That's pretty easy to fix - instead of getting the server to send the first email, first add a web-page message with "Please send an email with 'Subscribe' to this mailing list to confirm". You can do a similar thing with "forgotten password". Then follow the existing pattern - so server replies with standard change password/welcome email.
