The Increasing Problem Of FOSS Mailing List Flooding Attacks
Written by Tom Li in Free Software on 10 May 2015 at 01:45 PM EDT. 18 Comments
FREE SOFTWARE --
This is a guest post by Tom Li, a Phoronix reader wishing to share his views on the increasing problems of free/open-source software public mailing lists being flooded with spam and other garbage. There are some extreme situations where there can be "flooding attacks" of list subscribers receiving thousands of mailing list messages per day from attackers. Tom is hoping the open-source community can come up with better solutions to fend off this problem.

Recently, I have received a large amount of subscription confirmation emails. These mails are from public mailing lists, especially lists of Free and Open Source Projects, included but not limited to OpenBSD, FreeBSD, GNU Project, Ubuntu, CentOS, and Qt. The "subscribers" are from multiple IP addresses. After I shared my experience to social networks, I have found more than 10 victims of the same attack, included a famous Chinese tech-blog writer. One of us received more than 10k email for 24 hours. Some of our emails have already stopped operating and refusing all new incoming emails.

Mailing Lists play a very important role for communication in FOSS projects. Daily development heavily depends on them. Common programs send a confirmation mail after users commit a subscription to prevent unexpected spamming.

But since thousands of lists exist, flooding by sending confirmation mails is possible. These mailing lists are usually powered by GNU Mailman, without any rate limit by default, also provides a shortcut to scripts automation. All the attacks need, is just sending POST requests.

The GNOME Foundation faced the same problem last year, they solved it by adding reCAPTCHA to GNU Mailman running on FreeDesktop.org. But, there are still many lists without any protection, e.g Fedora Project. I urge GNU Mailman developers/webmasters to add a rate limit for their subscriptions to a same email address.

If this method is used widely, such low-cost attacks will serious waste system resource of FOSS projects, and preventing many people and organization to use email. If such mail is classified as spam, all developers' normal communication will be affected.

Have you had much of a problem with this? How many open-source mailing lists are you subscribed to? Let us know by commenting on this article in the forums.
Related News
Popular News This Week