On Fri, Feb 16, 2001 at 11:40:37AM -0500, [EMAIL PROTECTED] wrote:
> After several email exchanges, Brian Muha <[EMAIL PROTECTED]> has
> stopped Stefan's vacation message. He did this even though he disagrees
> with these two statements I (repeatedly) made:
> 1. Vacation messages should not be sent in response to mailing
> list mail.
Best practices: No response to anything with precedence "bulk"
or "list" or similar. Really, anything with a precedence less than
"first-class" (0) should not be responded to. List (for sendmail at
least) defaults to -30 while Bulk defaults to -60.
> 2. Vacation messages should not be sent in response to one's own
> vacation messages.
Vacation messages should not be sent in response to ANY vacation
messages or any other form of autoresponder or delivery status notification.
3) Vacation programs should never send more than one reply to
a specific address.
An actual occurrence... Two individuals (officers at an army base)
were warned about misuse of vacation programs. A certain non-com (the
one that warned them) noticed two vacation responses to a meeting notice
that he sent out. He then proceeded to forge in a message to one from the
other. They came back to over 8,000 messages in their mailboxes and both
mailboxes had locked out, over quota. Of course the screaming match
with each blaming the other was something worth selling tickets to. :-)
I think there are a couple of other "best practices" written down,
but I can't find the document right now.
> He believes the right fix is to remove the Reply-to header, and does not
> accept my statement that this only hides the problem (by spamming individual
> users as opposed to the entire mailing list).
Another correct response is to remove the user from the list. We do
this on the list service we run with 70 lists and over 50,000 subscribers.
We do a monthly flush and anyone caught with a vacation program responding
to any "Precedence: list" messages is removed unconditionally. This
should be in addition to notifying them to fix their problem (which
we do as a part of our auto-unsubscribe bot).
In any case, it is his problem to solve because, unsolved, it leaves
him and the user wide open to denial of service attacks.
When I post to a mailing list, I often get numerous vacation replies.
The temptation is very strong to pull a similar trick to what that other
person pulled. If I see more than one reply from a given individual, I
then KNOW that he's vulnerable to this kind of attack. I'll often let the
sysadmin know about the problem. I occasionally get back an irate
message from inexperienced sysadmins and then I simply let them know that
I will make their vulnerability known publicly and let the chips fall
where they may. Smart ones wise up real quick.
Brian, is this the sort of thing you want your users advertising?
That your system can be attacked by tying accounts against one another
in a vacation program food fight? That's in YOUR lap to solve, not the
mailing list. That's YOUR vulnerability and YOUR misconfiguration.
Even if this list removed the Reply-To header, someone with a mischievous
nature could easily take this account out with one simple, carefully
crafted message. If he's lucky (and considering your attitude toward
this misconfiguration, he probably will be) your system will not be
equipped to handle this onslaught and his mailbox won't be the only
thing blown off the face of the earth.
> /r$
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
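The three rules Mike lays out (no reply below first-class precedence, no reply to autoresponders or delivery status notifications, at most one reply per address) as an added example of a vacation-program gate; this is not code from the thread or from any vacation program. The first-class/list/bulk weights are the ones quoted above; special-delivery and junk are assumed from sendmail.cf's defaults, the Auto-Submitted check follows RFC 3834, and the sample messages are constructed.

```python
import email
from email.utils import parseaddr

# Precedence classes with sendmail's default numeric weights. first-class,
# list and bulk are quoted in the thread; special-delivery and junk are the
# other two sendmail.cf defaults (assumed here).
PRECEDENCE = {"special-delivery": 100, "first-class": 0,
              "list": -30, "bulk": -60, "junk": -100}

def precedence_value(msg):
    """Numeric precedence; a missing or unknown header counts as first-class."""
    name = (msg.get("Precedence") or "first-class").strip().lower()
    return PRECEDENCE.get(name, 0)

def is_automated(msg):
    """True for auto-replies, mailing-list traffic and bounces (DSNs)."""
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return True                     # any RFC 3834 auto-generated marking
    if any(h in msg for h in ("List-Id", "List-Post", "List-Unsubscribe")):
        return True                     # list mail even without a Precedence
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True                     # null envelope sender: a bounce/DSN
    if msg.get_content_type() == "multipart/report":
        return True                     # delivery status / disposition report
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    return local in ("mailer-daemon", "postmaster")

def should_autoreply(raw, already_replied):
    """Return (decision, reason). `already_replied` is the set of addresses
    that already got their single notice; share it across all incoming mail."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender:
        return False, "no sender address"
    if precedence_value(msg) < PRECEDENCE["first-class"]:
        return False, "precedence below first-class"      # rule 1
    if is_automated(msg):
        return False, "automated message"                 # rule 2
    if sender in already_replied:
        return False, "already notified once"             # rule 3
    already_replied.add(sender)
    return True, "reply"

# Constructed sample messages (not real mail).
LIST_MAIL = "From: alice@example.org\nPrecedence: list\nSubject: hi\n\nbody\n"
BOUNCE = "Return-Path: <>\nFrom: MAILER-DAEMON@example.net\nSubject: fail\n\n"
AUTOREPLY = "From: carol@example.org\nAuto-Submitted: auto-replied\n\naway\n"
PERSONAL = "From: Bob <bob@example.com>\nSubject: lunch?\n\nbody\n"
```

Feeding the two vacation programs' own notices through this gate is what breaks the loop in the army-base story: the second notice from the same address is refused by rule 3 even if the first one slipped past rule 2.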