> [Original Message]
> From: NoOp <[EMAIL PROTECTED]>
> To: <[email protected]>
> Date: 10/4/2008 9:53:23 PM
> Subject: [users]  Re: openoffice.org - Malicious Third-Party Subscription
>
> On 10/04/2008 09:01 PM, Barbara Duprey wrote:
> > comments inline...
>
> As are mine.
>
> > 
> > NoOp wrote:
> >> On 10/04/2008 04:35 PM, Barbara Duprey wrote:
> >>
> >>   
> >>> In a related post, I asked what people thought about just eliminating 
> >>> the "goodbye" confirmation. I don't think malicious unsubscribes are 
> >>> either likely or particularly harmful, and it would be much easier to 
> >>> deal with malicious subscribes. The unsubscribe process could send a 
> >>> message, but not require response, and that would mean that once the 
> >>> subscription account was known, anybody could do the unsubscribe. So 
> >>> when we got one of these "please unsubscribe me" posts, we could just do
> >>> it, or tell an apparently unsubscribed OP to look at a full message 
> >>> header to identify the subscriber, then use the 
> >>> [EMAIL PROTECTED] to unsubscribe. Haven't 
> >>> heard any response to that idea yet.
> >>>     
> >>
> >> I think that is not a good idea. Without the "goodbye" confirmation
> >> anyone could possibly unsubscribe you, or anyone else on the list.
> >>   
> > 
> > Understood, and it would be annoying, but not really harmful. An 
> > unwanted subscription (or a bunch of them), however, can cause real 
> > difficulty. Maybe the technique mentioned earlier here (defining a mimic
> > account to the offender's on the victim's email client, sending an 
> > unsubscribe, and confirming it as if from the offending subscribed 
> > account) will work, and maybe not. If not, it appears to be very 
> > difficult to unsubscribe because the victim does not have access to the 
> > subscribed account  to confirm the unsubscribe.
>
> Actually it would be more than annoying and create havoc across this
> mail list.
>
> >> Malicious subscribes can only occur if someone has control of an account
> >> and can respond to the "you have subscribed" confirmation email. If
> >> someone has control of the email account and is using it to subscribe it
> >> to mailing lists it is already too late; the email account has been
> >> already compromised, and should be discarded or the user should have the
> >> email account password reset & monitored by the email account provider.
> >>   
> > The situation we're dealing with here is that someone created an actual 
> > gmail account and used it to subscribe to a number of lists, providing 
> > any required confirmations, and then redirected all incoming traffic to 
> > the chosen target, whose mail is now filling up and interfering with his
> > business. The target email account was not itself compromised, and the 
> > problem account is still out there with the guilty party apparently 
> > frequently changing the password. No special knowledge of the target 
> > account was needed, just its mailto name.
>
> The fact that Chuck has someone that is forwarding emails from this list
> to his sbcglobal.net account is not the problem of the users on this
> list. It's a problem with him and whoever maliciously is forwarding the
> emails to him.
>
> It is however a problem of the list manager in that it has never been
> easy to communicate with a live person/moderator/manager of this list.
> For instance; there is _no_ obvious address/person/email that even we,
> as valid subscribers to this list, can write to to complain about a
> Chuck. Yes, we can also try to view the mailing list pages for some
> contact information but in the end we'll not find one - I've not, and
> I've been on this list since 2007 (I think).
>
> Luckily I use gmane for this and many, many other lists, and wonder why
> anyone still would use an actual email list subscription when they can
> use a gmane or other nntp newsreader subscription instead.
>
> [snips]
> >>
> >> 1. First off he should take the issue to the provider of the
> >> [EMAIL PROTECTED] account (Google) and file an abuse request that
> >> all email from that account stop forwarding to his sbcglobal account.
> >>   
> > 
> > Yes, and he's been advised of this. Don't know if he's done it, or how 
> > responsive Google is to this kind of request.
> >> 2. He should simply log into his AT&T (sbcglobal.net) account and
> >> blacklist [EMAIL PROTECTED] and tag [EMAIL PROTECTED]
> >> as spam. Note my posting address; I have an sbcglobal.net account so I
> >> know how easy it is to block emails from any particular email address.
> >>   
> > 
> > His initial description of the problem didn't mention the gmail account;
> > I'm not sure if this is a true forwarding, with the sender clearly 
> > identified, or if the sender appears to be the list because of the way 
> > Google handles list traffic. Maybe somebody who uses gmail can respond 
> > with more info here. In any case, though, what about people who have to 
> > pay by the message? Doesn't the message still get transmitted and have 
> > to be paid for, even if it is immediately discarded? (I know that's not 
> > the case with sbcglobal.net, but it could happen to somebody else.)
>
> Again, it doesn't matter from this list perspective. Chuck should have
> just used the tools provided to him by his ISP to block any further
> emails from this list and the [EMAIL PROTECTED] account.
>
> We are not responsible for the ignorance of someone that does not use
> the tools provided by their ISP to block unwanted email. Chuck stated
> "this emailer where I have been forwarded hundreds of lists" and I
> initially took that to mean that he's been subscribed to hundreds of
> mail lists. A Google on Chuck seems to indicate that he probably meant
> that he's received hundreds of emails from this list. If that is the
> case, then again, he easily could have used the tools that his ISP
> provides to him to block/delete the unwanted messages.
>
> [snip]
> > 
> > His sbcglobal.net account was not subscribed. All his messages went 
> > through "moderator for [email protected]" -- attempting to 
> > unsubscribe that just got a message that it wasn't subscribed and 
> > therefore couldn't be unsubscribed. I do kind of wonder why the 
> > moderator let so many through, though.
>
> Good point. Now can you find the information to complain to the list
> moderator/administrator... If you can I'll give you a gold star :-)
>
> The point boils down to the fact that none of us, many have been here
> for quite some time, even know how to complain regarding our own list.
> It's a double-edged sword; there seems to be no
> [EMAIL PROTECTED] type of address for those on the list to
> report a Chuck (or others of recent), nor is there any such address for
> the Chucks of the world that have a problem with the OOo list and can't
> seem to get out of the loop.
>
> I seem to recall some logged issues regarding this but can't recall the
> issue numbers. I'm sure that if you search the list for similar posts
> we'll find previous posts by me, you, others regarding this same issue.
> We'll also not find someone from OOo that has ever stepped up and waved
> a hand saying "I'm the person responsible for this list - if you have
> problems contact me, and by the way, my project page is...).
>
> Perhaps it's just time to get mad and demand that OOo provide a single
> contact for this list. It's the largest and most obvious list on OOo for
> both experienced and new users alike. Example:
>
> http://www.openoffice.org/
>   http://support.openoffice.org/index.html
>     Users Mail List (Subscribe /  Archives)
> OpenOffice.org Project community support provided by a network of
> hundreds of experienced users. You must be subscribed to post messages.
>
> Reminding users on this list that it was/is our desire to have posters
> subscribe... but who was the fool that created that link without linking
> first to a web page describing the lists, the fact that the subscriber
> will receive emails from this list etc., etc?
>
> The rest of your response is appreciated, but snipped. It is _not_
> advisable to have _any_ standard mail list forgo the appropriate
> subscribe and unsubscribe checks that have been proven to be effective
> over time. Those checks and balances have been put in place for a
> reason; one reason is the malicious subscribe and unsubscribe of list
> users.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
