lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sun Feb 12 19:22:20 2006
From: vtlists at wyae.de (Volker Tanger)
Subject: Google creates SPAM haven

Adam Laurie <adam.laurie@...bunker.net> wrote:

> J.A. Terranson wrote:
> > On Sat, 11 Feb 2006, Stan Bubrouski wrote:
> >confirmation, >Google just blindly subscribes you when anyone
> >requests it, I'm >assuming, since I didn't subscribe to any of the
> >hacker or porn groups >I have to keep removing myself from.  
> 
> Errr... this is precisely my point. I'm not using google. Someone else
> is using google to spam me.
> 
> Allowing automatic subscription of 3rd party addresses to public
> mailing  lists goes against all best practice and set a very dangerous
> precedent,  and they really should know better. 

Well, non-verified mailing lists are prone to self-DoSing: if two or
more of these lists accidentally subscribe to each other, they'd create
an instant mailstorm, and the weakest server will give in first.

"In the early days" (when mailing lists often were implemented with
/etc/alias instead of software) this happened all too often. One mail
address bouncing caused the bounce to appear back on the mailing list
which caused the bounce's bounce to appear on the mailing list, which
caused...

Two or more (different) bounces caused a bounce avalance - and with the
comparatively slow servers at that time (two-digit MHz - if you had a
big iron) a DoS was not too far off.

While bounce-handling of current software prevents BOUNCES to cause a
mail storm, automated repliers (Out-of-Office messages - especially
ill-configured or ill-designed ones) still cause grief for mailing list
admins. I've seen a "multi-language" OoO accidentally DoSing a mailing
list as that one sent out multiple messages for each mail coming in -
one OoO-Reply for each of the three languages. Wheeee - mailstorm!

If now mailing lists are accidentally cross-subscribed (which is not
possible with most current double-opt-in mailing list software) you have
the same problem.

And with Google's server- and bandwidth-power such a mailstorm probably
will be VERY bad, accecting quite a lot of the internet mail
infrastructure, unless the lists are very small.

*sigh*

So no lesson was learnt in the last 10 years?

Bye

Volker


-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@...e.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ