Welcome to nanog

Now seems an appropriate time to mention this paper by Dan Bernstein the
author of qmail and ezmlm (EZ mailing list manager).


It discusses Mailing list abuse (like what we are seeing now), and types
of email abuse.

The topics of paper include:

False subscription requests
Subscription cookie prediction
Filter dodging
Autoresponder loops
Unathorized relaying
Unathorized bouncing
False unsubscription requests
False bounces

This section seems most appropriate now:


An attacker can subscribe one mailing list to another. Cookies don't help,
since every subscriber to the target mailing list---including the
attacker's accomplice---receives a copy of the confirmation request.

An attacker can subscribe ten mailing lists to each other. This will
create a tsunami of mail, destroying all the mailing lists. Advanced loop
prevention mechanisms such as Delivered-To don't help, since a message can
pass through ten mailing lists in millions of different ways without

I propose (1) adding a Mailing-List field to every outgoing confirmation
message, (2) adding a Mailing-List field to every distributed message, and
(3) refusing to distribute messages that already contain Mailing-List

This provides a two-pronged defense to cross-subscription. First, it isn't
possible to cross-subscribe lists, since the confirmation message will
bounce from the target list. Second, users aren't hurt even if lists are
somehow cross-subscribed, since a message distributed from one list will
bounce from all the rest.

Sublists have to behave a bit differently. Every mailing list has to set
the envelope sender on outgoing messages; a sublist checks that it is
receiving a message from its parent list's envelope sender.

Again the paper is by Dan Bernstein.

Dax Kelson
Internet Connect, Inc.