l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2003 Jun 25 14:38

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] spam control: send email to confirm
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] spam control: send email to confirm

Mike, thanks for your very insightful comments.

On Wed, Jun 25, 2003 at 03:00:51PM -0400, Mike Simons wrote:
>   One minor problem is this kind of system in wide deployment could be
> used as a DDOS on a particular person... spam a batch of thousands of 
> people who you know have a system like this, forge some target's real 
> email address as the sender, suddenly that one person has thousands of
> junk email messages saying "confirm me" in their inbox.

This sort of thing can be a real problem, especially if the
confirmation autobots become much more widespread. It could be
possible to verify that the e-mail address makes sense with the trace
headers (I've been on at least one mailing list that did this). The
problem with this is that there are a lot of people who send using a
from e-mail that is for permanent use, using an MTA provided by their
ISP which is less permanent. In these cases, the mail address will
fail the test, and they'll never get a confirmation message. Too many
cases for this to be really viable, IMO.

Something which wouldn't prevent this abuse (but could make it less
effective), would be to keep a temporary record of confirmation
requests sent out recently, and not resend them to the same address
for a given period.

The downside to that would be if the confirmation request got lost en
route, the autobot would have no way of knowing this. But this seems
an acceptable cost.

>   Another minor problem is if two people both have a similar system
> in operation they may not ever see each other's email... because
> ===
> person A sends a real email to person B,
> person B's auto-system sends a "confirm you exist first" email to person A,
> person A's auto-system sends a "confirm you exist first" email to person B,
>   [hopefully deadlock, worst case mail loop between two auto-systems]
> ===
> ... if person A's auto-system is very smart and does whatever B's
> auto-system is asking for in the contents of it's "confirm you exist"
> message then A's original mail would get through.

A's system doesn't necessarily have to be too terribly smart for this
to work: especially if the confirm bots standardize on procedure.

The common e-mail confirmation request expects some random string in
the Subject line or the message body. So if confirmation bots make a
habit of including the subject line and original message, similar to
what most mail readers do when you hit the "Reply" button, then we
should be okay.

>   I don't think spam is a simple problem.

Huh! Seems simple enough to spammers :-D

vox mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.