[mailop] signup form abuse

2016-05-24 Thread Vick Khera
As an ESP, we host mailing list signup forms for many customers. Of late,
it appears they have been getting pounded on with fraudulent signups for
real addresses. Sometimes the people confirm by clicking the confirmation
link in the message and we are left scratching our heads as to why they
would do that. Mostly they get ignored and sometimes they come back as spam
complaints.

One opinion I got regarding this was that people were using bots to sign up
to newsletter lists other bot-driven email addresses at gmail, yahoo, etc.,
to make those mailboxes look more real before they became "weaponized" for
use in sending junk. That does not seem to be entirely what is happening
here...

Today we got a set of complaints for what appears to be a personal email
address at a reasonably sized ISP. The complaint clearly identified the
messages as a signup confirmation message and chastised us for not having
the form protected by a CAPTCHA. Of course, they blocked some of our IPs
for good measure :( They characterized it as a DDoS.

What are the folks on this fine list doing about this kind of abuse? We do
have the ability to turn on CAPTCHA for our customers, but often they have
nicely integrated the signup forms into their own web sites and making it
work for those is pretty complicated. If I enabled CAPTCHA naively, the
subscribers would have to click the submit form twice and then click the
confirm on the email. The UX for that sucks, but such is the cost of
allowing jerks on the internet...

Rate limiting doesn't seem to be useful since the forms are being submitted
at low rates and from a wide number of IP addresses.

I look forward to hearing what others here are doing.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop
Are these IP addresses on CBL?
Are these addresses in a larger pool, like a Nigerian coffee shop?
At some point, you should have a CAPTCHA, and also possibly a list of ranges of 
known bad actors.

We’ve been so concerned about issues from bad IPs on port 25, that many of us 
have neglected noticing bad connections on port 443.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
Sent: Tuesday, May 24, 2016 10:18 AM
To: mailop@mailop.org
Subject: [mailop] signup form abuse

As an ESP, we host mailing list signup forms for many customers. Of late, it 
appears they have been getting pounded on with fraudulent signups for real 
addresses. Sometimes the people confirm by clicking the confirmation link in 
the message and we are left scratching our heads as to why they would do that. 
Mostly they get ignored and sometimes they come back as spam complaints.

One opinion I got regarding this was that people were using bots to sign up to 
newsletter lists other bot-driven email addresses at gmail, yahoo, etc., to 
make those mailboxes look more real before they became "weaponized" for use in 
sending junk. That does not seem to be entirely what is happening here...

Today we got a set of complaints for what appears to be a personal email 
address at a reasonably sized ISP. The complaint clearly identified the 
messages as a signup confirmation message and chastised us for not having the 
form protected by a CAPTCHA. Of course, they blocked some of our IPs for good 
measure :( They characterized it as a DDoS.

What are the folks on this fine list doing about this kind of abuse? We do have 
ability to turn on CAPTCHA for our customers, but often they have nicely 
integrated the signup forms into their own web sites and making it work for 
those is pretty complicated. If I enabled CAPTCHA naively, the subscribers 
would have to click the submit form twice and then click the confirm on the 
email. The UX for that sucks, but such is the cost of allowing jerks on the 
internet...

Rate limiting doesn't seem to be useful since the forms are being submitted at 
low rates and from a wide number of IP addresses.

I look forward to hearing what others here are doing.


Re: [mailop] signup form abuse

2016-05-24 Thread Franck Martin via mailop
Not a new story, people have devised systems to avoid the creation of such
accounts:
http://bits.blogs.nytimes.com/2013/04/05/fake-twitter-followers-becomes-multimillion-dollar-business/?_r=0

You could for instance use data from http://www.e-hawk.net/ (I'm not
endorsing them, just a company that tries to fill that need, there are
others, do due diligence) to trust (or not) that the signing up is from a
legit person and if not increase the challenge level (CAPTCHA and others).

On Tue, May 24, 2016 at 11:18 AM, Michael Wise via mailop  wrote:

> Are these IP addresses on CBL?
>
> Are these addresses in a larger pool, like a Nigerian coffee shop?
>
> At some point, you should have a CAPTCHA, and also possibly a list of
> ranges of known bad actors.
>
>
>
> We’ve been so concerned about issues from bad IPs on port 25, that many of
> us have neglected noticing bad connections on port 443.
>
>
>
> Aloha,
>
> Michael.
>
> --
>
> *Michael J Wise* | Microsoft | Spam Analysis | "Your Spam Specimen Has
> Been Processed." | Got the Junk Mail Reporting Tool
>  ?
>
>
>
> *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Vick
> Khera
> *Sent:* Tuesday, May 24, 2016 10:18 AM
> *To:* mailop@mailop.org
> *Subject:* [mailop] signup form abuse
>
>
>
> As an ESP, we host mailing list signup forms for many customers. Of late,
> it appears they have been getting pounded on with fraudulent signups for
> real addresses. Sometimes the people confirm by clicking the confirmation
> link in the message and we are left scratching our heads as to why they
> would do that. Mostly they get ignored and sometimes they come back as spam
> complaints.
>
>
>
> One opinion I got regarding this was that people were using bots to sign
> up to newsletter lists other bot-driven email addresses at gmail, yahoo,
> etc., to make those mailboxes look more real before they became
> "weaponized" for use in sending junk. That does not seem to be entirely
> what is happening here...
>
>
>
> Today we got a set of complaints for what appears to be a personal email
> address at a reasonably sized ISP. The complaint clearly identified the
> messages as a signup confirmation message and chastised us for not having
> the form protected by a CAPTCHA. Of course, they blocked some of our IPs
> for good measure :( They characterized it as a DDoS.
>
>
>
> What are the folks on this fine list doing about this kind of abuse? We do
> have ability to turn on CAPTCHA for our customers, but often they have
> nicely integrated the signup forms into their own web sites and making it
> work for those is pretty complicated. If I enabled CAPTCHA naively, the
> subscribers would have to click the submit form twice and then click the
> confirm on the email. The UX for that sucks, but such is the cost of
> allowing jerks on the internet...
>
>
>
> Rate limiting doesn't seem to be useful since the forms are being
> submitted at low rates and from a wide number of IP addresses.
>
>
>
> I look forward to hearing what others here are doing.
>


Re: [mailop] signup form abuse

2016-05-24 Thread Jay Hennigan

On 5/24/16 10:17 AM, Vick Khera wrote:

> As an ESP, we host mailing list signup forms for many customers. Of
> late, it appears they have been getting pounded on with fraudulent
> signups for real addresses. Sometimes the people confirm by clicking the
> confirmation link in the message and we are left scratching our heads as
> to why they would do that. Mostly they get ignored and sometimes they
> come back as spam complaints.
>
> One opinion I got regarding this was that people were using bots to sign
> up to newsletter lists other bot-driven email addresses at gmail, yahoo,
> etc., to make those mailboxes look more real before they became
> "weaponized" for use in sending junk. That does not seem to be entirely
> what is happening here...


The appearance of the confirmation email makes a big difference. If it 
looks like an advertisement with lots of graphics, hidden tracking bugs, 
etc. it's likely to be viewed as abuse and used by bad guys to harass 
innocents.


I'm very pleasantly (and rarely) surprised with list confirmations that 
look like this:


* A single small logo for branding or no graphics at all
* No advertising
* A statement like "On [date] at [time] [timezone] you or someone 
claiming to be you requested to subscribe to [list] from IP address 
[IP]. To confirm your request, click [link]. If you didn't make this 
request, do nothing and you will not hear from us again. To report 
abuse, [do whatever]."


Of course that's assuming that the ESP bothers to confirm subscriptions 
at all.


One extremely annoying new trend is websites that grey out after a few 
seconds and present a popup demanding an email address. This irritation 
is likely to result in the masses supplying an email address, any email 
address, just to stop the annoyance. I've resisted the temptation to 
complete them all with "abuse@". So far, I'm using 
"nob...@example.com".


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop

We're still seeing cases where a malicious actor, typically in Eastern Europe, 
will try and sign up a target email address for thousands of lists all at once, 
flooding their mailbox with confirmation traffic, perhaps to hide some other 
nefarious issues.

If we could standardize the confirmation messages, at some point, it might be 
possible to install some sort of circuit-breaker for this kind of abuse, but 
until then ... we're tending to relegate all confirmations to Junk (not Spam) 
status, simply out of preservation of the customer's INBOX usefulness.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Tuesday, May 24, 2016 12:07 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/24/16 10:17 AM, Vick Khera wrote:
> As an ESP, we host mailing list signup forms for many customers. Of 
> late, it appears they have been getting pounded on with fraudulent 
> signups for real addresses. Sometimes the people confirm by clicking 
> the confirmation link in the message and we are left scratching our 
> heads as to why they would do that. Mostly they get ignored and 
> sometimes they come back as spam complaints.
>
> One opinion I got regarding this was that people were using bots to 
> sign up to newsletter lists other bot-driven email addresses at gmail, 
> yahoo, etc., to make those mailboxes look more real before they became 
> "weaponized" for use in sending junk. That does not seem to be 
> entirely what is happening here...

The appearance of the confirmation email makes a big difference. If it looks 
like an advertisement with lots of graphics, hidden tracking bugs, etc. it's 
likely to be viewed as abuse and used by bad guys to harass innocents.

I'm very pleasantly (and rarely) surprised with list confirmations that look 
like this:

* A single small logo for branding or no graphics at all
* No advertising
* A statement like "On [date] at [time] [timezone] you or someone claiming to 
be you requested to subscribe to [list] from IP address [IP]. To confirm your 
request, click [link]. If you didn't make this request, do nothing and you will 
not hear from us again. To report abuse, [do whatever].

Of course that's assuming that the ESP bothers to confirm subscriptions at all.

One extremely annoying new trend is websites that grey out after a few seconds 
and present a popup demanding an email address. This irritation is likely to 
result in the masses supplying an email address, any email address, just to 
stop the annoyance. I've resisted the temptation to complete them all with 
"abuse@". So far, I'm using "nob...@example.com".

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
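
One way the "circuit-breaker" idea from the message above could look on the receiving side, as an added example that is not part of the original thread or any participant's code. The header name `X-Subscription-Confirmation`, the window and the threshold are hypothetical; the thread notes that no standard marker for confirmation messages exists, and the sample messages are constructed.

```python
from collections import defaultdict, deque

# Hypothetical header: stands in for whatever marker senders would agree to
# put on signup confirmation mail. Its value identifies the list.
CONFIRM_HEADER = "X-Subscription-Confirmation"


class ConfirmationBreaker:
    """Per-mailbox breaker keyed on distinct lists seen in a sliding window."""

    def __init__(self, window=600, threshold=5):
        self.window = window              # seconds of history kept per recipient
        self.threshold = threshold        # distinct lists that trip the breaker
        self.recent = defaultdict(deque)  # recipient -> deque of (ts, list_id)
        self.open_until = {}              # recipient -> time the breaker resets

    def route(self, msg):
        """Return 'inbox' or 'junk' for one message dict (rcpt, ts, headers)."""
        list_id = msg["headers"].get(CONFIRM_HEADER)
        if list_id is None:
            return "inbox"                # not a confirmation: left alone
        rcpt, ts = msg["rcpt"], msg["ts"]
        q = self.recent[rcpt]
        q.append((ts, list_id))
        # Drop confirmations that have aged out of the window.
        while q and q[0][0] <= ts - self.window:
            q.popleft()
        # Many different lists confirming to one mailbox at once is the
        # flooding pattern; one list retrying is not.
        if len({lid for _, lid in q}) >= self.threshold:
            self.open_until[rcpt] = ts + self.window
        return "junk" if self.open_until.get(rcpt, 0) > ts else "inbox"


def constructed_messages():
    """Constructed sample traffic: a burst at one mailbox plus normal mail."""
    msgs = [{"rcpt": "victim@example.org", "ts": 10 * i,
             "headers": {CONFIRM_HEADER: f"list-{i}.example"}} for i in range(6)]
    # Ordinary mail to the flooded mailbox during the burst.
    msgs.append({"rcpt": "victim@example.org", "ts": 55,
                 "headers": {"Subject": "Wire transfer confirmation"}})
    # A single confirmation for an unrelated mailbox.
    msgs.append({"rcpt": "other@example.org", "ts": 56,
                 "headers": {CONFIRM_HEADER: "list-0.example"}})
    # A lone confirmation for the first mailbox after the burst has passed.
    msgs.append({"rcpt": "victim@example.org", "ts": 900,
                 "headers": {CONFIRM_HEADER: "list-9.example"}})
    return msgs


def run(msgs):
    breaker = ConfirmationBreaker()
    return [breaker.route(m) for m in msgs]


if __name__ == "__main__":
    for m, verdict in zip(constructed_messages(), run(constructed_messages())):
        print(m["ts"], m["rcpt"], verdict)
```

Only confirmations arriving during a burst are diverted; a single confirmation, and all non-confirmation mail, still reaches the inbox.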



Re: [mailop] signup form abuse

2016-05-24 Thread Vladimir Dubrovin via mailop

You definitely need anti-bot protection because currently you produce
bounce SPAM and may be used for targeted SPAM / DDoS, especially if you
reflect some user input (e.g. first name / last name). Currently, bots
of this kind do not bother to emulate user behavior, and checking that the
user has visited the form page before submitting the form in the same
session, with a reasonable interval between the two requests, is enough in
most cases to distinguish a real user from a bot without requiring CAPTCHA.
In the future you may be required to implement CAPTCHA or some other form
of stronger protection.

Most requests of this kind come from hosting networks. Because usually
you do not expect a real user's request from this kind of network, you can
blacklist hosting networks entirely. There is a risk of losing a small
fraction of users who use a VPS for proxy/VPN connections.

Vick Khera wrote:
> As an ESP, we host mailing list signup forms for many customers. Of
> late, it appears they have been getting pounded on with fraudulent
> signups for real addresses. Sometimes the people confirm by clicking
> the confirmation link in the message and we are left scratching our
> heads as to why they would do that. Mostly they get ignored and
> sometimes they come back as spam complaints.
>
> One opinion I got regarding this was that people were using bots to
> sign up to newsletter lists other bot-driven email addresses at gmail,
> yahoo, etc., to make those mailboxes look more real before they became
> "weaponized" for use in sending junk. That does not seem to be
> entirely what is happening here...
>
> Today we got a set of complaints for what appears to be a personal
> email address at a reasonably sized ISP. The complaint clearly
> identified the messages as a signup confirmation message and chastised
> us for not having the form protected by a CAPTCHA. Of course, they
> blocked some of our IPs for good measure :( They characterized it as a
> DDoS.
>
> What are the folks on this fine list doing about this kind of abuse?
> We do have ability to turn on CAPTCHA for our customers, but often
> they have nicely integrated the signup forms into their own web sites
> and making it work for those is pretty complicated. If I enabled
> CAPTCHA naively, the subscribers would have to click the submit form
> twice and then click the confirm on the email. The UX for that sucks,
> but such is the cost of allowing jerks on the internet...
>
> Rate limiting doesn't seem to be useful since the forms are being
> submitted at low rates and from a wide number of IP addresses.
>
> I look forward to hearing what others here are doing.
>
>


-- 
Vladimir Dubrovin
@Mail.Ru
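
A sketch of the check described in the message above (form page visited first, same session, reasonable interval before the submit), as an added example that is not part of the original thread or any participant's code. It assumes the signup service itself renders the form or hands out the hidden-field token; the function names, secret and timing limits are illustrative.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret per deployment
MIN_DWELL = 3      # assumption: seconds a person needs to fill in the form
MAX_AGE = 3600     # assumption: seconds before a rendered form goes stale


def _mac(session_id, ts):
    """Bind the render time to the session so a token cannot be moved."""
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Called when the form page is served; the value goes in a hidden field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"


def check_submission(session_id, token, used, now=None):
    """Return (accepted, reason). `used` is a set of tokens already spent."""
    now = time.time() if now is None else now
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
        supplied = mac.encode()
    except (AttributeError, ValueError):
        # Missing or malformed token: the POST did not come from a served form.
        return False, "no-form-visit"
    if not hmac.compare_digest(supplied, _mac(session_id, ts).encode()):
        # Forged token, or one lifted from a different session.
        return False, "bad-signature"
    dwell = now - issued
    if dwell < MIN_DWELL:
        return False, "too-fast"      # form fetched and posted back-to-back
    if dwell > MAX_AGE:
        return False, "expired"
    if token in used:
        return False, "replayed"      # one page view yields one signup
    used.add(token)
    return True, "ok"


if __name__ == "__main__":
    spent = set()
    tok = issue_token("sess-A", now=1000)
    print(check_submission("sess-A", tok, spent, now=1012))  # person
    print(check_submission("sess-A", tok, spent, now=1013))  # same token again
    print(check_submission("sess-B", None, spent, now=1013)) # direct POST
```

Rejected submissions need not be dropped outright; they are the natural point at which to raise the challenge level, for example by showing a CAPTCHA only to them.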


Re: [mailop] signup form abuse

2016-05-24 Thread Jay Hennigan

On 5/24/16 12:26 PM, Michael Wise wrote:


> We're still seeing cases where a malicious actor, typically in Eastern Europe, 
> will try and sign up a target email address for thousands of lists all at once, 
> flooding their mailbox with confirmation traffic, perhaps to hide some other 
> nefarious issues.


I wonder what the point is. How does the bad guy monetize it, or is it a 
coordinated attack against a specific victim? What other nefarious 
issues? Making the address useless or burying some other mail in the 
midst of the junk would seem to be a possibility.


If an attack against a specific victim, it would seem that unconfirmed 
marketing lists would be a more effective weapon than a bunch of random 
confirmation messages.


It kind of sounds like back in the college frat days of pranking someone 
by signing them up to Columbia Record Club and tons of bill-me-later 
magazine subscriptions, but that was usually aimed at a specific 
individual and watching the fallout was the fun part.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop
I suspect it's the hiding angle, but it's hard to tell.
It does seem to be someone offering a, "Service" out of Eastern Europe.
If the lists were unconfirmed, we'd block them; so the attack needs to use 
confirmed lists, and just bombard the target with what is, at least in theory, 
unblockable traffic.

I know it gave me serious pause when I first saw it, and I didn't have a solid 
answer for it, except to junk the confirmation emails.
If someone has a better idea how to keep mailing list software like MailMan from 
being co-opted into such an attack, I would LOVE to hear it.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Tuesday, May 24, 2016 2:17 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/24/16 12:26 PM, Michael Wise wrote:
>
> We're still seeing cases where a malicious actor, typically in Eastern 
> Europe, will try and sign up a target email address for thousands of lists 
> all at once, flooding their mailbox with confirmation traffic , perhaps to 
> hide some other nefarious issues.

I wonder what the point is. How does the bad guy monetize it, or is it a 
coordinated attack against a specific victim? What other nefarious issues? 
Making the address useless or burying some other mail in the midst of the junk 
would seem to be a possibility.

If an attack against a specific victim, it would seem that unconfirmed 
marketing lists would be a more effective weapon than a bunch of random 
confirmation messages.

It kind of sounds like back in the college frat days of pranking someone by 
signing them up to Columbia Record Club and tons of bill-me-later magazine 
subscriptions, but that was usually aimed at a specific individual and watching 
the fallout was the fun part.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



[mailop] Yahoo! issues for a while today?

2016-05-24 Thread Frank Bulk
We saw a few messages backed up with our email server logging these items:
Site yahoo.com (63.250.192.46) said in response to MAIL FROM (451
4.3.2 Internal error reading data)
Site yahoo.com (98.136.216.25) said after data sent: 451 Resources
temporarily not available - Please try again later [#4.16.5].
Site yahoo.com (98.138.112.37) said in response to MAIL FROM (451
4.3.2 Internal error reading data)
Site yahoo.com (66.196.118.35) said after data sent: 451 Resources
temporarily not available - Please try again later [#4.16.5].
Site yahoo.com (63.250.192.46) said in response to MAIL FROM (451
4.3.2 Internal error reading data)
Site yahoo.com (98.138.112.32) said after data sent: 451 Resources
temporarily not available - Please try again later [#4.16.5].

It started at 6:42 am (Central) and the last log was 5:03 pm (Central), but
it was most pronounced between 1 to 3 pm.

Anyone else see this?

Frank




Re: [mailop] Yahoo! issues for a while today?

2016-05-24 Thread Jim Popovitch
On Tue, May 24, 2016 at 6:21 PM, Frank Bulk  wrote:
> We saw a few messages backed up with our email server logging these items:
> Site yahoo.com (63.250.192.46) said in response to MAIL FROM (451
> 4.3.2 Internal error reading data)
> Site yahoo.com (98.136.216.25) said after data sent: 451 Resources
> temporarily not available - Please try again later [#4.16.5].
> Site yahoo.com (98.138.112.37) said in response to MAIL FROM (451
> 4.3.2 Internal error reading data)
> Site yahoo.com (66.196.118.35) said after data sent: 451 Resources
> temporarily not available - Please try again later [#4.16.5].
> Site yahoo.com (63.250.192.46) said in response to MAIL FROM (451
> 4.3.2 Internal error reading data)
> Site yahoo.com (98.138.112.32) said after data sent: 451 Resources
> temporarily not available - Please try again later [#4.16.5].
>
> It started at 6:42 am (Central) and the last log was 5:03 pm (Central), but
> it was most pronounced between 1 to 3 pm.
>
> Anyone else see this?


Yep, but they have all cleared

(Times are UTC)
May 24 12:12:08 svr5 postfix/smtp[10932]: 3A9D73DA43: host
mta7.am0.yahoodns.net[98.138.112.33] said: 451 4.3.2 Internal error
reading data (in reply to MAIL FROM command)
May 24 12:12:16 svr5 postfix/smtp[10927]: 56FD13DADF: host
mta5.am0.yahoodns.net[98.136.217.203] said: 451 4.3.2 Internal error
reading data (in reply to MAIL FROM command)
May 24 12:12:22 svr5 postfix/smtp[10934]: CD4123DB39: host
mx-apac.mail.gm0.yahoodns.net[106.10.166.52] said: 451 4.3.2 Internal
error reading data (in reply to MAIL FROM command)
May 24 16:56:19 svr5 postfix/smtp[30822]: 3C3DF3DA1B: host
mta5.am0.yahoodns.net[98.138.112.35] said: 451 4.3.2 Internal error
reading data (in reply to MAIL FROM command)
May 24 16:56:19 svr5 postfix/smtp[30820]: 9297D3DA01: host
mta5.am0.yahoodns.net[66.196.118.35] said: 451 4.3.2 Internal error
reading data (in reply to MAIL FROM command)
May 24 16:56:26 svr5 postfix/smtp[30820]: 66D133D981: host
mta7.am0.yahoodns.net[98.136.217.202] said: 451 4.3.2 Internal error
reading data (in reply to MAIL FROM command)
May 24 16:56:26 svr5 postfix/smtp[30825]: AD44E3DA03:
to=<***@yahoo.com>,
relay=mta6.am0.yahoodns.net[98.136.217.202]:25, delay=5.2,
delays=0.01/2.9/2.2/0.07, dsn=4.3.2, status=deferred (host
mta6.am0.yahoodns.net[98.136.217.202] said: 451 4.3.2 Internal error
reading data (in reply to MAIL FROM command))
May 24 16:56:35 svr5 postfix/smtp[30822]: 19F8B3DABA: host
mta7.am0.yahoodns.net[66.196.118.36] said: 451 4.3.2 Internal error
reading data (in reply to MAIL FROM command)
May 24 16:56:35 svr5 postfix/smtp[30822]: 19F8B3DABA:
to=<***@yahoo.com>, relay=mta5.am0.yahoodns.net[98.138.112.37]:25,
delay=3.8, delays=0.01/3.1/0.63/0.07, dsn=4.3.2, status=deferred (host
mta5.am0.yahoodns.net[98.138.112.37] said: 451 4.3.2 Internal error
reading data (in reply to MAIL FROM command))


-Jim P.



Re: [mailop] signup form abuse

2016-05-24 Thread Robert Mueller

> I wonder what the point is. How does the bad guy monetize it, or is it a 
> coordinated attack against a specific victim? What other nefarious 
> issues? Making the address useless or burying some other mail in the 
> midst of the junk would seem to be a possibility.
> 
> If an attack against a specific victim, it would seem that unconfirmed 
> marketing lists would be a more effective weapon than a bunch of random 
> confirmation messages.

We saw this happen a while back:

https://blog.fastmail.com/2014/04/10/when-two-factor-authentication-is-not-enough/

About a month ago, our hostmas...@fastmail.fm account suddenly wound up
subscribed to hundreds of mailing lists. All these mailing lists failed
to use double or confirmed opt-in, so someone was simply able to enter
the email address into a form and sign us up, no confirmation required.
This really is poor practice, but it's still pretty common out there. A
special shout-out goes to government and emergency response agencies in
the USA for their non-confirmation signup on mailing lists. Thanks guys.

The upshot was that the hostmaster address was receiving significant
noise. Rob Mueller (one of our directors) wasted (so we thought) a bunch
of his time removing us from those lists one by one, being very careful
to check that none of the 'opt-out' links were actually phishing
attempts. This turns out to have been time very well spent.

-- 
Rob Mueller
r...@fastmail.fm



Re: [mailop] signup form abuse

2016-05-24 Thread TR Shaw
You might want to check out e-hawk.net as Franck suggested. Or check out others 
in the area. 

> On May 24, 2016, at 9:53 PM, Robert Mueller  wrote:
> 
> 
>> I wonder what the point is. How does the bad guy monetize it, or is it a 
>> coordinated attack against a specific victim? What other nefarious 
>> issues? Making the address useless or burying some other mail in the 
>> midst of the junk would seem to be a possibility.
>> 
>> If an attack against a specific victim, it would seem that unconfirmed 
>> marketing lists would be a more effective weapon than a bunch of random 
>> confirmation messages.
> 
> We saw this happen a while back:
> 
> https://blog.fastmail.com/2014/04/10/when-two-factor-authentication-is-not-enough/
> 
> About a month ago, our hostmas...@fastmail.fm account suddenly wound up
> subscribed to hundreds of mailing lists. All these mailing lists failed
> to use double or confirmed opt-in, so someone was simply able to enter
> the email address into a form and sign us up, no confirmation required.
> This really is poor practice, but it's still pretty common out there. A
> special shout-out goes to government and emergency response agencies in
> the USA for their non-confirmation signup on mailing lists. Thanks guys.
> 
> The upshot was that the hostmaster address was receiving significant
> noise. Rob Mueller (one of our directors) wasted (so we thought) a bunch
> of his time removing us from those lists one by one, being very careful
> to check that none of the 'opt-out' links were actually phishing
> attempts. This turns out to have been time very well spent.
> 
> -- 
> Rob Mueller
> r...@fastmail.fm
> 


Re: [mailop] signup form abuse

2016-05-24 Thread Dave Warren

On 2016-05-24 15:17, Jay Hennigan wrote:

> On 5/24/16 12:26 PM, Michael Wise wrote:
>
>> We're still seeing cases where a malicious actor, typically in 
>> Eastern Europe, will try and sign up a target email address for 
>> thousands of lists all at once, flooding their mailbox with 
>> confirmation traffic, perhaps to hide some other nefarious issues.
>
> I wonder what the point is. How does the bad guy monetize it, or is it 
> a coordinated attack against a specific victim? What other nefarious 
> issues? Making the address useless or burying some other mail in the 
> midst of the junk would seem to be a possibility.
>
> If an attack against a specific victim, it would seem that unconfirmed 
> marketing lists would be a more effective weapon than a bunch of 
> random confirmation messages. 


I could see this type of attack being useful when the bad actor desires 
to suppress a legitimate message. For example, if I were to spoof a 
message from the finance director to a subordinate to send corporate 
financial information out to a third party, I might want to disrupt the 
finance director's email temporarily to ensure that the subordinate's 
attempt to confirm the request is not seen.


I might do so again after compromising the corporate bank account so 
that wire transfer confirmations are not seen and acted upon in a timely 
fashion.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren





Re: [mailop] signup form abuse

2016-05-24 Thread Dave Warren

On 2016-05-24 15:30, Michael Wise via mailop wrote:

> If someone has a better idea how to keep mailinglist software like MailMan from 
> being co-opted into such an attack, I would LOVE to hear it.


I think the obvious approach would be to move back to 
listname-subscr...@example.com requests, but require subscription 
requests to either have valid SPF, DKIM, or some matching of 
MX/rDNS/something to indicate it might be legitimate.


But of course this would require users to actually want to join lists 
enough to take action, and we can't have friction.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


