
Full Disclosure mailing list archives

Re: Google creates SPAM haven
From: Volker Tanger <vtlists () wyae de>
Date: Sun, 12 Feb 2006 20:22:10 +0100

Adam Laurie <adam.laurie () thebunker net> wrote:

J.A. Terranson wrote:
On Sat, 11 Feb 2006, Stan Bubrouski wrote:
confirmation, Google just blindly subscribes you when anyone
requests it, I'm assuming, since I didn't subscribe to any of the
hacker or porn groups I have to keep removing myself from.

Errr... this is precisely my point. I'm not using google. Someone else
is using google to spam me.

Allowing automatic subscription of 3rd party addresses to public
mailing lists goes against all best practice and sets a very dangerous
precedent, and they really should know better.

Well, non-verified mailing lists are prone to self-DoSing: if two or
more of these lists accidentally subscribe to each other, they'd create
an instant mailstorm, and the weakest server will give in first.

"In the early days" (when mailing lists often were implemented with
/etc/alias instead of software) this happened all too often. One mail
address bouncing caused the bounce to appear back on the mailing list
which caused the bounce's bounce to appear on the mailing list, which

Two or more (different) bounces caused a bounce avalanche - and with the
comparatively slow servers at that time (two-digit MHz - if you had a
big iron) a DoS was not too far off.

While bounce-handling of current software prevents BOUNCES from causing a
mail storm, automated repliers (Out-of-Office messages - especially
ill-configured or ill-designed ones) still cause grief for mailing list
admins. I've seen a "multi-language" OoO accidentally DoSing a mailing
list as that one sent out multiple messages for each mail coming in -
one OoO-Reply for each of the three languages. Wheeee - mailstorm!

If now mailing lists are accidentally cross-subscribed (which is not
possible with most current double-opt-in mailing list software) you have
the same problem.

And with Google's server- and bandwidth-power such a mailstorm probably
will be VERY bad, affecting quite a lot of the internet mail
infrastructure, unless the lists are very small.


So no lesson was learnt in the last 10 years?




Volker Tanger    http://www.wyae.de/volker.tanger/
vtlists () wyae de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
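The loop-breaking that modern list software does (and that the /etc/aliases era lacked), as an added example that is not part of the thread: a minimal redistribution filter that drops RFC 3834 auto-submitted mail such as Out-of-Office replies, honours the X-Loop stamp each relaying list adds, and caps hop counts, plus a constructed simulation of two cross-subscribed lists. List addresses, MAX_HOPS and the sample messages are assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

MAX_HOPS = 25              # assumption: more Received lines than this means a loop
BULK = ("bulk", "junk")    # Precedence values auto-responders commonly carry

def should_redistribute(msg, list_addr):
    """Decide whether list_addr may resend msg; returns (ok, reason)."""
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return False, "auto-submitted (RFC 3834), e.g. an out-of-office reply"
    if msg.get("Precedence", "").lower() in BULK:
        return False, "bulk/junk precedence"
    if list_addr.lower() in (v.strip().lower() for v in msg.get_all("X-Loop", [])):
        return False, "X-Loop shows this list already relayed the message"
    if len(msg.get_all("Received", [])) > MAX_HOPS:
        return False, "too many hops"
    return True, "ok"

def redistribute(msg, list_addr):
    """Return the copy a well-behaved list resends, stamped with loop headers."""
    out = message_from_string(msg.as_string(), policy=default)
    out["X-Loop"] = list_addr            # one X-Loop line per relaying list
    del out["Precedence"]
    out["Precedence"] = "list"
    out["Received"] = f"by {list_addr} (constructed hop)"
    return out

def simulate(lists, msg, checks=True, cap=100):
    """Pass msg between two cross-subscribed lists; count deliveries until stopped."""
    deliveries, target = 0, lists[0]
    while deliveries < cap:
        if checks and not should_redistribute(msg, target)[0]:
            break
        deliveries += 1
        msg = redistribute(msg, target)
        target = lists[1] if target == lists[0] else lists[0]
    return deliveries

def sample_post():
    m = EmailMessage()                   # constructed sample message
    m["From"] = "poster@example.com"
    m["To"] = "list-a@example.org"
    m["Subject"] = "test"
    m.set_content("hello")
    return m

def sample_ooo():
    m = sample_post()                    # constructed auto-reply
    m["Auto-Submitted"] = "auto-replied"
    return m
```

With checks enabled the cross-subscribed pair delivers the post twice (once per list) and then stops on X-Loop; without them the simulation only ends at the cap, which is the mailstorm the post describes.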
