D. J. Bernstein
Abuse of Internet e-mail
False subscription requests
Do you run a mailing list? Do you accept subscription requests for free?
An attacker can forge a subscription request from a victim,
Then God@heaven.af.mil will receive unwanted mail from your list.
If the attacker forges subscription requests to hundreds of
high-volume mailing lists,
God@heaven.af.mil will be flooded with mail.
Subscription cookie prediction
Some mailing list managers, notably majordomo 1.94,
they send a confirmation number
to the subscription address in response to each subscription request.
The subscriber has to send a reply containing the same confirmation number.
Unfortunately, majordomo 1.94's cookies are insecure.
The attacker's accomplice can subscribe to the mailing list,
receiving a cookie in return;
the attacker can then easily figure out the correct cookie for
(I gave the details of the system
as an extra-credit problem on an in-class cryptography midterm in March 1997;
several students, under time pressure, figured out how to break it.)
An attacker can subscribe one mailing list to another.
Cookies don't help,
since every subscriber to the target mailing list---including
the attacker's accomplice---receives a copy of the confirmation request.
An attacker can subscribe ten mailing lists to each other.
This will create a tsunami of mail,
destroying all the mailing lists.
Advanced loop prevention mechanisms such as Delivered-To don't help,
since a message can pass through ten mailing lists in millions of
different ways without looping.
(1) adding a Mailing-List field to every outgoing confirmation message,
(2) adding a Mailing-List field to every distributed message,
(3) refusing to distribute messages that already contain Mailing-List fields.
This provides a two-pronged defense to cross-subscription.
First, it isn't possible to cross-subscribe lists,
since the confirmation message will bounce from the target list.
Second, users aren't hurt even if lists are somehow cross-subscribed,
since a message distributed from one list will bounce from all the rest.
Sublists have to behave a bit differently.
Every mailing list has to set the envelope sender on outgoing messages;
a sublist checks that it is receiving a message from its
parent list's envelope sender.
Does your mailing list restrict messages distributed to the subscribers?
If you're using majordomo with sendmail,
you probably have an unfiltered ``outgoing'' alias.
An attacker can send mail directly to that alias,
bypassing your restrictions.
Do you have an address that replies to any incoming message?
An attacker can create a loop by forging a message to your
autoresponder from another autoresponder.
Does your SMTP server accept messages for any destination?
An attacker can feed you thousands of remote addresses
and let you do the work of sending a message to all of those addresses.
Legitimate mail delivery can be delayed for hours or even days.
Even if you don't allow relaying,
your server is required to send a bounce message
to the envelope sender address
if a delivery attempt fails permanently.
An attacker can feed you thousands of messages,
listing target names as the envelope sender addresses,
and let you do the work of sending bounces to those names.
Similar comments apply to autoresponders of all types.
False unsubscription requests
Have you subscribed to a mailing list?
An attacker who finds out your subscription address can
forge an unsubscription request and kick you off the list.
Perhaps the mailing list will send you a warning notice,
but an attacker can destroy that notice in a variety of ways.
Do you kick subscribers off your mailing list after several bounces?
An attacker can forge bounce messages.
Unsolicited commercial e-mail
Do you accept e-mail from strangers for free?
An attacker can send you e-mail that wastes your time.
For every message,
you're gambling that reading the message will be worthwhile;
unsolicited commercial e-mail takes advantage of your gamble.