D. J. Bernstein
Internet mail

Abuse of Internet e-mail

False subscription requests

Do you run a mailing list? Do you accept subscription requests for free? An attacker can forge a subscription request from a victim, say God@heaven.af.mil. Then God@heaven.af.mil will receive unwanted mail from your list. If the attacker forges subscription requests to hundreds of high-volume mailing lists, God@heaven.af.mil will be flooded with mail.

Subscription cookie prediction

Some mailing list managers, notably majordomo 1.94, support cookies: they send a confirmation number to the subscription address in response to each subscription request. The subscriber has to send a reply containing the same confirmation number.

Unfortunately, majordomo 1.94's cookies are insecure. The attacker's accomplice can subscribe to the mailing list, receiving a cookie in return; the attacker can then easily figure out the correct cookie for God@heaven.af.mil. (I gave the details of the system as an extra-credit problem on an in-class cryptography midterm in March 1997; several students, under time pressure, figured out how to break it.)

Cross-subscriptions

An attacker can subscribe one mailing list to another. Cookies don't help, since every subscriber to the target mailing list, including the attacker's accomplice, receives a copy of the confirmation request.

An attacker can subscribe ten mailing lists to each other. This will create a tsunami of mail, destroying all the mailing lists. Advanced loop prevention mechanisms such as Delivered-To don't help, since a message can pass through ten mailing lists in millions of different ways without looping.

I propose (1) adding a Mailing-List field to every outgoing confirmation message, (2) adding a Mailing-List field to every distributed message, and (3) refusing to distribute messages that already contain Mailing-List fields.

This provides a two-pronged defense to cross-subscription. First, it isn't possible to cross-subscribe lists, since the confirmation message will bounce from the target list. Second, users aren't hurt even if lists are somehow cross-subscribed, since a message distributed from one list will bounce from all the rest.

Sublists have to behave a bit differently. Every mailing list has to set the envelope sender on outgoing messages; a sublist checks that it is receiving a message from its parent list's envelope sender.
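
The three rules and the sublist exception, as an added simulation that is not code from this page or from any mailing list manager. The class, the owner- envelope sender naming, the addresses and the field's value are all constructed for the example; flood() counts how many copies reach human subscribers when lists are cross-subscribed, with and without the defense.

```python
from email.message import EmailMessage

class MailingList:
    def __init__(self, name, parent=None, defended=True):
        self.name = name                 # list address (constructed)
        self.sender = "owner-" + name    # envelope sender on outgoing mail (assumed naming)
        self.parent = parent             # set only for a sublist
        self.defended = defended
        self.subscribers = []

    def _tag(self, msg):
        # Rules (1) and (2): confirmations and distributed messages carry the field.
        if self.defended and msg["Mailing-List"] is None:
            msg["Mailing-List"] = "contact " + self.sender  # constructed value
        return msg

    def confirmation(self, address):
        msg = EmailMessage()
        msg["To"] = address
        msg["Subject"] = "confirm subscription to " + self.name
        return self._tag(msg)

    def accepts(self, envelope_sender, msg):
        # Rule (3): refuse mail that already has a Mailing-List field, unless this
        # is a sublist and the envelope sender is the parent list's.
        if not self.defended or msg["Mailing-List"] is None:
            return True
        return self.parent is not None and envelope_sender == self.parent.sender

    def distribute(self, envelope_sender, msg):
        if not self.accepts(envelope_sender, msg):
            return []                    # the message bounces instead of fanning out
        self._tag(msg)
        return [(self.sender, rcpt) for rcpt in self.subscribers]

def flood(n_lists, defended, max_hops=4):
    """Cross-subscribe n_lists lists to each other; count copies reaching humans."""
    names = [f"list{i}@example.org" for i in range(n_lists)]
    lists = {n: MailingList(n, defended=defended) for n in names}
    for i, n in enumerate(names):
        lists[n].subscribers = [f"user{i}@example.org"] + [o for o in names if o != n]
    msg = EmailMessage()
    queue, humans = [("poster@example.org", names[0], 0)], 0
    while queue:
        sender, rcpt, hops = queue.pop()
        if rcpt not in lists:
            humans += 1                  # delivered to a person
        elif hops <= max_hops:           # cap so the undefended case terminates
            queue += [(s, r, hops + 1) for s, r in lists[rcpt].distribute(sender, msg)]
    return humans
```

With three cross-subscribed lists and the hop cap of 4, the undefended run delivers 31 copies of one message; with the Mailing-List rules it delivers 1.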

Filter dodging

Does your mailing list restrict messages distributed to the subscribers? If you're using majordomo with sendmail, you probably have an unfiltered "outgoing" alias. An attacker can send mail directly to that alias, bypassing your restrictions.

Autoresponder loops

Do you have an address that replies to any incoming message? An attacker can create a loop by forging a message to your autoresponder from another autoresponder.

Unauthorized relaying

Does your SMTP server accept messages for any destination? An attacker can feed you thousands of remote addresses and let you do the work of sending a message to all of those addresses. Legitimate mail delivery can be delayed for hours or even days.

Unauthorized bouncing

Even if you don't allow relaying, your server is required to send a bounce message to the envelope sender address if a delivery attempt fails permanently. An attacker can feed you thousands of messages, listing target names as the envelope sender addresses, and let you do the work of sending bounces to those names. Similar comments apply to autoresponders of all types.

False unsubscription requests

Have you subscribed to a mailing list? An attacker who finds out your subscription address can forge an unsubscription request and kick you off the list. Perhaps the mailing list will send you a warning notice, but an attacker can destroy that notice in a variety of ways.

False bounces

Do you kick subscribers off your mailing list after several bounces? An attacker can forge bounce messages.

Unsolicited commercial e-mail

Do you accept e-mail from strangers for free? An attacker can send you e-mail that wastes your time. For every message, you're gambling that reading the message will be worthwhile; unsolicited commercial e-mail takes advantage of your gamble.