Re: Subscription bomb tracing - feature request.

From: Brian Mueller (bmuellerat_private)
Date: Wed Jan 05 2000 - 09:51:05 PST


    Most systems have some option to log the IP address and/or hostname of the
    attacker.  However, it has been my experience that when someone really wants
    to "attack" someone they will use one of the _very_ few email systems which
    still do not verify the user (i.e. no HELO and they accept anything you send
    them).  It wouldn't be too hard for an attacker to use one of these
    systems to make it seem that the request came from satan.hell.hot
    (666.666.666.666) or some-such.
    
    Also, I have a mailing list which I wrote in PHP3.  It logs the applicant's
    IP address and Hostname to the database when it receives a request, along
    with a randomly generated, unique 8 digit ID number.  When someone signs-up
    for the list a confirmation mail is sent to them.  At the bottom of this
    confirmation message is a short disclaimer/legal notice along with
    information on how to report abuse using the 8 digit number.  I personally
    want to centralize all abuse cases with myself.  The user reports abuse
    based on the 8 digit number and I look that up in the database to find out
    where the user was added from.  In this way I can do much more than just
    stop a single user, I can see if a set of IPs is attacking often - and ban
    them, etc.  I think this is the best setup because the burden shouldn't be
    placed on the user to find out who the abuser is.
    
    B
    
    ----- Original Message -----
    From: "Alan Brown" <alanat_private>
    To: <BUGTRAQat_private>
    Sent: Monday, January 03, 2000 9:15 PM
    Subject: Subscription bomb tracing - feature request.
    
    
    > There have been quite a few subscribe bombs tossed around recently.
    >
    > While it's nice to see that most mailing list admins use confirm
    > requests now, it would be a great help if the confirm requests contained
    > at least the headers of the original request, to aid victims in tracing
    > their attacker(s).
    >
    > One attack recently notified to ORBS attempted to sign the victim up to
    > 26,000 different lists via insecure email relays.
    >
    > The confirmation requests alone constituted a fairly substantial denial
    > of service attack, as did the huge number of bounces the victim got.
    >
    > I've only ever seen one mailing list which actually showed where the
    > signup request came from. Times are still changing and adding an audit
    > trail would make life easier all round.
    >
    > AB
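
The audit trail described in the reply above, as an added example that is not the poster's PHP3 code: a Python/SQLite sketch in which the table layout, function names and the abuse contact address are assumptions made for illustration. The logged address is whatever the list server saw as the request's origin.

```python
import secrets
import sqlite3

def open_audit_db(path=":memory:"):
    """Create the signup audit table (hypothetical schema)."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS signup_requests (
        ref_id TEXT PRIMARY KEY, email TEXT NOT NULL,
        src_ip TEXT NOT NULL, src_host TEXT,
        requested_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)""")
    return db

def record_request(db, email, src_ip, src_host):
    """Log where a signup request came from; return its unique 8-digit ID."""
    while True:
        ref_id = f"{secrets.randbelow(10**8):08d}"
        try:
            with db:
                db.execute("INSERT INTO signup_requests "
                           "(ref_id, email, src_ip, src_host) VALUES (?, ?, ?, ?)",
                           (ref_id, email, src_ip, src_host))
            return ref_id
        except sqlite3.IntegrityError:
            continue  # ID already in use: draw another one

def confirmation_body(list_name, ref_id, abuse_addr):
    """Confirmation text ending with the abuse notice and reference number."""
    return (f"Someone asked to subscribe this address to {list_name}.\n"
            "Reply to confirm; ignore this message to stay unsubscribed.\n\n"
            f"If you did not request this, report abuse to {abuse_addr}\n"
            f"and quote reference number {ref_id}.\n")

def lookup_source(db, ref_id):
    """Resolve a reported reference to (src_ip, src_host, email), or None."""
    return db.execute("SELECT src_ip, src_host, email FROM signup_requests "
                      "WHERE ref_id = ?", (ref_id,)).fetchone()

def repeat_sources(db, reported_refs, threshold=2):
    """Source IPs behind at least `threshold` of the reported references."""
    if not reported_refs:
        return []
    marks = ",".join("?" * len(reported_refs))
    return db.execute(
        f"SELECT src_ip, COUNT(*) FROM signup_requests WHERE ref_id IN ({marks}) "
        "GROUP BY src_ip HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC",
        (*reported_refs, threshold)).fetchall()
```
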
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:43 PDT