New type of spammer. Help? - brad's life — LiveJournal
Brad Fitzpatrick

[ website | bradfitz.com ]
New type of spammer. Help? [Jul. 1st, 2006|11:27 am]
Brad Fitzpatrick

A spammer (bot?) just hit all of Danga's mailing lists.

So what, you say?

They're members-only mailing lists. You can't post to them unless you go through this ridiculous process of verifying your email address. So it joined them all first (GNU Mailman), and then spammed them all. :-(

Any solution I can think of sucks:

-- ban this email from each list. 7 identical operations. Until the next email address.
-- ban the spammer's domain from my mail server. (shit, what's the postfix config again? Hate mail) Until the domain name changes.
-- make the mailing list fully moderated. I'm not responsible/available enough for that. Kills community/discussion too.


Page 1 of 2
From: newscane
2006-07-01 06:42 pm (UTC)
What about setting user mod bits on, then manually turning it off for the users you know are legit? That way, when a new address joins the list, it will be moderated. When the user sends its first email, you'll know, and if it's legit, you approve it, and turn off the mod bit. If someone else decides to join all seven lists and spam them, you'll still get the 7 mod notification emails, but it won't go out to the list.
(Reply) (Thread)
From: scosol
2006-07-03 06:40 am (UTC)
yeah- that's what yahoo groups does- the first few messages from any new sign-up are moderated, then they automatically go to open-post once their first few posts get approved-
(Reply) (Parent) (Thread)
From: dakus
2006-07-01 06:45 pm (UTC)
Ban anyone that joins X number of lists in a short period of time?
(Reply) (Thread)
From: mart
2006-07-01 07:15 pm (UTC)

There are only six lists in total, so there's not much wriggle-room there.

(Reply) (Parent) (Thread) (Expand)
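A defender-side sketch of dakus's "joins X lists in a short period" idea, as an added example (not Mailman code and not from any commenter): it parses constructed log lines loosely modelled on Mailman's subscribe log (the line format is an assumption; adapt `parse_line` to the real one) and flags an address that joins several distinct lists within a short window, so those subscriptions can be held for moderation rather than banned outright.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (list names and addresses are made up): one address
# joins five of six lists in under four minutes, one joins a single list, and
# one joins two lists a day apart, which should not be flagged.
SUBSCRIBE_LOG = """\
Jul 01 11:20:03 2006 (4101) announce: new spamsrc@example.net, via web
Jul 01 11:20:41 2006 (4102) dev: new spamsrc@example.net, via web
Jul 01 11:21:17 2006 (4103) users: new spamsrc@example.net, via web
Jul 01 11:22:05 2006 (4104) bugs: new spamsrc@example.net, via web
Jul 01 11:23:30 2006 (4105) commits: new spamsrc@example.net, via web
Jul 01 12:02:11 2006 (4120) dev: new alice@example.org, via web
Jun 30 09:00:00 2006 (3980) users: new bob@example.com, via web
Jul 01 09:30:00 2006 (4050) dev: new bob@example.com, via web
"""

# Assumed line shape: "<Mon DD HH:MM:SS YYYY> (<pid>) <list>: new <addr>, via <how>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) "
    r"(?P<list>[\w.-]+): new (?P<addr>\S+), via \w+$"
)

def parse_line(line):
    """Return (timestamp, list name, lower-cased address), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y")
    return ts, m.group("list"), m.group("addr").lower()

def burst_subscribers(log_text, min_lists=3, window=timedelta(minutes=10)):
    """Map each address that joined >= min_lists distinct lists inside `window`
    to the sorted names of the lists in its largest such burst."""
    events = defaultdict(list)              # addr -> [(timestamp, list), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, lst, addr = parsed
            events[addr].append((ts, lst))
    flagged = {}
    for addr, evs in events.items():
        evs.sort()
        start = 0                           # sliding window over this address's joins
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            lists = {lst for _, lst in evs[start:end + 1]}
            if len(lists) >= min_lists and len(lists) > len(flagged.get(addr, ())):
                flagged[addr] = sorted(lists)
    return flagged
```

With only six lists in play, a threshold of three distinct lists inside ten minutes is already a strong signal, while slow joiners like bob stay unflagged.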
From: antihope
2006-07-01 06:47 pm (UTC)
Can you have an email approval process? So it isn't fully automated, and you don't end up with alke347234sa2@blah.net joining and spamming?
(Reply) (Thread)
From: wetzel
2006-07-01 06:50 pm (UTC)
mailman doesn't have a captcha for registering, does it?
(Reply) (Thread)
From: jwz
2006-07-01 06:53 pm (UTC)
Use myspace or evite instead of mailing lists?
(Reply) (Thread)
From: brad
2006-07-01 06:59 pm (UTC)
Go away, troll.
(Reply) (Parent) (Thread) (Expand)
From: ydna
2006-07-01 06:54 pm (UTC)
I've started setting the moderation bit on new subscribers. Mailman has a setting to do this automatically. When a new subscriber's first post hits the moderation board, there's an option to clear the subscriber's moderation bit when approving the posting.

No, it doesn't scale well.
(Reply) (Thread)
From: brad
2006-07-01 07:13 pm (UTC)
I can't for the life of me find that setting.

What page and what's it called? Or what version of Mailman?
(Reply) (Parent) (Thread) (Expand)
From: meowpurrr
2006-07-01 06:59 pm (UTC)
I was wondering the other day when this would start happening. I've been seeing spammers actually register on phpbb that have captcha turned on, too.
(Reply) (Thread)
From: ydna
2006-07-01 07:29 pm (UTC)
The new one for me is getting spam with technical sounding subjects as though it may have come from some mailing list. For example: "kernel buffer maximum" or "algorithm data access". Still generic, but close enough to make me pause. They're even showing up with similar chaff in the payload so now I don't want to dump them in the "learning" bin for fear Spamassassin will start generating more false positives.
(Reply) (Parent) (Thread)
From: (Anonymous)
2006-07-01 07:19 pm (UTC)
nominate moderators. Require moderator validation before accepting folks on the list. If humans are not willing to wait up to 24 hours for a response, you probably don't want them on the list.

(Reply) (Thread)
From: jgrafton
2006-07-01 08:50 pm (UTC)
how do you know if a new join is valid? it's fully possible that spammers could use legitimate-looking email addresses only to spam it upon approval.
(Reply) (Parent) (Thread)
From: boggyb
2006-07-01 08:05 pm (UTC)
If it's a bot, you could defeat it by banning its email (which you'll need to do anyway to stop it reusing the current address), and then change how the verification works. Chances are it's verifying by sending a reply to the email, so a solution would be to switch it so you go to a particular address to verify, and then change how that address is displayed in the email (add false links pointing elsewhere, change the parameters in the link, don't use http:// and force the user to actually type the address in). Unfortunately you run the risk that lusers will get it wrong when using the list, but that may be acceptable depending on what sort of luser-to-user ratio you want.
(Reply) (Thread)
From: mart
2006-07-01 10:57 pm (UTC)

That sounds like the start of an arms race that's just going to lead to more and more drastic measures over time…

(Reply) (Parent) (Thread)
From: perpetualmotion
2006-07-01 09:34 pm (UTC)

Track down spammer, apply moderate to high electrical current to testicles ? That always works for me, keeps my spam levels fairly low...

Crazy off topic: I just rescued one of these puppies yesterday, do you know anyone who would be interested ? Locally, that is... That hulking behemoth of heft is 90 pounds.
(Reply) (Thread)
From: ext_5755
2006-07-01 09:54 pm (UTC)

Domains are cheap!

Domains are SO cheap these days. You can easily buy a .com domain for under $3. To me, that makes the banning of a domain a useless strategy. Sure, it will work for a while, but switching domains is not a problem for a spammer.
(Reply) (Thread)
From: vxjasonxv
2006-07-01 09:59 pm (UTC)
Put Bad Behavior on every single one of your web serving locations.
(Before you ask. NO, it is not just an {insert CMS here} protection system. It can be used for ANYTHING website related.)

Using bad behavior will kill the bots before they can even hit the web site to POST to the form, or gather the e-mail address they need to talk to to subscribe.

Have any questions?
Feel free to talk to the author, he's a hell of a smart guy.
I could field *some* questions. But only from a user perspective.
(Reply) (Thread)
From: edm
2006-07-01 10:12 pm (UTC)

Spammers subscribing...

This seems to be becoming a common trend. One of my ISP customers has been battling a spammer that's been signing up for webmail accounts (with stolen credit card numbers it seems) and then using those for spamming. And others on the NZNOG list said they'd had similar experiences. I guess anything that is sufficiently widely deployed to make scripting its interface worthwhile. (And while captchas help, there's the "chinese television" algorithm to fix those.)

I suspect as others have suggested the best option is to moderate everyone until they've proved themselves good by posting acceptable post(s). Regular posters get a bit set that allows them to post without manual approval, but everyone else gets their posts held. This is approximately equivalent to what LiveJournal does with comments.
(And it sounds like Mailman now has support for that feature.)

The other possibility is some sort of "self moderation" system. A few Usenet newsgroups have a moderation system where the first post you make is rejected with a message about what the group is about and an invitation to send it again if it's on topic. Once you've done that you then get to post directly. Since most spamming is "drive by" this will probably help for a while (amazing greylisting still "works" -- although the abuse of webmail systems, etc, seems to be to steal redelivery attempts).

(Reply) (Thread)
From: ghewgill
2006-07-01 10:36 pm (UTC)

Re: Spammers subscribing...

At least one mailing list I'm on got spammed by a spammer posting using the list owner's email address. He turned on more protection for his own postings, but the spammer could easily have used any other legitimate subscriber's address.

It is not known whether the spammer used randomly chosen To and From addresses and happened to get lucky. That's going to happen sometimes, though.
(Reply) (Parent) (Thread)
From: crschmidt
2006-07-01 11:02 pm (UTC)
Not just danga's lists -- I got the same email from two other (unrelated) lists I'm signed up to as well. Sucks.
(Reply) (Thread)
From: heydusty
2006-07-02 08:57 pm (UTC)
Same here. Gmail's magical threading collapsed 30 spams from the trac, openid, rails and textmate mailing lists into one thread. First time I'd seen something like that as far as mailing lists go.
(Reply) (Parent) (Thread)
From: evan
2006-07-02 12:21 am (UTC)
Do you think a human did all the subscribing? It seems doubtful to me, and instead that they've just written enough code to jump through the mailman signup hoops. In that case, a brainless mailman captcha ought to be sufficient (like "enter the domain name of the list you're subscribing to"; just something complicated enough that they can't brute force the text field by entering in every substring of the label on the box or whatever).
(Reply) (Thread)
From: brad
2006-07-02 06:17 am (UTC)
No, I'm quite sure it was a bot. I was trying to point out how sad it is that bots can now join Mailman lists easier than humans. :-/
(Reply) (Parent) (Thread) (Expand)