This is the mail archive of the
mailing list for the GCC project.
Observation on the recent junk mail flood
- From: Paul Koning <pkoning at equallogic dot com>
- To: gcc at gcc dot gnu dot org
- Date: Thu, 21 Aug 2003 09:24:28 -0400
- Subject: Observation on the recent junk mail flood
- References: <88256D89.00143C04.email@example.com>
It looks like the problem is that some e-terrorist has sent forged
"subscribe" messages to the various lists. And those messages have
been accepted because the listserver requires a reply to its "do you
really want to subscribe" message but does NOT require any particular
So if you forge a subscribe from an address served by a mail robot
that autoreplies with a form letter to any incoming mail, such a
subscribe will succeed.
I'd say the listserver subscribe machinery needs to be strengthened.
At the risk of making it slightly more annoying for legitimate
subscribers, a good solution might be to require the confirming
response to contain the unique ID that was sent in the "please
confirm" message. That would require a cut & paste, but would likely
foil the "subscribe a robot" attack in nearly all cases. In other
words, make "just reply to this message to confirm" not work anymore.
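
The confirmation check proposed in this message, shown beside the weak one it describes, as an added example that is not part of the original post and is not the list server's own code. The HMAC-derived ID, the `pending` store, the rule that quoted lines do not count, and all function names and addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-server secret, never sent in mail

def make_token(address, list_name, nonce):
    """Unique ID bound to one subscribe request (address, list, nonce)."""
    msg = f"{list_name}|{address.lower()}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]

def request_subscription(pending, address, list_name):
    """Record a pending request; return the ID to put in the "please confirm" mail."""
    nonce = secrets.token_hex(8)
    pending[address.lower()] = {"list": list_name, "nonce": nonce}
    return make_token(address, list_name, nonce)

def weak_confirm(pending, reply_from, reply_body):
    """Behaviour the message describes: any reply from the address confirms."""
    return reply_from.lower() in pending

def strict_confirm(pending, reply_from, reply_body):
    """Proposed behaviour: the reply itself must contain the unique ID."""
    entry = pending.get(reply_from.lower())
    if entry is None:
        return False
    expected = make_token(reply_from, entry["list"], entry["nonce"]).encode()
    # Assumption: quoted lines (">") do not count, so a robot that echoes the
    # original mail under its form letter still fails.
    words = [w for line in reply_body.splitlines()
             if not line.lstrip().startswith(">") for w in line.split()]
    return any(hmac.compare_digest(w.encode(), expected) for w in words)

if __name__ == "__main__":
    pending = {}
    token = request_subscription(pending, "robot@example.com", "gcc")  # constructed
    form_letter = "Thanks for your mail, we will reply soon.\n> confirm " + token
    print("weak check, form letter:  ", weak_confirm(pending, "robot@example.com", form_letter))
    print("strict check, form letter:", strict_confirm(pending, "robot@example.com", form_letter))
    print("strict check, pasted ID:  ", strict_confirm(pending, "robot@example.com", "confirm " + token))
```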