This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Observation on the recent junk mail flood


It looks like the problem is that some e-terrorist has sent forged
"subscribe" messages to the various lists.  And those messages have
been accepted because the listserver requires a reply to its "do you
really want to subscribe" message but does NOT require any particular
content. 

So if you forge a subscribe from an address served by a mail robot
that autoreplies with a form letter to any incoming mail, such a
subscribe will succeed.

I'd say the listserver subscribe machinery needs to be strengthened.
At the risk of making it slightly more annoying for legitimate
subscribers, a good solution might be to require the confirming
response to contain the unique ID that was sent in the "please
confirm" message.  That would require a cut & paste, but would likely
foil the "subscribe a robot" attack in nearly all cases.  In other
words, make "just reply to this message to confirm" not work anymore.

       paul
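
The check proposed in the message above, sketched as an added example (not part of the original post and not the listserver's own code). It assumes the unique ID is an HMAC over the list name and address; the secret, function names and sample mails are constructed, and ignoring ">"-quoted lines and the Subject header is a design choice made here so that a plain reply does not confirm.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"  # assumption: secret known only to the listserver


def make_token(address, list_name):
    """Unique ID for one (list, address) pair, sent in the "please confirm" mail."""
    data = f"{list_name}\0{address.lower()}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:20]


def confirms(raw_reply, list_name):
    """True only if the sender's ID stands alone on an unquoted body line."""
    msg = message_from_string(raw_reply)
    address = parseaddr(msg.get("From", ""))[1]
    if not address or msg.is_multipart():  # simplification: plain-text replies only
        return False
    expected = make_token(address, list_name).encode()
    for line in msg.get_payload().splitlines():
        if line.lstrip().startswith(">"):  # quoted copy of our own mail: not typed
            continue
        if hmac.compare_digest(line.strip().encode(), expected):
            return True
    return False  # Subject and other headers are never searched


def sample_reply(sender, subject, body):
    """Build a constructed RFC 5322 message for the demonstration."""
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"


# Constructed inputs: a form-letter robot, a robot that quotes, and a person.
TOKEN = make_token("robot@example.org", "gcc")
ROBOT = sample_reply("robot@example.org", f"Re: confirm {TOKEN}",
                     "Thank you for your mail. We will respond shortly.")
QUOTING_ROBOT = sample_reply("robot@example.org", "Re: confirm",
                             f"Your message was received.\n> confirm id:\n> {TOKEN}")
HUMAN = sample_reply("Ann <ann@example.org>", "Re: confirm",
                     f"{make_token('ann@example.org', 'gcc')}\n\n> please confirm")

if __name__ == "__main__":
    for name, raw in (("robot", ROBOT), ("quoting robot", QUOTING_ROBOT), ("human", HUMAN)):
        print(name, confirms(raw, "gcc"))
```

Because the ID is bound to the address, an ID issued to one subscriber does not confirm a request made under a different From address.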

