[TOOLS-DEVELOPMENT] Mailman subscribe attacks - a new twist

Glen <glen@amsl.com> Thu, 17 September 2015 14:22 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tools-development/P9mDSeRrvgUAD_tFzYqgDbOkUpM>

Greetings again:

Loa is reporting that on his list he is now getting subscribe attacks for
email-to-SMS gateway addresses.  He reports that he's received about 20 of
the following types of subscribe requests in the last day:

2524063603@mms.att.net

Obviously, flooding cell phones with junk mail is much more invasive than
random GMail addresses.  Since this attack targets a US-based carrier, I
have applied the same divert-to-secretariat behavior to addresses
containing the four primary US cellular carrier domains:

txt.att.net
mms.att.net
vtext.com
tmomail.net
sprintpcs.com

I did a check, and we have exactly zero users on any of our lists in any of
these domains.  (Which makes sense, most IETF list messages are far too
long to deal with over SMS.)  I therefore expect that this additional step
will have no impact on the community.

As an aside, an interesting, if incomplete, resource for gateway addresses
is here:  http://www.emailtextmessages.com/

I obviously do not intend to apply diversion to all of the domains in their
list, but I include it just for interest.

As always, any questions, let me know!

Glen
Glen Barney
IT Director
AMS (IETF Secretariat)
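
The following is an added example, not part of the original message and not the Secretariat's actual Mailman configuration. It sketches the two checks described above: flagging subscribe requests whose address falls in one of the listed gateway domains, and auditing an existing roster for members in those domains. The function names, the label-boundary matching rule and the sample addresses are assumptions made for illustration.

```python
from email.utils import parseaddr

# Gateway domains listed in the message above.
SMS_GATEWAY_DOMAINS = frozenset({
    "txt.att.net", "mms.att.net", "vtext.com", "tmomail.net", "sprintpcs.com",
})

def gateway_domain(address):
    """Return the listed gateway domain an address belongs to, or None."""
    _, addr = parseaddr(address)          # tolerate "Name <user@host>" forms
    local, sep, domain = addr.rpartition("@")
    if not sep or not local:
        return None                       # not a usable address
    domain = domain.strip().rstrip(".").lower()
    for gw in SMS_GATEWAY_DOMAINS:
        # Assumption: match on a label boundary (the domain itself or a
        # subdomain), so a lookalike such as "notvtext.com" is not flagged.
        if domain == gw or domain.endswith("." + gw):
            return gw
    return None

def triage(requests):
    """Split subscribe requests into (normal, diverted_for_review) lists."""
    normal, diverted = [], []
    for addr in requests:
        (diverted if gateway_domain(addr) else normal).append(addr)
    return normal, diverted

def audit_roster(members):
    """Count existing members per gateway domain before enabling diversion."""
    hits = {}
    for member in members:
        gw = gateway_domain(member)
        if gw:
            hits[gw] = hits.get(gw, 0) + 1
    return hits

if __name__ == "__main__":
    # Constructed sample data (555-01xx numbers are reserved for fiction).
    pending = [
        "5555550100@MMS.ATT.NET",
        "Pager <5555550101@vtext.com>",
        "alice@example.org",
        "bob@notvtext.com",
    ]
    normal, diverted = triage(pending)
    print("deliver normally:", normal)
    print("divert for manual review:", diverted)
    print("roster hits:", audit_roster(["alice@example.org", "carol@example.net"]))
```

An empty result from `audit_roster` corresponds to the "exactly zero users" check in the message: diverting these domains would not affect any current subscriber.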