[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: spamcop

On Wednesday, September 27, 2006 10:58 AM -0500, Michael Marsh wrote:

> On 9/27/06, Kamaraju Kusumanchi <kamaraju@bluebottle.com> wrote:
> > If murphy is sending spamtraps, it deserves to be listed. period.
>
> Um, murphy sends confirmation email to any address registered
> through the web interface.  Even if you changed this to
> email-to-subscribe without a web option, addresses can be spoofed.
> This isn't about spam coming from murphy, it's about a denial of
> service attack against it.
>
> I suppose another option is to have the confirmations handled by a
> different host, though this still allows an attacker to DoS the
> confirmation server through spamcop, so that people using spamcop
> can no longer subscribe nor unsubscribe.

I agree with Michael: tricking a server that responsibly sends out
confirmation messages into sending one to a spamtrap is about denial of
service.  I also agree with Kumaraju that sending mail to spamtraps
should get anyone listed.  If your server is not otherwise a spam
source, and the DoS continues, you should expect to get the server
whitelisted.  However, it is your responsibility, and not the DNSBL
maintainer, to make sure this happens.

It's a rather nasty form of DoS, as it uses an organization that tries
to fight network abuse to cause problems for the FLOSS community.  Worst
of all, the Debian listmasters have swallowed the bait.  That's why it
is important, whether people like SpamCop or not, to arrange to get
murphy whitelisted.  Complaining that SpamCop is cluelessly administered
won't convince many to stop using SpamCop, yet will convince some that
the Debian community has an attitude problem.  Either way, the people
perpetrating the DoS win, though it turns out differently if we
cooperate with SpamCop.

--
Seth Goodman
Reply to: