Re: Nearly-spam mail causes unsubscription threat
On Sun, Aug 11, 2024 at 06:49:26PM +0200, Thomas Schmitt wrote:
> Andy Smith wrote:
> > What you have interpreted as "a threat" was simply a procedural
> > warning that if your address continues to be undeliverable then you
> > will be automatically unsubscribed.
>
> It is a threat
You are assigning human motivations to an automated process.
> because debian-user is the only mailing list where i ever
> witnessed that a troll exploited the unsubscription habits to
> throw out multiple users.
I was here when those events occurred and that is not what happened.
It was just a bug in Debian's list software combined with a
badly-behaving subscriber system. Some subscriber was bouncing mails
back to the actual list address. The Debian list software was
(correctly) detecting them as bounce messages and (correctly)
avoiding sending these on to the list, but it was incorrectly
parsing out the subscriber it thought they were coming from. The
result was that it was accumulating bounce score for whoever sent
the mail that was being bounced, not the system bouncing the email.
I explained this in the thread you linked to:
https://lists.debian.org/debian-user/2021/10/msg00524.html
This was not some "troll campaign" to get people unsubscribed. There
was no malicious action intended, it was just interaction of broken
software. I don't know if it was fixed on the Debian side by
tightening up the bounce handling or just locating the broken
subscriber.
I want to also stress that those events of 2021 also bear very
little relation to what you have just experienced, as the former
case was about the mishandling of actual bounce emails sent by a
third party whereas this one now is the correct handling of a
directly rejected SMTP conversation by your mail provider.
> So i want to prepare for possible real problems by first asking how many
> mail providers differ slightly from the list servers assessment and
> reaction.
It is an overreaction because this case is not like the other case;
as soon as the next mail is delivered to you correctly the bounce
score resets, so it is quite hard to get unsubscribed for rejecting
spam.
> > we can assume it will be rare that GMX and Debian will disagree over
> > spam score
>
> I refrain from developing a proof-of-concept how to exploit the current
> behavior. But i am quite sure it is possible to do so.
When you are starting from a misunderstanding of how it actually
works it seems unlikely but if I had to hazard a guess I'd say
probably not much has been fixed for the case from 2021 and it might
be possible to cause some small degree of havoc by bouncing mails
directly back to debian-user@lists.debian.org as that misbehaving
system did in 2021.
This event you have experienced now though is run of the mill
ordinary and I don't think has much scope for maliciousness as you
have to be a party to the SMTP conversation to do it, i.e. you can
only really do it to yourself by rejecting the SMTP conversation.
To do it to others you'd have to craft an email that is sufficiently
spammy that it *causes* subscribers to reject it but not spammy
enough that Debian rejects it. You won't be able to guess which
subscribers will reject it. And their scores will be reset the
moment there is another successful mail.
So in the grand scheme of things it doesn't seem like a very efficient
form of attack.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
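The two mechanisms Andy describes above, bounce scores that reset on the next successful delivery and the 2021 mis-attribution of bounces to the author of the bounced mail, can be made concrete with a small simulation. This is an added example and not Debian's list software or anything from this thread; the point-per-bounce scoring, the fixed threshold of 3, the reset-on-delivery rule and the VERP-style `list-bounces+local=domain@lists.example` bounce address that encodes the subscriber are all assumptions of the model.

```python
"""Simplified model of a mailing list's bounce scoring (added example, not
Debian's list software).  Assumptions: one point per bounce, score reset to
zero by the next successful delivery, automatic unsubscription at a fixed
threshold, and VERP-style bounce addresses that encode the subscriber."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical VERP-style bounce address, e.g.
#   list-bounces+carol=example.net@lists.example  ->  carol@example.net
VERP_RE = re.compile(
    r"^list-bounces\+(?P<local>[^=@]+)=(?P<domain>[^@]+)@lists\.example$"
)


@dataclass
class BounceTracker:
    threshold: int = 3
    scores: dict = field(default_factory=dict)
    unsubscribed: set = field(default_factory=set)

    def record_bounce(self, subscriber: Optional[str]) -> None:
        # An unattributable bounce (None) must not be scored against anyone.
        if subscriber is None or subscriber in self.unsubscribed:
            return
        self.scores[subscriber] = self.scores.get(subscriber, 0) + 1
        if self.scores[subscriber] >= self.threshold:
            self.unsubscribed.add(subscriber)

    def record_delivery(self, subscriber: str) -> None:
        # A successful delivery clears whatever score had accumulated.
        self.scores[subscriber] = 0

    def score(self, subscriber: str) -> int:
        return self.scores.get(subscriber, 0)


def attribute_by_return_path(bounce: dict) -> Optional[str]:
    """Correct handling: the subscriber is whoever the bounce address encodes.
    A bounce that arrives at the plain posting address cannot be attributed."""
    m = VERP_RE.match(bounce["to"])
    return f"{m['local']}@{m['domain']}" if m else None


def attribute_by_original_sender(bounce: dict) -> str:
    """The 2021-style defect: blame the author of the mail that was bounced,
    not the system that bounced it."""
    return bounce["original_from"]


def simulate(attribute: Callable[[dict], Optional[str]], events: list) -> BounceTracker:
    """Replay ('bounce', message) / ('deliver', subscriber) events."""
    tracker = BounceTracker()
    for kind, payload in events:
        if kind == "bounce":
            tracker.record_bounce(attribute(payload))
        else:
            tracker.record_delivery(payload)
    return tracker


def run_scenario() -> dict:
    # Constructed sample data.  A broken subscriber system bounces three
    # postings by alice straight back to the list's posting address.
    broken_system_bounces = [
        ("bounce", {"to": "list@lists.example", "original_from": "alice@example.org"})
        for _ in range(3)
    ]
    # carol's provider rejects one spammy posting at SMTP time, so the list's
    # MTA records a bounce on her own VERP address; the next posting gets through.
    carol_events = [
        ("bounce", {"to": "list-bounces+carol=example.net@lists.example",
                    "original_from": "spammer@example.com"}),
    ]
    misattributed = simulate(attribute_by_original_sender, broken_system_bounces)
    correct = simulate(attribute_by_return_path, broken_system_bounces)
    carol_rejected = simulate(attribute_by_return_path, carol_events)
    carol_recovered = simulate(
        attribute_by_return_path, carol_events + [("deliver", "carol@example.net")]
    )
    return {
        "misattributed_unsubscribed": sorted(misattributed.unsubscribed),
        "correct_unsubscribed": sorted(correct.unsubscribed),
        "carol_after_reject": carol_rejected.score("carol@example.net"),
        "carol_after_delivery": carol_recovered.score("carol@example.net"),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With the mis-attribution, the three bounces from the broken system push alice, who merely posted to the list, over the threshold, while the system actually bouncing mail is never scored. With attribution from the bounce address, those bounces cannot be tied to any subscriber and are ignored, and carol's single rejection leaves her one point short of anything until the next delivered message wipes it out.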