From: "Aaron Cake" <aaron@xxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Is predictable spam filtering a vulnerability?
Date: Thu, 17 Jun 2004 10:18:46 -0400
MIME-Version: 1.0
Received: from outgoing2.securityfocus.com ([205.206.231.26]) by
mc8-f2.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Fri, 18 Jun 2004
14:43:23 -0700
Received: from lists2.securityfocus.com (lists2.securityfocus.com
[205.206.231.20])by outgoing2.securityfocus.com (Postfix) with QMQPid
78FB1143812; Fri, 18 Jun 2004 18:26:43 -0600 (MDT)
Received: (qmail 4774 invoked from network); 17 Jun 2004 08:06:11 -0000
X-Message-Info: JGTYoYF78jEQIQmJRqn4zIchqtVGhE2/
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Message-ID: <009601c45476$00737fe0$650aa8c0@aaronxp>
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2739.300
In-reply-to: <200406161326.AA304546076@xxxxxxxxxxx>
Return-Path: bugtraq-return-14825-andiroohunter=msn.com@xxxxxxxxxxxxxxxxx
X-OriginalArrivalTime: 18 Jun 2004 21:43:23.0227 (UTC)
FILETIME=[478332B0:01C4557D]
> During a recent email conversation with several participants, we
> discovered that the email service of one participant silently
> dropped legitimate emails that happened to contain certain
> combinations of words common in spam. I believe this sort of
> filter is common practice, and in fact even in place for some of
> my own email addresses.
>
> However, this experience made me think: isn't predictable spam
> filtering in general a vulnerability that could be used as a hoax
> device?
Certainly. I have brought this issue up with several other ISPs who insist
on blocking my personal domain because I'm a "little guy". They can't prove
that I don't spam, so they default to blocking everything that comes from
me
instead. AOL is the biggest and perhaps most annoying offender.
I personally see this as a denial of service attack against MYSELF.
Obviously not meant to be malicious in nature, but quite effective
regardless.
Imagine if I decided to use a spam fitler against someone else...I make an
email that contains known rejected words. I send that email, setting the
"FROM" address and header to be that of my victim. If I send out hundreds
of
these messages, I can use someone else's spam filter to mail-bomb my victim
with "rejected" messages.
The REAL issue is that any email filter that silently drops messages can
easily mistake legitimate mail for spam. The user never knows, sometimes
the
sender doesn't know, and the braindead admins who set up the filter think
they've done their job. What is even more useless is when the message is
bounced with instructions on how to get off their block list. You send an
email to their admin, yet it is bounced!
Spam filters are often worse then the spam problem itself.
---
Aaron Cake
Technical Services
Advanced Computer Ideas
Phone: 1-519-433-0279
Fax: 1-519-433-5413