Patrick May <pjm@spe.com> writes:
I run a small mailing list that has been subject to problems similar to the recent spate of "unscrives". Apparently there is a list of mailing lists circulating the warez boards along with scripts for spoofing subscription requests. ...
Crypto relevance: This attack will be eliminated when more mail agents support public key crypto and the mailing list software can be modified to check signatures on subscription requests.
Eric Thomas's LISTSERV has had a feature for 4 or 5 years that prevents spoofed subscription requests. The list owner can configure the mailing list so that whenever a subscription request is received, LISTSERV e-mails the apparent sender and asks to e-mail it 'OK nnnn', where 'nnnn' is a pseudo-random string uniquely identifying this request. If the confirmation isn't received within 48 hours, LISTSERV ignores the command. Similar confirmations can be requested for other commands, like unsubcribe. Works like a charm without any public key crypto or digital signatures. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps