[Novalug] IMPORTANT: the "novalug" list is moving
Rich Kulawiec
rsk@gsp.org
Fri Aug 1 12:24:48 EDT 2014
Okay, I said I'd follow up after coffee, but then there was...well,
alright, it turned out to be a very long day. And then a useful example
landed in my inbox this morning, so I decided to run with this bit
of serendipity. This is long -- again -- but I'm trying to explain
a complex set of concepts, so please bear with me. Or just read the
summary and get back to work. ;)
Summary:
--------
There is no point, in 2014, in trying to keep spammers from acquiring
any email address that you actually use for general purposes like mailing
lists or routine correspondence. (There *used* to be some point in this.
That ended circa 2002.)
I really do mean "no point". Not "some point". Not "maybe a little
point". None. 0.0000.
And:
Public mailing lists *are public*.
Which reads like a tautology and arguably is, but seems to be getting
lost in the shuffle. Read on for the explanation.
Explanation:
------------
Let me show y'all a timely example of why these things are true.
(And keep in mind that I have *thousands* of examples like this,
so this isn't an isolated case. It's the norm.)
This spam from the account of someone on the UMBC Linux Users' mailing
list showed up this morning. I've heavily redacted this specimen in order
to avoid tripping your filters and in order to avoid naming the person
whose account got compromised, because I'm sure he's already having
a moderately bad day.
> From: Fred Flintstone <fred.flintstone@example.com>
> To: "umbclinux" <blah@lists.umbc.edu>, "person1" <blah@ssa.gov>,
> "person2" <blah@gmail.com>, "person3" <blah@yahoo.com>,
> "person4" <blah@umbc.edu>, "sympa" <blah@lists.umbc.edu>,
> "listproc" <blah@listproc.umbc.edu>,
> "majordomo" <blah@lists.umbc.edu>, "rsk" <rsk@gsp.org>
> Subject: from Fred Flintstone
>
> Hi! http://spammer link here
Now let's talk about the implications of this.
First, I know that Fred's email account at example.com has been
compromised. I know this because I've examined the headers of
the message and yes, it really did come from Fred's account and yes,
it really did come from example.com. I don't know whether Fred's
computer has been compromised, or whether it will be subsequently...
but there's a pretty good chance that has happened or will happen,
because I'm looking at evidence that Fred already has security issues.
Second, I know that the entity which compromised it has access to
both his address book (to which entries *may* be auto-added, depending
on implementation and settings) and to his stored-on-server email.
[ How do I know that? Because the attacker got my address from
Fred's account via one of those two, NOT from the UMBC LUG list.
How do I know *that*? Because I've never sent any traffic to it --
but I have to Fred, off-list. ]
How much stored-on-server email does Fred have? I don't know. If he uses
POP or IMAP to pull it down, or if he deletes messages, maybe not much.
But if example.com offers 10G of free space and he never deletes anything,
then it might be tens of thousands of messages.
I'm betting on the latter, because I know about example.com and how most
people use it.
Third, given that Fred is on the UMBC Linux Users' List, it's highly likely
that every message sent via that list since Fred joined it is stored
in his example.com email account. (Those messages certainly have
*traversed* his example.com email account.) Thus the attacker, most
likely, has or had access to *all of it*.
And if the attacker hadn't made themselves obvious, they could probably
have continued to collect more indefinitely.
And they did all that without going anywhere near the archives of the list.
This means that any protection afforded by the UMBC Linux Users' mailing
list mechanism itself is completely irrelevant. That is, if the list
tries to hide the archives or obfuscate addresses or even doesn't have
any archives: *it doesn't matter.*
Fourth, I know that Fred's compromised email account is being actively
used to send spam. Therefore either the attacker is a spammer or the
attacker is selling usable account credentials to spammers. Or both.
For analytical purposes, it makes little difference.
Fifth: now for the punch line.
There are hundreds of millions of people just like Fred. And *many*
more email accounts like Fred's. (Why "many"? Because if an attacker has
botted a computer, then they have access to ALL email accounts that
are accessed via that computer. How many email accounts do *you* have?)
You [generic you] could be Fred tomorrow.
There are so many Freds that you can't avoid sending mail to them,
because you don't know and can't know the security state of everyone
you correspond with. Moreover, those states can change at any moment
without notice, so knowing them all today (which is of course impossible)
would tell you *nothing* about them tomorrow. Moreover, you don't know
and can't know the security state of everything that handles the various
Freds' email en route to them. (Does their email provider use one of
those overpriced junk pieces of crap from Barracuda? You know, the
ones that are featured on full-disclosure with regularity?) And when
you send traffic to a mailing list, you don't even know WHICH Freds
you're sending to -- unless of course you're the list operator *and*
you individually identify every single subscriber. And finally,
you have zero control over who those Freds forward your messages to.
Or where *they* archive it.
So good luck trying to gain control over all of that.
There is thus no point, in 2014, in trying to keep spammers from acquiring
any email address that you actually use for general purposes like mailing
lists or routine correspondence. Nor is there any point in trying to keep
them from seeing any/all traffic that traverses public mailing lists.
And I do mean "no point". Nobody should spend even 5 seconds worrying
about it, because there is nothing that you can do that will actually
work in the long term at Internet scale.
[ Believe me, I know. I've been running carefully controlled
experiments on this for over a decade. One of those uses
fabricated email addresses which have never sent any traffic
but are individually planted, once per address, in the headers
of messages sent to various destinations. Thus the subsequent
arrival of any traffic of ANY kind at one of those addresses
proves that the message has fallen into the hands of an attacker.
It doesn't tell me who or how or where or when: only that
it has happened and what the initial disclosure vector was.
The results have been most instructive. ]
[ BTW: this is not the only set of experiments I've run or
am currently running. This is not my first day on the job. ]
So. What does this mean for mailing lists like novalug?
It means that to even think for a moment that a mailing list of any size
(that is, more than a handful of members) affords ANY security or privacy
protections at all is absurd.
If novalug had 7 people on it, all of whom ran their own mail servers,
all of whom used reasonably-secure operating systems, all of whom
followed best practices in security, all of whom were individually vetted
for membership, etc...then *maybe*. Maybe *temporarily*.
But *this* novalug? With over 400 people? Not a chance in hell:
the probability that 0 of the 443 people currently on novalug have
been compromised is very, very small. It's vastly more likely that
several of those people are compromised and have been for some time.
Or that their email accounts are compromised. Or that their email host
has been compromised. Or that they're not people at all, but faux
addresses which feed into harvesters.
Oh, and by the way, and this perhaps is an even bigger punch line:
Novalug doesn't have, and hasn't had, for at least 4+ years, these
"protections" anyway. Really. Go look. For example, to pick a
message at random:
http://calypso.tux.org/pipermail/novalug/2010-December/026901.html
The whole archive is publicly available. And yes, addresses are
"obfuscated", but as I've already explained, that's a farce.
(Unless you want to advance the argument that attackers capable of
building and controlling worldwide networks of bots are for some
inexplicable reason unable to write the rudimentary Perl or Python
or awk or sed or whatever to undo that obfuscation.)
So it's just a little too late to worry about this now. And it's
not worth worrying about anyway, because, like I said waaaay above:
Public mailing lists *are public*.
And ALL mailing lists over size X, where X is probably "a few dozen
members", are *effectively* public, sooner or later, whether you want
them to be or not. You can't fix that no matter what you do because,
unfortunately, the contemporary security environment won't let you.
This is all old news. Everything I just said has been true for over
a decade. And I'm well aware of the folklore, mythology and wishful
thinking that says otherwise, which is part of the reason I've spent so
much time explaining this. I am, as you might have guessed by this point,
rather well-versed in spammer capabilities, strategies, and tactics.
(Which is sort of like being an expert in raw sewage, but hey, someone
has to do it.)
So the bottom line is that there is zero, zip, nada, zilch reason to
lift a finger to hide/obfuscate/whatever the archives of novalug (or
NANOG or any IETF list or any Debian list or W3C list or Apache list or
FreeBSD list or any other public mailing list). It achieves NOTHING.
It stopped being useful, even marginally useful, even on a good day with
the wind blowing in the right direction, over a decade ago.
So what can you do? Well, for one thing, you can use decent anti-spam
defenses in your perimeter routers, firewalls, mail servers, and MTAs.
(That's a much longer conversation. Which is why I'm writing a book.)
For another thing, if you just want to listen in on a mailing list,
come up with a one-off email address, subscribe it, and never send
any traffic from it. (This is not a guarantee, by the way: I've run
experiments with this too and have observed leaks, which indicate
that there's a security problem on the list hosts.)
But that's about it. Sorry. I didn't create the contemporary security
environment, I'm just reporting it.
So. My recommendation/suggestion/intention/whatever is that I just put
the darn archive up and we all stop fretting about it. Whichever spammers
want it already grabbed the whole thing a long time ago. And whichever
come along and want it later, will get it whenever it pleases them to
do so -- and none of us, no matter what we do, are going to be able to
stop that. (We'll be lucky if we even *detect* it.)
---rsk
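The post says the author examined the headers and could tell the spam really left Fred's account via example.com rather than being forged. The following script, an added example and not the author's code, shows what that determination looks like when automated: it walks the Received: chain back to the first hop, checks for an authenticated submission (the RFC 3848 ESMTPA/ESMTPSA protocol tag or an "Authenticated sender" annotation), confirms the submitting server belongs to the From: domain, and reads the SPF/DKIM verdicts from Authentication-Results. Both raw messages, their hostnames, IDs and IP addresses are constructed specimens; mx.gsp.example is an assumed name for the receiving MX.

```python
"""Walk a message's Received chain and authentication results to decide
whether a suspicious mail was really submitted through the From: domain
(compromised account) or merely spoofed.

Added example, not the author's code.  The two raw messages below are
constructed specimens; hostnames, queue IDs and IPs are made up.
"""
import email
import re
from email import policy

# Constructed: a message that really was submitted through the sender's
# own provider over an authenticated session (ESMTPSA), as in the post.
RAW_COMPROMISED = b"""Received: from mail.example.com (mail.example.com [198.51.100.25])
\tby mx.gsp.example (Postfix) with ESMTPS id 4F2C1
\tfor <rsk@gsp.org>; Fri, 1 Aug 2014 08:03:11 -0400 (EDT)
Received: from [10.0.0.7] (unknown [203.0.113.9])
\t(Authenticated sender: fred.flintstone)
\tby mail.example.com (Postfix) with ESMTPSA id 7A11B;
\tFri, 1 Aug 2014 07:59:02 -0400 (EDT)
Authentication-Results: mx.gsp.example; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Fred Flintstone <fred.flintstone@example.com>
To: rsk <rsk@gsp.org>
Subject: from Fred Flintstone

Hi! http://spammer-link-redacted
"""

# Constructed: same From: header, but injected directly by an unrelated host.
RAW_SPOOFED = b"""Received: from bot-host.example.net (unknown [203.0.113.77])
\tby mx.gsp.example (Postfix) with ESMTP id 91AB2
\tfor <rsk@gsp.org>; Fri, 1 Aug 2014 08:10:00 -0400 (EDT)
Authentication-Results: mx.gsp.example; spf=fail smtp.mailfrom=example.com; dkim=none
From: Fred Flintstone <fred.flintstone@example.com>
To: rsk <rsk@gsp.org>
Subject: from Fred Flintstone

Hi! http://spammer-link-redacted
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<client>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)")
AUTH_SENDER_RE = re.compile(r"Authenticated sender:\s*([^\s)]+)")


def parse_received(value: str):
    """Pull client, receiving host, protocol and any 'Authenticated sender'
    annotation out of one Received: header (already unfolded by the parser)."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    am = AUTH_SENDER_RE.search(value)
    hop["auth_sender"] = am.group(1) if am else None
    return hop


def origin_assessment(raw: bytes) -> dict:
    """Classify a message as 'left the real account' or 'forged From:'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = [h for h in (parse_received(str(v))
                        for v in msg.get_all("Received", [])) if h]
    if not hops:
        return {"account_compromise_likely": False, "reason": "no Received headers"}
    origin = hops[-1]                  # headers are prepended: last one = first hop
    from_addr = msg["From"].addresses[0].addr_spec
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    auth = str(msg.get("Authentication-Results", ""))
    spf_pass = re.search(r"\bspf=pass\b", auth) is not None
    dkim_pass = re.search(r"\bdkim=pass\b.*?header\.d=" + re.escape(from_domain),
                          auth) is not None
    # RFC 3848: an 'A' suffix (ESMTPA/ESMTPSA) marks an authenticated submission
    authenticated = (origin["auth_sender"] is not None
                     or origin["proto"].upper().endswith("A"))
    via_sender_domain = origin["by"].lower().endswith(from_domain)
    return {
        "from_address": from_addr,
        "origin_client": origin["client"],
        "origin_by": origin["by"],
        "authenticated_submission": authenticated,
        "submitted_via_sender_domain": via_sender_domain,
        "spf_pass": spf_pass,
        "dkim_pass": dkim_pass,
        # All four together: the mail left the real account, not a forger's host.
        "account_compromise_likely": authenticated and via_sender_domain
                                     and spf_pass and dkim_pass,
    }


if __name__ == "__main__":
    for label, raw in (("compromised", RAW_COMPROMISED), ("spoofed", RAW_SPOOFED)):
        print(label, origin_assessment(raw))
```

The distinction matters for response: a forged From: is the recipient's filtering problem, whereas an authenticated submission through the provider means the account itself (and, as the post argues, everything stored in it) is in an attacker's hands.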
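The bracketed aside about planting never-used addresses in outgoing headers, and the later advice to subscribe a one-off address that never sends traffic, describe the same detection technique: an address that has never originated mail cannot legitimately appear in anyone's address book, so any traffic to it proves the message carrying it leaked. This added example (not the author's code or experiment) implements the bookkeeping side: it derives one unguessable address per destination with an HMAC, records which destination each was disclosed to, and scans Postfix-style log lines for any RCPT to a planted address. The domain canary.example, the secret and the log lines are constructed.

```python
"""Canary ("never-sent-from") address ledger.

Added example, not the author's code: it mimics the experiment described in
the post by deriving a unique address per planted destination and then
scanning delivery logs for any traffic to one of them.  The domain
canary.example, the secret and the log lines are all constructed.
"""
import hashlib
import hmac
import re

CANARY_DOMAIN = "canary.example"          # hypothetical domain we control
LEDGER_SECRET = b"constructed-secret"     # one leaked canary must not reveal the others


def canary_address(destination: str, planted_on: str) -> str:
    """One address per (destination, date); HMAC-derived so it is unguessable."""
    tag = hmac.new(LEDGER_SECRET, f"{destination}|{planted_on}".encode(),
                   hashlib.sha256).hexdigest()[:12]
    return f"c-{tag}@{CANARY_DOMAIN}"


class CanaryLedger:
    """Records which destination each planted address was disclosed to."""

    def __init__(self):
        self._by_addr = {}

    def plant(self, destination: str, planted_on: str) -> str:
        addr = canary_address(destination, planted_on)
        self._by_addr[addr] = (destination, planted_on)
        return addr

    def lookup(self, addr: str):
        return self._by_addr.get(addr.lower())


# Postfix-style 'to=<rcpt>' field; any RCPT to a canary counts, delivered or rejected.
RCPT_RE = re.compile(r"\bto=<([^>]+)>")


def check_log(ledger: CanaryLedger, log_lines):
    """Return (canary, leaked destination, planted date, log line) for each hit.
    The canary never sent mail, so no legitimate sender can hold the address:
    a single hit proves the message it was planted in reached an attacker.
    It says nothing about who, how or when, only which disclosure vector."""
    hits = []
    for line in log_lines:
        for rcpt in RCPT_RE.findall(line):
            info = ledger.lookup(rcpt)
            if info:
                hits.append((rcpt.lower(), info[0], info[1], line))
    return hits


def demo():
    """Constructed scenario: two canaries, one of which later receives spam."""
    ledger = CanaryLedger()
    ledger.plant("umbc-lug-list", "2014-03-01")
    fred_canary = ledger.plant("fred.flintstone@example.com", "2014-05-12")
    logs = [
        # constructed log lines in Postfix smtpd format
        "Aug  1 09:12:01 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from "
        f"unknown[203.0.113.9]: 554 5.7.1 spam; from=<x@example.net> to=<{fred_canary}> proto=ESMTP",
        "Aug  1 09:13:44 mx postfix/smtpd[124]: ... from=<a@example.org> to=<rsk@gsp.org> proto=ESMTP",
    ]
    return check_log(ledger, logs)


if __name__ == "__main__":
    for canary, leaked_from, planted, line in demo():
        print(f"{canary} (planted {planted} in mail to {leaked_from}) has leaked")
```

The HMAC derivation is the one design choice worth noting: sequential or guessable canaries would let whoever obtained one enumerate the rest and learn which correspondents were being watched, which defeats the experiment.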