[lug] OT: Openlist, the mailing list blackhole service

Kirk Rafferty kirk at fpcc.net
Mon Jan 14 15:55:35 MST 2002 

On Mon, Jan 07, 2002 at 08:02:01AM -0600, Peter Hutnick wrote:
> Matt Clauson wrote:
> 
> > http://webdragon.dotorg.org/~mec/index.php?wl_mode=more&wl_eid=11
> > 
> > You might want to read this -- the Openlist people seem to be so dense 
> > it's funny.  They have their hearts in the right place, but they don't 
> > seem to grasp how their system can be abused.
> 
> 
> After reading the above link, it would seem that the easy answer is to 
> configure your MTA to blackhole all mail TO the robot, and ask them to 
> retest.

Apologies for posting a reply so late, I've been slow to read my LUG mail
lately.

The problem with your solution (configuring your MTA to blackhole the bot)
is that Openlists refuses to tell you which list they seeded, and also
refuses to disclose the email address of the bot.  In our case, it turned
out that it wasn't a list we were hosting (I know, because I spent hours
trying to figure out what list was being run open), but a dialup customer
who was running his own list (he wasn't spamming).  And even if you could
figure out the bot address, there's a good chance that they have anticipated
this and will use seed addresses from a different domain.

The process goes like this: You (Hostmaster) get an email from Openlists
saying that they have found a non-confirming mailing list, and that you are
about to be blackholed, unless you take immediate steps to close all of your
non-confirming mailing lists.

Because they refuse to tell you which list is being run open (to quote
the Openlists admin, "if one list is open, they're all open" and "we're
not interested in playing whack-a-list"), it gets very tricky.  Furthermore,
they do not unsubscribe the bot.  Closing the list is not sufficient, you
are essentially required to re-confirm every subscriber, because if the
bot receives 2 or more emails after you've confirmed that your lists are
closed, you are permenantly listed.  By permenantly, I mean that they will
not remove you ever.

Fortunately, I believe that no sysadmin in his right mind would use the
Openlists RBL, and that it will eventually die an unnoticed death.

By the way, for anybody thinking that creating an RBL for open mailing lists
is a good idea, think again.  Robots don't know the difference between an
email address and a list address.  Unless you're willing to manage every
submission by hand, it's not practical.

-k

More information about the LUG mailing list