LISTSERV at Work
LISTSERV Tech Tip

Q: Why did spam get through to my list without editor confirmation?

In rare cases, list owners will complain that spam messages were delivered to their lists, and the editors and moderators of the lists will insist that no one confirmed these messages. So what could be going on? Have spammers found a way around the LISTSERV confirmation and approval process?

In a word, no. In more than 30 years, the confirmation process has never failed to work correctly. Any apparent failures have all been traced back to the human component of inadvertently or incorrectly approving a message for posting. To delve further into this, we need to learn how to use the LISTSERV log files to track who approved the messages, see if there are any surprises involved and assess what can be done to mitigate the problem.

Tracking Message Approval in LISTSERV Log Files

When an unwanted or unexpected message is posted to a moderated list, the first question is usually who approved the list posting. A quick way to tell, if you have received a copy of the message, is to expose the (normally hidden) extended email header lines. Moderated messages will contain an "Approved-By" header line:

Received: by TRAINING.LSOFT.COM (LISTSERV-TCP/IP release 16.0) with spool id 17359 for TEST@TRAINING.LSOFT.COM; Fri, 2 Jun 2017 14:41:21 -0400
Approved-By: bparker@LSOFT.COM
Received: from hermes.colo.lsoft.us (HERMES.COLO.LSOFT.US [209.119.5.19]) by LISTSERV.BESTEFFORT.COM (SMTPL release 1.1d) for TEST@TRAINING.LSOFT.COM with TCP; Fri, 2 Jun 2017 14:40:40 -0400

But more often, the list owner or editor will contact the local LISTSERV administrator to find out who approved the posting and how it happened. To investigate this, the site administrator needs to access the LISTSERV logs on the server. The first step is to look in the LISTSERV-20170602.LOG file (the log named for the date on which the offending message was posted to the list). By looking for the list name and the time of the posting, you can get close in the log:

2 Jun 2017 14:41:21 Processing file 17359 from MAILER@TRAINING.LSOFT.COM
2 Jun 2017 14:41:21 Processing mail from bparker@LSOFT.COM for TEST
2 Jun 2017 14:41:21 Rebuilding HTML page for TEST...
2 Jun 2017 14:41:21 Web index for TEST is out of synch - rebuilding...
2 Jun 2017 14:41:21 Distributing mail ("TEST") from owner-test@TRAINING.LSOFT.COM...
2 Jun 2017 14:41:21 Mail posted via SMTP to tom@EXAMPLE.COM.
2 Jun 2017 14:41:21 Mail posted via SMTP to john@EXAMPLE.COM.
2 Jun 2017 14:41:21 Mail posted via SMTP to dave@EXAMPLE.COM.
2 Jun 2017 14:41:21 Mail posted via SMTP to mike@EXAMPLE.COM.
2 Jun 2017 14:41:21 Mail posted via SMTP to steve@EXAMPLE.COM.
2 Jun 2017 14:41:21 Mail posted via SMTP to bparker@POP.LSOFT.COM.
2 Jun 2017 14:41:21 Done - 1 outbound file (6 rcpts).
2 Jun 2017 14:41:21 Message DISTRIBUTEd to 6 recipients.

Now look at the two lines immediately before the line with "Processing file 17359..." to see if they look like this:

2 Jun 2017 14:41:21 From [ANONYMOUS]: X-LOGCK PF1FE609743BED3EE64 AUTHINFO(71.205.238.63) ORGINFO(71.205.238.63) WM: OK 7A20B227
2 Jun 2017 14:41:21 To [ANONYMOUS]: Message successfully approved.

Note especially the phrase "Message successfully approved" and the phrase "OK 7A20B227". The 8-digit cookie code is randomly generated and will be different in every case, but the OK with some 8-digit cookie code will be consistent. These two phrases indicate that the message just posted to the selected list name was approved by the editor or moderator of the list. If you do not see these phrases in the preceding two lines, then look exactly 10 minutes earlier in the log for two lines like this:

2 Jun 2017 14:31:21 Processing file 17359 from MAILER@TRAINING.LSOFT.COM
-> New subscriber, will process in 10 minutes.

Note that the "Processing file 17359" will be exactly the same file number as the "Processing file 17359" from the point where the message was posted to the list. If you see this, then look closely at the preceding two lines and you will see lines indicating editor or moderator approval:

2 Jun 2017 14:31:21 From [ANONYMOUS]: X-LOGCK PF1FE609743BED3EE64 AUTHINFO(71.205.238.63) ORGINFO(71.205.238.63) WM: OK 7A20B227
2 Jun 2017 14:31:21 To [ANONYMOUS]: Message successfully approved.

Note that LISTSERV has logged the IP address of the approver: ORGINFO(71.205.238.63). This will become significant in the next section. Meanwhile, by knowing the 8-digit approval cookie code (7A20B227), you can search backwards (earlier) in the log file to find where the message originally came in to LISTSERV and was then forwarded to editors or moderators for approval:

2 Jun 2017 14:10:21 Processing file 17325 from MAILER@TRAINING.LSOFT.COM
2 Jun 2017 14:10:21 Requesting confirmation, cookie=993F5525, ID=358BF0
2 Jun 2017 14:10:21 Sent information mail to rick@YAHOO.COM
2 Jun 2017 14:10:21 Requesting confirmation, cookie=7A20B227, ID=358BF0
2 Jun 2017 14:10:21 Sent information mail to jack@COMCAST.NET
2 Jun 2017 14:10:21 Requesting confirmation, cookie=A77DD565, ID=358BF0
2 Jun 2017 14:10:21 Sent information mail to tim@GMAIL.COM
2 Jun 2017 14:10:21 Sent information mail to bparker@LSOFT.COM

Note that this list has three moderators and the request-for-approval was sent to all three moderators at the same time. Each moderator gets a different approval cookie code (so LISTSERV will know which moderator approved the message), but the Message ID (ID=358BF0) is the same for all of them. Whoever approves the message first will allow that message to be posted to the list.

As noted above, the moderator of our example message was ORGINFO(71.205.238.63). A reverse lookup shows that this IP belongs to COMCAST.NET. Indeed, this person does use Comcast as their Internet service provider, so this correctly identifies that the person did, in fact, approve the message.

Challenges with Content Inspection

Let's take a look at another scenario where spam messages made it through to a moderated list. Examining the LISTSERV log file showed something interesting:

9 May 2017 20:14:31 From [ANONYMOUS]: X-LOGCK - ORGINFO(70.42.131.106) WM: OK 993F5525
9 May 2017 20:14:31 To [ANONYMOUS]: Message successfully approved.
9 May 2017 21:15:37 From [ANONYMOUS]: X-LOGCK - ORGINFO(74.217.90.250) WM: OK 6353946A
9 May 2017 21:15:37 To [ANONYMOUS]: Message successfully approved.
9 May 2017 21:18:13 From [ANONYMOUS]: X-LOGCK - ORGINFO(74.217.90.250) WM: OK 530434DF
9 May 2017 21:18:13 To [ANONYMOUS]: Message successfully approved.
8 May 2017 23:42:45 From [ANONYMOUS]: X-LOGCK - ORGINFO(70.42.131.106) WM: OK 3049D2E1
8 May 2017 23:42:45 To [ANONYMOUS]: Message successfully approved.
8 May 2017 23:53:13 From [ANONYMOUS]: X-LOGCK - ORGINFO(70.42.131.106) WM: OK A77DD565
8 May 2017 23:53:13 To [ANONYMOUS]: Message successfully approved.

Note that the same few IP addresses are associated with approvals by widely divergent moderators. In fact, this is the signature of a LISTSERV instance located behind a firewall, where all web traffic (including the clickable links sent out to approve a LISTSERV message) is tested by the firewall as part of its content inspection feature known as Credential Phishing Prevention. Specifically, the firewall attempts to "follow" the URL to examine whether it might be a malicious site of some kind intended to harvest login information or other personally identifying data.

Unfortunately, with LISTSERV URLs, this is equivalent to a click action on the URL, thus effectively approving the message without human intervention. This practice of blindly following links is likely to have other unintended consequences, so we would strongly recommend that the administrator responsible for this firewall consider disabling this feature of the device.

These IP addresses are used by Palo Alto Networks, Inc., the makers of a family of firewall appliances. In fact, you should note both full IP ranges 70.42.131.0/24 and 74.217.90.0/24. These ranges may not be exhaustive of all IP ranges used by Palo Alto Networks. They are just the ones we see most often.

Recently, we have also seen the following from another source:

18 May 2017 09:13:11 From [ANONYMOUS]: X-LOGCK - ORGINFO(207.46.13.194) WM: OK C1255EFF
18 May 2017 09:13:11 To [ANONYMOUS]: Message successfully approved.

A PTR lookup of this IP address shows:

194.13.46.207.in-addr.arpa. host = msnbot-207-46-13-194.search.msn.com.

So it seems that MSN/Microsoft may also be "inspecting" URLs in a similar manner, resulting in an approval without human action.
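The log-reading procedure above (find the "OK" cookie on the approval line, then search back to the "Requesting confirmation" line that issued it to see which moderator it was mailed to) and the IP-range check from the content-inspection scenario can be automated. The following Python script is an added example, not part of this article or of L-Soft's software. It runs over constructed sample log lines modelled on the excerpts above, pairs each cookie with the moderator it was sent to, and flags approvals whose ORGINFO address falls inside the two ranges the article names. It assumes the log layout shown in the excerpts, in particular that the "Sent information mail to" line immediately following a "Requesting confirmation" line names that cookie's recipient; a differently formatted log would need the regular expressions adjusted.

```python
import ipaddress
import re

# Address ranges the article identifies as belonging to a URL-inspecting
# firewall vendor; an approval whose ORGINFO falls inside them is suspect.
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("70.42.131.0/24", "74.217.90.0/24")]

# Constructed sample log, modelled on the excerpts in the article (not a real log).
# The last approval uses tim's cookie but comes from a scanner address.
SAMPLE_LOG = """\
2 Jun 2017 14:10:21 Processing file 17325 from MAILER@TRAINING.LSOFT.COM
2 Jun 2017 14:10:21 Requesting confirmation, cookie=993F5525, ID=358BF0
2 Jun 2017 14:10:21 Sent information mail to rick@YAHOO.COM
2 Jun 2017 14:10:21 Requesting confirmation, cookie=7A20B227, ID=358BF0
2 Jun 2017 14:10:21 Sent information mail to jack@COMCAST.NET
2 Jun 2017 14:10:21 Requesting confirmation, cookie=A77DD565, ID=358BF0
2 Jun 2017 14:10:21 Sent information mail to tim@GMAIL.COM
2 Jun 2017 14:10:21 Sent information mail to bparker@LSOFT.COM
2 Jun 2017 14:31:21 From [ANONYMOUS]: X-LOGCK PF1FE609743BED3EE64 AUTHINFO(71.205.238.63) ORGINFO(71.205.238.63) WM: OK 7A20B227
2 Jun 2017 14:31:21 To [ANONYMOUS]: Message successfully approved.
2 Jun 2017 14:31:21 Processing file 17359 from MAILER@TRAINING.LSOFT.COM
-> New subscriber, will process in 10 minutes.
2 Jun 2017 14:33:05 From [ANONYMOUS]: X-LOGCK - ORGINFO(70.42.131.106) WM: OK A77DD565
2 Jun 2017 14:33:05 To [ANONYMOUS]: Message successfully approved.
"""

REQUEST_RE = re.compile(r"Requesting confirmation, cookie=([0-9A-F]{8}), ID=([0-9A-F]+)")
SENT_RE = re.compile(r"Sent information mail to (\S+)")
APPROVAL_RE = re.compile(
    r"^(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) .*ORGINFO\(([\d.]+)\).*WM: OK ([0-9A-F]{8})"
)
APPROVED_RE = re.compile(r"Message successfully approved")


def map_cookies_to_moderators(lines):
    """Return {cookie: (moderator_address, message_id)}.

    Each 'Requesting confirmation' line is paired with the next
    'Sent information mail to' line, which names that cookie's recipient.
    An information mail with no pending cookie (e.g. the editor copy) is skipped.
    """
    mapping = {}
    pending = None
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = SENT_RE.search(line)
        if m and pending:
            cookie, msg_id = pending
            mapping[cookie] = (m.group(1), msg_id)
            pending = None
    return mapping


def is_scanner_ip(ip):
    """True if the address lies in one of the known URL-inspection ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)


def audit_approvals(log_text):
    """List every confirmed approval with its source IP, cookie and the
    moderator the cookie was issued to, marking approvals from scanner ranges."""
    lines = log_text.splitlines()
    cookies = map_cookies_to_moderators(lines)
    findings = []
    for i, line in enumerate(lines):
        m = APPROVAL_RE.search(line)
        if not m:
            continue
        # Count it only if LISTSERV confirmed the approval on the following line.
        if i + 1 >= len(lines) or not APPROVED_RE.search(lines[i + 1]):
            continue
        when, ip, cookie = m.groups()
        moderator, msg_id = cookies.get(cookie, ("<cookie not issued in this log>", "<unknown>"))
        findings.append({
            "time": when,
            "ip": ip,
            "cookie": cookie,
            "message_id": msg_id,
            "moderator": moderator,
            "suspect": is_scanner_ip(ip),
        })
    return findings


if __name__ == "__main__":
    for f in audit_approvals(SAMPLE_LOG):
        flag = "SUSPECT (scanner range)" if f["suspect"] else "ok"
        print(f"{f['time']}  cookie={f['cookie']}  msg={f['message_id']}  "
              f"moderator={f['moderator']}  from={f['ip']}  {flag}")
```

Run against a real LISTSERV-yyyymmdd.LOG by reading the file into audit_approvals in place of SAMPLE_LOG; the "suspect" flag only tells you the approval came from a range the article associates with URL inspection, and the moderator named is whoever the cookie was mailed to, so a suspect approval still warrants confirming with that person whether they clicked the link.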

Mitigations

So how can you prevent this problem of non-human, virtually automatic approvals? There are a couple of approaches you could try. Both involve customizing the MSG_POSTING_CONFIRM_EDITOR mail template, which can be reached under "List Management" (to customize it for a particular list) or "Server Management" (to change the default version of the template sitewide) via "Customization" > "Mail Templates".

In the MSG_POSTING_CONFIRM_EDITOR mail template, the lines that result in the insertion of the OK/confirmation link are these:

To APPROVE the message:
&OK_URL

If you change this to:

To APPROVE the message:
&WA_URL;?MOD=&LISTNAME;

Then LISTSERV will instead insert a link pointing to the list's moderation page, replacing the click-to-approve link. Moderators can then approve (or reject) messages using the web interface.

Alternatively, you could remove the link from the MSG_POSTING_CONFIRM_EDITOR mail template altogether, and instead have the moderators approve the messages via email.

Replacing the contents of the template with something similar to the following would have that effect:

This message was originally submitted by &FROMID to the &LISTNAME list at &MYHOST.

You can approve it using the "OK" mechanism, ignore it, or repost an edited copy. The message will expire automatically. You do not need to do anything if you just want to discard it.

Please refer to the List Owner's Manual at http://www.lsoft.com/resources/manuals.asp if you are not familiar with the "OK" mechanism.

These instructions are being kept purposefully short for your convenience in processing large numbers of messages.

Both methods will prevent non-human approvals of moderated messages.

References

Expose extended email headers in various mail clients:
http://www.haltabuse.org/help/headers/index.shtml


© L-Soft 2017. All Rights Reserved.