OT: Was: Re: Invitation to connect on LinkedIn

CLIFFORD ILKAY clifford_ilkay at dinamis.com
Tue Mar 3 07:35:54 UTC 2009


Nils Kassube wrote:
> Paige Thompson wrote:
>> I blame the list, this email never should have gotten to here.
> 
> What? You let linkedin send spam to everybody in your addressbook on 
> your behalf and instead of sending an apology you blame the list for 
> receiving your junk?

Lighten up. She admits that she authorized LinkedIn to contact people in
her address book to invite them to join her network. There is nothing wrong
with that. She didn't realize that LinkedIn would send a message with
her email address in the "From" field to the list. I certainly wouldn't
have expected that either. How could she have known, and that's assuming
she even remembered that this list's address was in her address book? I
would have thought LinkedIn would have sent a message from something
like noreply at linkedin.com rather than put my email address in the "From"
field, had I asked LinkedIn to send invitations on my behalf. Had
LinkedIn done that, unless noreply at linkedin.com was a subscriber to this
list, there was no way the message from LinkedIn would have made it
through to the list and one errant message to the list wouldn't have
caused 20 messages whining about "spam". Please note that I haven't used
this feature of LinkedIn so I don't know if LinkedIn notifies the sender
of the details of which address it will use in the "From" address.

Adele also points out that if Canonical used SPF, even with what
LinkedIn did, her mail would not have made it through anyway because it
would have been rejected by Canonical's mail server as having a forged
"From" address. Given that SPF isn't universally used, it's probably not
very practical for Canonical to reject mail from domains that don't
publish an SPF record so I find this argument wanting.

Other social networking sites, such as Facebook, don't behave the same
way as LinkedIn. When I authorize Facebook to invite people in my
address book, the "From" address is a facebook.com address, not my address.

This illustrates how easy it would be for spammers to pretend to be
anyone on this or any other mailing list and send spam to the list. They
could send 100 messages purporting to be from me until the list admins
blocked my address. Most people wouldn't understand that it wasn't me
who sent the messages because they don't have a grasp of how email or
listservs work and there would be calls for my head. The list admins,
even if they understood what was going on, would have no choice but to
block my email address from posting to the list just to stop the torrent
of forged mail (spam). All the spammer would have to do then is forge
messages using the address of another subscriber to the list. There is
no easy fix to this problem.

If posts from forged "From" addresses became a problem, one of the best
ways of dealing with that situation would be to use certificate-based
authentication, like the Sympa listserv offers
<http://www.sympa.org/manual/x509#configuration_to_recognize_smime_signatures>,
rather than relying on the very weak "From" address authentication
scheme that Mailman uses.

I don't blame Adele, the listserv, or Canonical. I blame LinkedIn for
forging "From" addresses.
-- 
Regards,

Clifford Ilkay
Dinamis
1419-3266 Yonge St.
Toronto, ON
Canada  M4N 3P6

<http://dinamis.com>
+1 416-410-3326
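The SPF argument above, worked through as an added example (not code from this thread or from any list software it mentions): a minimal SPF evaluator that checks the connecting server's IP against the sender domain's record, using constructed records and addresses in place of DNS. It shows the two outcomes the message contrasts: a domain that publishes a "-all" record gets mail from a foreign server rejected, while a domain with no record yields "none", which a receiving list cannot safely reject. Note that SPF is evaluated against the envelope sender (MAIL FROM) domain; only ip4, ip6 and all mechanisms are handled here.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (sample values, not real domains).
SPF_RECORDS = {
    "strict-sender.test": "v=spf1 ip4:203.0.113.0/24 -all",   # publishes SPF, hard fail
    "lenient-sender.test": "v=spf1 ip4:203.0.113.0/24 ~all",  # publishes SPF, soft fail
    # "nospf.test" deliberately has no record, as most domains did not at the time
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, connecting_ip, records=SPF_RECORDS):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns one of: none, pass, fail, softfail, neutral.
    No DNS is consulted; mechanisms needing lookups (a, mx, include) never match.
    """
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"                       # domain publishes no SPF at all
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not a valid SPF record
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]    # catch-all decides the result
        if mech in ("ip4", "ip6"):
            # a v4 address is never contained in a v6 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no 'all' term


def list_decision(sender_domain, connecting_ip, records=SPF_RECORDS):
    """Policy of a list server that rejects only on an SPF hard fail."""
    result = check_spf(sender_domain, connecting_ip, records)
    return result, ("reject" if result == "fail" else "accept")
```

A third-party site relaying mail with a subscriber's address from 198.51.100.7 is rejected only when that subscriber's domain publishes a hard-fail record; with no record the list sees "none" and has nothing to act on.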

More information about the ubuntu-users mailing list