[Listwork] Re: [#20032500] Troll attacks causing mail loop on Google Groups and Indymedia mailing lists

[groups-support at google.com]

Hi Alster,

Thank you for your note. We very much appreciate you bringing this
situation to our attention. It is against our policies for a group owner
to add another group's mailing address to his group because of the
potential for email loops. In this particular case, we have removed the
two groups that you mentioned from our service and we have added
'lists.indymedia.org' to our list of email domains that can't be added as
members of a group. This should stop the current loop and prevent another
from occurring in the future.

We also appreciate your suggestions regarding account creation and the
ease of adding email addresses to a group. Google Groups allows group
owners to directly add users as a convenient way of transferring members
from other services. We don't intend this to be used to build lists for
unsolicited email. We try to prevent abuse by flagging every large bulk
add for review. This way a user can't add a large number of members to a
group quickly. The add request must be reviewed and approved by a Google
support representative before it can be sent.

Please let us know if you need any further information from us to lift the
ban on Google Groups email to your users.

Regards,
The Google Team


Original Message Follows:
------------------------
From: alster at indymedia.org
Subject: Troll attacks causing mail loop on Google Groups and Indymedia
mailing lists
Date: Tue, 25 Jan 2005 02:39:13 -0000

Dear GoogleGroups.com administration team,

it has come to our attention that approximately 20 Indymedia mailing lists
have been subscribed to some google groups, without our knowledge or our
permission. As a result of that, an infinite mail loop is setup and both
your and our services are abused. 

Since this happened a couple weeks ago, we have noticed an incredible
increase in spam attacks on our mailing lists. One of your users has
created groups in Google Groups and added posting email addresses of
indymedia mailing lists as new group members. Additionally, he has added
the posting address of the google group as a subscriber to our mailing
lists. This mail loop setup has repeatedly resulted in several hundred
users being continiously swamped with spam until we could setup spam
filters for the affected mailing lists.

The google groups in question are these:
http://groups-beta.google.com/group/anticomunismo/
http://groups-beta.google.com/group/indymedia/

Please close these groups after successfully verifying that their admin
has repeatedly violated your terms of service and sent unsolicited emails
to the following mailing lists:
cmi-abc
cmi-bh
cmi-bnu-jll
cmi-campinas
cmi-caxias
cmi-cuiaba
cmi-curitiba
cmi-floripa
cmi-fortaleza
cmi-goiania
cmi-juizdefora
cmi-poa
cmi-recife
cmi-rio
cmi-ssa
cmi-saopaulo
cmi-saoluis
cmi-vitoria
cmi-brasil
cmi-brasil-tech
cmi-brasil-contato

These post addresses of these mailing lists consist of their list name and
one of the following appendixes: "@lists.indymedia.org" or
"@indymedia.org".

As it is too easy for this or these user(s) to set up additional spam
groups on google groups and to continue to abuse your and our services,
the only option we currently have is to disallow all incoming email by
google groups. We dislike the fact that we are forced to take this action
and block all email by google groups by default, but this is currently the
only option we have available.

To get an idea of how someone could do this, to get an impression on how
time consuming this process is and which information you collect on your
users, I have just signed up an with google groups. I was quite surprised
to find that you provide as the default option to add massive amounts of
email addresses as list subscribers with no need for confirmation on their
side. A malicious user could setup and send out a massive spam within
three minutes and because you require no information about who he is, you
wouldn't be able to stop him.

I was quite surprised to see that you do not collect any information on
the users' location, date of birth etc. on the one hand but provide an
option to add massive amounts of email addresses as list subscribers with
no need for any kind of confirmation on their side and even made this the
default setting. I could have setup and used a massive spam list within
three minutes. This is definately a 'special service' you would otherwise
only come across at some chinese and brazilian ISPs.

While I like the fact that the amount of personal data you acquire in the
user signup process is only a small amount from a privacy point of view, I
dislike it when it comes to making sure your services are not abused.
Maybe - with this in mind - it's worth reconsidering the way new user
signups are handled at google groups. As you probably know, your
competitors handle this in a more secured way.

If you can provide a method to make sure this person will not continue to
abuse your services, or you have changed the way you handle user signups
and account data validation, please let us know at listwork at indymedia.org
so we can remove the sitewide block of google groups. To make sure your
replies reach us, please send a copy to my personal email address at
alster at zeromail.org .

Thank you very much for your cooperation.

Greetings,
Alster Wasserman


Language: en
Name: Alster Wasserman
topic: report_abuse