You've come to this page because you've asked questions similar to the following:
Why am I receiving messages from qsecretary ?
I'm receiving a challenge for every single message that I write. Is what I'm seeing normal ?
qsecretary would be improved if it kept a whitelist of all previously confirmed mailboxes, so that it didn't keep sending challenges for each new message. Why doesn't qsecretary have a whitelist ?
Is there a way to automatically generate the response messages to the qsecretary challenges ?
Mailing lists don't need challenge-response confirmation dialogues for posts. Simply denying posting access to non-subscribers is sufficient. Why does qsecretary even exist ?
These are the Frequently Given Answers to these questions.
Dan Bernstein's mailing lists used to behave exactly as classical mailing lists did, accepting submissions from anyone and re-sending them to all of the list subscribers. However, by the end of 2001, the amount of anonymous bulk mail being sent to the subscribers via those mailing lists reached intolerable levels, and in reaction Dan Bernstein instituted qsecretary on his mailing lists. As a result, the levels of anonymous bulk mail dropped off markedly (as can be seen by perusing the archives for the various lists before and after the points that qsecretary was instated for each list).
qsecretary is a challenge-response system, that only allows submissions through to the mailing list subscribers after the people submitting them have agreed to the terms and conditions laid out in the challenge message that qsecretary sends. Every response to a qsecretary challenge enters the respondent into a contract, that covers the specific message that qsecretary has challenged, with penalty clauses if one is found to be in violation of that contract.
The fact that one has entered into a contract with respect to a specific message is the reason that qsecretary sends a challenge for each individual submission to the list. There is no whitelisting, for the simple reason that the contract that one enters into by responding doesn't cover all messages that one will ever send to the mailing list. That would be far too general to be fair. The contract instead covers the one particular message that instigated the challenge.
The focus of qsecretary is not senders, but messages. Whitelisting sender mailboxes focusses on senders. But senders are not the problem, and sender mailboxes can be forged in any case. It is (anonymous bulk mail) messages that are the problem. qsecretary deals with the problem by having everyone who submits a message to the mailing list enter into a contract to state that that message is not an anonymous bulk mail message and to agree to penalties if that statement is false.
It is possible to employ mechanisms that deal with qsecretary challenges automatically. However, before you do so, bear in mind the implications of setting up such an auto-responder. The response to a qsecretary challenge is intended to enter one into a contract; which it might be unwise to automate.
Dealing with qsecretary challenges automatically, and in such a way that one does not create new vulnerabilities that the malicious can take advantage of, involves two processes:
Tagging each of one's outgoing submissions to the mailing list with a tag that is hard for someone else to forge, but that can be easily used to distinguish one's own messages from forgeries that someone else might be submitting to the list in one's name.
Scanning incoming mail for challenges from qsecretary, checking that those challenges refer to a genuine tagged original message that one actually sent in the first place, and automatically sending response messages if so.
The purpose of the tag is to prevent the auto-responder from responding willy-nilly to every challenge received from qsecretary. Doing so would allow an attacker to forge submissions in one's name, that one's auto-responder would then falsely confirm as being from onesself, leaving one liable for messages that one didn't actually write.
Charles Cazabon's pymsgauth package is one package that does both of these tasks. Outgoing mail is pre-processed by pymsgauth-mail to add such a tag, and incoming challenges are automatically responded to (if they were triggered by a genuine tagged original message that one sent) by pymsgauth-confirm.
If you are writing your own auto-responder, consider carefully how you generate the tags.
For example: A simple MD5 hash of the message text is insufficient. This is because
- an attacker who is forging message submissions purporting to come from you can easily do the same thing to the forged messages and thereby tag them as genuine; and
- the whole text of the original is not included by qsecretary in the challenge that it sends, making validation impossible.
A proper tag generation mechanism must employ some "secret" that only you possess, and that cannot be deduced by looking at the tags that you have affixed to all of your prior messages.
Every so often, a member of the Half-Baked Ideas Brigade re-invents one of the several half-baked ideas for either responding to, or replacing, qsecretary. The reason that these ideas are Half-Baked is that they haven't been thought through and contain several flaws, some of which expose quite serious vulnerabilities.
One popular idea from the Half-Baked Ideas Brigade is to entirely prevent non-subscribers from submitting messages to the list.
This idea hasn't been thought through, however, and has several drawbacks:
It prevents people who don't want to be subscribed and that want instead to access the mailing list via a more suitable interface (such as GMane), from doing so.
It prevents people from using a sender mailbox, on their list submissions, that is different to the mailbox that they use for receiving messages from the list. (This is of particular concern for people who use tools such as "dated" mailboxes, for example. But it affects anyone who wants mail received via the mailing list to reach a different mailbox to mail sent directly in reply to a post.)
It doesn't stop the senders of unsolicited bulk mail from posting to the list, since they need only forge the sender mailbox of a known subscriber in order to post to the list.
It utterly fails to stop any forged submissions made by Microsoft Worms that send forged messages to randomly selected recipients purporting to come from randomly selected senders. (Such a Microsoft Worm could randomly select the list submission mailbox and a subscriber's mailbox, for example.)
An even more popular idea from the Half-Baked Ideas Brigade is a simple auto-responder that replies to qsecretary challenges automatically. Time and again a new Brigade member posts a Half-Baked Idea for doing so. ("Hey everyone! Here's the simple way that I deal with the qsecretary challenges in my procmail script/.qmail file/Outlook filters.")
Correctly automating the responses to such challenges is not a trivial task, and involves more than simply responding to every single qsecretary challenge that arrives. There is another part to the task, as explained earlier.
In comparison, the Half-Baked Ideas from the Brigade are trivial and thus do not, in fact, operate correctly. A Brigade member employing such a mechanism is accepting responsibility for any submission to the list in that member's name, whether the Brigade member wrote it or whether it was a forgery written by someone else.
qsecretary has one known flaw.
Strangely, even though Dan Bernstein implemented challenge-response correctly for ezmlm's subscription and unsubscription mechanisms, his challenge-response implementation for qsecretary is different, and is vulnerable to broken auto-responders in a way that the mechanism for ezmlm is not.
Some broken auto-responders send their responses to the mailbox(es) listed
From: header. To avoid the problems that this
causes, ezmlm's subscription and unsubscription challenges
place a mailbox in the
From: header that does not
confirm the action to be taken, and place the actual action-triggering
mailbox, for confirmatory responses to be sent to, in the
Reply-To: header. The broken auto-responders that
automatically send responses to the mailbox in the
header thus do not automatically cause the subscription or
unsubscription action to be taken; whereas the MUAs, used by actual human
beings to reply to the challenge, send the response to the mailbox in the
Reply-To: header, triggering the action.
In contrast to the ezmlm scheme, qsecretary
places the action-triggering mailbox in the
The consequence of this is that anyone employing such a broken
auto-responder becomes a conduit for forged messages to be submitted to
the mailing list in that person's name.