The gen on Dan Bernstein's qsecretary and mailing lists.

You've come to this page because you've asked questions similar to the following:

These are the Frequently Given Answers to these questions.

What qsecretary is and why it exists

Dan Bernstein's mailing lists used to behave exactly as classical mailing lists did, accepting submissions from anyone and re-sending them to all of the list subscribers. However, by the end of 2001, the amount of anonymous bulk mail being sent to the subscribers via those mailing lists reached intolerable levels, and in reaction Dan Bernstein instituted qsecretary on his mailing lists. As a result, the levels of anonymous bulk mail dropped off markedly (as can be seen by perusing the archives for the various lists before and after the points that qsecretary was instated for each list).

qsecretary is a challenge-response system, that only allows submissions through to the mailing list subscribers after the people submitting them have agreed to the terms and conditions laid out in the challenge message that qsecretary sends. Every response to a qsecretary challenge enters the respondent into a contract, that covers the specific message that qsecretary has challenged, with penalty clauses if one is found to be in violation of that contract.

The fact that one has entered into a contract with respect to a specific message is the reason that qsecretary sends a challenge for each individual submission to the list. There is no whitelisting, for the simple reason that the contract that one enters into by responding doesn't cover all messages that one will ever send to the mailing list. That would be far too general to be fair. The contract instead covers the one particular message that instigated the challenge.

The focus of qsecretary is not senders, but messages. Whitelisting sender mailboxes focusses on senders. But senders are not the problem, and sender mailboxes can be forged in any case. It is (anonymous bulk mail) messages that are the problem. qsecretary deals with the problem by having everyone who submits a message to the mailing list enter into a contract to state that that message is not an anonymous bulk mail message and to agree to penalties if that statement is false.

Dealing with qsecretary challenges automatically and properly

It is possible to employ mechanisms that deal with qsecretary challenges automatically. However, before you do so, bear in mind the implications of setting up such an auto-responder. The response to a qsecretary challenge is intended to enter one into a contract; which it might be unwise to automate.

Dealing with qsecretary challenges automatically, and in such a way that one does not create new vulnerabilities that the malicious can take advantage of, involves two processes:

The purpose of the tag is to prevent the auto-responder from responding willy-nilly to every challenge received from qsecretary. Doing so would allow an attacker to forge submissions in one's name, that one's auto-responder would then falsely confirm as being from onesself, leaving one liable for messages that one didn't actually write.

Charles Cazabon's pymsgauth package is one package that does both of these tasks. Outgoing mail is pre-processed by pymsgauth-mail to add such a tag, and incoming challenges are automatically responded to (if they were triggered by a genuine tagged original message that one sent) by pymsgauth-confirm.

If you are writing your own auto-responder, consider carefully how you generate the tags.

For example: A simple MD5 hash of the message text is insufficient. This is because

A proper tag generation mechanism must employ some "secret" that only you possess, and that cannot be deduced by looking at the tags that you have affixed to all of your prior messages.

Some ideas from the Half-Baked Ideas Brigade

Every so often, a member of the Half-Baked Ideas Brigade re-invents one of the several half-baked ideas for either responding to, or replacing, qsecretary. The reason that these ideas are Half-Baked is that they haven't been thought through and contain several flaws, some of which expose quite serious vulnerabilities.

The Half-Baked Idea about preventing non-subscribers from posting

One popular idea from the Half-Baked Ideas Brigade is to entirely prevent non-subscribers from submitting messages to the list.

This idea hasn't been thought through, however, and has several drawbacks:

The Half-Baked Idea about responding to qsecretary challenges based solely upon a pattern-matching rule.

An even more popular idea from the Half-Baked Ideas Brigade is a simple auto-responder that replies to qsecretary challenges automatically. Time and again a new Brigade member posts a Half-Baked Idea for doing so. ("Hey everyone! Here's the simple way that I deal with the qsecretary challenges in my procmail script/.qmail file/Outlook filters.")

Correctly automating the responses to such challenges is not a trivial task, and involves more than simply responding to every single qsecretary challenge that arrives. There is another part to the task, as explained earlier.

In comparison, the Half-Baked Ideas from the Brigade are trivial and thus do not, in fact, operate correctly. A Brigade member employing such a mechanism is accepting responsibility for any submission to the list in that member's name, whether the Brigade member wrote it or whether it was a forgery written by someone else.

Flaws in qsecretary

qsecretary has one known flaw.

Strangely, even though Dan Bernstein implemented challenge-response correctly for ezmlm's subscription and unsubscription mechanisms, his challenge-response implementation for qsecretary is different, and is vulnerable to broken auto-responders in a way that the mechanism for ezmlm is not.

Some broken auto-responders send their responses to the mailbox(es) listed in the From: header. To avoid the problems that this causes, ezmlm's subscription and unsubscription challenges place a mailbox in the From: header that does not confirm the action to be taken, and place the actual action-triggering mailbox, for confirmatory responses to be sent to, in the Reply-To: header. The broken auto-responders that automatically send responses to the mailbox in the From: header thus do not automatically cause the subscription or unsubscription action to be taken; whereas the MUAs, used by actual human beings to reply to the challenge, send the response to the mailbox in the Reply-To: header, triggering the action.

In contrast to the ezmlm scheme, qsecretary places the action-triggering mailbox in the From: header. The consequence of this is that anyone employing such a broken auto-responder becomes a conduit for forged messages to be submitted to the mailing list in that person's name.

© Copyright 2003-2003 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.