Q: Why did spam get through to my list without editor confirmation?

By Ben Parker
Chief Corporate Consultant, L-Soft

In rare cases, list owners will complain that spam messages were delivered to their lists, and the editors and moderators of the lists will insist that no one confirmed these messages. So what could be going on? Have spammers found a way around the LISTSERV confirmation and approval process?

In a word, no. In more than 30 years, the confirmation process has never failed to work correctly. Any apparent failures have all been traced back to the human component of inadvertently or incorrectly approving a message for posting. To delve further into this, we need to learn how to use the LISTSERV log files to track who approved the messages, see if there are any surprises involved and assess what can be done to mitigate the problem.

Tracking Message Approval in LISTSERV Log Files

When an unwanted or unexpected message is posted to a moderated list, the first question is usually who approved the list posting. A quick way to tell, if you have received a copy of the message, is to expose the (normally hidden) extended email header lines. Moderated messages will contain an "Approved-By" header line:

But more often, the list owner or editor will contact the local LISTSERV administrator to find out who approved the posting and how it happened. To investigate this, the site administrator needs to access the LISTSERV logs on the server. The first step is to look in the LISTSERV-20170602.LOG file (the date the offending message was posted to the list). By looking at the list name and the time, you can get close in the log:

Now look at the two lines immediately before the line with "Processing file 17359..." to see if they look like this:

Note especially the phrase "Message successfully approved" and the phrase "OK 7A20B227". The 8-digit cookie code is randomly generated and will be different in every case, but the OK with some 8-digit cookie code will be consistent. These two phrases indicate that the message just posted to the selected list name was approved by the editor or moderator of the list. If you do not see these phrases in the preceding two lines, then look exactly 10 minutes earlier in the log for two lines like this:

Note that the "Processing file 17359" will be exactly the same file number as the "Processing file 17359" from the point where the message was posted to the list. If you see this, then look closely at the preceding two lines and you will see lines indicating editor or moderator approval:

Note that LISTSERV has logged the IP address of the approver: ORGINFO(71.205.238.63). This will become significant in the next section. Meanwhile, by knowing the 8-digit approval cookie code (7A20B227), you can search backwards (earlier) in the log file to find where the message originally came in to LISTSERV and was then forwarded to editors or moderators for approval:

Note that this list has three moderators and the request-for-approval was sent to all three moderators at the same time. Each moderator gets a different approval cookie code (so LISTSERV will know which moderator approved the message), but the Message ID (ID=358BF0) is the same for all of them. Whoever approves the message first will allow that message to be posted to the list.

As noted above, the moderator of our example message was ORGINFO(71.205.238.63). A reverse lookup shows that this IP belongs to COMCAST.NET. Indeed, this person does use Comcast as their Internet service provider, so this correctly identifies that the person did, in fact, approve the message.

Challenges with Content Inspection

Let's take a look at another scenario where spam messages made it through to a moderated list. Examining the LISTSERV log file showed something interesting:

Note the similarity of the IP addresses associated with widely divergent moderators. In fact, this is reflective of a LISTSERV instance located behind a firewall, and all web traffic (such as clickable links to approve a LISTSERV message) is tested by the firewall as part of its content inspection feature known as Credential Phishing Prevention. Specifically, the firewall attempts to "follow" the URL to examine whether it might be a malicious site of some kind intended to harvest login information or other personally identifying data.

Unfortunately, with LISTSERV URLs, this is equivalent to a click action on the URL, thus effectively approving the message without human intervention. This practice of blindly following links is likely to have other unintended consequences, so we would strongly recommend that the administrator responsible for this firewall consider disabling this feature of the device.

These IP addresses are used by Palo Alto Networks, Inc., the makers of a family of firewall appliances. In fact, you should note both full IP ranges 70.42.131.0/24 and 74.217.90.0/24. These ranges may not be exhaustive of all IP ranges used by Palo Alto Networks. They are just the ones we see most often.

Recently, we have also seen the following from another source:

A PTR lookup of this IP address shows: