Bugtraq mailing list archives

RE: Intel.com Mailing List Arbitrary Address Removal Link


From: <jlewis () lewis org>
Date: Sat, 9 Feb 2002 10:26:07 -0500 (EST)

On Fri, 8 Feb 2002, Knud Erik Højgaard wrote:

> cnn.com has similar stuff with their mailing lists. The best part
> about their lists is that they require no 'approval' of joining the
> list - they just start sending you mails. Always great coming back
> from a holiday just to see your mailbox flooded with a few hundred
> mails.

I was considering posting about this, but you beat me to it.  Cnet / Ziff
Davis suffer the same problem.  Recently, this was used by a disgruntled
ex-coworker to harass me.  It seems it's much easier for someone else to
subscribe you to these lists than it is to get off of them.  Requests to
be removed are responded to with "go to this URL to switch your
subscription between HTML or plain text format messages."  ARGH!!!

As an experiment, I went to CNET's web site, found the URL to subscribe to
a few lists, and subscribed a bogus address on a domain I own.  This was
done via a simple web form with no confirmation whatsoever.  They've been
sending messages (which bounce back with 'no such user' errors) for 3 days
so far.

Depending on the mail software they're using, this might provide for an
interesting DoS against CNET's mailing list servers.

CNET is aware of this problem but seems unmotivated to do anything about
it.

-- 
----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
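
Added example, not part of the original post and not any vendor's code: a minimal confirmed opt-in flow in which the web form only creates a pending request, and both the confirmation link and the removal link carry an HMAC token bound to one action, list and address. The secret, the 48-hour lifetime, the list name and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 48 * 3600             # assumption: links stay valid for 48 hours

def _sign(action, list_id, address, expires):
    # Bind the signature to action + list + address so a link cannot be reused elsewhere.
    msg = f"{action}|{list_id}|{address.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(action, list_id, address, now=None):
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(action, list_id, address, expires)}"

def check_token(token, action, list_id, address, now=None):
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if (time.time() if now is None else now) > expires:
        return False  # expired link
    expected = _sign(action, list_id, address, expires)
    return hmac.compare_digest(sig.encode(), expected.encode())

class MailingList:
    def __init__(self, list_id):
        self.list_id = list_id
        self.pending, self.members = set(), set()

    def request_subscribe(self, address, now=None):
        # Web form handler: the address stays pending and receives one confirmation
        # mail carrying this token; no list traffic is sent until it is confirmed.
        self.pending.add(address.lower())
        return make_token("subscribe", self.list_id, address, now)

    def confirm(self, address, token, now=None):
        addr = address.lower()
        if addr not in self.pending or not check_token(token, "subscribe", self.list_id, addr, now):
            return False
        self.pending.discard(addr)
        self.members.add(addr)
        return True

    def unsubscribe(self, address, token, now=None):
        # Removal link: only a token issued for this exact address removes it.
        ok = check_token(token, "unsubscribe", self.list_id, address, now)
        if ok:
            self.members.discard(address.lower())
        return ok
```

With this flow, a bogus or third-party address entered in the form receives a single confirmation message instead of ongoing list mail, and a removal link issued for one subscriber cannot be edited to remove another.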



