Bugtraq mailing list archives
Re: Intel.com Mailing List Arbitrary Address Removal Link
From: Joel Maslak <jmaslak () antelope net>
Date: Wed, 6 Feb 2002 18:47:37 -0700 (MST)
On Tue, 5 Feb 2002, E M wrote:
> .: Problem :. While Intel requires you to login to modify account information, it does not require you to login to remove your e-mail (or any e-mail) from its mailing list database.
This is nothing new. The web interface is new, but being able to remove users from mailing lists without any verification is not. Many mailing lists - especially large volume ones - will remove any address that bounces. Creating a forged bounce request is quite trivial. The fix for this requires sophisticated bounce tracking software.

The only real way to fix this problem is to send each recipient a message with a custom-encoded FROM envelope address, such as:

    bounce-<user-id>-<security-key>@example.com

Where the user-id is some sort of database identifier and the security key is simply a random number kept in the database to prevent malicious activity (it could also be some sort of cryptographic code). When the example.com mail server receives a message to bounce-xxx-yyy@example.com, it checks the security key, verifies that the bounce is a permanent bounce, and deletes the user.

You can also do something similar with WWW removal links:

    Click http://remove.example.com/<user-id>/<security-key>

Most mass mailing systems don't do any of this, though, since this requires sending a unique message to every recipient. Instead of sending one body with lots of envelope addresses to, say, AOL, you end up sending lots of complete messages - including duplicate copies of the body - to AOL.

-- 
Joel Maslak
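The per-recipient bounce address and removal link scheme Joel describes above, worked through as an added example (not code from the original post or from any mailing-list product). It uses the "cryptographic code" variant of the security key: an HMAC-SHA256 over the user-id, truncated to 16 hex characters, rather than a random number stored per user. The secret, domain names, subscriber table and function names are all constructed for the example, and the bounce classification (permanent vs. transient) is assumed to be decided by the caller from the DSN.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed values for the example. A real deployment keeps the secret out of
# source control and rotates it; rotating it invalidates every outstanding link.
SERVER_SECRET = b"example-secret-rotate-me"
BOUNCE_DOMAIN = "example.com"
REMOVE_HOST = "remove.example.com"

# Constructed subscriber database: user-id -> subscribed address.
SUBSCRIBERS: Dict[str, str] = {
    "1001": "alice@mail.example",
    "1002": "bob@mail.example",
}

KEY_LEN = 16  # hex characters of the truncated HMAC kept in the address


def security_key(user_id: str) -> str:
    """Per-user security key: HMAC-SHA256(secret, user-id), truncated.

    Nothing has to be stored per user; the server recomputes the key from the
    user-id when a bounce or removal request arrives.
    """
    mac = hmac.new(SERVER_SECRET, user_id.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:KEY_LEN]


def bounce_address(user_id: str) -> str:
    """Envelope FROM address for one recipient: bounce-<user-id>-<key>@domain."""
    return f"bounce-{user_id}-{security_key(user_id)}@{BOUNCE_DOMAIN}"


def removal_link(user_id: str) -> str:
    """Per-recipient removal link: http://host/<user-id>/<key>."""
    return f"http://{REMOVE_HOST}/{user_id}/{security_key(user_id)}"


_BOUNCE_RE = re.compile(
    r"^bounce-([0-9]+)-([0-9a-f]{%d})@%s$" % (KEY_LEN, re.escape(BOUNCE_DOMAIN))
)
_REMOVAL_RE = re.compile(r"^/([0-9]+)/([0-9a-f]{%d})$" % KEY_LEN)


def parse_bounce_recipient(rcpt: str) -> Optional[Tuple[str, str]]:
    """Split an incoming RCPT TO address into (user-id, key), or None if it is
    not a well-formed bounce address for our domain."""
    m = _BOUNCE_RE.match(rcpt.strip().lower())
    return (m.group(1), m.group(2)) if m else None


def verify_key(user_id: str, presented_key: str) -> bool:
    """Constant-time comparison so the key cannot be guessed byte by byte."""
    return hmac.compare_digest(security_key(user_id), presented_key)


def _remove_if_authorized(user_id: str, key: str, db: Dict[str, str]) -> bool:
    if not verify_key(user_id, key):
        return False          # forged or stale key: ignore
    if user_id not in db:
        return False          # already removed or never existed
    del db[user_id]
    return True


def handle_bounce(rcpt: str, permanent: bool, db: Dict[str, str]) -> bool:
    """Process a bounce delivered to one of our bounce addresses.

    Returns True only if the key checked out, the bounce was permanent, and the
    subscriber was actually removed. Transient (4xx) bounces never remove anyone.
    """
    parsed = parse_bounce_recipient(rcpt)
    if parsed is None or not permanent:
        return False
    user_id, key = parsed
    return _remove_if_authorized(user_id, key, db)


def handle_removal_link(path: str, db: Dict[str, str]) -> bool:
    """Process a request to the removal URL path '/<user-id>/<key>'."""
    m = _REMOVAL_RE.match(path.strip())
    if m is None:
        return False
    return _remove_if_authorized(m.group(1), m.group(2), db)


if __name__ == "__main__":
    db = dict(SUBSCRIBERS)
    print("outgoing envelope FROM:", bounce_address("1001"))
    print("removal link:", removal_link("1002"))
    # A forged bounce for user 1001 with a made-up key is rejected.
    print("forged bounce removed user:", handle_bounce("bounce-1001-0000000000000000@example.com", True, db))
    # A genuine permanent bounce removes the user.
    print("real bounce removed user:", handle_bounce(bounce_address("1001"), True, db))
    print("remaining subscribers:", db)
```

The point of the example is the asymmetry the post relies on: anyone can send mail to a bounce address or fetch a removal URL, but only mail that came from this server carries a key that will verify. Note that this design trades a per-user database column for a server secret; if that secret leaks, every address is forgeable, so the random-number-per-user variant from the post is the better choice when the database is already easier to protect than the mailer's configuration.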