[linux-elitists] http get vs post; SPF for forgery prevention
Fri Oct 24 13:53:27 PDT 2003
* Andrew Moore <firstname.lastname@example.org> [2003-10-13 16:23-0500]
> On Sat, Oct 11, 2003 at 02:10:00AM +0100, Karsten M. Self wrote:
> > ----- Forwarded message from email@example.com -----
> > Click the link below to request that firstname.lastname@example.org add you to this list.
> > https://email@example.com&id=1a7DZz7li3NZFl40
> I wonder how long that link is active. It's now archived
> on at least one web page, meaning it will invariably be
> followed by a client of some kind. It won't be long until
> we can all spam firstname.lastname@example.org with mails "from"
> Does this represent yet another failure of challenge-response
> systems? Is it a large enough one that it will be exploited
> by spammers? Will we all start receiving spams "from" archived
> mailing lists?
This is a good example of why HTTP GET requests should not
have side effects like confirming registrations or mailing list
subscriptions. Fetching a URL should be a "safe" operation.
(though it looks like earthlink's isn't.)
related bits for those interested:
I'm not completely sure this applies to https: as well as http:
but I expect so.
Regarding bogus c-r challenges sent to forged addresses, has
anyone else been following SMTP forgery-prevention stuff?
(SPF, RMX, DMP, etc.)
SPF in particular seems to be coming along nicely, and has a
growing user/developer community.
Gerald Oskoboiny <email@example.com>
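The GET-with-side-effects problem raised in the message above (a confirmation link that subscribes an address the moment any client fetches it), as an added example that is not part of the original post or of any list software: the same confirmation endpoint written first with the state change on GET, then with GET made read-only and the change moved to a POST that carries a single-use, expiring token. The in-memory list backend, the handler and function names, and the address are constructed for the demo.

```python
"""
Added example (not from the original post): a subscription-confirmation
endpoint written two ways. The weak version performs the state change on
GET, so any client that follows an archived link (a crawler, a link
preview, a URL scanner) confirms the subscription. The hardened version
makes GET a read-only step that renders a form, and commits the change
only on a POST carrying a single-use, expiring token.
All names, tokens and addresses here are constructed for the demo.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class ListState:
    """In-memory stand-in for the mailing-list backend (constructed)."""
    subscribers: set = field(default_factory=set)
    # pending confirmations: token -> (address, expiry timestamp)
    pending: dict = field(default_factory=dict)


def issue_token(state, address, ttl_seconds=3600, now=None):
    """Create an unguessable, single-use confirmation token for an address."""
    now = now if now is not None else time.time()
    token = secrets.token_urlsafe(24)
    state.pending[token] = (address, now + ttl_seconds)
    return token


def weak_handler(state, method, query):
    """Commits on any request carrying a valid id, regardless of method.
    A crawler that merely follows the archived link subscribes the address."""
    entry = state.pending.get(query.get("id"))
    if entry is None:
        return 404, "unknown request"
    address, _expiry = entry
    state.subscribers.add(address)   # side effect on a GET: not a safe method
    del state.pending[query["id"]]
    return 200, f"{address} subscribed"


def hardened_handler(state, method, query, form, now=None):
    """GET is read-only; the subscription is committed only on POST."""
    now = now if now is not None else time.time()
    if method == "GET":
        token = query.get("id")
        if token not in state.pending:
            return 404, "unknown request"
        # Render a form that POSTs the token back; nothing changes yet.
        return 200, (f'<form method="POST"><input type="hidden" name="id" '
                     f'value="{token}"><button>Confirm</button></form>')
    if method == "POST":
        entry = state.pending.pop(form.get("id", ""), None)  # single use
        if entry is None:
            return 404, "unknown request"
        address, expiry = entry
        if now > expiry:
            return 410, "confirmation expired"
        state.subscribers.add(address)
        return 200, f"{address} subscribed"
    return 405, "method not allowed"


def simulate_archived_link(weak, now=0.0):
    """An archive crawler fetches the confirmation URL with a plain GET.
    Returns whether that fetch alone subscribed the address."""
    state = ListState()
    token = issue_token(state, "victim@example.org", now=now)
    if weak:
        weak_handler(state, "GET", {"id": token})
    else:
        hardened_handler(state, "GET", {"id": token}, {}, now=now)
    return "victim@example.org" in state.subscribers


def simulate_user_confirmation(now=0.0):
    """Legitimate flow against the hardened handler: GET the form, POST it,
    then try to replay the POST. Returns (post_status, replay_status, subscribed)."""
    state = ListState()
    token = issue_token(state, "victim@example.org", now=now)
    hardened_handler(state, "GET", {"id": token}, {}, now=now)
    status, _ = hardened_handler(state, "POST", {}, {"id": token}, now=now + 10)
    replay, _ = hardened_handler(state, "POST", {}, {"id": token}, now=now + 20)
    return status, replay, "victim@example.org" in state.subscribers


def simulate_expired_confirmation(now=0.0):
    """POST arriving after the token's TTL is rejected and nothing changes."""
    state = ListState()
    token = issue_token(state, "victim@example.org", ttl_seconds=60, now=now)
    status, _ = hardened_handler(state, "POST", {}, {"id": token}, now=now + 61)
    return status, "victim@example.org" in state.subscribers


if __name__ == "__main__":
    print("weak handler, crawler GET subscribed:", simulate_archived_link(True))
    print("hardened handler, crawler GET subscribed:", simulate_archived_link(False))
    print("hardened user flow (post, replay, subscribed):", simulate_user_confirmation())
    print("hardened expired POST (status, subscribed):", simulate_expired_confirmation())
```

The method split is what keeps link-following clients harmless; the single-use, expiring token is what stops a later replay of a POST body copied from an archive. In a real deployment the token would additionally be bound to the requesting session or signed by the server, and confirmations would be logged so that a burst of them from one crawler user agent is visible.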