[linux-elitists] http get vs post; SPF for forgery prevention

Gerald Oskoboiny gerald@impressive.net
Fri Oct 24 13:53:27 PDT 2003


* Andrew Moore <amoore@mooresystems.com> [2003-10-13 16:23-0500]
> On Sat, Oct 11, 2003 at 02:10:00AM +0100, Karsten M. Self wrote:
> > ----- Forwarded message from automated-response@earthlink.net -----
> > Click the link below to request that christgo@earthlink.net add you to this list.
> > https://webmail.pas.earthlink.net/wam/addme?a=christgo@earthlink.net&id=1a7DZz7li3NZFl40
> 
> I wonder how long that link is active. It's now archived
> on at least one web page, meaning it will invariably be
> followed by a client of some kind. It won't be long until 
> we can all spam christgo@earthlink.net with mails "from"
> Karsten.
> 
> Does this represent yet another failure of challenge-response
> systems? Is it a large enough one that it will be exploited
> by spammers? Will we all start receiving spams "from" archived
> mailing lists?

This is a good example of why HTTP GET requests should not
have side effects like confirming registrations or mailing list
subscriptions. Fetching a URL should be a "safe" operation.
(though it looks like earthlink's isn't.)

related bits for those interested:
http://lists.w3.org/Archives/Public/www-archive/2003Oct/0035.html

I'm not completely sure this applies to https: as well as http:
but I expect so.

Regarding bogus c-r challenges sent to forged addresses, has
anyone else been following SMTP forgery-prevention stuff?
(SPF, RMX, DMP, etc.)

SPF in particular seems to be coming along nicely, and has a
growing user/developer community.

    http://spf.pobox.com/

-- 
Gerald Oskoboiny <gerald@impressive.net>
http://impressive.net/people/gerald/
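The distinction the post draws, a read-only GET versus a state-changing POST, as an added example that is not from the original message or from Earthlink's system; the endpoint, token store, addresses and simulated archive crawler are all constructed for illustration:

```python
from urllib.parse import parse_qs, urlparse

def make_pending():
    # Constructed token store: one-time token -> address awaiting confirmation.
    return {"tok-example-1": "list-owner@example.org"}

def _token(url):
    return parse_qs(urlparse(url).query).get("id", [None])[0]

def confirm_on_get(pending, method, url, form=None):
    """Weak design (the behaviour the post describes): the side effect runs
    on GET, so any client that fetches the archived link, such as a crawler
    or a link prefetcher, completes the confirmation."""
    token = _token(url)
    if method == "GET" and token in pending:
        addr = pending.pop(token)
        return 200, f"added to {addr}'s list"
    return 404, "unknown request"

def confirm_on_post(pending, method, url, form=None):
    """Safe design: GET is read-only and only renders a confirmation form;
    the state change requires a POST carrying the one-time token, which is
    consumed on use so a replayed request does nothing."""
    token = _token(url)
    if token not in pending:
        return 404, "unknown request"
    if method == "GET":
        return 200, (f'<form method="POST"><input type="hidden" name="id" '
                     f'value="{token}"><button>Confirm</button></form>')
    if method == "POST" and form and form.get("id") == token:
        addr = pending.pop(token)
        return 200, f"added to {addr}'s list"
    return 405, "method not allowed"

def crawler_visits(handler):
    """Simulate an archiver that follows every link it finds with a plain GET.
    Returns True if that visit alone consumed the token (a side effect)."""
    pending = make_pending()
    url = ("https://mail.example.org/wam/addme"
           "?a=list-owner@example.org&id=tok-example-1")
    handler(pending, "GET", url)
    return "tok-example-1" not in pending
```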
