[12179] in bugtraq
mail.com redirect problem
daemon@ATHENA.MIT.EDU (Fey, Rodolfo Christian)
Fri Oct 8 18:54:49 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <E757B0128B4ED31197170000F6C7CCF29261F5@buea127e.siemens.com.ar>
Date: Wed, 6 Oct 1999 19:24:41 -0300
Reply-To: "Fey, Rodolfo Christian" <Rodolfo.Fey@SIEMENS.COM.AR>
From: "Fey, Rodolfo Christian" <Rodolfo.Fey@SIEMENS.COM.AR>
X-To: "aleph1@UNDERGROUND.ORG" <aleph1@UNDERGROUND.ORG>,
"BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello all!
I don't know if somebody reported something like that before. Sorry if so...
Everybody can create an anonymous email account at mail.com (like hotmail or
yahoo mail). If you create an account and then you subscribe this account to
an email list (like bugtraq =)), you will get a message to confirm your
subscription. This is fine, and thanks to that, you cannot subscribe *another*
email address to a list.
So, you subscribe your new account to many (many, many) lists and you
confirm your subscriptions. Soon you will start to receive tons (and tons,
and tons) of emails.
Where is the problem? OK. Mail.com lets you redirect your messages to
another account. You simply need to give another email address (any
address, you don't need to give a mail.com address), and all the emails
will be redirected to this account. The real problem is that no confirmation
is needed, so the victim will start to receive unsolicited emails and he
can't do anything!
Not only this; the messages which are forwarded *don't* stay in the
subscribed account's inbox... this means that the attacker doesn't need to
clean the inbox periodically...
And more... From the victim's point of view, the messages are sent directly
from the distribution lists, not from the subscribed account! (of course,
you can check the header and there you will see that the message was sent to
another address and then redirected).
I haven't tested this on other free webmail services, but I imagine that
there are more webmail services with the same problem...
> FEY, Rodolfo Christian
> II - IS
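The missing check the post describes, as an added example that is not part of the original message or of mail.com's code: a forwarding rule is created in a pending state and only takes effect once a token mailed to the *target* address is presented back, so the owner of that address, not the account holder, decides whether forwarding is enabled. Account names, addresses and the `MailboxForwarding` class are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ForwardingRule:
    target: str            # address mail will be forwarded to
    token: str             # one-time secret mailed to that target
    confirmed: bool = False


class MailboxForwarding:
    """Forwarding settings of one webmail account (constructed model)."""

    def __init__(self, account: str):
        self.account = account
        self.rule = None
        self.sent = []  # (recipient, subject) pairs the service would send

    def request_forwarding(self, target: str) -> str:
        # The rule is created pending; nothing is forwarded yet.
        token = secrets.token_urlsafe(16)
        self.rule = ForwardingRule(target, token)
        # The confirmation goes to the TARGET, not to the account holder,
        # so only the owner of the target address can enable the rule.
        self.sent.append((target, f"Confirm forwarding from {self.account}: {token}"))
        return token  # returned here only so the example can be tested

    def confirm(self, token: str) -> bool:
        if self.rule is None or self.rule.confirmed:
            return False
        if not secrets.compare_digest(token, self.rule.token):
            return False
        self.rule.confirmed = True
        return True

    def revoke(self, token: str) -> bool:
        # The same token lets the target's owner stop forwarding later.
        if self.rule and secrets.compare_digest(token, self.rule.token):
            self.rule = None
            return True
        return False

    def deliver(self, subject: str) -> str:
        """Return the mailbox an incoming message ends up in."""
        if self.rule and self.rule.confirmed:
            self.sent.append((self.rule.target, subject))
            return self.rule.target
        return self.account  # unconfirmed: stays in the subscribed account
```

With this flow the subscription mail from the lists stays in the throwaway account until someone holding the target's inbox confirms, and that same person can revoke the rule with the token they received.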