[24164] in bugtraq
Re: Intel.com Mailing List Arbitrary Address Removal Link
daemon@ATHENA.MIT.EDU (Joel Maslak)
Thu Feb 7 15:09:31 2002
Date: Wed, 6 Feb 2002 18:47:37 -0700 (MST)
From: Joel Maslak <jmaslak@antelope.net>
To: E M <rdnktrk@hotmail.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <F130DgkwLd8Lq7R3TOk0000a0c9@hotmail.com>
Message-ID: <Pine.LNX.4.44.0202061842220.3434-100000@bigsky.antelope.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 5 Feb 2002, E M wrote:
> .: Problem :.
> While Intel requires you to login to modify account information, it does not
> require you to login to remove your e-mail (or any e-mail) from its mailing
> list database.
This is nothing new.
The web interface is new, but being able to remove users from mailing
lists without any verification is not.
Many mailing lists - especially large volume ones - will remove any
address that bounces. Creating a forged bounce request is quite trivial.
The fix for this requires sophisticated bounce tracking software. The
only real way to fix this problem is to send each recipient a message with
a custom-encoded FROM envelope address, such as:
bounce-<user-id>-<security-key>@example.com
Where the user-id is some sort of database identifyer and the security key
is simply a random number kept in the database to prevent malicious
activity (it could also be some sort of cryptographic code). When the
example.com mail server receives a message to bounce-xxx-yyy@example.com,
it checks the security key, verifies that the bounce is a permanent
bounce, and deletes the user.
You can also do something similar with WWW removal links:
Click http://remove.example.com/<user-id>/<security-key>
Most mass mailing systems don't do any of this, though, since this
requires sending a unique message to every recipient. Instead of sending
one body with lots of envelope addresses to, say, AOL, you end up sending
lots of complete messages - including duplicate copies of the body - to
AOL.
--
Joel Maslak
