Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Intel.com Mailing List Arbitrary Address Removal Link
From: Joel Maslak <jmaslak () antelope net>
Date: Wed, 6 Feb 2002 18:47:37 -0700 (MST)

On Tue, 5 Feb 2002, E M wrote:

.: Problem :.
While Intel requires you to login to modify account information, it does not
require you to login to remove your e-mail (or any e-mail) from its mailing
list database.

This is nothing new.

The web interface is new, but being able to remove users from mailing
lists without any verification is not.

Many mailing lists - especially large volume ones - will remove any
address that bounces.  Creating a forged bounce request is quite trivial.

The fix for this requires sophisticated bounce tracking software.  The
only real way to fix this problem is to send each recipient a message with
a custom-encoded FROM envelope address, such as:
Where the user-id is some sort of database identifyer and the security key
is simply a random number kept in the database to prevent malicious
activity (it could also be some sort of cryptographic code).  When the
example.com mail server receives a message to bounce-xxx-yyy () example com,
it checks the security key, verifies that the bounce is a permanent
bounce, and deletes the user.

You can also do something similar with WWW removal links:
        Click http://remove.example.com/<user-id>/<security-key>

Most mass mailing systems don't do any of this, though, since this
requires sending a unique message to every recipient.  Instead of sending
one body with lots of envelope addresses to, say, AOL, you end up sending
lots of complete messages - including duplicate copies of the body - to

Joel Maslak

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]