Posted on 8 Jul 1995 at 14:15:36 by Mark Hunnibell:
>I have nothing more than a little knowledge and a suspicious nature to go on
>here, but I think that it is possible that the recent problems with "Mr ROK"
>subscriptions may have been made possible by a WWW cgi script that used to work
>but now appears non-operational:
No, it's possible because the current Internet mail system allows mail to
be forged quite easily.  It requires just a small amount of knowledge about
how the system works, and no special software.  Brownvm is running standard
TCP/IP and mail software, and no changes were made to it for the CGI script.
>It seems natural to me that the cgi script would port the
>commands directly to the LISTSERV@BROWNVM, which is why I bring this whole thing
>up (someone said it all seemed to come from BROWN).
No, the script simply generates mail, which is delivered to LISTSERV in
the usual way.  The mail goes to LISTSERV@BROWNVM only if it is for one
of Brown's lists.  While the script could be used to forge a few subscriptions,
there are much easier ways to forge hundreds of subscription requests.
Also, no lists are included in the gateway unless the list owners request
or approve it.
In my opinion, the best defense against this kind of problem is use of
LISTSERV's "confirm" subscription option.  Using that option also ensures
that an address is valid before a subscription is entered for it.  However,
"confirm" is a bit of a nuisance, and can be confusing for people just
starting to use mail.  As is usually the case, increasing security reduces
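The "confirm" option described above works because a subscription request is never acted on directly: a confirmation with a secret token is mailed to the claimed address, and the subscription is entered only when that token comes back. Since the From: header of the request can be forged, only someone who can read mail at the address can complete the step. The following is an added example of that flow, not LISTSERV's own code; the list name, addresses, 48-hour lifetime, token format and the `ListServer` class are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Per-deployment signing key (constructed here; a real server would keep it on disk).
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 48 * 3600  # confirmation is valid for 48 hours (assumed value)


def make_confirm_token(list_name, address, issued_at, secret=SECRET):
    """Bind a token to (list, address, issue time) with an HMAC so it cannot be
    reused for another address or another list."""
    msg = f"{list_name}\0{address.lower()}\0{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"{issued_at}.{mac}"


def check_confirm_token(list_name, address, token, now, secret=SECRET, ttl=TOKEN_TTL):
    """Return True only if the token was issued for this list and address
    and has not expired. Malformed tokens are rejected rather than raising."""
    try:
        issued_str, _mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > ttl:
        return False
    expected = make_confirm_token(list_name, address, issued_at, secret)
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(expected, token)


class ListServer:
    """Minimal in-memory model of a list server using confirmed subscriptions."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.subscribers = {}   # list name -> set of confirmed addresses
        self.outbox = []        # (recipient, body) of confirmation mails "sent"

    def handle_subscribe(self, list_name, from_address, now):
        # The From: header is untrusted, so nothing is entered yet. A forged
        # request only causes a confirmation mail to reach the real mailbox
        # owner, who can ignore it.
        token = make_confirm_token(list_name, from_address, now, self.secret)
        self.outbox.append((from_address, f"OK {token}"))
        return token

    def handle_ok(self, list_name, from_address, token, now):
        # Reply must come from (or at least carry the token issued to) the same
        # address; a token copied to a different address or list is rejected.
        if not check_confirm_token(list_name, from_address, token, now, self.secret):
            return False
        self.subscribers.setdefault(list_name, set()).add(from_address.lower())
        return True


if __name__ == "__main__":
    srv = ListServer()
    tok = srv.handle_subscribe("EXAMPLE-L", "alice@example.net", now=1000)
    print("confirmation sent:", srv.outbox[-1])
    print("confirmed:", srv.handle_ok("EXAMPLE-L", "alice@example.net", tok, now=2000))
    print("subscribers:", srv.subscribers)
```

The check rejects a token presented for another address, for another list, after the lifetime has passed, or in a malformed form, which is what makes the step resistant to the forged-From: problem discussed above while still verifying that the address actually receives mail.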