LISTSERV - LSTOWN-L Archives - COMMUNITY.EMAILOGY.COM

LSTOWN-L Archives

LISTSERV List Owners' Forum

LSTOWN-L

	LISTSERV Archives
	LSTOWN-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Topic:	[<< First] [< Prev] [Next >] [Last >>]

Re: Justifiable paranoia?

Mark Hunnibell <[log in to unmask]>

Sat, 8 Jul 1995 14:08:41 -0400

text/plain (45 lines)

Hi folks:
 
I have nothing more than a little knowledge and a suspicious nature to go on
here, but I think that it is possible that the recent problems with "Mr ROK"
subscriptions may have been made possible by a WWW cgi script that used to work
but now appears non-operational:
 
   http://www.netspace.org/cgi-bin/lwgate
 
The author of this page (program) is at Brown University. The IP address for the
www.netscape.org system is at Brown University. When I looked at the page a
month or so ago, it would only allow subscriptions to a selected list of lists
but I would not be surprised if someone could discover a workaround to that or
perhaps the program was altered to allow subscription to any list.  The most
scary part of the page was that it asked the user for their email address.
Apart from errors caused by typing, this concept would also cause problems if
people's From: line didn't appear like they thought it did.  Additionally, it
would also be possible to input *any* address, hence creating a really nifty
spoofing utility.  It seems natural to me that the cgi script would port the
commands directly to the LISTSERV@BROWNVM, which is why I bring this whole thing
up (someone said it all seemed to come from BROWN).
 
The reason I looked at this page a while back is because I was thinking of doing
something similar but was very concerned about the open window created by
allowing the user to key in their own e-mail address.  The solution I had
arrived at was that a person would first have to send an e-mail message to a
special bot address which would reply via e-mail with a password that the person
would be asked for on the same form as their e-mail address.  My logic was that
if they sent mail from an account and subsequently received mail there (the
password), it would be reasonably safe to reproduce their e-mail address as the
From: line in a www-gatewayed message to a LISTSERV.
 
I've done no work on this, so please don't ask for the code... I have just
thought it as far through as that and some others I work with pointed out that
another password wasn't a very elegant or easy answer either.
 
I hope this helps and I *do* apologize to David Baker if he feels I've maligned
his work on the LISTSERV gateway, but this seems a puzzle that few have ideas
about so I hope you forgive my rambling.
 
Cheers
 
Mark Hunnibell                  Email: [log in to unmask]
KIDLINK Gopher/WWW Coordinator  http://www.connix.com/~markh

ATOM RSS1 RSS2

COMMUNITY.EMAILOGY.COM