On Wed, 20 May 2026, Kent Oyer wrote:
Hi Giovanni,
You make a fair point about this being an unexpected change for users running 4.0.2 pre-1934332. After a bit of pondering, I have two responses/concerns (both IMHO):

1. Probing URLs we haven't vetted is risky and equally unexpected. If SA's probe ends up unsubscribing a user from a list, or approving/denying a request on their behalf, that's a far worse surprise than a missing redirector match. An argument could even be made that a lenient allowlist is itself an attack surface. A crafted spam message can direct SA to fire HTTP requests at attacker-chosen URLs on any allowlisted host, from the recipient's mail-server IP. The narrower the allowlist, the smaller the risk.

2. The .cf file is a curated allowlist, not part of the API. I think users expect us to maintain it as we learn more about which hosts are abusable and how they operate. Pruning entries that don't meet the standard for inclusion is part of that maintenance. For instance, the documentation in the .cf file states:

# Please only add entries that you manually verified as actual working
# redirectors that can have abusable custom URLs. Adding non-abusable
# services only generates unnecessary HTTP requests.

So the criteria for inclusion are: (1) actual working redirector and (2) from an abusable service. Including hosts that may or may not be working redirectors seems contrary to that advice.

I concur completely.

Better safe than sorry in a situation like this, thus curate the list (at least the bare-domain non-path list) conservatively rather than aggressively. Proof is needed.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Britain used to be the most powerful empire in the world.
Now they're terrified of pocketknives.
How the mighty have fallen. -- Matt Walsh
-----------------------------------------------------------------------
5 days until Memorial Day - honor those who sacrificed for our liberty
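As an added example (not code from SpamAssassin's DecodeShortURLs plugin or from anyone in this thread), the following Python models the allowlist decision discussed above: a bare-domain match lets a message steer the mail server's HTTP probe to any path on a listed host, while a curated entry that pins the verified redirector's path prefix refuses everything else. The allowlist format, hostnames, paths and URLs are constructed assumptions for illustration only.

```python
"""Conservative allowlist check for a short-URL decoder.

Added example, not SpamAssassin's DecodeShortURLs code. It models the
decision discussed in the thread: the filter may issue an HTTP request to
decode a URL only when the URL's host (and, where the allowlist entry
carries one, its path prefix) is on a curated list of verified redirectors.
All hostnames and paths below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist. An entry is a host, optionally followed by the path
# prefix under which the verified redirector actually serves short links.
ALLOWLIST = [
    "short.example",       # every path on this host is a short link
    "links.example/r/",    # only /r/<token> redirects; the rest is a normal site
]


def parse_entry(entry):
    """Split 'host' or 'host/prefix/' into (host, '/prefix/' or None)."""
    host, sep, path = entry.partition("/")
    return host.lower(), ("/" + path) if sep else None


def should_probe(url, allowlist=ALLOWLIST, lenient=False):
    """Return True if the decoder is allowed to fetch `url`.

    lenient=True models a bare-domain match: any URL whose host is listed is
    probed, whatever its path. That is the exposure the thread describes: a
    message can make the mail server request attacker-chosen paths on a
    listed host. Strict mode (the default) also requires the entry's path
    prefix when it has one, and refuses userinfo, odd ports and non-HTTP
    schemes, none of which a verified redirector link needs.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # non-numeric port: malformed, never probe
        return False
    for entry in allowlist:
        e_host, e_path = parse_entry(entry)
        if host != e_host:      # exact host match only; no suffix matching
            continue
        if lenient:
            return True
        if parts.username is not None or port not in (None, 80, 443):
            return False
        if e_path is None or parts.path.startswith(e_path):
            return True
    return False


def audit(urls, allowlist=ALLOWLIST):
    """Compare which URLs each policy would probe; returns (strict, lenient)."""
    strict = [u for u in urls if should_probe(u, allowlist)]
    lenient = [u for u in urls if should_probe(u, allowlist, lenient=True)]
    return strict, lenient


if __name__ == "__main__":
    # Constructed URLs as they might appear in a message body.
    sample = [
        "https://short.example/AbC123",
        "https://links.example/r/9fQ2",
        "https://links.example/unsubscribe?uid=123&confirm=1",
        "https://links.example:8080/r/9fQ2",
        "https://evil.example/short.example/AbC123",
    ]
    strict, lenient = audit(sample)
    print("strict would probe :", strict)
    print("lenient would probe:", lenient)
```

Running the script shows the difference the thread is arguing about: the lenient policy would fetch the constructed `/unsubscribe?...` link on the listed host (the side-effect case Kent raises), whereas the strict policy only fetches the two URLs that match a verified redirector pattern.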