At 8:30 AM -0700 7/23/98, David W. Tamkin wrote:

> It has a serious drawback, which must be addressed.  I've seen this happen
> twice.
>
> Ezmlm sends email to the applicant address with a Reply-To: address whose
> local part is suffixed with the applicant address (the @-sign defused into
> an equal sign) and a personal confirmation token.

Frankly, if it's subscribing the From: address, but sending the
confirmation to the Reply-To: address, it has a security hole the size
of Rhode Island. That's not a drawback, that's a bug. A bad one. Same
if majordomo did this -- if "[EMAIL PROTECTED]" is being subscribed, then
"[EMAIL PROTECTED]" gets the confirmation notice. Not whatever the email
subscribing that address uses as a reply-to.

This is a situation where reply-to HAS to be stripped and thrown away,
or you're just wide open for a forge-spam -- THROUGH the validation
process.

--
Chuq Von Rospach (Hockey fan? <http://www.plaidworks.com/hockey/>)
Apple Mail List Gnome (mailto:[EMAIL PROTECTED])
Plaidworks Consulting (mailto:[EMAIL PROTECTED])
<http://www.plaidworks.com/> + <http://www.lists.apple.com/>
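The routing bug Chuq describes, next to the fix, as an added example that is not part of the original thread and not ezmlm's or majordomo's code: a forged subscription request carries From: the victim and Reply-To: the attacker. A list manager that mails the confirmation to Reply-To hands the token to the attacker, who simply replies and subscribes the victim; the hardened version mails it to the address actually being subscribed and ignores Reply-To. The list name, domain, HMAC key and request message are constructed for the demo, and the confirmation Reply-To layout (list local part, a token, then the applicant address with "@" turned into "=") only mirrors the scheme described in the quoted text, not any particular product's exact format.

```python
import hmac
import hashlib
from email.parser import Parser
from email.utils import parseaddr
from typing import Optional

# Constructed values for the demo: a hypothetical list and a token key.
LIST_LOCAL = "mylist"
LIST_DOMAIN = "lists.example.net"
TOKEN_KEY = b"constructed-demo-key-rotate-in-production"

# Constructed forged request: From: names the victim, Reply-To: the attacker.
FORGED_REQUEST = """\
From: victim@example.org
Reply-To: attacker@evil.example
To: mylist-subscribe@lists.example.net
Subject: subscribe

"""


def confirm_token(address: str) -> str:
    """Token bound to the address being subscribed (keyed HMAC, truncated)."""
    mac = hmac.new(TOKEN_KEY, address.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def subscribe_address(raw_request: str) -> str:
    """The address the request is for: taken from From:, never from Reply-To:."""
    msg = Parser().parsestr(raw_request)
    return parseaddr(msg.get("From", ""))[1].lower()


def vulnerable_confirmation_target(raw_request: str) -> str:
    """The bug under discussion: honour Reply-To: when picking where the
    confirmation mail goes, so a forged Reply-To: receives the token."""
    msg = Parser().parsestr(raw_request)
    return parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1].lower()


def hardened_confirmation_target(raw_request: str) -> str:
    """The fix: Reply-To: is stripped and thrown away; the confirmation goes
    only to the address that would be subscribed."""
    return subscribe_address(raw_request)


def confirmation_reply_to(address: str) -> str:
    """Reply-To: for the confirmation mail: list local part, token, and the
    applicant address with '@' defused into '=' (scheme mirrors the thread)."""
    user, host = address.split("@", 1)
    return f"{LIST_LOCAL}-sc.{confirm_token(address)}.{user}={host}@{LIST_DOMAIN}"


def verify_confirmation(reply_local_part: str) -> Optional[str]:
    """Parse the recipient local part of a confirmation reply and return the
    applicant address if the embedded token checks out, else None."""
    prefix = f"{LIST_LOCAL}-sc."
    if not reply_local_part.startswith(prefix):
        return None
    token, sep, encoded = reply_local_part[len(prefix):].partition(".")
    if not sep or "=" not in encoded:
        return None
    user, host = encoded.rsplit("=", 1)  # last '=' separates user from host
    address = f"{user}@{host}"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if hmac.compare_digest(token, confirm_token(address)):
        return address
    return None


def demo_routing(raw_request: str = FORGED_REQUEST) -> dict:
    """Where each variant would send the confirmation for the forged request."""
    return {
        "subscribing": subscribe_address(raw_request),
        "vulnerable_sends_to": vulnerable_confirmation_target(raw_request),
        "hardened_sends_to": hardened_confirmation_target(raw_request),
    }


if __name__ == "__main__":
    for key, value in demo_routing().items():
        print(f"{key}: {value}")
    print("confirmation Reply-To:", confirmation_reply_to("victim@example.org"))
```

The token alone does not close the hole: it proves the replying party received the confirmation mail, so the check is only as good as the choice of recipient. Sending the token anywhere other than the address being subscribed, whether via Reply-To or any other sender-controlled header, lets the forger complete the handshake on the victim's behalf.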