On 05/10/2008 17:21, mike scott wrote:
On 5 Oct 2008 at 11:34, Harold Fuchs wrote:
...
But isn't what you did only possible because both addresses are "@scottsonline" and your ISP knows about that name? So your computer will receive anything addressed to that domain. The password for your mail account is at the domain level, I think. I use a gmail account for this list. I don't *think* you could do to me what you did to yourself without knowing the password on my gmail account. In this case the password is at the individual address level because all gmail users are "@" the same domain.

More precisely, as I run my own mail server for scottsonline, I set up 'dummy' at that point - as a forwarded email address, which is the equivalent of what appears to have happened with our friend. So nothing at all to do with "domain level" passwords.

But think about it - anyone can send an unsub request for someone else, either by telling their mail client they are that other person, or using the OOo address construction I can never remember :-) If mail is being forwarded, the final recipient will receive the magic cookie that will finally unsubscribe the address from the list. I strongly suspect it actually doesn't matter who sends that back, but in any event, an address can be faked as above.

My personal e-mail is @ a "hostname" on Demon (a UK ISP). A "hostname" is a name you choose when you sign up with Demon. It must be unique within the Demon world. Suppose you signed up with Demon and chose "scottsonline" as your hostname. You would then have available to you *unlimited* e-mail addresses of the form
   <user_address>@scottsonline.demon.co.uk
You can invent as many <user_address>'s as you like. Demon's SMTP/POP servers will send/receive from/to any of them. The password on all of them is the same because the password is for the "scottsonline" hostname. It's up to you how you separate mail for your different addresses. Using filters is one way. Using different "identities" (Outlook Express & Thunderbird at least support this notion) is another.

But that's not the situation here.

If you'd like to confirm that Harold, I could set up a temporary test address for you here, subscribe it to the list, then forward email from it to you. I'm 99.9999999% sure you'd be able to unsubscribe by the above means (and in the 0.0000001% chance it didn't work, I'd knobble it on request or within, oh, say 24 hours anyway.) Let me know?

Mike, no. I corrected that e-mail with a "whoops" a few minutes after sending it. What I said in that ("whoops") message was: "Whoops. No. The victim *can*, I think, "unsubscribe" using Mike Scott's procedure described above. Sorry. So, to summarise, I think the victim can't prevent the attack but can cure it. "

Subsequently Roy ([EMAIL PROTECTED]) pointed out:
"I'll bet not many people have sent for the list "help" email...
How to un-subscribe a "forwarded" email address is clearly defined towards the bottom..." That "help" describes a method whereby you don't have to "fake" an e-mail address in your account settings.

--
Harold Fuchs
London, England
Please reply *only* to [email protected]
