Here's our test message, so that anyone who cares can look at the headers. As you can see, Barbara was able to impersonate me without knowing my password, and I was able to forward mail to her without using her password.

-------- Original Message --------
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from linux.home (localhost.localdomain [127.0.0.1]) by linux.home (Postfix) with ESMTP id 9F502E2B0 for <[EMAIL PROTECTED]>; Sun, 5 Oct 2008 15:41:31 -0400 (EDT)
X-Apparently-To: [EMAIL PROTECTED] via 206.190.37.193; Sun, 05 Oct 2008 12:39:58 -0700
X-Originating-IP: [207.200.0.226]
Authentication-Results: mta104.rog.mail.re2.yahoo.com from=rogers.com; domainkeys=neutral (no sig)
Received: from pop-rog.mail.yahoo2.akadns.net [206.190.36.17] by linux.home with POP3 (fetchmail-6.3.8) for <[EMAIL PROTECTED]> (single-drop); Sun, 05 Oct 2008 15:41:31 -0400 (EDT)
Received: from 207.200.0.226 (EHLO mail.onr.com) (207.200.0.226) by mta104.rog.mail.re2.yahoo.com with SMTP; Sun, 05 Oct 2008 12:39:58 -0700
Received: from [192.168.1.108] (unknown [70.114.194.139]) by mail.onr.com (Postfix) with ESMTP id 9A13350071 for <[EMAIL PROTECTED]>; Sun, 5 Oct 2008 14:39:57 -0500 (CDT)
Message-ID: <[EMAIL PROTECTED]>
Date: Sun, 05 Oct 2008 14:39:57 -0500
From: Users Test <[EMAIL PROTECTED]>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: James Knott <[EMAIL PROTECTED]>
Subject: Re: [Fwd: Re: [users] Re: openoffice.org - Malicious Third-Party Subscription]
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I got it -- now I'm pretending to be you to reply.

James Knott wrote:
> Here's your message forwarded to my gmail account. If you get it, let
> me know at my [EMAIL PROTECTED] address.
>
>
> -------- Original Message --------
> Return-Path: <[EMAIL PROTECTED]>
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: from linux.home (localhost.localdomain [127.0.0.1]) by
> linux.home (Postfix) with ESMTP id EA3EFE2B0 for
> <[EMAIL PROTECTED]>; Sun, 5 Oct 2008 14:10:25 -0400 (EDT)
> X-Apparently-To: [EMAIL PROTECTED] via 206.190.37.193; Sun, 05
> Oct 2008 11:10:17 -0700
> X-Originating-IP: [204.16.104.2]
> Authentication-Results: mta107.rog.mail.re2.yahoo.com from=onr.com;
> domainkeys=neutral (no sig)
> Received: from pop-rog.mail.yahoo2.akadns.net [206.190.36.17] by
> linux.home with POP3 (fetchmail-6.3.8) for <[EMAIL PROTECTED]>
> (single-drop); Sun, 05 Oct 2008 14:10:25 -0400 (EDT)
> Received: from 204.16.104.2 (HELO openoffice.org) (204.16.104.2) by
> mta107.rog.mail.re2.yahoo.com with SMTP; Sun, 05 Oct 2008 11:10:15 -0700
> Received: (qmail 22582 invoked by uid 5000); 5 Oct 2008 18:10:08 -0000
> Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
> Precedence: bulk
> X-No-Archive: yes
> list-help: <mailto:[EMAIL PROTECTED]>
> list-unsubscribe: <mailto:[EMAIL PROTECTED]>
> list-post: <mailto:[email protected]>
> Reply-To: [email protected]
> Delivered-To: mailing list [email protected]
> Received: (qmail 22568 invoked from network); 5 Oct 2008 18:10:08 -0000
> X-IronPort-Anti-Spam-Filtered: true
> X-IronPort-Anti-Spam-Result:
> AugAABOg6EjPyADio2dsb2JhbACTXQEBAQEBAQcLCgcRnjATCAOFMmQIBHo
> X-IronPort-AV: E=Sophos;i="4.33,364,1220252400";
> d="scan'208";a="13706388"
> X-IRONPORT: SCANNED
> Message-ID: <[EMAIL PROTECTED]>
> Date: Sun, 05 Oct 2008 13:10:06 -0500
> From: Barbara Duprey <[EMAIL PROTECTED]>
> User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
> MIME-Version: 1.0
> To: [email protected]
> References: <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> In-Reply-To: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> Subject: Re: [users] Re: openoffice.org - Malicious Third-Party
> Subscription
>
>
>
> James Knott wrote:
> > Barbara Duprey wrote:
> >
> >>> I then created a bogus account, using the name "test" on the same ISP as
> >>> the first test. When I tried to send the main ISP's SMTP server
> >>> rejected it, saying the account couldn't be verified. So it would
> >>> appear this method would at least require a valid account somewhere.
> >>>
> >> The behavior doesn't seem very predictable. In my case, I'm quite sure
> >> I went through the same steps two different times: creating a bogus
> >> account in Thunderbird, then trying to send a message from it. In
> >> between, I deleted the bogus account. And you had different results on
> >> your two tests, but neither asked for a password. It sounds as if
> >> recommending this as a solution for problem "unsubscribes" may or may
> >> not work, depending on the SMTP server and possibly other factors like
> >> different mail clients.
> >>
> >> In a related post, I asked what people thought about just eliminating
> >> the "goodbye" confirmation. I don't think malicious unsubscribes are
> >> either likely or particularly harmful, and it would be much easier to
> >> deal with malicious subscribes. The unsubscribe process could send a
> >> message, but not require response, and that would mean that once the
> >> subscription account was known, anybody could do the unsubscribe. So
> >> when we got one of these "please unsubscribe me" posts, we could just
> >> do it, or tell an apparently unsubscribed OP to look at a full message
> >> header to identify the subscriber, then use the
> >> [EMAIL PROTECTED] to unsubscribe. Haven't
> >> heard any response to that idea yet.
> >>
> >>
> > Hi Barbara
> >
> > I'd like to try an experiment where I forward email from my gmail
> > account to your account. Do I have your permission to try this? If so,
> > which account would you prefer I use?
>
> Sure, and [EMAIL PROTECTED] is fine. It's definitely something it would be
> good to know. How would you like me to respond?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
> --
> Use OpenOffice.org <http://www.openoffice.org>

--
Use OpenOffice.org <http://www.openoffice.org>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
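
Added example, not part of the original message: a header check a recipient could run on a message like the one above, reading the Authentication-Results verdict and the Received hop written by the same server to see whether anything vouches for the From domain. The sample headers, domains and addresses are constructed placeholders, and the function names and parsing patterns are assumptions that follow the header layout shown in this message.

```python
import re
from email import message_from_string

# Constructed sample modelled on the forwarded headers above; the domains,
# addresses and IDs are placeholders, not values from the original message.
SAMPLE = """\
Authentication-Results: mta104.isp-a.example from=isp-a.example;
 domainkeys=neutral (no sig)
Received: from pop.isp-a.example [203.0.113.17] by linux.home with POP3
 (fetchmail-6.3.8); Sun, 05 Oct 2008 15:41:31 -0400 (EDT)
Received: from 198.51.100.226 (EHLO mail.isp-b.example) (198.51.100.226)
 by mta104.isp-a.example with SMTP; Sun, 05 Oct 2008 12:39:58 -0700
Received: from [192.168.1.108] (unknown [192.0.2.139]) by mail.isp-b.example
 (Postfix) with ESMTP id 0000000000; Sun, 5 Oct 2008 14:39:57 -0500 (CDT)
From: Users Test <james@isp-a.example>
To: James <james@isp-a.example>
Subject: test

(body omitted)
"""

def org_domain(host):
    """Last two labels only (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_sender(raw):
    """Report whether anything in the headers vouches for the From domain."""
    msg = message_from_string(raw)
    ar = " ".join(msg.get("Authentication-Results", "").split())
    authserv = ar.split(" ")[0].rstrip(";").lower() if ar else ""
    claimed = re.search(r"\bfrom=([\w.-]+)", ar)
    verdict = re.search(r"\bdomainkeys=(\w+)", ar)
    relay = None
    # Use only the hop written by the server that produced Authentication-Results;
    # hops below it were recorded on the sending side and can be made up.
    for hop in msg.get_all("Received", []):
        m = re.search(r"\((?:EHLO|HELO) ([\w.-]+)\).*?\bby ([\w.-]+)", " ".join(hop.split()))
        if m and m.group(2).lower() == authserv:
            relay = m.group(1)
            break
    findings = []
    if not verdict or verdict.group(1).lower() != "pass":
        findings.append("from-domain-unsigned")
    if claimed and relay and org_domain(claimed.group(1)) != org_domain(relay):
        findings.append("relay-outside-from-domain")
    return {"claimed": claimed.group(1) if claimed else None,
            "relay": relay, "findings": findings}
```

The EHLO name is reported by the sending server itself, so `relay-outside-from-domain` is only a hint; `from-domain-unsigned` is the finding that says the From address was accepted without verification.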
