Harold Fuchs wrote:
> I see that some experiments have been done to see if it is possible to
> unsubscribe an address you don't "own" and that in at least some
> circumstances the experiments have been successful.
>
> Would someone please explain carefully and clearly
> a) What the circumstances are that allow this. In particular, is it
> *only* possible when the address being "unsubscribed" (the attacker)
> is having its messages forwarded to the person performing the
> procedure (the victim)? If not, what other possibilities are there?
>

You may have more than one email account, but normally only use one SMTP server. This means you can send from any email address through that one SMTP server. I have done this when sending mail on my personal account from my work computer. Unfortunately, it also means you can impersonate someone else. In our example, impersonation would be necessary in order to get the subscription ended.

> and
>
> b) What exactly is the procedure
>
> Also, if the explanation uses the term "mimic account", would the
> explainer please explain what this term means.
>
> Thanks.
>

I set up my Gmail account to forward mail to Barbara and was able to do so without her password. This means anyone could forward mail to someone else. In return, Barbara created an account, using my address as her from address, again without knowing my password. This allowed her to impersonate me. So, if I had set up forwarding so that she received list mail, she now can impersonate me to unsubscribe from the list. However, this does not completely stop someone who is determined to harass someone in this manner. It might only slow them down a bit.
--
Use OpenOffice.org <http://www.openoffice.org>
