On 7 Oct 2008 at 20:38, James Knott wrote: .... Isn't it necessary to impersonate the address that the mail is > originally sent to, in order to request unsubscribe? Otherwise, we're > back to the situation where anybody could unsubscribe anyone.
Don't forget unsubbing is a two-step process. The original request needs to identify /who/ is to be unsubbed -- this comes either from the 'from' mail header or by cutting up the '=' form of the 'to' unsub address. The request needs authenticating because it's trivial to forge such a request. OOO does this by sending to the I-want-to-be-unsubbed address a magic cookie. It assumes that whoever finally receives this magic cookie is a legitimate user of that address, and so anyone who can quote that cookie is allowed to confirm the unsubscription request. If a malicious unsub request is sent in, the attacker won't ordinarily receive the cookie, so cannot complete the request. Instead the legit email subscriber will get it, wonder what's going on (and hopefully take action!!) Quite reasonable, as it covers a situation where an address is forwarded. It does mean a malicious mail admin (or anyone with similar access /could/ intercept mail and play daft tricks. I don't believe that's a significant issue though. -- Permission for this mail to be processed by any third party in connection with marketing or advertising purposes is hereby explicitly denied. http://www.scottsonline.org.uk lists incoming sites blocked because of spam [EMAIL PROTECTED] Mike Scott, Harlow, Essex, England --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
