On Thu, Nov 05, 1998 at 07:17:20AM -0500, Rainmaker wrote:
> Why two? If one is a confirmation, it isn't necessary. We have
> four lists going on Majordomo, and don't send out a confirmation.
> Only one have we had folks subscribe others erroneously, and
> it's not worth the hassle to eliminate that procedure.
Whose hassle?
If someone decides to bulk-subscribe a victim to 10,000 mailing lists
(and yes, this has happened, multiple times), then you've only got
to deal with one victim on one mailing list. It's not much hassle
for you.
The victim has to issue 10,000 unsubscribe requests -- and given
that people use majordomo, listproc, listserv, smartlist, and lots
of other MLMs (mailing list managers), that victim also has to
figure out the correct incantation for each mailing list. Meanwhile,
they have to absorb the traffic from all those lists -- because,
until they manage to unsubscribe, they *will* get it. More than
one organization (e.g. victim's ISP) has been severely loaded down
by such an attack -- which in turn affects every other user of
those facilities.
If you use confirmation, then the victim *does* have to delete
10,000 "did you really subscribe?" messages, which is a couple of
orders of magnitude less work for them as well as for any mail
gateway/server that they're using.
So it's not much hassle for you, or for the attacker: it's a *lot*
for the victim, and you could have saved them most of it just by
changing your majordomo configuration a bit.
That's just one example. Consider also that without confirmation
you've made it much easier for someone to subscribe the address
of a mail-to-news gateway, or other things that you really,
REALLY, do not want subscribed to your mailing lists.
There's at least one scenario worse than that, but I'm not going to
discuss it on a public mailing list, lest I give anybody ideas.
> IMHO, a confirmation sent out asking if I really subscribed is merely a CYA tactic.
Sites that do not do so are rapidly being discovered and utilized by
unscrupulous individuals to launch such attacks. Given that the
problem is known, and that the fix is easy, it's as negligent not
to implement it as it is to allow open mail relaying.
---Rsk
Rich Kulawiec
[EMAIL PROTECTED]
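The confirmed opt-in mechanism argued for above, as an added example (this is not Majordomo's code nor the author's; the "auth ... subscribe" wording is only loosely modelled on Majordomo's command syntax, and the secret, addresses and list names are constructed). A subscribe request never adds an address; it mails the address an HMAC token bound to (address, list, expiry), and the address is added only when that token comes back. It goes one step beyond the text: a per-address daily cap on confirmation mails, so a 10,000-list subscribe-bomb does not turn into 10,000 "did you really subscribe?" messages either, and the stateless token means the server stores nothing per request.

```python
import hashlib
import hmac
import time


class ConfirmedOptIn:
    """Confirmed opt-in for a mailing-list manager (added example, not Majordomo's code)."""

    def __init__(self, secret: bytes, ttl: int = 86400, max_per_day: int = 3):
        self.secret = secret            # server-side key; tokens cannot be forged without it
        self.ttl = ttl                  # seconds a confirmation token stays valid
        self.max_per_day = max_per_day  # cap on confirmation mails per address per day
        self.members = {}               # listname -> set of confirmed addresses
        self.recent = {}                # address -> timestamps of confirmation mails sent
        self.outbox = []                # (recipient, body) pairs that would be mailed

    def _token(self, address, listname, expires_at):
        # Stateless token: HMAC over the exact (address, list, expiry) being confirmed.
        msg = f"{address}|{listname}|{expires_at}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_subscribe(self, address, listname, now=None):
        """Handle 'subscribe <list> <address>'. Never subscribes directly."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        sent = [t for t in self.recent.get(address, []) if now - t < 86400]
        self.recent[address] = sent
        if len(sent) >= self.max_per_day:
            return None  # drop silently: a subscribe-bomb must not become a confirmation-bomb
        expires_at = now + self.ttl
        token = f"{expires_at}.{self._token(address, listname, expires_at)}"
        sent.append(now)
        self.outbox.append((address, f"auth {token} subscribe {listname} {address}"))
        return token

    def confirm(self, address, listname, token, now=None):
        """Handle 'auth <token> subscribe <list> <address>' sent back from the mailbox."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        try:
            expires_str, mac = token.split(".", 1)
            expires_at = int(expires_str)
        except ValueError:
            return False  # malformed token
        if now > expires_at:
            return False  # stale token
        expected = self._token(address, listname, expires_at)
        if not hmac.compare_digest(expected, mac):
            return False  # token was not issued for this address/list/expiry
        self.members.setdefault(listname, set()).add(address)
        return True

    def is_member(self, address, listname):
        return address.strip().lower() in self.members.get(listname, set())


def simulate_subscribe_bomb(n_requests=10_000, now=1_000_000):
    """Constructed scenario: n subscribe requests arrive for one victim address."""
    mlm = ConfirmedOptIn(secret=b"constructed-demo-secret")
    victim = "victim@example.net"  # constructed address
    for i in range(n_requests):
        mlm.request_subscribe(victim, f"list-{i}", now=now)
    # Returns: confirmation mails actually sent, whether the victim got subscribed, the MLM
    return len(mlm.outbox), mlm.is_member(victim, "list-0"), mlm
```

Because the token covers the list name and expiry as well as the address, a token confirmed for one list cannot be replayed to join another, and an old confirmation cannot be used after the window closes; the cap in `request_subscribe` is what keeps the confirmation traffic to the victim bounded regardless of how many lists an attacker names.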