Bugtraq mailing list archives
Re: Intel.com Mailing List Arbitrary Address Removal Link
From: Todd Underwood <todd () osogrande com>
Date: Thu, 7 Feb 2002 14:00:36 -0700 (MST)
joel, all,

On Wed, 6 Feb 2002, Joel Maslak wrote:
> The fix for this requires sophisticated bounce tracking software. The only
> real way to fix this problem is to send each recipient a message with a
> custom-encoded FROM envelope address, such as:
>
>   bounce-<user-id>-<security-key>@example.com
>
> Where the user-id is some sort of database identifier and the security key
> is simply a random number kept in the database to prevent malicious
> activity (it could also be some sort of cryptographic code). When the
> example.com mail server receives a message to bounce-xxx-yyy () example com,
> it checks the security key, verifies that the bounce is a permanent bounce,
> and deletes the user.
it's worth noting that this is a succinct description of VERP (variable envelope return path), something used by ezmlm and qmail to accomplish exactly this--make it difficult to forge a bounce and easy to determine true per-recipient bounces. VERP makes handling large mailing lists trivial and significantly reduces this security problem. see http://www.lifewithqmail.org/lwq.html#verp for a good description.

-- 
todd underwood, vp & cto
oso grande technologies, inc.
todd () osogrande com

"Those who give up essential liberties for temporary safety deserve neither liberty nor safety." - Benjamin Franklin
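The scheme Joel describes and Todd identifies as VERP, worked through as an added example (this is not code from the thread, nor from ezmlm or qmail). It takes the "cryptographic code" option for the security key: a truncated HMAC over the user id under a server secret, so no extra random value has to be stored per subscriber. The secret, domain, subscriber table and DSN status strings are all constructed for the example; the permanent-versus-transient distinction follows RFC 3464 (5.X.X permanent, 4.X.X transient).

```python
import hashlib
import hmac
import re

# Constructed example values (not from the original post): a real list server
# keeps the secret in its configuration and the subscribers in a database.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
LIST_DOMAIN = "example.com"
TAG_HEX_LEN = 16  # 64-bit truncated HMAC tag, as hex digits


def security_key(user_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Per-user security key: truncated HMAC-SHA256 over the user id.
    Unguessable without the server secret, and needs no database column."""
    mac = hmac.new(secret, str(user_id).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:TAG_HEX_LEN]


def make_bounce_address(user_id: int, domain: str = LIST_DOMAIN) -> str:
    """Envelope sender (MAIL FROM) to use when delivering to this user,
    in the bounce-<user-id>-<security-key>@domain form from the thread."""
    return f"bounce-{user_id}-{security_key(user_id)}@{domain}"


_BOUNCE_RE = re.compile(r"^bounce-(\d+)-([0-9a-f]{%d})@(.+)$" % TAG_HEX_LEN)


def verify_bounce_address(address: str, domain: str = LIST_DOMAIN):
    """Return the user id encoded in a bounce address if its security key
    verifies for our domain, otherwise None. The key comparison is
    constant-time so the tag cannot be recovered byte by byte."""
    m = _BOUNCE_RE.match(address.strip().lower())
    if m is None or m.group(3) != domain:
        return None
    user_id = int(m.group(1))
    if not hmac.compare_digest(m.group(2), security_key(user_id)):
        return None
    return user_id


def is_permanent_bounce(dsn_status: str) -> bool:
    """RFC 3464 DSN status: 5.X.X is a permanent failure; 4.X.X is
    transient and must never unsubscribe anyone."""
    return re.fullmatch(r"5\.\d{1,3}\.\d{1,3}", dsn_status.strip()) is not None


def handle_bounce(rcpt_to: str, dsn_status: str, subscribers: dict) -> bool:
    """Process one message that arrived at the bounce mailbox. The
    subscriber is removed only when the address verifies AND the bounce
    is permanent. Returns True if a subscriber was removed."""
    user_id = verify_bounce_address(rcpt_to)
    if user_id is None or user_id not in subscribers:
        return False
    if not is_permanent_bounce(dsn_status):
        return False
    del subscribers[user_id]
    return True


if __name__ == "__main__":
    # Constructed subscriber table.
    subs = {42: "alice@example.org", 43: "bob@example.net"}
    addr = make_bounce_address(42)
    print("MAIL FROM:", addr)
    # A genuine permanent bounce to the verified address removes user 42 ...
    print(handle_bounce(addr, "5.1.1", subs), subs)
    # ... but a guessed address with the wrong key does nothing to user 43.
    print(handle_bounce("bounce-43-0000000000000000@example.com", "5.1.1", subs), subs)
```

Without the key, anyone who could guess a user id could remove that subscriber by mailing the bounce mailbox; with it, a forged bounce has to carry the right HMAC tag, and even a genuine one only removes the user when the DSN reports a permanent failure.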
Current thread:
- Intel.com Mailing List Arbitrary Address Removal Link E M (Feb 06)
- Re: Intel.com Mailing List Arbitrary Address Removal Link Joel Maslak (Feb 07)
- Re: Intel.com Mailing List Arbitrary Address Removal Link Todd Underwood (Feb 08)
- <Possible follow-ups>
- Re: Intel.com Mailing List Arbitrary Address Removal Link Thierry Zoller (Feb 07)
- Re: Intel.com Mailing List Arbitrary Address Removal Link Ryan M Harris (Feb 08)
- RE: Intel.com Mailing List Arbitrary Address Removal Link Knud Erik Højgaard (Feb 08)
- RE: Intel.com Mailing List Arbitrary Address Removal Link jlewis (Feb 09)
- Re: Intel.com Mailing List Arbitrary Address Removal Link Joel Maslak (Feb 07)