Re: list
- Date: Fri, 13 Feb 1998 15:54:52 +0100 (MET)
Xander Jansen wrote:
> + >The only way to prevent most (but probably not all) forged subscriptions
> + >is the confirm mechanism but as James pointed out that too has problems
> + >but when choosing between two evils I would prefer a confirmation
> + >mechanism above the ease to subscribe local sublists.
> +
> + Why is the cookie confirmation an .XOR. for subscribing a local sublist?
>
> It is not exactly an .XOR. but depending on the implementation of the
> software the acknowledgement of the subscription has to come from specific
> return-adresses and that can cause either some hacking or at least using a
> mail client that sends out the ACK as coming from the sublist address. But
> again, this depends on how the cookie-mechanism is implemented. I don't
> know how majordomo does it but I guess there will be some checking on
> adresses. If the only check is the returned cookie than I guess there is
> no problem at all and the confirmation mechanism has no repercussions for
> sublist-subscriptions.
As far as I could check, majordomo doesn't match the From_ address against
the From: address when checking the cookie confirmation. (And, AArgh!
the cookies as implemented in majordomo 1.94.3 look dangerously easy to
hack. Well, let's hope spammers aren't good at cryptography ):
--
#! ##### Jan-Pieter Cornet ##### johnpc@localhost ##### perl
++$_;$!=$_+++$_;($:,$,,$/,$*)=$!=~/.(.)...(.)(.).(.)/;$!=$_+$_;
($@,$\,$~)=$!=~/(.)(.).(.)/; $_="$,$/$:"; $@localhost $~="$~$_";($_)=
\$$=~/\((.)/;$|=++$_;$_++;$|++;$~="$~ $@localhost:";`$~$/$\$*$, $|>&$_`