-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SpamCop (http://spamcop.net/) has a service which operates as follows:

1) You get an account ([EMAIL PROTECTED])

2) If someone ([EMAIL PROTECTED]) sends you e-mail, and the sender's
   e-mail address is not in your "known" profile, the e-mail is held on
   the SpamCop system, and a message sent to the originator. This message
   contains a URL which the originator must access. Accessing this URL
   verifies to SpamCop that the sender address is a valid e-mail address.
   SpamCop then "releases" the mail and marks the sender as "known" to
   [EMAIL PROTECTED]

Unfortunately, the URL generated in step (2) contains a fixed prefix
followed by an incrementing sequence number. A spammer therefore needs
to send one innocuous e-mail (to a friend at spamcop.net?) from a real
e-mail address to get the initial sequence number. He then spams
everyone at spamcop.net while his shell script calls "lynx" with
repeatedly-incrementing sequence numbers.

Fix: Spamcop should add (for example) a random 16-byte cookie to each
URL to make it harder to guess.

Status: Weakness reported to SpamCop a week ago; no response yet.

- --
David F. Skoll
Roaring Penguin Software Inc. | http://www.roaringpenguin.com
GPG fingerprint: 9314 DC81 CE49 05C5 2F64 252B 3134 AD1F 1216 8F20
GPG public key: http://www.roaringpenguin.com/dskoll-key-2001.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/

iD8DBQE6XfVFMTStHxIWjyARAk5mAJ0SZ7Yw8LQvue+QR4KEA6SDVES4VwCfbb9V
QGhVjqDAQ5mrhbYesTFiTF8=
=L88E
-----END PGP SIGNATURE-----
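The enumeration attack and the proposed fix, as an added example that is not part of the original post and not SpamCop's code. It models a challenge-response holding queue in memory, issues release tokens either from a counter (the weak scheme the post describes) or from 16 random bytes (the proposed cookie), and then runs the post's "learn one token, walk forward" attack against each. The URL prefix, the e-mail addresses and the in-memory store are all constructed for the example.

```python
import itertools
import secrets

# Hypothetical URL prefix; the real SpamCop prefix is not given on the page.
VERIFY_PREFIX = "http://verify.example.invalid/release?id="


class ChallengeStore:
    """Holds mail from unknown senders until its verification URL is visited."""

    def __init__(self, token_factory):
        self._token_factory = token_factory
        self._pending = {}     # token -> (sender, recipient)
        self.released = []     # messages released by a successful verify()

    def hold(self, sender, recipient):
        """Queue a message and return the URL the sender is told to visit."""
        token = self._token_factory()
        self._pending[token] = (sender, recipient)
        return VERIFY_PREFIX + token

    def verify(self, token):
        """Release the message for this token; True if the token was valid."""
        msg = self._pending.pop(token, None)
        if msg is not None:
            self.released.append(msg)
        return msg is not None


def sequential_tokens(start=1000):
    """The weak scheme from the post: fixed prefix plus an incrementing number."""
    counter = itertools.count(start)
    return lambda: str(next(counter))


def random_tokens(nbytes=16):
    """The proposed fix: a 16-byte (128-bit) cookie from the OS CSPRNG."""
    return lambda: secrets.token_hex(nbytes)


def token_from_url(url):
    return url[len(VERIFY_PREFIX):]


def increment_attack(store, known_token, attempts, base):
    """The post's lynx loop: start from one valid token and try the next
    `attempts` values. Returns how many held messages that walk released."""
    value = int(known_token, base)
    width = len(known_token)
    fmt = {10: "d", 16: "x"}[base]
    hits = 0
    for i in range(1, attempts + 1):
        candidate = format(value + i, fmt).zfill(width)
        if store.verify(candidate):
            hits += 1
    return hits


def simulate(token_factory, base, victims=50, attempts=100):
    """Run the three steps of the post's attack against a store using
    `token_factory`; returns the number of spam messages released."""
    store = ChallengeStore(token_factory)
    # Step 1: one innocuous mail from a real address, to learn a token.
    probe_url = store.hold("spammer@example.invalid", "friend@spamcop.example")
    known = token_from_url(probe_url)
    # Step 2: spam many recipients; each message is held with a fresh token.
    for n in range(victims):
        store.hold("spammer@example.invalid", f"user{n}@spamcop.example")
    # Step 3: walk forward from the known token.
    return increment_attack(store, known, attempts, base)


if __name__ == "__main__":
    print("sequential tokens, spam released:", simulate(sequential_tokens(), 10))
    print("random 16-byte tokens, spam released:", simulate(random_tokens(), 16))
```

With the counter, a walk of 100 values from the spammer's own token releases every one of the 50 held spam messages; with 128-bit random cookies the same walk releases none, because neighbouring tokens carry no relation to each other and the space is far too large to sweep. A production version would also expire tokens after a period and rate-limit the release endpoint, but neither is a substitute for the unguessable token.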
