At 10:02 AM -0400 10/14/99, Tom Neff wrote:
> The Web based challenge system does not get abused by spammers, primarily
> because it's hand-rolled and they have little motive or opportunity to
> reverse engineer it. Of course if I offered it to the world and it became
> popular, they would hack it in a week.
Not if you did it right -- which is to NOT do what majordomo did, and
send it out with a pre-defined hash default that nobody changes (or
few change). As long as every site is required to set up their own
hash value, it'd be very hard for a spammer to hack into it, even
with access to the source. (a good way to do this is similar to how
PHP does it, by asking folks to type in random characters until it
gets "enough")
> The stock MJ confirm is only good for catching users with bad mail setups,
> e.g. their configured From: address is wrong. Spammers have script driven
> "confirms" in regular use. I can't say I'm surprised, as I could hack one
> together in an hour if I needed it :)
so change the hash values in majordomo.cf. Then they can script it,
but it won't validate the AUTH line.
> Unfortunately, these are, if anything, easier to script, since detecting the
> URL in the message body is fairly trivial.
but we get back to the issue, which is that of verification. If the
user can't use the URL to validate without getting a cookie via
email, and that cookie can't be reverse engineered, it doesn't
matter if they can get to the URL and script it. The weakness in MJ
is that the hashes are well-known, so a hacker can make some basic
assumptions to circumvent that "return a cookie" part.
heck, by carrying state on the address like MJ2 and Majordomo's
1.53.4 version of the confirmation keys does, you can literally use
one time keys, and so it doesn't matter what the hackers try.
> of many of them, each containing a different English language explanation of
> how to confirm.
That's the rub. At some level, the more you assume they're fluent in
English, the more you're going to run into issues. The hackers,
especially, don't worry about fluency when they attack someone. As my
lists have internationalized, I've gotten really sensitive to this
issue -- even if the content is English, you can't really assume
the users are technically savvy or can decipher stuff like:
> For example, one might say
>
> ==========
> If you D O N O T want to join XYZ-L, send mail to [EMAIL PROTECTED]
> or click on the URL http://www.xyz-l.com/3240dfs409ew .
> If you D O want to join, look in the list below and send email to the
> address you find next to the flower name:
Better to use a one-time key, keep state of it, and make it as simple
as humanly possible for the end user.
--
Chuq Von Rospach - Plaidworks Consulting (mailto:[EMAIL PROTECTED])
Apple Mail List Gnome (mailto:[EMAIL PROTECTED])
What was that?
French horns...
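A constructed Python model of the two confirmation designs contrasted in this exchange, added here as an illustration and not code from Majordomo or from either poster: a confirm key derived from a shipped default secret that nobody changes, versus a per-site secret and a server-side one-time key that is consumed on first use. The `WELL_KNOWN_DEFAULT` value, the `OneTimeConfirm` class and the sample address are assumptions for the example.

```python
import hmac
import hashlib
import secrets
import time

# Stand-in for a confirm secret shipped in the default config and left
# unchanged by most sites (constructed value, not Majordomo's real default).
WELL_KNOWN_DEFAULT = b"majordomo-default-confirm-secret"


def stateless_key(address: str, site_secret: bytes = WELL_KNOWN_DEFAULT) -> str:
    """Stateless confirm key: anyone holding site_secret can recompute it."""
    return hmac.new(site_secret, address.lower().encode(), hashlib.sha256).hexdigest()[:16]


def verify_stateless(address: str, key: str, site_secret: bytes = WELL_KNOWN_DEFAULT) -> bool:
    """Accepts a key if it matches what this site would have issued."""
    return hmac.compare_digest(stateless_key(address, site_secret), key)


class OneTimeConfirm:
    """Carries state per address: the key is random, expires, and is single use."""

    def __init__(self, ttl: float = 86400.0, clock=time.time):
        self.ttl = ttl
        self.clock = clock            # injectable for testing expiry
        self.pending = {}             # address -> (key, expiry time)

    def issue(self, address: str) -> str:
        key = secrets.token_urlsafe(16)   # not derivable from source or config
        self.pending[address.lower()] = (key, self.clock() + self.ttl)
        return key

    def confirm(self, address: str, key: str) -> bool:
        entry = self.pending.get(address.lower())
        if entry is None:
            return False
        stored, expiry = entry
        if self.clock() > expiry:
            del self.pending[address.lower()]      # expired: drop it
            return False
        if not hmac.compare_digest(stored, key):
            return False
        del self.pending[address.lower()]          # one-time: consumed on success
        return True


if __name__ == "__main__":
    addr = "someone@example.org"                   # constructed sample address
    print("default-derived key accepted:", verify_stateless(addr, stateless_key(addr)))
    print("same key vs per-site secret: ", verify_stateless(addr, stateless_key(addr), secrets.token_bytes(32)))
    c = OneTimeConfirm()
    k = c.issue(addr)
    print("one-time key first use:", c.confirm(addr, k), "second use:", c.confirm(addr, k))
```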