mike scott wrote:
(Everything snipped - can we put this subthread to rest please?)
/IF/ a mailicious mail account has /everything/ forwarded to a target
victim, there is no problem at all for the victim to unsubscribe the
mailicious account from this list, even without any access to that
malicious account. They do need to know the email address of the
account.
They just send an unsub email with that malicious address as sender.
Because of the forwarding, they will receive the unsub confirmation
request. They then reply to this.
Job done.
Trouble is, under some circumstances that doesn't seem to work, and we
haven't pinned down the circumstances yet. For example, I've tried
setting up a mimic account in Thunderbird and been stopped by a request
for a password for the account when I try to send; for some reason, it
doesn't always act the same with my configuration. Apparently some SMTP
servers at least sometimes verify either the existence of an account
(which would not be a problem in this case, because the problem account
is still active to redirect the messages), or the authority to send
messages from it.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]