On 07/10/2008 10:10, mike scott wrote:
On 7 Oct 2008 at 9:32, Harold Fuchs wrote:
2008/10/7 mike scott <[EMAIL PROTECTED]>
<snip>
He's back, I see.
He certainly seems to have a major problem, in getting unwanted mails
not just from this list. If someone has taken /real/ umbrage, and
rigged a forwarding account that filters unsubscription request
emails, he's stymied. Although his real ire should be directed at
gmail for not fixing the problem, methinks: that seems to be the
common point from what he's written.
<snip>
Er. Please, how could Google fix this problem? One has never needed
permission to forward e-mail. As far as I know there's no such facility in
That's not strictly true. It's almost certainly illegal to forward
mail /without/ permission of the recipient
(tacit/implicit/otherwise).
Is it?
Certainly in the UK - unauthorized
modification of computer data, unauthorized access to a computer
system - and I'd bet on the USA being likewise.
Whose data is the attacker in this case modifying without authorisation?
As far as I can see the victim's data are not being modified in any way.
Whose computer system is being accessed without authorisation? I think
"access" in this context means that the accessor logs in to the accessed
computer or otherwise makes the accessed computer's files available for
viewing/manipulation. The victim's computer was not being accessed. I
think the worst the attacker could be charged with is spamming the victim.
Google (& I've not checked) almost certainly have T&C's that say no
misuse of their system is allowed - if this isn't misuse, I don't
know what is! They could (should?) simply shut down the offending
account completely.
Here I agree. But did anyone ask Google? As far as I know the attack was
stopped by the mediators of this list.
the protocols. Are you saying Google should abolish its Autoforward feature?
Of course not.
I think you'd hear howls of protest if you suggested that. And even if
Google wrote special software, one could just use Outlook Express or
Thunderbird (or, presumably, any other mail client) to do it. Both those
programs let you set up a rule/filter that does autoforward. For example, I
And misuse would result in a complaint to the ISP concerned, and a
responsible ISP would have a "quiet word" for starters. Again, most
ISPs will have T&Cs prohibiting misuse.
Harold, suppose I took umgbrage and started sending thousands of
emails to you. What would you do? I suspect you'd ask nicely for me
to stop (if you could), then trace the source back to my account at
virginmedia and quite rightly complain to them. I'd be offnet faster
than you could say 'spam'. Why should Google expect not to be as
responsible?
I agree. But again, did anyone ask Google?
can arrange in Outlook Express to forward to you any message that comes in
to me addressed to "users@openoffice.org". And there's nothing you can do
about that. You may be able to *cure* it by unsubscribing me but you can't
*prevent* it happening in the first place.
Ultimately, I suspect legal action could be taken against the
offending /mail system/ operator if they've been notified of a
problem and fail to act. IANAL of course.
Nor am I. Is spam actionable?
While we are on this, what is the procedure for unsubscribing the attacker?
Does the victim have to masquerade as the attacker by setting up a special
account in his/her mail system? Or can it be done using ezmlm's proceudre as
explained in its Help?
Haven't we been round this? To summarise: /Provided/ the intermediate
attacking email address is known, you simply send an unsub request
for that address(*). Then /provided/ the unsub confirmation is
forwarded like the unwanted clutter, you will receive it. You might
have to search through tens of thousands of other items for it! Then
you reply to it - and it doesn't matter what your sending address is
at this point, as it has a magic cookie embedded.
Sorry to be pedantic but this is exactly where the confusion lay in my
mind. You have now clarified it by saying the victim can *either*
- masquerade as the attacker by setting up a "fake" (mimic?) e-mail
account using the attacker's e-mail address *or*
- use the "=" form of the ezmlm unsubscribe request.
Do *both* of those work? Nobody before has clearly stated that; previous
commentators left that hanging which I why I asked.
<snip>
(*) by (1) changing your email client to use the attacker's address
as the sender address; (2) telnetting into your favourite SMTP server
and providing the necessary sender address; (3) using the "=" form of
the OOo list unsub address as noted in the help {I can /never/
remember the exact form, so won't try to guess!!!}
--
Harold Fuchs
London, England
Please reply *only* to users@openoffice.org