James Knott wrote:
Barbara Duprey wrote:
James Knott wrote:
You may have more than one email account, but normally only use one SMTP
server.  This means you can send any email From address through that
one SMTP server.  I have done this, when sending mail on my personal
account, from my work computer.  Unfortunately it also means you can
impersonate someone else.  In our example, impersonation would be
necessary, in order to get the subscription ended.
Actually, the impersonation is probably not required for OOo, because
apparently the goodbye message (if received) can be responded to
without regard to the account; it contains a "magic cookie" that is
what the list manager cares about. But it does apparently seem to be
necessary for the attacker to be forwarding the traffic, and not
filtering the goodbye message.
Isn't it necessary to impersonate the address that the mail is
originally sent to, in order to request unsubscribe?  Otherwise, we're
back to the situation where anybody could unsubscribe anyone.

Not really. If I tried to unsubscribe you, for instance, you'd be the one to get the unsub confirmation (whether I did the normal unsubscribe from a mimic or the indirect unsub). You presumably would not respond to that, and you'd know there was something fishy going on. What is different here is that the attacker is forwarding messages to the victim, so if he doesn't filter the unsub confirmation, the victim can respond to it (and it doesn't matter whether it's from his own account or a mimic, because only the "magic cookie" matters).
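To make the reasoning above concrete, here is an added toy model of a confirm-to-unsubscribe list manager. It is not code from this thread or from the software OOo's lists actually run; the addresses, the cookie format and the forwarding rule are constructed for illustration. It shows the two cases Barbara distinguishes: a forged unsubscribe request alone only sends the confirmation (and its cookie) to the real subscriber, who ignores it; but when the subscribed address is an attacker-controlled mimic that forwards its mail to the victim, the victim can answer the confirmation from any account, because the list checks only the cookie, and only an attacker who filters that confirmation keeps the subscription alive.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Mail:
    to: str
    sender: str
    body: str


@dataclass
class Network:
    """Constructed toy mail network: mailboxes plus optional forwarding rules."""
    mailboxes: dict = field(default_factory=dict)
    # address -> (destination, drop_confirmations); models the attacker's forwarder
    forwards: dict = field(default_factory=dict)

    def deliver(self, mail):
        rule = self.forwards.get(mail.to)
        if rule is not None:
            dest, drop_confirmations = rule
            if drop_confirmations and "cookie=" in mail.body:
                return  # attacker filters the unsub confirmation before forwarding
            mail = Mail(to=dest, sender=mail.sender, body=mail.body)
        self.mailboxes.setdefault(mail.to, []).append(mail)


class ListManager:
    """Simplified list manager (assumption, not the real OOo software)."""

    def __init__(self, net):
        self.net = net
        self.subscribers = set()
        self.pending = {}  # cookie -> address to be unsubscribed

    def subscribe(self, addr):
        self.subscribers.add(addr)

    def handle(self, mail):
        """Process a command mail. The From header is never trusted."""
        if mail.body.startswith("unsubscribe "):
            target = mail.body.split(" ", 1)[1]
            if target in self.subscribers:
                cookie = secrets.token_hex(16)
                self.pending[cookie] = target
                # The confirmation goes to the subscribed address, not the requester.
                self.net.deliver(Mail(to=target, sender="list",
                                      body=f"reply to confirm cookie={cookie}"))
            return None
        if mail.body.startswith("confirm cookie="):
            cookie = mail.body.split("cookie=", 1)[1]
            target = self.pending.pop(cookie, None)
            if target is None:
                return False
            # Only the cookie matters; whoever sends it unsubscribes the target.
            self.subscribers.discard(target)
            return True
        return None


def cookie_from(mail):
    return mail.body.split("cookie=", 1)[1]


def direct_forgery_attempt():
    """Attacker forges From: victim and asks the list to unsubscribe the victim.

    Returns (victim_was_notified, victim_still_subscribed).
    """
    net = Network()
    lm = ListManager(net)
    lm.subscribe("victim@example.org")
    lm.handle(Mail(to="list", sender="victim@example.org",
                   body="unsubscribe victim@example.org"))
    victim_inbox = net.mailboxes.get("victim@example.org", [])
    # The victim sees an unexpected confirmation and ignores it; the attacker
    # never receives the cookie, so the subscription survives.
    return (bool(victim_inbox), "victim@example.org" in lm.subscribers)


def forwarded_mimic(attacker_filters):
    """A subscribed mimic address forwards all its mail to the victim.

    Returns True if the mimic is still subscribed afterwards.
    """
    net = Network(forwards={"mimic@example.net": ("victim@example.org", attacker_filters)})
    lm = ListManager(net)
    lm.subscribe("mimic@example.net")
    lm.handle(Mail(to="list", sender="anyone@example.com",
                   body="unsubscribe mimic@example.net"))
    victim_inbox = net.mailboxes.get("victim@example.org", [])
    if not victim_inbox:
        return "mimic@example.net" in lm.subscribers  # confirmation was filtered
    # The victim replies from their own account; the list honours the cookie anyway.
    lm.handle(Mail(to="list", sender="victim@example.org",
                   body=f"confirm cookie={cookie_from(victim_inbox[-1])}"))
    return "mimic@example.net" in lm.subscribers


if __name__ == "__main__":
    print("direct forgery:", direct_forgery_attempt())
    print("forwarded, not filtered:", forwarded_mimic(attacker_filters=False))
    print("forwarded, filtered:", forwarded_mimic(attacker_filters=True))
```

The design point is the one the thread turns on: a cookie bound to the subscribed address stops third parties from unsubscribing others, because the cookie is only ever mailed to that address; it does not stop whoever actually receives that mail, via forwarding or otherwise, from completing the unsubscribe from a different account.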