At 10:02 AM -0400 10/14/99, Tom Neff wrote:
> The Web based challenge system does not get abused by spammers, primarily
> because it's hand-rolled and they have little motive or opportunity to
> reverse engineer it. Of course if I offered it to the world and it became
> popular, they would hack it in a week.
Not if you did it right -- which is to NOT do what majordomo did, and
send it out with a pre-defined hash default that nobody changes (or
few change). As long as every site is required to set up their own
hash value, it'd be very hard for a spammer to hack into it, even
with access to the source. (a good way to do this is similar to how
PHP does it, by asking folks to type in random characters until it
> The stock MJ confirm is only good for catching users with bad mail setups,
> e.g. their configured From: address is wrong. Spammers have script driven
> "confirms" in regular use. I can't say I'm surprised, as I could hack one
> together in an hour if I needed it :)
so change the hash values in majordomo.cf. Then they can script it,
but it won't validate the AUTH line.
> Unfortunately, these are, if anything, easier to script, since detecting the
> URL in the message body is fairly trivial.
but we get back to the issue, which is that of verification. If the
user can't use the URL to validate without getting a cookie via
email, and that cookie can't be reversed engineered, it doesn't
matter if they can get to the URL and script it. Teh weakness in MJ
is that the hashes are well-known, so a hacker can make some basic
assumptions to circumvent that "return a cookie" part.
heck, by carrying state on the address like MJ2 and Majordomo's
1.53.4 version of the confirmation keys does, you can literally use
one time keys, and so it doesn't what the hackers try.
> of many of them, each containing a different English language explanation of
> how to confirm.
That's the rub. At some level, the more you assume they're fluent in
English, the more you're going to run into issues. The hackers,
especially, don't worry about fluency when they attack someone. As my
lists have internationalized, I've gotten really sensitive to this
issue -- even if the content is English, you can't really assume
the users are technically savvy or can decipher stuff like:
> For example, one might say
> If you D O N O T want to join XYZ-L, send mail to 209urwe0dfj @
> or click on the URL http://www.xyz-l.com/3240dfs409ew .
> If you D O want to join, look in the list below and send email to the
> address you find next to the flower name:
Better to use a one-time key, keep state of it, and make it as simple
as humanly possible for the end user.
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui @
Apple Mail List Gnome (mailto:chuq @
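To make the two designs argued over in this thread concrete, here is an added example (written for this page, not code from Majordomo, MJ2 or either poster). It models a stateless "AUTH"-style cookie as an HMAC over the list name and address keyed by a per-site secret (a simplified stand-in, not Majordomo's real algorithm; the shipped default secret, list name and victim address are all constructed for the demo), and beside it a one-time key kept in a server-side pending table. The demo shows why a spammer who has the source plus the unchanged default can script the confirm, why a site-specific secret stops that, and why a stored one-time key needs no secret at all: nothing about the token is derivable from the address, and it is consumed on first use.

```python
import hashlib
import hmac
import secrets
import time

# --- Model 1: stateless cookie = HMAC(site secret, list:address) -------------
# Simplified stand-in for a Majordomo-style AUTH line (hypothetical, not the
# real algorithm). The only secret is the per-site value from the config file;
# a site that keeps the shipped default has no secret at all.
SHIPPED_DEFAULT_SECRET = b"change-me"      # constructed: "default nobody changes"


def auth_cookie(site_secret: bytes, listname: str, address: str) -> str:
    msg = f"{listname}:{address.strip().lower()}".encode()
    return hmac.new(site_secret, msg, hashlib.sha256).hexdigest()[:16]


def stateless_confirm(site_secret: bytes, listname: str, address: str, cookie: str) -> bool:
    """Server side: recompute the cookie for the claimed address and compare."""
    expected = auth_cookie(site_secret, listname, address)
    return hmac.compare_digest(expected, cookie)


def spammer_scripted_confirm(listname: str, address: str, guessed_secret: bytes) -> str:
    """Attacker side: never sees the victim's mailbox, only has the source and a
    guess at the secret. If the site left the default in place, the guess is right."""
    return auth_cookie(guessed_secret, listname, address)


# --- Model 2: one-time key with server-side state ----------------------------
class OneTimeConfirmer:
    """Issues a random single-use token per (list, address) and remembers it in a
    pending table. Confirming pops the entry, so replays and guesses both fail."""

    def __init__(self, ttl_seconds: int = 3 * 24 * 3600):
        self.ttl = ttl_seconds
        self._pending = {}                     # token -> (listname, address, expires_at)

    def issue(self, listname: str, address: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)      # 192 random bits, unguessable
        self._pending[token] = (listname, address, now + self.ttl)
        return token                           # goes only into the mail sent to `address`

    def confirm(self, token: str, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)   # pop: a second use finds nothing
        if entry is None:
            return None
        listname, address, expires_at = entry
        if now > expires_at:                     # stale key: make them re-subscribe
            return None
        return (listname, address)


def demo() -> dict:
    victim = "victim@example.com"              # constructed address
    results = {}
    # 1a. Site left the shipped default: the scripted confirm validates.
    forged = spammer_scripted_confirm("xyz-l", victim, SHIPPED_DEFAULT_SECRET)
    results["default_secret_forged_ok"] = stateless_confirm(
        SHIPPED_DEFAULT_SECRET, "xyz-l", victim, forged)
    # 1b. Site set its own secret: the same forged cookie is rejected.
    site_secret = secrets.token_bytes(32)
    results["site_secret_forged_ok"] = stateless_confirm(site_secret, "xyz-l", victim, forged)
    # 2. One-time key: only whoever reads the mailbox has it, and it works once.
    c = OneTimeConfirmer()
    tok = c.issue("xyz-l", victim, now=1000)
    results["otk_first"] = c.confirm(tok, now=1001)
    results["otk_replay"] = c.confirm(tok, now=1002)
    results["otk_guess"] = c.confirm(secrets.token_urlsafe(24), now=1002)
    tok2 = c.issue("xyz-l", victim, now=1000)
    results["otk_expired"] = c.confirm(tok2, now=1000 + c.ttl + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for the stateless design is that everything the server checks is recomputable from public inputs plus the site secret, so the secret is the whole defence; the point for the stateful design is that the server checks possession of a value it generated at random and stored, so scripting the "visit the URL" step gains the spammer nothing until they can read the target mailbox.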
What was that?