
Unsubscribe DoS

From: Frank Knobbe <frank(at)knobbe.us>
Date: Thu Dec 19 2002 - 00:35:18 EST

Greetings,

while reviewing postmaster's email for a mail system we manage, I came across an email from some list/spam server that offers an unsubscribe URL. This was a bounced email for a user that no longer has a mail box on the systems. So I just opened the browser and unsubscribed the user to avoid any further bounces.

Nice feature I thought..... and then I started to take a look at the URL [1]. Obviously we have the subscriber ID (email recipient), the customer ID (the client of the list/spam server), and the campaign ID (to identify the mailing itself).

The risk is that someone could just enter any subscriber ID and unsubscribe someone else.

That made me wonder how widespread the problem is. Are there any pointers or references to list/spam server opt-in/opt-out systems that are prone to automated attacks, such as a for-loop posting HTTP pages?

Regards,
Frank

[1] http://mailiwant.com/unsubscribe.jsp?subid=123456&custid=12&campid=1234
Received on Fri Dec 20 18:32:12 2002
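
One way a list server could make the link in [1] resistant to the ID guessing described in the message, added here as an example and not part of the original post or of any list server's code: each link carries an HMAC over its three IDs, so changing `subid` invalidates it. The `sig` parameter, the key, the host name and the function names are assumptions, and IDs are assumed to be numeric as in [1].

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret that never appears in mail (constructed value).
SECRET_KEY = b"constructed-demo-key-not-for-real-use"
FIELDS = ("subid", "custid", "campid")  # parameter names taken from the URL in [1]


def _tag(params: dict) -> str:
    """HMAC-SHA256 over the three IDs, always in the same order."""
    msg = "\n".join(f"{k}={params[k]}" for k in FIELDS).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def _numeric(value: str) -> bool:
    # Digits only, so a value cannot smuggle the "\n" separator used in _tag().
    return value.isascii() and value.isdigit()


def make_unsubscribe_url(base: str, subid: str, custid: str, campid: str) -> str:
    """Build the link for an outgoing mail; 'sig' is a hypothetical parameter."""
    params = {"subid": subid, "custid": custid, "campid": campid}
    if not all(_numeric(v) for v in params.values()):
        raise ValueError("IDs must be numeric")
    params["sig"] = _tag(params)
    return f"{base}?{urlencode(params)}"


def verify_unsubscribe_url(url: str) -> bool:
    """Honour the request only if the signature matches the IDs it carries."""
    query = parse_qs(urlsplit(url).query)
    names = FIELDS + ("sig",)
    # Reject missing or repeated parameters instead of guessing which one counts.
    if any(len(query.get(k, [])) != 1 for k in names):
        return False
    params = {k: query[k][0] for k in FIELDS}
    if not all(_numeric(v) for v in params.values()):
        return False
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    return hmac.compare_digest(_tag(params).encode(), query["sig"][0].encode())
```

A request that fails verification can still be logged and counted per source address, which gives the operator a signal for the for-loop style enumeration the message asks about.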


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT

