Hosting Provided By

RE: Unsubscribe DoS

From: Arnold, Jamie <harnold(at)binghamton.edu>
Date: Fri Dec 20 2002 - 19:19:22 EST

Many of these "unsubscribe" urls are just a way of verifying that the email address is a valid one. Probes, of a sort.

Jamie

~~Ipsa scientia potestas est~~

~~Knowledge itself is power~~

<>~<

-----Original Message-----
From: Frank Knobbe [mailto:frank@knobbe.us] Sent: Thursday, December 19, 2002 12:35 AM To: vuln-dev@securityfocus.com
Subject: Unsubscribe DoS

Greetings,

while reviewing postmasters email for a mail system we manage, I came across an email from some list/spam server that offers an unsubscribe URL. This was a bounced email for a user that no longer has a mail box on the systems. So I just opened the browser and unsubscribed the user to avoid any further bounces.

Do you need help?

Nice feature I thought..... and then I started to take a look at the URL [1]. Obviously we have the subscriber ID (email recipient), the customer ID (the client of the list/spam server), and the campaign ID (to identify the mailing itself).

The risk is that someone could just enter any subscriber ID and unsubscribe someone else.

That made me wonder how widespread the problem is. Are there any pointers or references to list/spam server opt-in/opt-out systems that are prone to automated attacks, such as a for-loop posting http pages?

Regards,
Frank

[1]http://mailiwant.com/unsubscribe.jsp?subid=123456&custid=12&campid=1234 Received on Fri Dec 20 20:32:11 2002

This message: [ Message body ]
Next message: appsec(at)technicalinfo.net: "Re: Cross site scripting explained"
Previous message: Frank Knobbe: "Unsubscribe DoS"
Maybe in reply to: Frank Knobbe: "Unsubscribe DoS"
Next in thread: John Dow: "Re: Unsubscribe DoS"
Reply: John Dow: "Re: Unsubscribe DoS"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT