tomcat-users mailing list archives

From Vitor Buitoni <vitor.buit...@digitro.com.br>
Subject Re: Autoresponers getting subscribed to the list <AUTO> 'Getty=987-032'Tomcat 5 jpda debugging
Date Fri, 30 Jan 2004 19:02:54 GMT
Yes, surely it's a vulnerability in this system.

Perhaps the subscription confirmation should include something else 
besides just a single reply...
Is it possible to use the system that sends the user an image containing 
some text, and to confirm the user has to type what he sees in the 
image? Or some kind of control like this, that would make it difficult 
for machines to confirm the subscription automatically.

Thanks!

Vitor


Giuliano Gavazzi wrote:

> At 9:37 am -0800 2004/01/30, David Rees wrote:
>
>> Vitor Buitoni wrote, On 1/30/2004 3:50 AM:
>>
>>> Maybe some admin could unsubscribe this annoying guy?
>>
>>
>> The real question is how are these guys getting subscribed?  It 
>> appears that someone has figured out a way to subscribe random 
>> addresses to the list without validation.
>>
>> I'm guessing that it works because someone spoofs a subscribe 
>> request, and ezmlm responds to the spoofed address with the 
>> confirmation.  These autoresponders which include the whole message 
>> reply, and voila, they have been subscribed to the list.
>
>
> well, but this also means that ezmlm sucks, or that it should be 
> configured in a different way. I guess that during this storm 
> subscriptions, (but not un-subscriptions please!) should be stopped. I 
> do not want to check my mail the morning after some virus manages to 
> subscribe a few autoresponders to the list.
>
> Giuliano




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
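
Added example, not part of the original message and not ezmlm's own code: a sketch of a confirmation handler that refuses replies that look machine-generated, so an autoresponder echoing the confirmation back does not complete a subscription. The `list-confirm-<token>` address format, the header names checked, and the sample messages are assumptions constructed for illustration.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Assumed markers of automatic replies: Auto-Submitted (RFC 3834) plus
# Precedence values and X- headers that autoresponders commonly set.
AUTO_PRECEDENCE = {"bulk", "junk", "auto_reply"}
AUTO_HEADERS = ("X-Autoreply", "X-Autorespond")
PREFIX = "list-confirm-"  # hypothetical confirmation address prefix


def is_auto_generated(msg):
    """True if the reply carries a header marking it as automatic."""
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":
        return True
    if (msg.get("Precedence") or "").strip().lower() in AUTO_PRECEDENCE:
        return True
    return any(h in msg for h in AUTO_HEADERS)


def accept_confirmation(raw, expected_token):
    """Return (accepted, reason) for a reply sent to the confirm address."""
    msg = message_from_string(raw)
    local = parseaddr(msg.get("To", ""))[1].split("@")[0]
    token = local[len(PREFIX):] if local.startswith(PREFIX) else ""
    # The token alone is not enough: an autoresponder replies to the
    # confirm address too, so its token is valid.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "bad token"
    if is_auto_generated(msg):
        return False, "auto-generated reply"
    return True, "confirmed"


def make_reply(extra_headers=""):
    """Build a constructed sample reply; extra_headers are raw header lines."""
    return ("From: user@example.net\n"
            "To: list-confirm-a1b2c3@example.org\n"
            "Subject: Re: confirm subscribe\n"
            + extra_headers + "\n> original confirmation text\n")


HUMAN = make_reply()
VACATION = make_reply("Auto-Submitted: auto-replied\n")
BULK = make_reply("Precedence: bulk\n")

if __name__ == "__main__":
    for name, raw in (("human", HUMAN), ("vacation", VACATION), ("bulk", BULK)):
        print(name, accept_confirmation(raw, "a1b2c3"))
```

An autoresponder that sets none of these headers still passes this check, which is why the thread also asks for a confirmation step that requires a person.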

