From: "Walter Dnes" <waltdnes(_at_)waltdnes(_dot_)org>
Sent: Thursday, July 10, 2003 4:11 AM
Password approach
=================
ASRG puts up an XML structure on its signup page. The necessary
elements are something like
- TOKEN = OOGA_BOOGA
Subscribing consists of clicking on a URL. This will pop up a dialog in
the user's browser that...
1) Submits the user's email address to the mailing list
2) Saves the XML token data to the user's account on his ISP.
Spammer notices that this group is almost exclusively male, and a
p****-enlargement ad will be "100% targeted". Spammer sends a spam
containing the additional SMTP command...
TOKN: OOGA_BOOGA
Recipient's ISP checks their database, sees that this client has listed
OOGA_BOOGA as a valid consent token, and lets the spam through... oops.
In my Choicelist system I propose a similar link-based permission system.
Quote:
"Adding entries to the list is done by entering the Choicelist
identity number of the desired list into the box provided, or
clicking on a special Opt-In link such as:
<A HREF="mailto:Choicelist12345">Opt-In</A>
A link like this would be recognized by the MUA.
The user would then be asked to confirm the Opt-In."
The sender can prevent spoofing of a Choicelist opt-in by adding
authentication information to their identity, so at least in this
implementation the attack you proposed would not work.
John Fenley
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
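As an added worked example (not code from either poster, nor from the ASRG signup page or the Choicelist implementation), the following Python models the two consent schemes discussed above: the bare shared token that a spammer can replay, and a token the recipient's ISP binds to the sender identity the user actually opted in to. The sender identities, the ISP key and the subscriber address are constructed for the example; the "authenticated sender" passed at delivery time is assumed to have been verified by the MTA by some mechanism this example does not implement.

```python
"""Bare consent token vs. consent token bound to an authenticated sender.
Constructed example; not the ASRG signup or Choicelist code."""
import hmac
import hashlib
import secrets


# --- Scheme 1: bare token, as in the ASRG signup scenario --------------------
class BareTokenISP:
    """ISP stores whatever token the user's signup dialog handed it."""

    def __init__(self):
        self.consent = {}  # user -> set of accepted tokens

    def opt_in(self, user, token):
        self.consent.setdefault(user, set()).add(token)

    def accept(self, user, token, sender):
        # The sender is never consulted: anyone presenting the token passes.
        return token in self.consent.get(user, set())


# --- Scheme 2: token bound to (user, list, authenticated sender) --------------
class BoundTokenISP:
    """ISP mints the token itself as an HMAC over the subscriber, the list id
    and the sender identity the user opted in to. At delivery the MAC is
    recomputed over the identity the MTA authenticated, so a replayed token
    from any other sender fails. Stateless apart from the ISP's key."""

    def __init__(self, key=None):
        # Assumption: a per-ISP secret key, never shared with senders.
        self.key = key or secrets.token_bytes(32)

    def _mac(self, user, list_id, sender):
        data = "\0".join((user, list_id, sender)).encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def opt_in(self, user, list_id, sender):
        # Issued when the user confirms the Opt-In link; the token is handed
        # to the list operator, who presents it with each message.
        return self._mac(user, list_id, sender)

    def accept(self, user, list_id, token, authenticated_sender):
        # authenticated_sender: assumed verified by the MTA before this call.
        expected = self._mac(user, list_id, authenticated_sender)
        return hmac.compare_digest(expected, token)


def demo():
    user = "subscriber@example.com"        # constructed
    list_id = "Choicelist12345"            # the id used in the quoted text
    list_sender = "asrg-bounces@ietf.org"  # constructed sender identity
    spammer = "deals@example.net"          # constructed sender identity

    bare = BareTokenISP()
    bare.opt_in(user, "OOGA_BOOGA")
    bare_list_ok = bare.accept(user, "OOGA_BOOGA", list_sender)
    bare_spam_ok = bare.accept(user, "OOGA_BOOGA", spammer)  # replay passes

    bound = BoundTokenISP()
    token = bound.opt_in(user, list_id, list_sender)
    bound_list_ok = bound.accept(user, list_id, token, list_sender)
    bound_spam_ok = bound.accept(user, list_id, token, spammer)  # rejected
    bound_forged = bound.accept(user, list_id, "OOGA_BOOGA", list_sender)
    return bare_list_ok, bare_spam_ok, bound_list_ok, bound_spam_ok, bound_forged


if __name__ == "__main__":
    print(demo())
```

The bound scheme only helps if the MTA really authenticates the sender identity it feeds to accept(); a token tied to an identity the spammer can freely claim is no better than the bare token.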