Markus Stumpf wrote:
On Thu, Mar 18, 2004 at 09:50:09AM -0500, Meng Weng Wong wrote:
Another problem is that because these headers are subject to forgery,
the spammer can forge
List-Unsubscribe:
<mailto:ietf-mxcomp-request(_at_)imc(_dot_)org?body=unsubscribe>
which fools the MUA; putting that metadata into the SPF record moves
the announcement back into a space that's controlled by the purported
sender domain. You only want to trust a List-Unsubscribe if the message
itself passes RMX/DMP/LMAP/MXCOMP/MARID tests.
I don't think I can follow you here?
Well behaved MLMs use double-ACK for opt-in as well as opt-out.
However I am aware that with this list I could probably unsubscribe all
of you with a single batch job.
IMHO the proposal should not make workarounds to try to fix security
flaws in MLM software or their configuration.
ezmlm e.g. shows (and I think at least majordomo can also do this) how you
can use safe crypto cookies for confirmation of the subscribe and unsubscribe
process. This can be securely done without any LMAP checking at all:
new(_at_)example(_dot_)net requests unsubscribe for joe(_at_)example(_dot_)com
MLM creates unique secret with a token only known to the MLM and
sends it back to joe(_at_)example(_dot_)com(_dot_) It also has an upper limit on
duration of validity
Now the mailbox joe(_at_)example(_dot_)com has a cookie that will only unsubscribe
joe(_at_)example(_dot_)com from one particular ML. You can even forward that cookie
to your new account new(_at_)example(_dot_)net and still use the cookie together
with the address joe(_at_)example(_dot_)com to unsubscribe joe(_at_)example(_dot_)com (and
none else).
A LMAP check would IMHO even be counterproductive here.
You're thinking of checking the wrong message against LMAP criteria. It
looks like you're thinking of validating the unsubscribe request, while Meng
was talking about only trusting List-* headers in messages that have passed
LMAP validation.
Philip Miller
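
Added example, not part of the original thread and not the actual code of ezmlm or majordomo: a minimal sketch of the confirmation cookie described in the quoted text, bound to one action, one list, and one subscriber address, with an upper limit on validity. The key, the function names, the three-day lifetime, and the list name are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample key; a real list manager would keep a random per-list secret.
MLM_SECRET = b"constructed-demo-key-not-for-production"
MAX_AGE = 3 * 24 * 3600  # assumed upper limit on validity, in seconds


def _mac(action, mailing_list, address, expires):
    # Bind the cookie to the action, the list, the subscriber and the expiry time.
    # Assumes the fields were parsed from a request and contain no newlines.
    msg = "\n".join([action, mailing_list, address.lower(), str(expires)])
    return hmac.new(MLM_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def issue_cookie(action, mailing_list, address, now=None):
    """Create the cookie the MLM mails to `address`, never to the requester."""
    now = int(time.time()) if now is None else int(now)
    expires = now + MAX_AGE
    return f"{expires}.{_mac(action, mailing_list, address, expires)}"


def verify_cookie(cookie, action, mailing_list, address, now=None):
    """Return True only for an unexpired cookie issued for exactly this request."""
    now = int(time.time()) if now is None else int(now)
    try:
        expires_text, mac = cookie.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False  # malformed cookie
    if now > expires:
        return False  # past the validity limit
    expected = _mac(action, mailing_list, address, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

Because the subscriber address is an input to the MAC and not taken from the envelope sender, the cookie still verifies when it is returned from a different account, but only for the address it was issued to.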