Great Circle Associates Majordomo-Workers
(March 1996)

Subject: Re: Cascading help messages loop
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Sun, 10 Mar 1996 16:45:00 -0800
To: michele@garnet.berkeley.edu (Michele Tomkin), majordomo-workers@greatcircle.com

[I'm switching this over to Majordomo-Workers, since it's more of a
future-feature development issue.  -Brent]

At 11:29 AM 3/8/96, Michele Tomkin wrote:
>Forging fake mass subscriptions to mailing lists seems to be the
>new net misbehavior of the week.  We have seen this here at UC Berkeley
>a lot recently.  It is causing system administrators, list owners,
>and users a lot of grief and work.

Yeah, I agree.

>One way to prevent this type of occurrence would be to add an option
>to Majordomo so that requests for subscription require verification.
>Upon receipt of a request for subscription, Majordomo would assign
>(and temporarily store) a verification_cookie to the request and
>send a piece of mail back to the originating address, that requests a
>"verify verify_cookie subscribe ..." command.  Upon receipt of the
>verify command by Majordomo, they would be added to open lists, or
>forwarded to the owner for closed lists.

Actually, it should be possible to do it without storing the cookie.  You
just have to be reasonably smart about how you generate the cookie; you
want to generate it in such a way that you can regenerate it at will, but
that attackers can't easily generate it.

How about this: start with the user's one-line request.  Append the user's
email address, if they haven't already specified it on the request.
Normalize it by stripping comments out of email address, stripping multiple
whitespace, converting to all lower-case, etc.  Append or prepend a
site-specific "secret" from the /etc/majordomo.cf file.  Run this whole
line through MD5 or SNEFRU or some other crypto-checksum function; use the
result of that as the verification cookie the user has to return, as
Michele describes above.

As long as your site's secret is still the same when the user sends back
the verification, it's easy to verify the cookie.  However, there's no good
way for an attacker to figure out what your site's secret is except by
brute force; if you choose a good secret (like choosing a good password),
that should be very difficult.

So, anybody got a version of MD5 or SNEFRU implemented in Perl?  :-)


-Brent

----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
                   Internet Tutorials from the Experts!
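The stateless cookie scheme Brent sketches above, worked through as an added example. This is not Majordomo code and not what Brent or Michele posted; it is written in Python rather than the Perl Brent asks for, and it uses HMAC-SHA256 in place of a raw MD5/SNEFRU checksum over "secret plus line", since HMAC is the keyed-hash construction that was designed to avoid the weaknesses of simply prepending or appending a secret to a Merkle-Damgård hash (length extension being the best known). The site secret, the request grammar ("subscribe <list> [address]") and the "verify <cookie> <original request>" reply format are assumptions chosen for the example; the normalization steps (drop comments and display names from the address, collapse whitespace, lower-case) follow the message.

```python
"""Stateless subscription-verification cookie (added example, not Majordomo's code).

Assumed for the example:
  * SITE_SECRET stands in for the per-site secret Brent would keep in
    /etc/majordomo.cf.
  * A request is one line, "subscribe <list> [address]"; if no address is
    given, the sender's address is appended (as Brent describes).
  * The user replies with "verify <cookie> <original request line>".
Nothing is stored between the request and the verify: the cookie is
recomputed from the normalized request and the secret, then compared.
"""
import hashlib
import hmac
from email.utils import parseaddr

# Assumed site secret; in practice load it from configuration and choose it
# the way you would choose a good password (long and random).
SITE_SECRET = b"example-site-secret-replace-with-a-long-random-value"


def normalize_address(addr):
    """Strip RFC 822 comments / display names and lower-case the address.

    'Brent@GreatCircle.COM (Brent Chapman)' and 'Brent Chapman <Brent@GreatCircle.COM>'
    both normalize to 'brent@greatcircle.com'.
    """
    _display_name, bare = parseaddr(addr)
    return bare.strip().lower()


def normalize_request(line, sender):
    """Canonicalize the one-line request so the cookie can be regenerated later.

    Collapses whitespace, lower-cases every token, and appends the sender's
    normalized address when the request did not name one.
    """
    words = line.split()
    if len(words) >= 3:
        # Third token onward is the address (possibly followed by a comment).
        words = words[:2] + [normalize_address(" ".join(words[2:]))]
    elif len(words) == 2:
        words.append(normalize_address(sender))
    return " ".join(w.lower() for w in words)


def make_cookie(line, sender, secret=SITE_SECRET):
    """Keyed hash over the normalized request; 32 hex chars (128 bits), the
    same length an MD5 cookie would have had."""
    canon = normalize_request(line, sender).encode()
    return hmac.new(secret, canon, hashlib.sha256).hexdigest()[:32]


def check_verify(verify_line, sender, secret=SITE_SECRET):
    """Handle 'verify <cookie> <original request>'.

    Returns the canonical request if the cookie is valid, else None.
    The cookie must only ever have been mailed to the address it binds, so
    possession of a matching cookie demonstrates control of that mailbox.
    """
    parts = verify_line.split(None, 2)
    if len(parts) != 3 or parts[0].lower() != "verify":
        return None
    cookie, original = parts[1], parts[2]
    expected = make_cookie(original, sender, secret)
    # Constant-time comparison so the check does not leak the cookie byte by byte.
    if hmac.compare_digest(cookie.lower().encode(), expected.encode()):
        return normalize_request(original, sender)
    return None


if __name__ == "__main__":
    # Constructed sample exchange for the example.
    request = "subscribe  Test-List"
    sender = "Michele@Garnet.Berkeley.EDU (Michele Tomkin)"
    cookie = make_cookie(request, sender)
    reply = f"verify {cookie} subscribe test-list"
    print("cookie mailed to", normalize_address(sender), "->", cookie)
    print("verify from that address ->", check_verify(reply, "michele@garnet.berkeley.edu"))
```

Because the cookie is bound to the normalized list name and subscriber address, a cookie issued for one address cannot be replayed to subscribe another, and changing the secret invalidates every outstanding cookie at once, which is the one operational cost Brent notes (the secret has to stay the same between request and verify).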



