[Declined] postings via emails (yahoo! groups!)

Started by assad, April 26, 2004, 04:33:24 PM


[Unknown]

#60
I'm afraid that's not the case.  The problem is that I can send an email to a close friend of yours, from this address:

[email protected]

I do not need to hack into your account or guess your password.  I can easily do it given a destination address.  This is a problem in the way the SMTP protocol was designed.

The way it is often detected is by checking if "hotmail.com" was the actual host that SENT the email.  For example, if "hacker.net" sent the email, but it SAYS it's from "hotmail.com", then you can guess it may be a fake.

In practice, it's not nearly so cut and dry.  Many companies have gotten rich (or gone bankrupt) trying to make solutions for this problem, and this is part of what spam filters are for!

This is why when you get viruses from people, it doesn't mean the SENDER of the email is infected; viruses commonly pick two people from the contact list of the infected computer, and send from one, to the other.  This means that your friend John might be infected, and send an email pretending to be from Beth to Jack.  This makes it very hard for John to even know he is infected.

Edit: and, even if your opinion is that this is "hard enough" or that "it doesn't really happen on mailing lists I've used" or "it won't happen for me", those are just arguments for why it should be a mod.  I am not going to put a feature into SMF, or let anyone else put a feature into the default distribution, if *I* can hack it.  If I am able to exploit the feature, then it is insecure.  Even if I'm not, it may be insecure - but if I KNOW how to and am CAPABLE of hacking a default install, however configured, then I would think SMF was insecure.

That's not going to happen.

-[Unknown]
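The check [Unknown] describes above (was the host that actually handed the message to the forum's mail server in the same domain as the address in the From: line?) can be written as a small Python function over the Received headers. This is an added example, not code from the thread or from SMF; the forum's mail exchanger name `forum-mx.example.org`, the two sample messages and the two-label domain helper are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hostname of the forum's own mail exchanger (assumption for this example).
OUR_MX = "forum-mx.example.org"

# "from <host> ... by <host>": the two hostnames an honest relay writes into a Received line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<sender>[A-Za-z0-9.-]+).*?\bby\s+(?P<receiver>[A-Za-z0-9.-]+)",
    re.IGNORECASE | re.DOTALL,
)


def registrable_domain(host):
    """Crude 'hotmail.com' from 'mail.hotmail.com': keep the last two labels.
    Good enough for this demonstration; real code needs a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_host_check(raw_message):
    """Compare the domain of the From: address with the host that handed the
    message to OUR_MX.  Returns (from_domain, handing_host, suspicious)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Only the Received line written by our own server is trustworthy; every
    # line below it arrived inside the message and was supplied by the sender.
    for received in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(received)
        if m and m.group("receiver").lower() == OUR_MX:
            handing_host = m.group("sender")
            suspicious = registrable_domain(handing_host) != registrable_domain(from_domain)
            return from_domain, handing_host, suspicious
    return from_domain, None, True  # no trace from our own MX at all: treat as suspicious


# Constructed sample messages (not real mail).  In GENUINE the message reached our
# MX directly from a hotmail.com host; in SPOOFED it came from an unrelated relay
# that merely claims hotmail.com in the From: line and in a Received line it wrote itself.
GENUINE = (
    "Received: from mail.hotmail.com (mail.hotmail.com [198.51.100.5])\n"
    "\tby forum-mx.example.org with ESMTP id 1; Tue, 28 Jun 2005 12:00:00 +0000\n"
    "From: Beth <beth@hotmail.com>\n"
    "To: forum@example.org\n"
    "Subject: Re: Topic 123\n"
    "\n"
    "Looks fine to me.\n"
)

SPOOFED = (
    "Received: from relay.example.net (relay.example.net [203.0.113.7])\n"
    "\tby forum-mx.example.org with ESMTP id 2; Tue, 28 Jun 2005 12:01:00 +0000\n"
    "Received: from mail.hotmail.com by relay.example.net; Tue, 28 Jun 2005 11:59:00 +0000\n"
    "From: Beth <beth@hotmail.com>\n"
    "To: forum@example.org\n"
    "Subject: Re: Topic 123\n"
    "\n"
    "Please post this for me.\n"
)

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, sender_host_check(raw))
```

The function deliberately ignores every Received line except the one the forum's own server wrote, because the lower lines are just text the sender put in the message. Even the trusted line only tells you which host connected, which is why the thread calls this a guess rather than proof; the standardised forms of the same idea (SPF and DKIM) exist precisely because a hostname comparison alone is not "cut and dry".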

rhizome

#61
Ahh, I see this feature request has been declined. I understand the reasons.

But I'm still a bit confused: does that mean there won't be a mod for it?  Or is that something different, because declined means it won't be a default feature for SMF?

EDIT: I've just read the edit on [Unknown]'s post.
Even more confused now.
So if it was a mod, the admin would be acknowledging that it won't be fully secure, but SMF would still release it as a mod?

thanks

[Unknown]

A mod is not a default feature; this is not going to be a default feature, but it looks like Grudge is willing to make a mod for it.

-[Unknown]

alitahir

Please tell me how you can know the mail addresses of my close friends?

You know just my mail address if I am a member of this forum. You can send me a mail from the forum. This is just what I want.

Your counter argument presupposes that you hack my computer individually. This is not exactly a case that we should bother about. Or am I misreading your point?

[Unknown]

You are.  I need no access to your computer at all.  I can use my computer to send an email that says it is from you.  This email is not from you, but other people may believe it when it says it is.

-[Unknown]

Grudge

Well - the way I intend to make it as a mod *should* make it pretty secure. Basically, every email sent out from SMF will have a unique ID which is randomly generated and stored in the database. When someone replies to the email it sends the unique ID in the header, as well as obviously their email address. (Up to here this is kinda what 1.1 does by default - except the database stuff).

When the email is received the script will check the unique ID and the email address from the database to make sure it is valid - and if it is it will make the post and THEN delete the entry - this stops more than one reply per message.

Note that the mod I intend to write will ONLY work on replies to notifications and the like. I don't intend to allow posting of new topics through the mailing list - as this can never be done in a secure way. The only way I can imagine allowing relatively secure new topic posting would be to either:

1) Allow a user to select a password specifically for email notifications (i.e. not their usual account password) which they send in every topic reply. This would also need to do spam protection to stop people working out this password.
2) Allow replies to a weekly digest (or similar) which would start a new topic - but this idea sucks :)

So basically, if I mod it I only intend to half mod it - I won't create a mod which I know is insecure.
I'm only a half geek really...

alitahir

Ok!  You still don't have the addresses of my closest friends. In fact you don't even need to know my address.  You can just create an arbitrary mail address and pretend that it exists.

You can do that with or without e-mail integration. So what is the difference?

I just try to understand, and thank you anyway for your kind reply.

[Unknown]

Okay.  But, let's say I choose the address [email protected] as your "closest friend".  And, then I choose this topic - this one here - and "reply" to it.

The forum receives an email - an email from YOUR email address.  It realizes this is a post for the forum!  For this topic in fact!  Using this, I could post as if I were you.  To me, this is as bad as if I could log in as you and post using your account - because that is effectively what it allows me.

-[Unknown]

rhizome

Quote from: Grudge on June 28, 2005, 05:44:38 PM
...
Note that the mod I intend to write will ONLY work on replies to notifications and the like. I don't intend to allow posting of new topics through the mailing list - as this can never be done in a secure way. The only way I can imagine allowing relatively secure new topic posting would be to either:

1) Allow a user to select a password specifically for email notifications (i.e. not their usual account password) which they send in every topic reply. This would also need to do spam protection to stop people working out this password.
2) Allow replies to a weekly digest (or similar) which would start a new topic - but this idea sucks :)

So basically, if I mod it I only intend to half mod it - I won't create a mod which I know is insecure.

It makes a lot of sense not allowing new topics to be started via email anyway, regardless of the security issue, which of course is the most important issue nevertheless.

Many thanks for thinking about working on this.
I know the poll ain't up to much but it's a mod I bet people will start using because it's there and will give added functionality to their forums. (Remember how mobile texting was just an afterthought.)

Yonkey

Quote from: [Unknown] on June 28, 2005, 01:25:12 PM
Quote from: Yonkey on June 28, 2005, 12:29:52 PM
You could enforce security by forcing the user to put their username and password some place in the e-mail

That's definitely not more secure!
It's secure in the sense that only you know your own password, and spammers/virus senders do not.  ;) 

The only problem (and I agree this is a major problem) is that you're passing it as clear unencrypted text, which means it theoretically could be viewed by any administrator between your mail server and the forum's.

It would probably be best to use three layers of security: e-mail address (From address), IP range (check if originating IP address of e-mail is in any of the IP addresses that member uses) and PIN.  The PIN is separate from the user's password, but is a random encrypted number based on UNIXTIME dateRegistered, lastLogin and maybe the number of characters in the username.  This PIN is first dynamically generated and sent to the member when he/she requests mail2forum functionality in his/her profile, and is generated and sent again with every response sent to the forum via mail (in the form of a confirmation e-mail).

The odds of a hacker being able to guess this PIN are probably more or less the same as him guessing your password.

Anyway, this is probably far too complex to be a standard feature but it would make a pretty challenging mod.  :D
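Grudge's scheme above (a random, database-stored ID in every outgoing notification, checked against the replying address and deleted once used) and Yonkey's layering of the From address with a secret the member received by mail both come down to the same mechanism: bind a single-use secret to a member and a topic, and accept a reply only when the secret and the address agree. The following is an added Python example that is not code from the thread, from SMF or from either poster's mod; it uses random tokens as Grudge describes (not a PIN derived from profile data), carries the token in Message-ID so that a normal mail client returns it in In-Reply-To, and the forum hostname `forum.example.org`, the in-memory SQLite table and the sample replies are all constructed for the example.

```python
import secrets
import sqlite3
from email.message import EmailMessage
from email.utils import parseaddr

FORUM_DOMAIN = "forum.example.org"  # assumed forum hostname for this example


class ReplyTokenStore:
    """Random, single-use reply tokens keyed to (member e-mail, topic)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE reply_tokens ("
            " token TEXT PRIMARY KEY, email TEXT NOT NULL, topic_id INTEGER NOT NULL)"
        )

    def issue(self, email, topic_id):
        token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG: not guessable
        self.db.execute("INSERT INTO reply_tokens VALUES (?, ?, ?)",
                        (token, email.lower(), topic_id))
        self.db.commit()
        return token

    def redeem(self, token, from_email):
        """Return the topic id if the token exists and was issued to from_email,
        deleting it so the same notification cannot be replied to twice; else None."""
        row = self.db.execute(
            "SELECT email, topic_id FROM reply_tokens WHERE token = ?", (token,)
        ).fetchone()
        if row is None:
            return None
        stored_email, topic_id = row
        # constant-time comparison; encode so a non-ASCII From: cannot raise
        if not secrets.compare_digest(stored_email.encode(), from_email.lower().encode()):
            return None
        self.db.execute("DELETE FROM reply_tokens WHERE token = ?", (token,))
        self.db.commit()
        return topic_id


def build_notification(store, member_email, topic_id):
    """Outgoing notification; the token rides in Message-ID, which a replying
    mail client copies into In-Reply-To."""
    msg = EmailMessage()
    msg["From"] = f"forum@{FORUM_DOMAIN}"
    msg["To"] = member_email
    msg["Subject"] = f"New reply in topic {topic_id}"
    msg["Message-ID"] = f"<{store.issue(member_email, topic_id)}@{FORUM_DOMAIN}>"
    msg.set_content("Reply to this message to post in the topic.")
    return msg


def handle_incoming_reply(store, reply):
    """Return the topic id to post in, or None if the reply must be rejected."""
    suffix = f"@{FORUM_DOMAIN}>"
    in_reply_to = (reply.get("In-Reply-To") or "").strip()
    if not (in_reply_to.startswith("<") and in_reply_to.endswith(suffix)):
        return None
    token = in_reply_to[1:-len(suffix)]
    _, from_addr = parseaddr(reply.get("From", ""))
    return store.redeem(token, from_addr)


def make_reply(notification, from_header):
    """Constructed inbound reply, shaped as a mail client would produce it."""
    reply = EmailMessage()
    reply["From"] = from_header
    reply["To"] = notification["From"]
    reply["Subject"] = "Re: " + notification["Subject"]
    reply["In-Reply-To"] = notification["Message-ID"]
    reply.set_content("My reply text.")
    return reply


def demo():
    """Genuine reply, replay of the same token, guessed token, and a token
    issued to one member used with another member's address."""
    store = ReplyTokenStore()
    note = build_notification(store, "alice@example.com", 123)
    first = handle_incoming_reply(store, make_reply(note, "Alice <alice@example.com>"))
    replay = handle_incoming_reply(store, make_reply(note, "Alice <alice@example.com>"))
    forged = make_reply(note, "Alice <alice@example.com>")
    forged.replace_header("In-Reply-To", f"<guessed-token@{FORUM_DOMAIN}>")
    guessed = handle_incoming_reply(store, forged)
    bob_note = build_notification(store, "bob@example.com", 123)
    cross = handle_incoming_reply(store, make_reply(bob_note, "alice@example.com"))
    return first, replay, guessed, cross


if __name__ == "__main__":
    print(demo())  # (123, None, None, None)
```

Only the first reply is accepted: the second use of the same token fails because the row is gone, a made-up token never existed, and a token issued to Bob is refused for Alice's address. Note what this does and does not give you: a forged From: line alone no longer lets anyone post, because the forger never received the token, but anyone who can read the member's mailbox (or the mail in transit, which is Yonkey's clear-text concern) still holds a valid token until it is spent.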

Mastiff

I'd still like to hear someone explain why this is such a huge deal to a forum, yet mailing lists have gotten by just fine for ages.  What I mean is, people can impersonate whoever they want in E-mail and send it to a listserv or majordomo, yet the sky isn't falling as far as I'm aware.
"If you're an ugly chick, you're basically the same as a dude... I mean, you're gonna have to work."

Yonkey

Once you subscribe to a mailing list, your e-mail address is placed in a white list of allowed addresses.  Usually spammers don't know the e-mail address of the mailing list, and of course they are never allowed in the white list, so that's why mailing lists rarely get spammed.  Some mailing lists even use a moderation/spam filter before relaying the messages to everyone.  If a message is detected as spam, it's not sent out.  Also, things like newsletter mailing lists are usually one-way and no one can use it to spam because replying to it would go to a [email protected] or similar.

With a forum, you can view people's e-mail addresses (if they allow it to be visible).  If you allow guest access, spiders can harvest these e-mail addresses.  All it takes is a spammer or malicious user to connect these dots, and your forum will get vandalized like there's no tomorrow. :P

Mastiff

I'm not really understanding where the difference is.  With the forum, you can also only allow registered members to post via E-mail, so the security is the same.  It's true that spiders can harvest some E-mail addresses, but a normal spammer won't think to send from these addresses to the forum address.  A malicious user can subscribe in either case and then send phoney E-mails to the list or forum.
"If you're an ugly chick, you're basically the same as a dude... I mean, you're gonna have to work."

[Unknown]

I really don't care how insecure mailing lists may or may not be.  SMF will not be so insecure.

-[Unknown]

Mastiff

Quote from: [Unknown] on June 28, 2005, 11:07:07 PM
I really don't care how insecure mailing lists may or may not be.  SMF will not be so insecure.

-[Unknown]

Fair enough.  I'll just put my 0.02 in that in the form of a mod, maybe we don't need to be as worried - since it's optional.  Without being able to post new messages via E-mail, much of the functionality is lost, IMO.  In my particular instance, all the utility is lost, since most of my members are on the mailing list at present.  Also, a forum is a great way to archive a mailing list.
"If you're an ugly chick, you're basically the same as a dude... I mean, you're gonna have to work."

Dannii

This could be done as a mod, however to have any security at all anything posted should be posted as a guest. Perhaps even create a new type of guest - an email response guest. Guest responses already aren't presumed to be secure, you can put any name you like. The same for email responses.

But to post as a user, you should have to get session information.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

Mastiff

Good idea.  M2F for phpBB allows guest E-mail posting if you enable it, but it does attempt to match E-mail addresses to users in the forum user list and use those if it can; that's the default mode.  An option would be to disable that feature and for posts originating from E-mail, always post as a guest with a flag of some kind to indicate E-mail. 
"If you're an ugly chick, you're basically the same as a dude... I mean, you're gonna have to work."

Tobias Eigen

Hello,

Very glad this discussion is going on - unfortunately I'm in the middle of a move from Washington DC to Seattle, so can't contribute very actively. Has anyone here actually tried Fud forum and its mailing list integration? It works flawlessly on my system and is completely secure. I'd be happy to set up a test forum and let people test it out.

I've covered this a lot in this thread, but in summary, the things Fud and its maillist.php script do well on my mailman system:
- MBOX importing (including creating users!)
- Replacing mailman's archiver to import messages to Fud (moderation possible)
- Send messages out to list address for distribution by mailman 

It's very simple, stays out of the list management functionality completely, and simply works! All this discussion about security is really pointless - with Fud-like functionality we can all set up our forums as secure as we want using mailman or some other list manager, on a list-by-list basis.

I also would be very curious to see if Mailman's maillist.php script can be adapted for use in SMF - it seems to work very well and a lot of work has gone into it.

Cheers,

Tobias
Kabissa - Space for Change in Africa
http://www.kabissa.org

Joomla Website, Mailman mailing list server, seeking SMF/Mailman integration a la Fud Forum (http://www.fudforum.org).

http://del.icio.us/tobiaseigen/mail2forum

rhizome

#78
I doubt saying that it's been done on FUD is going to convince [Unknown] that it doesn't pose a security issue

But setting up a test forum would be good

I'm hoping that the MOD Grudge is thinking of developing will provide at least some of the functionality

alitahir

#79
Unknown, thanks for elaborating on the insecurity of incoming mails.

However, outgoing mail is not affected by this weakness.  So we can just forget about posting by mail, but we can still want to have a mail list feature which concerns only outgoing mail. In this way we can distribute content, digests or weekly reports. Users who want to post would need to follow a link and log in to the forum.

SMF would be reserved to post creation, archiving  and  all the usual interactive stuff.

Mail list (only outgoing) would provide to a larger public a convenient way of being in touch. Most active members anyway would switch to the forum for reading also. But mail broadcasting would enlarge the base and provide a bridge to a greater number of people.

So what about this stripped-down version of the integration idea?
