in reply to Re: form+subscription+Perl+sendmail = TROLL
in thread form+subscription+Perl+sendmail = TROLL

Dear tachyon,
I was wondering why this <anonymous@hercules.dns-solutions.net> kept getting subscribed ...
So the mailing list program grabs the Return-Path:, not the From:, in making subscribers?

It's early morning in northwestern Norway, after a long night of trying to eff the ineffable. Maybe a workaround will come to me in tortured dreams, or maybe someone here will have pity and suggest something . . .
Or maybe it can't be done with a button on a form if the server's mailheader is that way?
ps. I have removed the offending <INPUT...>
-Dagfinn-

Volda, Norway, where trolls dance on the telephone wires

Re: Re: Re: form+subscription+Perl+sendmail = TROLL
Re: Re: Re: form+subscription+Perl+sendmail = TROLL
by iburrell (Chaplain) on Nov 06, 2002 at 21:18 UTC
    The mailing list program ezmlm does use the Return-Path from the mail as the address to subscribe and the one it sends the confirmation mail to. The Return-Path is the SMTP envelope sender set with the MAIL FROM command. You usually can't forge this on Unix machines when going through the sendmail process. You can set this when talking directly to the SMTP server, but many SMTP servers have limitations on what address they accept. If you are talking to your own mail server, you can configure it to accept these messages, but make sure you don't allow your mail server to become a spam relay.

    I would argue that ezmlm's behavior is wrong. It should use the From: header to determine the address to subscribe. Its behavior inhibits what you are trying to do, generating a subscription message on behalf of someone else. By forging the Return-Path, all bounce messages will go to the user. They really should go to an address that you look at. It doesn't provide any extra security from forgery or spam, because the return-path is as easy to forge as the From: header.

    You probably don't have any choice in which mailing list program you are using. If you have control of the mailing list, you might want to check if there is some way you can change this behavior. Or if there is some way to access the subscription process.

      Greetings, and good news.
      But first, thanks for all the generous help I am receiving!
      I also assumed that it might not be possible to `forge' the Return-Path header, but decided I would try anyhow, and added the line

      print MAIL "Return-Path: $from\n";

      to my soup. To my surprise it worked, and the subscription button works fine now. That header was disturbingly easy to change . . .

      Now I need to take a closer look at security. But it sure is nice to have overcome this particular troll.
      Since I am hosted by `Prohosting.com' I took what they have given, and that is ezmlm for a mailing list.

      Thanks again to all that had mercy on my little silly predicament!
      Dagfinn

      Volda, Norway, where trolls dance on the telephone wires
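As an added example (not code from either poster), the following Perl script does what iburrell describes: it hands the subscription request to the local sendmail binary with the visitor's address as the SMTP envelope sender, using sendmail's `-f` option, so the Return-Path: that ezmlm reads is set by the MTA itself rather than by a forged header line. The list request address, the sendmail path and the `visitor@example.com` input are placeholders. Writing a literal `Return-Path:` header, as in the thread, probably only worked because the host's sendmail wrapper (qmail-inject under a qmail/ezmlm installation) strips that field and reuses it as the envelope sender; that is an assumption about the host, and `-f` is the portable way to say the same thing.

```perl
#!/usr/bin/perl
# Added example, not from the thread: send an ezmlm "-subscribe" request
# with the form visitor's address as the SMTP envelope sender (sendmail -f),
# which is what ezmlm reads as Return-Path:.
# Assumptions: a sendmail-compatible MTA at /usr/sbin/sendmail, and a
# placeholder list request address.
use strict;
use warnings;

my $SENDMAIL = '/usr/sbin/sendmail';            # assumption: sendmail-compatible MTA
my $LIST     = 'list-subscribe@example.org';    # placeholder ezmlm request address

# The form value ends up both as a sendmail argument and inside the message
# header, so reject anything that is not one plain address: a CR/LF here
# would let a visitor inject extra headers or recipients into the message.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return 0 if length($addr) > 254;
    return 0 if $addr =~ /[\r\n\s]/;
    return $addr =~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/ ? 1 : 0;
}

# Build the message text. No Return-Path: is written here; the MTA derives
# it from the envelope sender passed with -f on the command line.
sub build_message {
    my ($from, $to) = @_;
    return "From: $from\nTo: $to\nSubject: subscribe\n\nsubscribe\n";
}

# Hand the message to sendmail. The recipient is given as an argument (not
# via -t), so the To: header cannot redirect delivery. The list-form pipe
# open runs sendmail directly without a shell, so no shell metacharacters
# in $from can be interpreted. With $dry_run set, return the command and
# message instead of sending, which is what the demo below does.
sub send_request {
    my ($from, $dry_run) = @_;
    die "invalid address\n" unless valid_address($from);
    my @cmd = ($SENDMAIL, '-i', '-f', $from, $LIST);
    my $msg = build_message($from, $LIST);
    return [ \@cmd, $msg ] if $dry_run;
    open(my $mail, '|-', @cmd) or die "cannot run $SENDMAIL: $!\n";
    print {$mail} $msg;
    close($mail) or die "sendmail exited with status " . ($? >> 8) . "\n";
    return 1;
}

unless (caller) {
    # Constructed input standing in for the form's address field.
    for my $input ('visitor@example.com', "visitor\@example.com\nBcc: spam\@example.net") {
        my $r = eval { send_request($input, 1) };
        if ($r) {
            my ($cmd, $msg) = @$r;
            print "would run: @$cmd\n$msg\n";
        } else {
            print "rejected input: $@";
        }
    }
}
```

Two caveats a practitioner will want. First, as iburrell notes, the envelope sender is where bounces go, so any bounce of the subscription request lands in the visitor's mailbox, not yours; ezmlm's design forces that trade-off. Second, a form that sends a confirmation request to any address typed into it lets anyone make your server mail arbitrary third parties, so rate-limit the form and keep the validation above, since the envelope sender is, as the thread says, as easy to forge as From: and offers no protection by itself.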