Forum OpenACS Q&A: reply-to forum feature a security problem

Hi
We have the reply-to feature on our .LRN installation, so students/users can reply to a notification and their reply gets posted in the forums.

Regrettably most email applications add the address you send emails to, to the address book. So if a student ever posts something to a thread, there is a chance that the address will get "attacked" (the thread gets junk postings).

Any solution/ideas about this?

Posted by Malte Sussdorff on
  • Add a "last posted via email to thread x" record to the user. If it is less than y minutes ago, assume it is spam and bounce the mail back to the user. Downside: If the user is answering to a thread multiple times and sends it at the same time, then the last emails would bounce.
  • Alternatively you could look at the sent/written information contained in the email and use that one (if the account is hijacked, all the mails are sent within seconds, my assumption).
  • Another idea would be to use a one time hash key in the email address. This way the user could only reply *once* to a given thread via email. This does in no way solve the problem of starting *new* threads.
  • Run spam assassin in front of your webserver. It should be able to detect if the user is trying to spam (which would mean the user got hijacked).
Personally I'd favour the one time hash solution and force people to start a new thread using the web forum as this still opens the possibility to reply to a posting as you would in any normal email conversation, but prevents spamming (intentional or not).
Posted by Jeff Davis on
Add a "last posted via email to thread x" record to the user. If it is less than y minutes ago, assume it is spam and bounce the mail back to the user. Downside: If the user is answering to a thread multiple times and sends it at the same time, then the last emails would bounce.
Most things that scrounge addresses from the address book tend not to send lots of messages to the same address in a short period of time, so this is sort of limited in its usefulness.

Rather than a hash key for one time use I think it would be better to expire the reply address after some period, and if there was a reply you could do tdma style validation of the sent message.

The way the things that allow emailed blog posts work is to either use a secret email address (has the same problem we have now), require a keyword in the subject or message body which authenticates the user, or use cryptographically signed email (mail2blog does this).
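The two posts above describe the same building blocks from different angles: a per-thread reply address that is cryptographically bound to the user and thread (Malte's "one time hash key"), an expiry on that address (Jeff's "expire the reply address"), and a rate check on "last posted via email to thread x". The following is an added example, not code from the thread or from OpenACS/.LRN, showing how an inbound-mail handler could implement all three with an HMAC tag in the local part of the address. The domain, secret key, time windows, plus-addressing layout and the in-memory stores are constructed assumptions; a real deployment would keep the key in server configuration and the used-token and last-post records in database tables.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demo values (assumptions, not .LRN configuration).
SECRET_KEY = b"constructed-demo-secret-change-me"   # server-side HMAC key
REPLY_DOMAIN = "forums.example.edu"                 # assumed mail domain
REPLY_TTL_SECONDS = 7 * 24 * 3600                   # address expires after a week
RATE_WINDOW_SECONDS = 5 * 60                        # "less than y minutes ago"

# In-memory stand-ins for database tables.
_used_tokens: set = set()        # tags already consumed (one-time use)
_last_post: dict = {}            # (user_id, thread_id) -> last email post time


def _tag(payload: str) -> str:
    """Truncated HMAC-SHA256 over the address payload; only the server can mint it."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()[:20]


def make_reply_address(user_id: int, thread_id: int, now: int) -> str:
    """Mint the Reply-To address for one notification: bound to user and thread,
    carrying an expiry and a random nonce so every notification gets a fresh token."""
    expires = now + REPLY_TTL_SECONDS
    nonce = secrets.token_hex(6)
    payload = f"{user_id}.{thread_id}.{expires}.{nonce}"
    return f"reply+{payload}.{_tag(payload)}@{REPLY_DOMAIN}"


_ADDR_RE = re.compile(
    r"^reply\+(\d+)\.(\d+)\.(\d+)\.([0-9a-f]+)\.([0-9a-f]{20})@(.+)$"
)


def check_reply_address(address: str, now: int) -> dict:
    """Validate the To: address of an inbound mail. On success the token is
    consumed, so a second mail to the same address (replayed or harvested from
    an address book) is rejected as 'already used'."""
    m = _ADDR_RE.match(address)
    if not m or m.group(6) != REPLY_DOMAIN:
        return {"ok": False, "reason": "not a reply address"}
    user_id, thread_id, expires, nonce, tag, _domain = m.groups()
    payload = f"{user_id}.{thread_id}.{expires}.{nonce}"
    # Constant-time comparison: a forged or tampered address fails here.
    if not hmac.compare_digest(_tag(payload), tag):
        return {"ok": False, "reason": "bad signature"}
    if now > int(expires):
        return {"ok": False, "reason": "expired"}
    if tag in _used_tokens:
        return {"ok": False, "reason": "already used"}
    _used_tokens.add(tag)
    return {"ok": True, "reason": "",
            "user_id": int(user_id), "thread_id": int(thread_id)}


def too_soon(user_id: int, thread_id: int, now: int) -> bool:
    """Rate check from the first reply: True (reject/bounce) if this user already
    posted to this thread by email within RATE_WINDOW_SECONDS; otherwise record
    this post time and return False."""
    key = (user_id, thread_id)
    last = _last_post.get(key)
    if last is not None and now - last < RATE_WINDOW_SECONDS:
        return True
    _last_post[key] = now
    return False


if __name__ == "__main__":
    # Constructed walk-through: mint an address, accept the first reply, reject the replay.
    addr = make_reply_address(42, 7, now=1_000_000)
    print(addr)
    print(check_reply_address(addr, now=1_000_100))   # ok
    print(check_reply_address(addr, now=1_000_100))   # already used
```

The signature check runs before the expiry and replay checks so that an attacker cannot learn anything about stored tokens from an address they cannot forge. As Malte notes, this only protects replies: a harvested address can no longer post, but starting new threads still has to go through the web forum.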