Hello all!

I don't know if somebody has reported something like this before. Sorry if so...

Everybody can create an anonymous email account at mail.com (like hotmail or yahoo mail). If you create an account and then you subscribe this account to an email list (like bugtraq =)), you will get a message to confirm your subscription. This is fine, and thanks to that, you cannot subscribe *another* email address to a list.

So, you subscribe your new account to many (many, many) lists and you confirm your subscriptions. Soon you will start to receive tons (and tons, and tons) of emails.

Where is the problem? OK. Mail.com lets you redirect your messages to another account. You simply need to give another's email address (any address, you don't need to give a mail.com address), and all the emails will be redirected to this account. The real problem is that no confirmation is needed, so the victim will start to receive unsolicited emails and he can't do anything!

Not only this; the messages which are forwarded *don't* stay in the subscribed account's inbox... this means that the attacker doesn't need to periodically clean the inbox...

And more... From the victim's point of view, the messages are sent directly from the distribution lists, not from the subscribed account! (Of course, you can check the header and there you will see that the message was sent to another address and then redirected.)

I haven't tested this on other free webmail services, but I imagine that there are more webmail services with the same problem...

> FEY, Rodolfo Christian
> II - IS
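The header check mentioned in the post, as an added example that is not part of the original message: it reads the `for <address>` clauses of the `Received` headers plus any `Delivered-To` header and reports every recipient that is not the reader's own address, which is the account doing the redirecting. The sample message, hosts and addresses are constructed, and the presence of a `for` clause or a `Delivered-To` header is an assumption about the mail servers involved.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a list message delivered to a webmail account and then
# redirected to the final recipient. All hosts and addresses are made up.
SAMPLE = """\
Received: from fwd.webmail.example by mx.victim.example
\tfor <victim@victim.example>; Fri, 13 Apr 2001 10:00:05 -0700
Received: from lists.example.org by mx.webmail.example
\tfor <throwaway@webmail.example>; Fri, 13 Apr 2001 10:00:01 -0700
Delivered-To: throwaway@webmail.example
From: someone@example.net
To: some-list@lists.example.org
Subject: [some-list] hello

body
"""

# "for <addr>" clause that an MTA may record in its Received header.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)

def envelope_recipients(raw):
    """Addresses the message was delivered for, oldest hop first."""
    msg = message_from_string(raw)
    seen = []
    # Received headers are prepended by each hop, so reverse for time order.
    for hop in reversed(msg.get_all("Received", [])):
        for addr in FOR_CLAUSE.findall(hop):
            if addr.lower() not in seen:
                seen.append(addr.lower())
    for _, addr in getaddresses(msg.get_all("Delivered-To", [])):
        if addr and addr.lower() not in seen:
            seen.append(addr.lower())
    return seen

def redirecting_accounts(raw, my_address):
    """Recipients other than my_address: the account(s) that forwarded it."""
    me = my_address.lower()
    return [a for a in envelope_recipients(raw) if a != me]

if __name__ == "__main__":
    print(redirecting_accounts(SAMPLE, "victim@victim.example"))
```

Only the `Received` lines added by your own mail server are trustworthy; earlier hops are written by other parties, and the `for` clause is optional, so an empty result does not prove the message was not redirected.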
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:57 PDT