Subject: Re: E-mail authentication during posting (test reply)
Newsgroups: lugnet.admin.nntp
Date: Mon, 18 Jun 2001 17:46:45 GMT
Viewed: 825 times
  
In lugnet.announce, Todd Lehman writes:
The Quick Summary
=================

Effective immediately, all LUGNET News posts now require e-mail
authentication after posting, in order to prevent the continuance of forged
messages.  An exception to this rule is if you are a member and signed-in
through the web interface, in which case the system has already authenticated
you and simply logs your Member-ID in the message headers.


The Explanation
===============

The message transport system which LUGNET uses is based on trust and honesty.
It is an open system called NNTP (Network News Transport Protocol) in which
it is actually relatively easy for someone to dishonestly forge messages --
to cause them to appear as though they were written by someone other than you.

We've been lucky as a community that we were able to get this far (more than
two years -- almost three) without a dire need for authentication of messages.
Recently, however, there has been a spate of message forgeries.  These
forgeries have to stop.

The simplest way around this is for the server to accept a message, then send
a quick confirmation e-mail to the poster listed in the From: header.  This
e-mail contains a special URL which will authenticate or "release" the message
into the pool of active messages.  Click that URL, then click "Post It" and
you're all set.

I'm sorry that this extra step had to be imposed, but in retrospect, it seems
foolish that it wasn't there all along.

BTW, if you are a LUGNET Member and you are signed in and post messages via
the web interface, the system already knows who you are, and it won't send
you an e-mail asking you to authenticate your messages.  There is (currently)
a slight loophole here in that a member could (if they jumped through enough
hoops) actually still provide a false e-mail address, but the Member-ID number
is logged in the article headers, so if someone does this, it will be possible
to know whom to give the boot.  I'll be doing some more work later to close up
this loophole.

--
Todd S. Lehman | LUGNET Admin <todd@lugnet.com>

p.s.  My apologies if this message reaches you twice at different e-mail
addresses...the address list I used was the entire database of everyone who
has registered for posting privileges at LUGNET, and I didn't want to risk
guessing wrong about which addresses are people's primary ones.
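
The hold-and-release step described in the announcement, sketched as an added example (not LUGNET's code, and not part of the original post). The URL format, the token lifetime and the names HoldQueue, submit and release are assumptions, and the "Click that URL, then click Post It" sequence is modeled as a single release call.

```python
import hashlib
import secrets
import time
from email.utils import parseaddr

# Hypothetical base URL; the page does not give the real release URL format.
RELEASE_URL = "https://news.example.invalid/release?t="


class HoldQueue:
    """Hold each posted article until the address in From: confirms it."""

    def __init__(self, ttl=86400):
        self.ttl = ttl          # seconds a held article waits (assumed value)
        self.pending = {}       # sha256(token) -> (article, expiry time)
        self.released = []      # the pool of active messages

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def submit(self, article, now=None):
        """Queue the article; return (recipient, url) for the confirmation mail."""
        now = time.time() if now is None else now
        addr = parseaddr(article.get("From", ""))[1]
        if "@" not in addr:
            raise ValueError("no usable From: address, cannot confirm")
        token = secrets.token_urlsafe(32)   # unguessable, 256 bits
        # Store only a hash so a leaked queue does not leak working tokens.
        self.pending[self._digest(token)] = (article, now + self.ttl)
        # The URL is mailed to addr only, never shown to the submitting client,
        # so a poster who forged From: never learns the token.
        return addr, RELEASE_URL + token

    def release(self, token, now=None):
        """Release the held article for this token, once, before expiry."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)   # single use
        if entry is None or now > entry[1]:
            return None
        self.released.append(entry[0])
        return entry[0]


if __name__ == "__main__":
    q = HoldQueue()
    forged = {"From": "Alice <alice@example.org>", "Body": "constructed sample"}
    to, url = q.submit(forged)
    print("mail to", to, "| forger's guess released:", q.release("guess") is not None)
    print("owner's click released:", q.release(url.split("t=", 1)[1]) is not None)
```
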


