To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.admin.nntpOpen lugnet.admin.nntp in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Administrative / NNTP / 799
798  |  800
Subject: 
Re: E-mail authentication during posting
Newsgroups: 
lugnet.admin.nntp, lugnet.general
Date: 
Mon, 18 Jun 2001 18:25:29 GMT
Viewed: 
1497 times
  
Well, I understand the problem, but also see another one with this.

For people personally paying for their bandwith it will just be even more
expensive.
I tested only one message now, but how about checking several messages at
once?
Or a better solution.

I apriciate your concern, but I think there is a better solution.

Sonnich


LUGNET Admin <todd@lugnet.com> wrote in message
news:GF40AG.31A@lugnet.com...
The Quick Summary
=================

Effectively immediately, all LUGNET News posts now require e-mail
authentication after posting, in order to prevent the continuance of • forged
messages.  An exception to this rule is if you are a member and signed-in
through the web interface, in which case the system has already • authenticated
you and simply logs your Member-ID in the message headers.


The Explanation
===============

The message transport system which LUGNET uses is based on trust and • honesty.
It is an open system called NNTP (Network News Transport Protocol) in • which
it is actually relatively easy for someone to dishonestly forge • messages --
to cause them to appear as though they were written by someone other than • you.

We've been lucky as a community that we were able to get this far (more • than
two years -- almost three) without a dire need for authentication of • messages.
Recently, however, there has been a spate of message forgeries.  These
forgeries have to stop.

The simplest way around this is for the server to accept a message, then • send
a quick confirmation e-mail to the poster listed in the From: header. • This
e-mail contains a special URL which will authenticate or "release" the • message
into the pool of active messages.  Click that URL, then click "Post It" • and
you're all set.

I'm sorry that this extra step had to be imposed, but in retrospect, it • seems
foolish that it wasn't there all along.

BTW, if you are a LUGNET Member and you are signed in and post messages • via
the web interface, the system already knows who you are, and it won't send
you an e-mail asking you to authenticate your messages.  There is • (currently)
a slight loophole here in that a member could (if they jumped through • enough
hoops) actually still provide a false e-mail address, but the Member-ID • number
is logged in the article headers, so if someone does this, it will be • possible
to know whom to give the boot.  I'll be doing some more work later to • close up
this loophole.

--
Todd S. Lehman | LUGNET Admin <todd@lugnet.com>

p.s.  My apologies if this message reaches you twice at different e-mail
addresses...the address list I used was the entire database of everyone • who
has registered for posting privileges at LUGNET, and I didn't want to risk
guessing wrong about which addresses are people's primary ones.



1 Message in This Thread:

Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    

Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR