Subject: Re: E-mail authentication during posting
Newsgroups: lugnet.admin.nntp
Date: Wed, 20 Jun 2001 21:28:49 GMT
Viewed: 955 times

I think the policy makes sense.
- Marc Cook
In lugnet.announce, Todd Lehman writes:
> The Quick Summary
> =================
>
> Effective immediately, all LUGNET News posts now require e-mail
> authentication after posting, in order to prevent the continuance of forged
> messages. An exception to this rule is if you are a member and signed-in
> through the web interface, in which case the system has already authenticated
> you and simply logs your Member-ID in the message headers.
>
>
> The Explanation
> ===============
>
> The message transport system which LUGNET uses is based on trust and honesty.
> It is an open system called NNTP (Network News Transport Protocol) in which
> it is actually relatively easy for someone to dishonestly forge messages --
> to cause them to appear as though they were written by someone other than you.
>
> We've been lucky as a community that we were able to get this far (more than
> two years -- almost three) without a dire need for authentication of messages.
> Recently, however, there has been a spate of message forgeries. These
> forgeries have to stop.
>
> The simplest way around this is for the server to accept a message, then send
> a quick confirmation e-mail to the poster listed in the From: header. This
> e-mail contains a special URL which will authenticate or "release" the message
> into the pool of active messages. Click that URL, then click "Post It" and
> you're all set.
>
> I'm sorry that this extra step had to be imposed, but in retrospect, it seems
> foolish that it wasn't there all along.
>
> BTW, if you are a LUGNET Member and you are signed in and post messages via
> the web interface, the system already knows who you are, and it won't send
> you an e-mail asking you to authenticate your messages. There is (currently)
> a slight loophole here in that a member could (if they jumped through enough
> hoops) actually still provide a false e-mail address, but the Member-ID number
> is logged in the article headers, so if someone does this, it will be possible
> to know whom to give the boot. I'll be doing some more work later to close up
> this loophole.
>
> --
> Todd S. Lehman | LUGNET Admin <todd@lugnet.com>
>
> p.s. My apologies if this message reaches you twice at different e-mail
> addresses...the address list I used was the entire database of everyone who
> has registered for posting privileges at LUGNET, and I didn't want to risk
> guessing wrong about which addresses are people's primary ones.
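
The hold-and-release flow described in the quoted announcement, as an added example that is not part of either post and is not LUGNET's own code. The class name, the 24-hour token lifetime, the `X-Member-ID` header name and the example.invalid addresses are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime; the announcement does not give one


class HeldPosts:
    """Holds submitted articles until the From: address confirms them."""

    def __init__(self, base_url, now=time.time):
        self.base_url = base_url
        self.now = now
        self.pending = {}   # sha256(token) -> (from_addr, article, expiry)
        self.released = []  # articles visible in the active pool

    def submit(self, from_addr, article, member_id=None):
        """Accept a post. Returns (recipient, url) for the confirmation mail,
        or None when a signed-in member posted and no mail is needed."""
        if member_id is not None:
            # Web-interface case: the member is already authenticated, so
            # record the Member-ID (hypothetical header name) and release.
            self.released.append(f"X-Member-ID: {member_id}\n{article}")
            return None
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (from_addr, article, self.now() + TOKEN_TTL)
        # The URL is mailed ONLY to the claimed From: address, never returned
        # to the submitting connection; a forger never sees the token.
        return from_addr, f"{self.base_url}?t={token}"

    def confirm(self, token):
        """The "Post It" step: release the held article; single use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop => a replay fails
        if entry is None:
            return False
        _, article, expiry = entry
        if self.now() > expiry:
            return False  # expired tokens never release the article
        self.released.append(article)
        return True
```

Only the hash of each token is stored, so a copy of the pending table does not reveal usable release URLs.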