Hi
Thanks, that seems to me a reasonable, simple alternative to using SURBL; however, using SURBL would be automatic...
Alain
On 3/24/05, Devin Carraway surbl-box-at-devin.com |surbl list| <...> wrote:
On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
After seeing the various messages about open redirects, I did a search about "safe" HTTP redirectors, but didn't find many resources.
While it's not that difficult to make a safe one with a manual whitelist, it's not easy in all scripting languages (.asp, .pl, .php) to make a script that uses SURBL to block spammers. Such a script would have the big advantage that it could be generic. Are there any available on the net?
An equally important strategy to making a safe redirector absent whitelisting of partial or entire hostnames is to employ HMAC authentication. Basically, your redirector generator keeps a secret, you hash the secret with the URL and give back an auth token, then send back both the token and the URL to the real redirector. The redirector re-computes and compares the auth token, and redirects only if the token matches. Basically, it's a simplified form of only redirecting to signed URLs which requires only one secret.
--
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
_______________________________________________
Discuss mailing list
Discuss@lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
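The HMAC-authenticated redirector described in the quoted message, as an added Python example that is not part of the original thread. HMAC-SHA256, the parameter names `u` and `t`, the endpoint, the secret and the sample URLs are all assumptions made for illustration; the scheme restriction is an extra check the message does not mention.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; a real deployment loads the secret from protected config.
SECRET = b"constructed-sample-secret"
REDIRECTOR = "https://redirect.example.org/r"  # hypothetical redirector endpoint


def sign(url: str, secret: bytes = SECRET) -> str:
    """Hex HMAC-SHA256 token binding the shared secret to this exact URL."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_link(url: str) -> str:
    """Generator side: build a redirector link carrying the URL and its token."""
    return REDIRECTOR + "?" + urlencode({"u": url, "t": sign(url)})


def resolve(link: str) -> Optional[str]:
    """Redirector side: return the target only if the token verifies, else None."""
    params = parse_qs(urlsplit(link).query, keep_blank_values=True)
    urls, tokens = params.get("u", []), params.get("t", [])
    # Reject missing or duplicated parameters instead of guessing which to trust.
    if len(urls) != 1 or len(tokens) != 1:
        return None
    url, token = urls[0], tokens[0]
    # Added assumption: only web schemes are redirected, even with a valid token.
    if urlsplit(url).scheme not in ("http", "https"):
        return None
    # Constant-time comparison so response timing does not reveal partial matches.
    if not hmac.compare_digest(sign(url).encode(), token.encode()):
        return None
    return url  # the caller would answer with a 302 and "Location: <url>"


if __name__ == "__main__":
    good = make_link("http://www.example.com/page?id=1&x=2")
    print("valid link   ->", resolve(good))
    # Swapping the host without re-signing invalidates the token.
    tampered = good.replace("www.example.com", "spam.example.net")
    print("tampered link ->", resolve(tampered))
```

Because the token covers the whole URL, the generator must only ever sign URLs it has itself decided are acceptable; signing arbitrary user-supplied URLs on request would recreate the open redirect.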