[SURBL-Discuss] tips how to make a safe redirector
coc454402 at sneakemail.com
Sat Apr 16 12:22:09 CEST 2005
Thanks, that seems to me a reasonably simple alternative to using
SURBL; however, using SURBL would be automatic...
On 3/24/05, Devin Carraway surbl-box-at-devin.com |surbl list|
> On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
> > After seeing the various messages about open redirects, I did a search
> > for "safe" HTTP redirectors, but didn't find many resources.
> > While it's not that difficult to make a safe one with a manual
> > whitelist, it's not easy in all scripts (.asp, .pl, .php) to make a
> > script that uses SURBL to block spammers. Such a script would have
> > the big advantage that it could be generic. Are there any available on
> > the net?
> An equally important strategy to making a safe redirector absent whitelisting
> of partial or entire hostnames is to employ HMAC authentication. Basically,
> your redirector generator keeps a secret, you hash the secret with the URL and
> give back an auth token, then send back both the token and the URL to the
> real redirector. The redirector re-computes and compares the auth token, and
> redirects only if the token matches. Basically, it's a simplified form of
> only redirecting to signed URLs which requires only one secret.
> Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
> Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
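
The HMAC scheme described in the quoted reply, as an added example that is not part of the original thread: a generator signs each target URL with a shared secret, and the redirector recomputes the token and redirects only on a match. Python, HMAC-SHA256, the `u`/`t` parameter names, the `redirector.example` base URL and the demo secret are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real deployment loads a long random secret from
# configuration shared only by the link generator and the redirector.
SECRET = b"constructed-demo-secret-not-for-production"


def sign_url(url: str, secret: bytes = SECRET) -> str:
    """Auth token: HMAC-SHA256 over the exact target URL."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_link(url: str, base: str = "https://redirector.example/r") -> str:
    """Generator side: emit a redirector link carrying the URL and its token."""
    return base + "?" + urlencode({"u": url, "t": sign_url(url)})


def resolve(link: str, secret: bytes = SECRET):
    """Redirector side: return the target if the token verifies, else None."""
    params = parse_qs(urlsplit(link).query, keep_blank_values=True)
    urls, tokens = params.get("u", []), params.get("t", [])
    # Exactly one of each: duplicated parameters are rejected, not guessed at.
    if len(urls) != 1 or len(tokens) != 1:
        return None
    url, token = urls[0], tokens[0]
    expected = sign_url(url, secret)
    # Constant-time comparison avoids leaking the expected token via timing.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return url


if __name__ == "__main__":
    good = make_link("http://example.com/page?a=1&b=2")  # constructed target
    print(good, "->", resolve(good))
    # Swapping the host while reusing the old token must fail verification.
    forged = good.replace("example.com", "example.net")
    print(forged, "->", resolve(forged))
```

The redirector needs no whitelist or blocklist lookup: any URL the generator did not sign is refused, so the secret is the only state both sides share.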