[SURBL-Discuss] tips how to make a safe redirector

Alain coc454402 at sneakemail.com
Sat Apr 16 12:22:09 CEST 2005


Thanks, that seems to me a reasonably simple alternative to using
SURBL; however, using SURBL would be automatic...


On 3/24/05, Devin Carraway surbl-box-at-devin.com |surbl list|
<...> wrote:
> On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
> > After seeing the various messages about open redirects, I did a search
> > about "safe" http redirectors, but didn't find many resources.
> >
> > While it's not that difficult to make a safe one with a manual
> > whitelist, it's not easy in all scripts (.asp, .pl, .php) to make a
> > script that uses SURBL to block spammers.  Such a script would have
> > the big advantage that it could be generic.  Are there any available on
> > the net?
> An equally important strategy to making a safe redirector absent whitelisting
> of partial or entire hostnames is to employ HMAC authentication.  Basically,
> your redirector generator keeps a secret, you hash the secret with the URL and
> give back an auth token, then send back both the token and the URL to the
> real redirector.  The redirector re-computes and compares the auth token, and
> redirects only if the token matches.  Basically, it's a simplified form of
> only redirecting to signed URLs which requires only one secret.
> --
> Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
> Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

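Added example, not part of the original thread or any poster's code: a sketch of the HMAC-authenticated redirector Devin describes, with the generator side (sign, make_link) and the redirector side (resolve). The choice of HMAC-SHA256, the parameter names "u" and "t", the endpoint and the demo secret are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: constructed demo key. A real deployment loads a long random
# secret from configuration and never ships it in source.
SECRET = b"constructed-demo-secret-not-for-production"
REDIRECTOR = "https://example.org/r"  # hypothetical redirector endpoint


def sign(url: str, secret: bytes = SECRET) -> str:
    """Generator side: auth token = HMAC-SHA256(secret, url), hex encoded."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_link(url: str) -> str:
    """Build the link the site publishes: target URL plus its token."""
    return REDIRECTOR + "?" + urlencode({"u": url, "t": sign(url)})


def resolve(link: str, secret: bytes = SECRET):
    """Redirector side: return the target only if the token verifies."""
    params = parse_qs(urlsplit(link).query, keep_blank_values=True)
    urls, tokens = params.get("u", []), params.get("t", [])
    # Reject missing or repeated parameters, so the value that was signed
    # and the value redirected to cannot differ.
    if len(urls) != 1 or len(tokens) != 1:
        return None
    url, token = urls[0], tokens[0]
    # Only http(s) targets are meaningful for a web redirector.
    if urlsplit(url).scheme not in ("http", "https"):
        return None
    # Recompute the token and compare in constant time.
    if not hmac.compare_digest(sign(url, secret).encode(), token.encode()):
        return None
    return url


if __name__ == "__main__":
    good = make_link("http://lists.surbl.org/mailman/listinfo/discuss")
    tampered = good.replace("lists.surbl.org", "spam.example")
    print("signed link  ->", resolve(good))      # target URL
    print("altered link ->", resolve(tampered))  # None: token mismatch
```

A None result should be answered with an error page rather than a redirect. Rotating the secret invalidates every link issued under the old one.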