[SpamCop-List] Re: MSN "Newsletters"
Tue, 4 Feb 2003 18:27:02 -0800
In article <b1pqfh$1m1$1>, mcwebber says...
> Considering that it's on the same server or owned by the same outfit it's
> very possible they do referrer checking to be sure the form was filled out
> on MSN so they can match your IP to your login.
If you go to the MSN Newsletters page without first logging in to the MSN
service, how do they relate the IP login to the referrer?
Here is what happened in my latest run. I am connected through PacBell, as
you should be able to verify from my headers (the SBC Yahoo! migration did
not change the PPPoE connections we make). I used Google to search for the
MSN Newsletters site. Upon linking, the referrer should only tell MSN that
I am coming from Google, and the IP address has nothing to do with the MSN
On arriving at the site, I entered a Hotmail email address which I know is
connected to the MSFT .Net Passport service. The message is that my
account is secured and I need to log in to .Net Passport to continue.
Next, I entered another Hotmail email address which I have not, yet
secured with .Net Passport. Instead of a login request, I have a lovely
list of newsletters, with hotlinks, to choose from.
Last night I clicked on one of those links, and received a confirmation
letter. Not a "click here to confirm, or we won't send" letter, but a
"welcome, you are subscribed, go here to unsubscribe" letter. I was never
asked to authenticate the request with the password for the UserID that
got me to the list.
Anybody can try a Hotmail address on that page. If the Hotmail user has
secured their UserID with a .Net Passport connection, MSN Newsletters
requests the password for the Hotmail account in question. If the Hotmail
user has not secured the account, they can be unilaterally subscribed by
anybody else who goes to that subscription page.
I will say one more time. I went to that page from a Google search, logged
on to a service other than MSN, and using a Hotmail UserID that was not
logged in to any part of MSN at the time of the visit. My default browser
is Beonex, a Mozilla clone; I don't see where MSN is going to find the
information they need to verify that the subscriber is the owner of the
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint