[SpamCop-List] Re: MSN "Newsletters"
spamcop-list@news.spamcop.net
Tue, 4 Feb 2003 18:27:02 -0800
In article <b1pqfh$1m1$1>, mcwebber says...
> Considering that it's on the same server or owned by the same outfit it's
> very possible they do referrer checking to be sure the form was filled out
> on MSN so they can match your IP to your login.
Yes, but...
If you go to the MSN Newsletters page without first logging in to the MSN
service, how do they relate the IP login to the referrer?
Here is what happened in my latest run. I am connected through PacBell, as
you should be able to verify from my headers (the SBC Yahoo! migration did
not change the PPPoE connections we make). I used Google to search for the
MSN Newsletters site. Upon linking, the referrer should only tell MSN that
I am coming from Google, and the IP address has nothing to do with the MSN
service.
On arriving at the site, I entered a Hotmail email address which I know is
connected to the MSFT .Net Passport service. The message is that my
account is secured and I need to log in to .Net Passport to continue.
Next, I entered another Hotmail email address which I have not yet
secured with .Net Passport. Instead of a login request, I have a lovely
list of newsletters, with hotlinks, to choose from.
Last night I clicked on one of those links, and received a confirmation
letter. Not a "click here to confirm, or we won't send" letter, but a
"welcome, you are subscribed, go here to unsubscribe" letter. I was never
asked to authenticate the request with the password for the UserID that
got me to the list.
Anybody can try a Hotmail address on that page. If the Hotmail user has
secured their UserID with a .Net Passport connection, MSN Newsletters
requests the password for the Hotmail account in question. If the Hotmail
user has not secured the account, they can be unilaterally subscribed by
anybody else who goes to that subscription page.
I will say it one more time. I went to that page from a Google search, logged
on to a service other than MSN, and using a Hotmail UserID that was not
logged in to any part of MSN at the time of the visit. My default browser
is Beonex, a Mozilla clone; I don't see where MSN is going to find the
information they need to verify that the subscriber is the owner of the
account.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
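
The difference between the two kinds of letter described in this message ("click here to confirm, or we won't send" versus "welcome, you are subscribed"), as an added example that is not part of the original post and is not MSN's code: a confirmed opt-in flow in which a request made by anyone only produces a token mailed to the address, and nothing is subscribed until that token comes back. The class name, secret, 48-hour lifetime and sample addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, constructed for this example
TOKEN_TTL = 48 * 3600             # assumption: confirmation token is valid for 48 hours


def _sign(address, newsletter, issued):
    """MAC binding the token to one address, one newsletter and its issue time."""
    msg = "\n".join([address.lower(), newsletter, str(issued)]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class ConfirmedOptIn:  # hypothetical class name
    def __init__(self):
        self.active = set()  # (address, newsletter) pairs that actually receive mail

    def request(self, address, newsletter, now=None):
        """Callable by anyone, for any address. Subscribes nothing: it only
        returns the token to be mailed to `address` in the confirmation letter."""
        issued = int(time.time()) if now is None else int(now)
        return "%d.%s" % (issued, _sign(address, newsletter, issued))

    def confirm(self, address, newsletter, token, now=None):
        """Activate the subscription only if the mailed token comes back intact."""
        now = int(time.time()) if now is None else int(now)
        try:
            issued_text, mac = token.split(".", 1)
            issued = int(issued_text)
        except ValueError:
            return False  # malformed token
        if not 0 <= now - issued <= TOKEN_TTL:
            return False  # expired, or issue time in the future
        expected = _sign(address, newsletter, issued)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # forged, or issued for another address or newsletter
        self.active.add((address.lower(), newsletter))
        return True
```

Because the token travels only in mail sent to the address itself, a third party who types someone else's address into the form never sees it and cannot complete the subscription.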