Backpack Spam

Anyone else getting backpack spam? I hadn’t checked out my reboot7 backpack page after the conference and just noticed that someone spammed it about a week ago:
[Screenshot: backpack_spam.png]
Backpack handles email-posting by assigning every page a unique, randomly generated email address. Any email sent to that address is appended to the corresponding page. Should your address be compromised, you can have a new random address assigned to your page (btw, WordPress has handled posting-by-mail the same way since v1.2). Zero authentication: all protection rests on the assumption that nobody will find out your page addresses in the first place.
So any spammer sending a few million mails to random addresses, because he might hit a few thousand addresses that actually exist, could taint your pages, and refreshing your page address offers zero protection against this, since your address hasn’t necessarily been compromised at all and a freshly assigned one can be hit by the same blind spray.
Adding some sort of authentication to this could badly impair the ease of use of posting by email, especially from mobile devices, as it would most likely involve adding some sort of token, username or password, with wacky separator strings between authentication data and actual content (WordPress handled posting-by-mail like this before v1.2). So how could you make this a little more secure?

A simple approach would be to whitelist certain sender addresses and discard any email sent from an address which isn’t listed. Even though forging SMTP headers is easy (I recently wrote some Java to do just that for a lab assignment and seriously, if you don’t know SMTP you have no idea how easy it is – anyone with half a brain can do it), there’s now another authentication token that needs to be guessed or eavesdropped, which means it takes a much more concerted effort to break in.
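To make the two layers concrete, here is a small inbound-mail handler written for this post as an added example; it is not Backpack’s code (nor WordPress’s), and the page table, the `posts.example.net` domain and the sample messages are all constructed for illustration. It assigns each page a random posting address, routes an incoming message to the page whose address matches, and then applies the per-page sender whitelist discussed above as a second check, so a message that merely hits an existing address is still discarded unless it also claims an allowed sender.

```ruby
require 'securerandom'

# Constructed in-memory page table: page id => posting address and sender whitelist.
# In a real deployment this would live in the application database.
PAGES = {
  'reboot7' => { address: nil, allowed_senders: ['me@example.org'] }
}

# Assign (or rotate) a page's posting address. 12 random bytes = 96 bits of
# entropy, so a blind spray of a few million mails has no realistic chance of
# hitting it; the whitelist below is what protects against a lucky hit anyway.
def assign_posting_address(page_id)
  PAGES.fetch(page_id)[:address] = "#{SecureRandom.hex(12)}@posts.example.net"
end

# Minimal header/body split: headers up to the first blank line, body after it.
# Header names are lowercased so lookups are case-insensitive.
def parse_message(raw)
  header_text, body = raw.split(/\r?\n\r?\n/, 2)
  headers = {}
  header_text.to_s.each_line do |line|
    name, value = line.chomp.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip if name && value
  end
  [headers, body.to_s]
end

# "Display Name <user@host>" -> "user@host"; a bare address is returned as-is.
def extract_address(field)
  (field[/<([^>]+)>/, 1] || field.strip).downcase
end

# Route one raw message. Returns a tagged result rather than printing, so the
# decision can be logged or tested. Note: a real MTA hook should use the
# envelope recipient (RCPT TO), since the To: header can be absent or forged;
# the To: header is used here only because the samples are self-contained.
def route_inbound(raw)
  headers, body = parse_message(raw)
  to   = extract_address(headers['to'].to_s)
  from = extract_address(headers['from'].to_s)

  page_id, page = PAGES.find { |_, p| p[:address] == to }
  return [:rejected, :unknown_address] unless page

  allowed = page[:allowed_senders].map(&:downcase)
  return [:rejected, :sender_not_allowed] unless allowed.include?(from)

  [:posted, page_id, body.strip]
end

# Stand-alone demonstration with constructed messages.
if __FILE__ == $0
  addr = assign_posting_address('reboot7')
  legit = "From: Me <me@example.org>\r\nTo: #{addr}\r\nSubject: note\r\n\r\nhello from the train\r\n"
  spam  = "From: promo@example.com\r\nTo: #{addr}\r\nSubject: !!!\r\n\r\nbuy stuff\r\n"
  p route_inbound(legit)  # => [:posted, "reboot7", "hello from the train"]
  p route_inbound(spam)   # => [:rejected, :sender_not_allowed]
end
```

The whitelist check is deliberately a second secret, not real authentication: as the post says, a From: header costs nothing to forge, so an attacker now needs to know both the page address and an allowed sender. Logging the `:rejected` results with the claimed sender gives you a cheap signal for when an address has been sprayed and should be rotated with `assign_posting_address`.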

Jul 3, 2005
