Refill a disposable through an email message

Posted: Wed Feb 18, 2004 4:00 am
by SysKoll
Proposed feature: Give users an option to refill one of their disposables through an email interface.
  • A user would use the web site to pick a refill password.
  • Then, to refill a disposable, the user would send an email (from anywhere) to that disposable with subject "REFILL X password" where X = 1 to 20. The disposable's counter would immediately be reset to that number X.


For instance, say you pick "P3ngu1n" as your refill password and you want to refill your disposable joe.blow.UserName. You send an email to joe.blow.UserName@spamgourmet with subject "REFILL 10 P3ngu1n" and this disposable's counter gets set to 10.

Posted: Wed Feb 18, 2004 11:50 am
by kyricc
As I suggested in the original thread for this request, I would suggest (as an added bit of security) to only allow this request to come from your registered 'real address'.

-jb

Posted: Wed Feb 18, 2004 2:40 pm
by SysKoll
Kyricc,

The From field of an email is so easy to forge that this is not adding much security.

Posted: Wed Feb 18, 2004 3:40 pm
by josh
I agree that it's not secure enough to verify that the command came from your "real" address -- not because I imagine that ill-wishers will be refilling sg users' disposables with forged From: headers, though: after all, sg keeps the ill wishers from knowing the real address in the first place, and if they do know it somehow, it seems like a lot of evil-doing pain for not much evil-getting gain -- why not just send email to the real address? :) ...

Rather, the possibility of abuse (however implausible) will occur to tech journalists, who will then bash the feature as "insecure" -- I've read too many reviews (e.g., http://www.pcmag.com/article2/0,4149,12616,00.asp , http://www.pcmag.com/article2/0,4149,844094,00.asp - both are so "important" that they're the number two google hit for the search term "spamgourmet") that focus on sg auto-create as a security problem without a) mentioning prefixes and watchwords, which effectively seal it off, or b) admitting what a silly scenario it is to imagine spammers sitting around making up disposable email addresses, or that sg no-brainer users have been enjoying the service with absolutely no maintenance worries or "made up" addresses for *years* now... (and if one had listened to the journalists years ago, he or she would have missed out on all that transparent spam protection)

So, learning the harsh lessons of journalistic blockheadedness, I'd say the shallow *appearance* of security is, unfortunately, almost as important as actual security.

Posted: Sat Feb 21, 2004 2:28 pm
by Guest
I was thinking this could be a way of interacting with spamgourmet through email. For example:

- Add more messages:
Subject: RESTOCK 20 oranges

- Shutdown an address:
Subject: RESTOCK 0 oranges

You know when you want to create that initial munged address so you can send an email so it looks like it came from spamgourmet (the mysendto page). How about enabling that functionality through email. Like I send an email:

To: iwon.joe.blow@xoxy.net
Subject: MUNGE oranges

Then what spamgourmet does is send me an email with the from address set to the munged address. Then I can reply to that email and my real address will be hidden.

Posted: Sat Feb 21, 2004 3:04 pm
by Guest
Adding a trusted sender:

To: amazon.joe.blow@xoxy.net
Subject: ADDTRUSTED amazon.com P3ngu1n

Posted: Sun Feb 22, 2004 12:00 am
by Guest
Get status of an address:

Subject: GETSTATUS P3ngu1n

Returns current message count and trusted senders.

Posted: Tue Feb 24, 2004 3:05 pm
by ben
It would be better to allow it in the message body and allow for multiple instructions.

regards,
Ben

Yes please!

Posted: Fri Feb 27, 2004 4:58 pm
by csunderland
I think this is a great idea.

I'm not sure at all of the best way to implement it, but I just wanted to voice my support :!:

Chris

Posted: Mon Mar 01, 2004 12:49 pm
by cerk
Good idea, and I second the suggestion on only allowing refilling when mailed from the user's original mail address. Although the "From" field is easy to forge, the "Sent from" field in the mail header is (close to) impossible. Besides, I can't really imagine spammers going to that extent of trouble on hacking into the Sent-from field just to enable your disposable address.

Go for it.

Posted: Tue Mar 02, 2004 12:41 pm
by kyricc
SysKoll wrote:
Kyricc,

The From field of an email is so easy to forge that this is not adding much security.


I guess I was coming from the standpoint of your original message to the poll. While the From: header is easy to fake you had stated something about a password. I was figuring the combination of correct From: header + correct password would suffice.

-jb

Posted: Tue Mar 02, 2004 12:49 pm
by anon
The from: field is easy to forge, but the only thing that spamgourmet protects is your real email address -- so if someone *has* your real email address, and can therefore forge a from: field, what's the point of doing so? That person can just send email *straight to* your real email address and circumvent spamgourmet altogether -- no worries about refilling or anything else...

Posted: Sun May 16, 2004 4:42 pm
by bill1000
How about just making it an option that the user could turn off and on as desired? Maybe also assigning a separate password that could only be used for e-mail commands. If someone actually does go to the trouble of sniffing out the e-mail password and spam quotas start changing, then the actual user could just log in with his real password and change the e-mail one or just turn that option off.

ideas

Posted: Tue Aug 03, 2004 11:44 am
by prolixity
perhaps to ease fears of other people changing your settings

1) send email command from "real" address
2) SG replies to "real" address somehow with a confirmation url

Should the SG user not click the url the account change(s) are not implemented. Perhaps set a url expiry time just in case (3 days?)


* somehow =

- to the alias being modified -- but not reduce its "count"
- other?
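
Added example, not part of the thread and not spamgourmet's code: a sketch of how a mail handler could combine the ideas above, parsing the proposed "REFILL X password" subject, checking a separate e-mail-command password without trusting the From: header, and issuing a signed confirmation token with a 3-day expiry. The function names, the token layout, the server key and the salt are assumptions made for illustration.

```python
import hashlib, hmac, re

SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the server
TOKEN_TTL = 3 * 24 * 3600              # the 3-day expiry floated in the thread
REFILL_RE = re.compile(r"REFILL (\d{1,2}) (\S+)")

def hash_password(password, salt):
    # Store only a salted, slow hash of the e-mail-command password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def parse_refill(subject, salt, stored_hash):
    """Return the requested count (1..20), or None for anything else."""
    m = REFILL_RE.fullmatch(subject.strip())
    if not m:
        return None
    count = int(m.group(1))
    if not 1 <= count <= 20:
        return None
    # Constant-time comparison; the From: header plays no part in the decision.
    if not hmac.compare_digest(hash_password(m.group(2), salt), stored_hash):
        return None
    return count

def _mac(msg):
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()

def make_token(alias, count, now):
    """Token for the confirmation URL: alias|count|expiry|HMAC."""
    msg = f"{alias}|{count}|{int(now) + TOKEN_TTL}"
    return f"{msg}|{_mac(msg)}"

def confirm(token, now):
    """Return (alias, count) if the token is authentic and unexpired, else None."""
    parts = token.rsplit("|", 3)
    if len(parts) != 4:
        return None
    alias, count, expires, mac = parts
    if not hmac.compare_digest(mac.encode(), _mac(f"{alias}|{count}|{expires}").encode()):
        return None
    if now > int(expires):
        return None
    return alias, int(count)

if __name__ == "__main__":
    import time
    salt = b"constructed-salt"                      # constructed sample values
    stored = hash_password("P3ngu1n", salt)
    n = parse_refill("REFILL 10 P3ngu1n", salt, stored)
    print(n, confirm(make_token("joe.blow.UserName", n, time.time()), time.time()))
```

The token here is not single-use; a handler built on this sketch would also record redeemed tokens so a confirmation link cannot be replayed within its lifetime.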

Posted: Thu Oct 21, 2004 7:51 pm
by Mercury
sorry, but it makes no sense to me: if you have time to send mail to sg, you also have time to visit sg's webpage to change whatever you want. there's no advantage.