Hey guys. I'm the cofounder of Posterous. Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed. We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing. For the vast majority of users who use Gmail, Hotmail or other services, this was never an issue. Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words. Over the past 2 years, we've developed robust spoof detection IP and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system. Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
>We had a specific problem....
Most of the people here work in technology. Your response sounds a bit hand-wavy, as if you're alluding to some great complexity when the described "hack" is so incredibly rudimentary it would be the first thought of anyone making such a solution. The parts in this mechanism are trivial.
We've all done the "well...the packets they..uh...confluence of...ECC..."
>trying to stay a step ahead of hackers
Be wary of false confidence. I would wager that you've stayed a step ahead simply because you haven't gotten their attention yet. It's a classic "low security", non-scalable start-up approach. A "we'll deal with that once we're big enough that people notice it" approach.
>Over the past 2 years, we've developed robust spoof detection ip
Beyond using SPF and DomainKeys, I would be surprised if you have anything that could accurately get called "IP" in the realm of email. It's a long, long trodden ground.
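The SPF check that both comments above turn on (the cofounder's "no SPF records set up" case and the reply's "SPF and DomainKeys" point), as an added example that is not Posterous's code and not from the original thread. It is a minimal RFC 7208 evaluator over a constructed, in-memory DNS table; the domain names (blog-owner.example, _spf.mailer.example, no-spf.example, relay.mailer.example), their records and the two gate functions are all assumptions made for illustration. The point it shows is the one the thread is about: a domain with no SPF record evaluates to "none", not "fail", so a post-by-email gate that only blocks on an explicit fail lets the spoof through, while a gate that requires an explicit pass does not.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS table.

Added example, not Posterous code. The records below are invented for
illustration; no network lookups are made.
"""
import ipaddress

# Constructed DNS data (not real records). blog-owner.example publishes SPF;
# no-spf.example publishes no SPF record at all, the case discussed above.
DNS = {
    ("blog-owner.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 a:relay.mailer.example ~all"],
    ("relay.mailer.example", "A"): ["198.51.100.7"],
    ("no-spf.example", "TXT"): ["site-verification=abc123"],
    ("no-spf.example", "MX"): ["mail.no-spf.example"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    """Stand-in for a DNS resolver: look the name up in the constructed table."""
    return DNS.get((name.lower(), rtype), [])


def _ip_in(ip, spec, default_prefix):
    """True if ip falls in spec, which is 'addr' or 'addr/prefix'."""
    net, _, bits = spec.partition("/")
    return ip in ipaddress.ip_network(f"{net}/{bits or default_prefix}", strict=False)


def check_host(client_ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip sending as domain.

    Only mechanisms ip4, ip6, a, mx, include and all are handled; modifiers
    such as redirect= and exp= are out of scope for this example.
    """
    if depth > 10:  # keep include recursion bounded, as RFC 7208 requires
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in dns(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"          # no SPF policy published: nothing was verified
    if len(records) > 1:
        return "permerror"     # multiple SPF records are an error, not a pass
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip.version == 4 and _ip_in(ip, arg, 32)
        elif name == "ip6":
            matched = ip.version == 6 and _ip_in(ip, arg, 128)
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in dns(arg or domain, "A"))
        elif name == "mx":
            hosts = dns(arg or domain, "MX")
            matched = any(ip == ipaddress.ip_address(a) for h in hosts for a in dns(h, "A"))
        elif name == "include":
            sub = check_host(client_ip, arg, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"   # include matches only when the included policy passes
        else:
            return "permerror"        # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                  # no mechanism matched and no 'all' term present


def naive_gate(sender_domain, client_ip):
    """Hypothetical flawed gate: only an explicit SPF fail blocks the post.

    'none' (no record), 'neutral' and 'softfail' all slip through.
    """
    return check_host(client_ip, sender_domain) != "fail"


def strict_gate(sender_domain, client_ip):
    """Fail-closed gate: only an explicit SPF pass counts as authenticated.

    Note that 'pass' only proves the client IP may send for the domain; on a
    shared provider every customer of that provider passes for its domain, so
    SPF alone does not tie the message to one mailbox.
    """
    return check_host(client_ip, sender_domain) == "pass"
```

With the constructed table, a post claiming to be from no-spf.example sent from an unrelated address is accepted by naive_gate and rejected by strict_gate, while a genuine post from blog-owner.example's published range passes both. A domain that really has no SPF record cannot be authenticated by SPF at all, which is why the reply above points at DomainKeys/DKIM as the other long-standing mechanism.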