Hey guys. I'm the cofounder of Posterous. Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed. We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing. For the vast majority of users who use Gmail, Hotmail or other services, this was never an issue. Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy-to-remember address. We don't want to do secret addresses or secret words. Over the past 2 years, we've developed robust spoof detection IP and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed, and each time we have improved our system. Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
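The failure described above is a sender domain with no SPF record at all. As an added illustration (not Posterous's code, and not a description of their actual detection logic), here is a minimal SPF evaluator over a constructed DNS table, with the fail-open policy that lets a "none" result through beside the strict policy that only accepts an explicit "pass". The domains, addresses and records are all made up.

```python
# Added example, not Posterous code: minimal SPF evaluation showing why
# "no SPF record" must not count as authorization for post-by-email.
import ipaddress

# Constructed DNS TXT data; every domain and address here is made up.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    # "no-spf.example" deliberately has no record, like a sender who never set one up.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Look up the v=spf1 TXT record for a domain, or None if it has none."""
    txt = DNS_TXT.get(domain)
    return txt if txt and txt.startswith("v=spf1") else None


def spf_check(domain, sender_ip, depth=0):
    """Return an RFC 7208 style result: pass, fail, softfail, neutral or none.
    Supports only ip4:, include: and all, which is enough for the point here."""
    record = spf_record(domain)
    if record is None or depth > 10:  # no record (or include loop): "none"
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        result = QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return result
        if mech.startswith("include:") and spf_check(mech[8:], sender_ip, depth + 1) == "pass":
            return result
        if mech == "all":
            return result
    return "neutral"  # no mechanism matched and no "all" term


def authorized_fail_open(result):
    """The bug class: anything that is not an explicit fail is treated as legitimate,
    so a domain with no SPF record ("none") is accepted."""
    return result != "fail"


def authorized_strict(result):
    """Defensive policy: only an explicit pass authorizes a post; none, neutral
    and softfail are treated as unverified and fall back to another check."""
    return result == "pass"
```

With the strict policy a sender domain that never published SPF cannot be accepted on SPF alone, so the service must fall back to a second factor rather than posting.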
Is it possible to publish the algorithms and techniques you are using to prevent spoofing? It would really be a big help to us as well as everybody else.
Thanks,
Al