http://www.dslreports.com/forum/r8615396 en Mon, 14 Dec 2009 19:36:29 EDT Mon, 14 Dec 2009 19:36:29 EDT http://www.dslreports.com/forum/remark,8615616 nil : In all fairness to Ben and Mena I don't think you can call them 'lazy' over a bad fix.. Movable Type is still a terrific tool and still free.. Hopefully they'll have a better fix soon, in the meantime, people should just remove the script altogether. There's no true need for it.
--
Life is too short to be boring]]> http://www.dslreports.com/forum/remark,8615616 Wed, 26 Nov 2003 17:36:57 EDT http://www.dslreports.com/forum/remark,8615514 trparky : Me too, the fix is horrible. Basically, the fix shows that they are lazy and that they don't want to fix it the correct way.
--
WedgeAntilles250]]> http://www.dslreports.com/forum/remark,8615514 Wed, 26 Nov 2003 17:22:44 EDT http://www.dslreports.com/forum/remark,8615396 justin : Reading the fix that movabletype.org have done .. well, it doesn't strike me as particularly good. So now they've limited the script to one target address and a short message body?

A spam-bot with a list of N movable type domain names could, in parallel, spam N people per second, even if everyone fixed their script per the recommendation. Ok that isn't as efficient as spamming NxM people per second (the original script allowed lists of people). But it is still possible.

It would be better if movabletype.org put a challenge response token into the loop, so you can't POST to it unless you have done a GET of the form, first, and a delay as well. Better still, remove the ability to enter a custom message (where the advert goes) entirely!

Or just remove the script and do not allow anon users to send links to any email address they like.]]> http://www.dslreports.com/forum/remark,8615396 Wed, 26 Nov 2003 17:09:14 EDT