Security hole- for sure

["Barbara B. Peck" <bpeck@together.net>]

Actually there severa ways I know of to post to RideCamp.

1) Access the endurance.net web page, click archives & click on "guest post"

   I can do this form my computer at work, BUT add my home Email address,

  My home addy is then the one that shows up in the posts heading, even though it's NOT the address I'm posting from.

2) Access also from my any computer, thru any mail provider, ( a friends or what ever) sending to    Guest@endurance, which will  then show the addy from which it was sent.

  

3) From my home computer's eail provider, to Ridecamp@endurance.net . Since my home addy is registered with RC,   the post then comes thru with my home computers email addy.

 

So, In essence, you can post as a guest, hide the true email addy the post was sent from, and add an Email return addy that's anybodys (not really yours.)

 

Now, *maybe* Steph's server get's both addresses, I don't know, That's a question for her to answer about her server. 

 I know my account at IBM, will show me the routing the email took,  if  that routing was *different* than the Emails return addy.  My MSM/Outlook express does *not* do that (or maybe I just don't know how to look for it).

 

I agree... it's definately a security hole. 

Even though I'm a long time user of guest posting, it should  be eliminated.

Barb.