
Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use Gmail, Hotmail or other services, this was never an issue.

Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection IP and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed, and each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
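The comment above describes an SPF-based spoof check that produced a false negative when the target domain published no SPF record. The following is an added example, not Posterous' code or any description of their actual detection logic: a minimal SPF evaluator over a constructed, inline TXT table (hypothetical domains `mailer.example`, `soft.example` and `nospf.example`, no live DNS) that supports only the `ip4`, `ip6` and `all` mechanisms. The point it shows is the fail-closed decision: a domain with no SPF record yields `none`, and only an explicit `pass` authorizes a post, so an absent record can never be mistaken for a clean sender.

```python
import ipaddress

# Constructed sample DNS TXT data for hypothetical domains (not real records).
DNS_TXT = {
    "mailer.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "soft.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "nospf.example": ["some unrelated txt record"],  # publishes no SPF at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's single SPF record, or None if it has zero or several."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1 ")]
    if len(records) != 1:
        return None
    return records[0]


def evaluate_spf(domain, sender_ip):
    """Evaluate sender_ip against the domain's SPF record.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror',
    mirroring the standard SPF result names. Only ip4/ip6/all mechanisms are
    implemented here; anything needing further DNS (include, a, mx) is rejected.
    """
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no record: the domain says nothing about this sender
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            return "permerror"  # unsupported mechanism in this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def accept_post(domain, sender_ip):
    """Fail closed: only an explicit SPF 'pass' authorizes posting by email.

    'none', 'neutral', 'softfail' and 'permerror' are all treated as not
    authenticated, so a missing record cannot be read as a clean sender.
    """
    return evaluate_spf(domain, sender_ip) == "pass"
```

The cost of this policy is visible in the same table: a sender at a domain like `nospf.example` can never post, because SPF gives the receiver nothing to verify. For such domains a service that wants a single public posting address needs a second factor (for example a DKIM signature, or a per-user address), since SPF alone cannot distinguish a legitimate sender from a forger there.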



Yey I'm not getting prosecuted. Good times.


A couple of years ago, I emailed Garry Tan about this very issue after successfully posting to a friend's Posterous. They were only thankful for the heads up and investigated.

A year or two later, I was interviewing at a company whose product has a similar feature (post todos, more or less), and decided to see if I could post to my friend's todo list. I was thinking that if I could, I'd post to the list of the guy who was interviewing me: "Hire Andrew--he exposed a hole." It didn't work on my friend's account, and I got an email a couple of minutes later. "I see you were doing some fuzzing, were you able to get any messages through?" I wasn't able to (though I didn't try too hard), and I didn't get the job either. (I ended up with a better job, so it all worked out.)


Well, apparently all you need to break Posterous' security is an SMTP server from 1and1.co.uk


Um, not anymore actually. And also it only worked because Dustin had no SPF records -- again vast majority of users were unaffected.


Do you share your anti-forgery strategy? That sounds like it would make a very useful open source library.

That would probably improve your security too.


A quick response from Posterous. I'd expect nothing less.

Posterous : email spoof detection :: PayPal : credit card fraud detection

See the section in Founders at Work on the value that better fraud detection created for PayPal.


Note that it is perfectly possible to safely use email as authentication. It is not trivial. I've replied about this here: http://news.ycombinator.com/item?id=1441914


Odd, the other Posterous threads are getting buried so quickly. When a new comment is posted in any thread it appears at the top, except for these Posterous threads. Is this damage control on the part of YC?

The only other person so far to comment under the co-founder on this thread (at time of writing) is jseeba, who has had very little activity and one of the few comments he's ever made was in a thread called "Ask YC: Your favorite startups" where he said "Posterous. It just works." So jseeba doesn't do much around here in the 2 or so years he's been a member but made time to chime in for Posterous again.


This happened to me too when I submitted a link about Posterous. Not long after it made it to the front page, the subject was changed to an inaccurate and less attention-getting subject. Moderator power...


For the record, jseeba emailed me and let me know that he's just a lurker and not part of this.



