[Mailman-Developers] Yet another weird-a$$ potential attack problem...

J C Lawrence claw@kanga.nu
Thu, 04 Apr 2002 22:49:18 -0800


On Fri, 5 Apr 2002 00:13:44 -0500 
Barry A Warsaw <barry@zope.com> wrote:

> E.g. we could shut off email confirms altogether and force only web
> confirmations.  Or we could be more Majordomo-ish as JC describes.

A base problem is barrier to entry:

  Barrier to entry for stupid software and barrier to entry for users
  who are uncomfortable with email systems (or who just don't understand
  them).

While I don't want to target Mailman at 96yr old charming wee
grandmothers who are still not quite sure about anything since Truman,
it doesn't hurt to be friendly to them and the current
JUST-REPLY-TO-THIS-MESSAGE confirmation is pretty grandmother friendly
if you are going to retain a double-opt-in.  Moving to the MD-like model
I described gives significant extra opportunities for the non-technical
grandmothers of the world to be confused, make errors, and in general
not get the service they would like from Mailman.

  No, it's not that the MD approach is terribly complex at the UI level,
  it's that it's at least an order of magnitude more complex than the
  current JUST-REPLY model.  Think about it in terms of number of
  stupid/silly/dumb/oh-my-gawds-how-did-they-do-that things that a user
  could do in editing his reply down to the token versus the current
  just-hit-reply-and-send.

I like grandmothers.  I'd like them to like Mailman.  I'd also like them
not to be pissed off at Mailman because it throws stupid auto-responder
messages at them.

Suggest:

  Keep the just-hit-reply model,

Accomplish this as follows:

  Put the token both in the Subject: and the beginning of the message.

  Search the reply message for the token in Subject: and the first N
  (N<10) lines of the message.  The token has to exist in BOTH for the
  confirmation to be successful.

This puts an extra onus on the confirm message writers and translators:

  The token must be restated very close to the beginning of the message
  (probably within the first 4 lines).

I think that's a fairly acceptable constraint.  The 10 line limit should
be enough padding to allow the translators some slack, to adapt to grody
MIME/HTML wrapping, but to not pick up stupid auto responders which
bounce messages back with a leading prefix/vacation/comment.

-- 
J C Lawrence
---------(*)                Satan, oscillate my metallic sonatas.
claw@kanga.nu               He lived as a devil, eh?
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
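One way to implement the two-place token check proposed in the message above, written as an added example that is not part of the original post or of Mailman's code; the token value, the N=9 cutoff and the three sample messages are constructed for illustration.

```python
# Confirmation-reply check as proposed above: the token must appear in the
# Subject: header AND within the first N (N < 10) lines of the text body.
# Added example, not Mailman code; token format, N and messages are assumed.
import email
from email import policy

TOKEN = "4f9c1e2a7b3d"   # constructed sample token, not a real Mailman cookie
MAX_HEAD_LINES = 9       # the post says N < 10


def confirmation_looks_genuine(raw_message: bytes, token: str,
                               max_head_lines: int = MAX_HEAD_LINES) -> bool:
    """Return True only if the token is in Subject: and in the body head."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if token not in (msg.get("Subject") or ""):
        return False             # Subject: lost or rewritten by the mailer
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return False             # no text/plain part to inspect
    head = body.get_content().splitlines()[:max_head_lines]
    return any(token in line for line in head)


def make_message(subject: str, body_lines: list) -> bytes:
    """Build a constructed RFC 822-style test message (not a captured one)."""
    headers = ("From: subscriber@example.com\n"
               "To: list-request@example.com\n"
               f"Subject: {subject}\n"
               "Content-Type: text/plain; charset=us-ascii\n\n")
    return (headers + "\n".join(body_lines) + "\n").encode("ascii")


# The just-hit-reply case: Subject: and the quoted first line carry the token.
GENUINE_REPLY = make_message(f"Re: confirm {TOKEN}",
                             [f"> Reply to this message to confirm {TOKEN}",
                              "> (rest of the confirmation text)"])
# A vacation auto-responder keeps the Subject: but pushes the quoted original
# below a dozen lines of "I am away" text, so the body-head check fails.
AUTO_RESPONDER = make_message(f"Out of office: confirm {TOKEN}",
                              ["I am away from my desk until Monday."] * 12
                              + [f"> Reply to this message to confirm {TOKEN}"])
# A mailer that rewrote the Subject: line; the body alone is not enough.
SUBJECT_REWRITTEN = make_message("Re: confirm",
                                 [f"> Reply to this message to confirm {TOKEN}"])

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE_REPLY), ("auto-responder", AUTO_RESPONDER),
                      ("subject rewritten", SUBJECT_REWRITTEN)]:
        print(f"{name}: {confirmation_looks_genuine(raw, TOKEN)}")
```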