[Mailman-Developers] Yet another weird-a$$ potential attack problem...

Chuq Von Rospach chuqui@plaidworks.com
Thu, 04 Apr 2002 23:07:25 -0800


On 4/4/02 9:13 PM, "Barry A. Warsaw" <barry@zope.com> wrote:

>   CVR> I finally had to address probe the entire list, because the
>   CVR> mailbot was coming back from a domain that wasn't subscribed
> 
> Won't the VERP-ish support in MM2.1 make your life so much easier?
> (Coming as someone who's had to do the same thing on occasion.)

Yes, although in this case, they're sending back a new message to the "from"
address, throwing out everything but the subject, which they insert into
their subject line. So I think this mailbot through a forwarded address
would evade even VERP.

> It's a real issue, and as I see it there is no right answer, there are
> only trade-offs. 

Yeah. My feelings exactly. And I'm not the one to draw lines in the sand
here.

> So I don't know.  I'm inclined to favor user convenience for now, but
> I've no doubt that we'll have to re-debate this decision as time goes
> by.

Unless someone comes up with an idea that turns this from a minor problem
into a less-minor one, I agree. Examples of these problems really happening
would help sway me... I'd be a lot more worried if it didn't require
braindamage on the part of the other side, but we can't blame stupid users
for stupid IS departments, either...

 

-- 
Chuq Von Rospach, Architech
chuqui@plaidworks.com -- http://www.chuqui.com/

Very funny, Scotty. Now beam my clothes down here, will you?