[Mailman-Developers] Possible yahoogroups problem.

Chuq Von Rospach chuqui at plaidworks.com
Mon Jul 7 23:49:45 EDT 2003


well, I was promised more than once that yahoo security was going to
contact me, and nobody ever did. Oh well.

here's the issue: it looks to me like someone's figured out Yahoo's  
confirmation protocol.

First, we got (edited for brevity):

> From: Yahoo! Groups <confirm-s2-6n1LGtpWyFrKWHIUtg2mjc8G=Ss-mailman-owner=lists.apple.com at yahoogroups.com>
> Date: Mon Jun 23, 2003  1:13:36 AM US/Pacific
> To: mailman-owner at lists.apple.com
> Subject: Please confirm your request to join associated_secretarial
> Reply-To: confirm-s2-6n1LGtpWyFrKWHIUtg2mjc8G=Ss-mailman-owner=lists.apple.com at yahoogroups.com
>

> Hello mailman-owner at lists.apple.com,
>
> We have received your request to join the associated_secretarial
> group hosted by Yahoo! Groups, a free, easy-to-use community service.
>

> 1) Go to the Yahoo! Groups site by clicking on this link:
>
>     http://groups.yahoo.com/i?i=6n1LGtpWyFrKWHIUtg2mjc8G-Ss&e=mailman-owner%40lists%2Eapple%2Ecom

obviously, our list server never requested to join the list, but if  
that were it, I'd have simply thrown this out and ignored it with all  
of the other spam and stuff like this.

But then shortly thereafter, we got...

> From: associated_secretarial Moderator <associated_secretarial-owner at yahoogroups.com>
> Date: Mon Jun 23, 2003  1:15:33 AM US/Pacific
> To: mailman-owner at lists.apple.com
> Subject: Welcome to associated_secretarial
>

>
> Hello,
>
> Welcome to the From the Eagle's Nest, a newsletter designed to help  
> you and your business to future successes.  Great tips for those just  
> getting started and for established businesses.  "Starting Out" ,  
> "Cold Call Strategy", "Taping Tips" and "Working from Home" are just  
> some of the articles to look out for.  The bi-weekly series addresses  
> the newer communications and technologies available for those who want  
> to "move with the times".  With a genuine desire to help small  
> business, this newsletter is one you'll be glad you have in your  
> "Better Business Arsenal".
>

We unsubscribed immediately, of course, but the question is, how did
that subscription get confirmed? I didn't do it. My associate didn't.

So I'm worried that someone's figured out how to circumvent yahoo's  
confirmation process. I wanted to bring this up with Yahoo, but they  
evidently weren't interested.

(and the reason I'm posting this to mailman-developers: just a general  
question, since I haven't had time to look it up myself: does the  
mailman confirmation process use an algorithm that could potentially be  
reverse engineered? If it happened to Yahoo, it could happen to  
Mailman. Even if it didn't happen to Yahoo, it could happen to other  
services if their confirmations can be predicted in some way.

Anyone want to hazard a reason why it might NOT be a breach of yahoo's  
algorithm here? I'm just a bit worried that we're seeing a new phase  
where spammers have figured out how to get around these protections; if  
so, it also opens up mailing lists to be a new form of guided missile  
in attacks on people, something I'd rather avoid, thank you...)
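
On the question of whether a confirmation value can be predicted, an added example (not part of the original post, and not Mailman's or Yahoo's code): a token derived from values the requester already knows, next to one drawn from the OS random source and checked server-side. All names, the three-day lifetime and the weak scheme itself are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def weak_token(address, listname, requested_at):
    """Hypothetical weak scheme: a hash of values the requester already knows."""
    data = f"{address}:{listname}:{int(requested_at)}".encode()
    return hashlib.sha1(data).hexdigest()[:20]


class PendingConfirmations:
    """Hypothetical store of pending subscriptions keyed by unguessable tokens."""

    def __init__(self, lifetime=3 * 24 * 3600):
        self.lifetime = lifetime
        self._pending = {}  # sha256(token) -> (address, listname, expires)

    @staticmethod
    def _key(token):
        # Keep only a digest so a leaked table does not reveal live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, address, listname, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(20)  # 160 bits, independent of the inputs
        self._pending[self._key(token)] = (address, listname, now + self.lifetime)
        return token  # delivered only in the mail sent to `address`

    def confirm(self, token, address, now=None):
        """Return the list name on success, None otherwise. Tokens are single use."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        pending_address, listname, expires = entry
        same = hmac.compare_digest(pending_address.encode(), address.encode())
        if now > expires or not same:
            return None
        return listname
```

Whoever submits a subscription request knows the address, the list name and roughly the time, so the first scheme can be recomputed without ever seeing the confirmation mail; the second cannot, because the token carries no information about its inputs.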
