[Mailman-Developers] Possible yahoogroups problem.
Chuq Von Rospach
chuqui at plaidworks.com
Thu Jul 10 13:54:44 EDT 2003
On Thursday, July 10, 2003, at 12:35 PM, Paul Hoffman / IMC wrote:
> (Of course, watching the outgoing mail would make this attack easier
> too. :-) )
>
Of course, if they're sniffing packets or otherwise intercepting
content, the only thing that'll stop it is a phone call... carrier
pigeon, maybe.
My worry, of course, is that the e-mail community has had a tendency to
see mail-back validation as the solution to many problems (and it is,
just not as globally as some might hope) --- but I don't think the
community has ever stopped to make sure those techniques were really
secure in a formal way, or defined what it takes to be secure. The
existence has been enough...
(but then, there are all sorts of attack vectors in mail lists that
haven't been properly addressed. If I want to mailbomb your inbox into
a cinder, does it matter whether I subscribe you to 50 busy mail lists, or
simply shove 1,500 "if you want to confirm your subscription..."
replies in via a forged address? Most servers will happily keep
resending confirmations without rate limiting, so you don't even need
to find 1500 lists... Ditto help and info messages, postmaster
auto-bots, etc, etc... )
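
An added example, not part of the original post and not Mailman's code: a per-address cap on automatic replies (confirmations, help, info), the rate limiting the message above says most servers lack. The class name, the limit of 3 replies and the 24-hour window are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class AutoReplyThrottle:
    """Sliding-window cap on automatic replies sent to any one address.

    Hypothetical helper: the name, limits and interface are assumptions,
    not Mailman's API.
    """

    def __init__(self, max_replies=3, window_seconds=24 * 3600):
        self.max_replies = max_replies
        self.window = window_seconds
        self._sent = defaultdict(deque)  # address -> timestamps of replies sent

    @staticmethod
    def _key(address):
        # The sender address on a request is unauthenticated, so key on the
        # claimed address itself: that is the mailbox that would be flooded.
        return address.strip().lower()

    def allow(self, address, now=None):
        """Return True and record the send if a reply may go to `address`."""
        now = time.time() if now is None else now
        stamps = self._sent[self._key(address)]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # forget replies older than the window
        if len(stamps) >= self.max_replies:
            return False  # drop silently; a "rate limited" notice is more mail
        stamps.append(now)
        return True


def simulate_flood(throttle, victim, requests, start=0.0, spacing=1.0):
    """Feed `requests` forged subscribe/help/info requests; count replies sent."""
    return sum(
        throttle.allow(victim, now=start + i * spacing) for i in range(requests)
    )


if __name__ == "__main__":
    t = AutoReplyThrottle()
    # Constructed input: 1,500 requests, one per second, all naming one address.
    print(simulate_flood(t, "victim@example.org", 1500))
```

The counter is shared across every list and every auto-responder on the server, so spreading requests over many lists or over help and info commands does not raise the number of messages one address receives.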