[Mailman-Developers] bugtraq submission warning: email address harvesting exploit
Terri Oda
terri at zone12.com
Thu Nov 27 12:08:24 EST 2003

On Tue, Nov 25, 2003 at 11:07:39AM -0800, Chuq Von Rospach wrote:
> Fails ADA and accessibility requirements badly. I'd argue against any
> solution that fails such basic needs without any real way to fix it.

What about reverse turing tests that aren't graphics-based? It's easier to
beat "What is the sum of three and fifteen?" or "what is the name of this
mailing list?" text-tests than the more complex RTTs, but it would make
exploit code that much harder to write without sacrificing users who can't,
for example, view graphics or hear sounds.

> Better is to simply teach the archives not to distribute sensitive
> information at all. And a lot easier to implement, actually.

So, is anyone working on this *within* pipermail? I know there are great
alternative archivers out there, but Mailman still winds up with a bad
reputation if the default isn't very secure. Maybe for 2.2 we could have a
"completely obscure archived email addresses" option which changed them all
to user at xxxxxx.
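
An added example, not part of the original message and not Mailman or pipermail code: one way the proposed "completely obscure archived email addresses" option could rewrite archive text so that the domain never reaches the published page. The function name, the regular expressions and the sample text are assumptions made for illustration.

```python
import re

MASK = "xxxxxx"  # placeholder domain, as in the message's "user at xxxxxx"

# Unwrap <a href="mailto:...">label</a> so the href cannot leak the address.
MAILTO_LINK = re.compile(
    r"""<a\s[^>]*href=["']mailto:[^"']*["'][^>]*>(.*?)</a>""",
    re.IGNORECASE | re.DOTALL,
)

# Pragmatic matcher (assumption: not a full RFC 5322 parser). The separator
# also covers HTML-entity encodings of "@" that an HTML archive may contain.
ADDRESS = re.compile(
    r"(?P<local>[A-Za-z0-9][A-Za-z0-9._%+-]*)"
    r"(?:@|&#0*64;|&#[xX]0*40;)"
    r"(?P<domain>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
)


def obscure_addresses(text):
    """Return (masked_text, count); each address becomes 'local at xxxxxx'.

    The domain is discarded rather than encoded, so the original address
    cannot be rebuilt from the archived page.
    """
    text = MAILTO_LINK.sub(lambda m: m.group(1), text)
    return ADDRESS.subn(lambda m: f"{m.group('local')} at {MASK}", text)


# Constructed sample of archive text (not taken from a real list).
SAMPLE = (
    "From: alice@example.com\n"
    'Reply via <a href="mailto:alice@example.com">alice&#64;example.com</a>\n'
    "or cc bob.smith+lists@mail.example.org. Thanks!\n"
)

if __name__ == "__main__":
    masked, count = obscure_addresses(SAMPLE)
    print(masked)
    print(f"{count} address(es) obscured")
```

Anything shaped like local@domain is masked, including Message-IDs that appear in the archived text.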