[Mailman-Developers] Spam vulnerability due to open public mboxes

Bastiaan Welmers bastiaan-postfix-users at welmers.net
Tue Feb 24 12:26:35 EST 2004


Hi, 
 
I found a spam vulnerability in Mailman public archives. 
Although (you can choose to have) mail addresses in public archives spam 
protected, because @ is replaced with " at " or " op " in both the txt 
and the html files, the raw mbox file still contains the unprotected email addresses. 
I found this bug by chance: after I subscribed a brand-new mail address to a 
public-archive list, shortly after that I received spam. A Google search for this brand-new 
mail address brought me to the mbox file, where it just sits unprotected. 
 
My idea to solve this: 
 
- if mm_cfg.ARCHIVER_OBSCURES_EMAILADDRS is set (admin wants 
mail addresses to be secured) then the "fullarch" replacement in  
archtoc.html won't be the default ../%s.mbox/%s.mbox % listname but  
mlist.GetScriptUrl("private")/../%s.mbox/%s.mbox % listname. 
This has to be set in Archives/HyperArch.py near line 692 in def 
htmlTOC. 
 
So if list admins want their archives to be spam-secured, 
the link to the mbox file will go through the private 
cgi, and thus requires a password. 
The private CGI program, however, if no login cookie is found, 
returns a login form whose form action is just the URL of the private list archives, not of 
the mbox file. Also something to fix. 
 
For further completion: 
- if mm_cfg.ARCHIVER_OBSCURES_EMAILADDRS is set, 
no symlinks to the mbox files will be made. This has to be written in 
Archives/Archiver.py near line 234 in def CheckHTMLArchiveDir. 
 
I'm going to write code for it; is it something to post on this mailing list? 
 
/Bastiaan 
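An added example, not part of the post above and not Mailman's own code: a small audit that a list admin could run over an archive tree to find files that still expose raw addresses (the html pages carry the " at " form, the mbox does not), using the same "@" -> " at " replacement the post describes. File names, the address regex and the sample contents are constructed for illustration.

```python
import re

# Matches a raw (unobscured) e-mail address. The archive's "user at host"
# form contains no '@' and therefore never matches. (constructed regex)
RAW_ADDR = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+')


def obscure_address(addr):
    """Replace '@' with ' at ', as the txt/html archive pages do."""
    return addr.replace('@', ' at ')


def find_raw_addresses(text):
    """Return the unique raw addresses present in one archive file."""
    return sorted(set(RAW_ADDR.findall(text)))


def audit_archive(files):
    """files: mapping of archive path -> file contents.

    Returns {path: [raw addresses]} for every file that still leaks
    unobscured addresses; an empty dict means the archive is clean."""
    leaks = {}
    for path, content in files.items():
        found = find_raw_addresses(content)
        if found:
            leaks[path] = found
    return leaks


def obscure_text(text):
    """Rewrite every raw address in a text block into the ' at ' form.
    Added mitigation idea (assumption): apply this to an mbox copy
    before it is served from a public archive directory."""
    return RAW_ADDR.sub(lambda m: obscure_address(m.group(0)), text)


# Constructed sample archive: an html page (already obscured) and the
# raw mbox next to it (not obscured). Addresses are example.org/net.
SAMPLE_FILES = {
    '2004-February/000123.html': (
        'From: alice at example.org (Alice)\n'
        'To: list at example.org\n'),
    'listname.mbox/listname.mbox': (
        'From alice@example.org Tue Feb 24 12:26:35 2004\n'
        'From: alice@example.org\n'
        'To: bob@example.net\n'),
}

if __name__ == '__main__':
    for path, addrs in audit_archive(SAMPLE_FILES).items():
        print(path, 'leaks', ', '.join(addrs))
```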
