[Mailman-Developers] Mailing lists exploited

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed May 17 10:57:57 EDT 2017


On Wed 2017-05-17 09:20:21 +0100, Jonathan Knight wrote:
> The attack we're trying to defend against is a scripted one which grabs a
> list of all the mailing lists, then harvests the administrator email and
> then tries to spam each list using the administrator as a sender address.
>
> If the archives are public then I guess you could write a reasonable
> algorithm to try and guess an unmoderated address but I don't think it's as
> easy to hit thousands of mailing lists using that approach.

i'm not convinced that these two scripts are significantly different in
difficulty, though i acknowledge that the former is marginally easier.

it sounds to me like the real underlying concern is about allowing
submissions to bypass moderation based on forgeable data like the From:
header.  fixing it in the display side seems likely to trigger a game of
whack-a-mole.

            --dkg
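As an added example (not dkg's code and not Mailman's), a Python sketch of the two moderation policies this reply contrasts: one that lets the From: header alone bypass moderation, and one that only honours that bypass when the list's own MTA has verified the sender. The list configuration, the authserv-id "mx.example.org" and the sample messages are constructed assumptions.

```python
"""Added example (not Mailman code): a moderation bypass keyed on From: alone
versus one that trusts From: only after the list's own MTA verified it.
LIST_ADMINS, the authserv-id "mx.example.org" and the sample messages are
constructed assumptions, not values from the thread."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

LIST_ADMINS = {"list-owner@example.org"}   # constructed sample list config
OUR_AUTHSERV_ID = "mx.example.org"         # assumed id of the list's own MTA


def from_address(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].lower()


def from_is_verified(msg: Message) -> bool:
    """True only if OUR MTA reported a DKIM pass aligned with the From: domain.
    Assumes the MTA strips inbound Authentication-Results headers that carry
    its own authserv-id (RFC 8601 sec. 5), so a sender cannot supply one."""
    domain = from_address(msg).rpartition("@")[2]
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(ar.split()).partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue                      # not our MTA's verdict: ignore it
        for clause in results.split(";"):
            tokens = clause.strip().lower().split()
            if tokens and tokens[0] == "dkim=pass" and f"header.d={domain}" in tokens:
                return True
    return False


def weak_needs_moderation(raw: str) -> bool:
    """Weak policy: any message whose From: names an admin skips moderation."""
    return from_address(message_from_string(raw)) not in LIST_ADMINS


def hardened_needs_moderation(raw: str) -> bool:
    """Hardened policy: the admin bypass applies only to a verified From:."""
    msg = message_from_string(raw)
    return not (from_address(msg) in LIST_ADMINS and from_is_verified(msg))


# Constructed sample: forged From:, no verdict from our MTA.
FORGED = "From: List Owner <list-owner@example.org>\nSubject: hi\n\nbody\n"
# Constructed sample: same From:, but our MTA verified an aligned DKIM signature.
GENUINE = "Authentication-Results: mx.example.org; dkim=pass header.d=example.org\n" + FORGED
```

The weak policy waves the forged sample through, the hardened one holds it for moderation while still passing the verified one.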