[Mailman-Developers] Mailing lists exploited

Jonathan Knight j.knight at keele.ac.uk
Wed May 17 11:08:50 EDT 2017


Hi Daniel

Our use case is that most (but not all) of our lists are internal and so
the archives are not public.  However the listinfo pages are public for the
few public lists that we run and to allow off-campus staff and students to
access the list management screens.

So for us, hiding the list administrator email on the list info pages
effectively cuts off the ability to get a prospective list of possible
administrators.

I agree that for public lists with public archives the benefit is
minimal, but I don't think it does much harm.

Jon

On 17 May 2017 at 15:57, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

> On Wed 2017-05-17 09:20:21 +0100, Jonathan Knight wrote:
> > The attack we're trying to defend against is a scripted one which grabs a
> > list of all the mailing lists, then harvests the administrator email and
> > then tries to spam each list using the administrator as a sender address.
> >
> > If the archives are public then I guess you could write a reasonable
> > algorithm to try and guess an unmoderated address but I don't think it's as
> > easy to hit thousands of mailing lists using that approach.
>
> i'm not convinced that these two scripts are significantly different in
> difficulty, though i acknowledge that the former is marginally easier.
>
> it sounds to me like the real underlying concern is about allowing
> submissions to bypass moderation based on forgeable data like the From:
> header.  fixing it in the display side seems likely to trigger a game of
> whack-a-mole.
>
>             --dkg
>



-- 
Jonathan Knight
IT Services
Keele University
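As an added illustration of the point dkg makes above (moderation bypass keyed on the forgeable From: header), the following example is not part of this thread or of Mailman's code. It contrasts the weak check, which bypasses moderation whenever From: names a list administrator, with a hardened check that also requires the sender authentication verdict stamped by the list server's own MX to be "pass" and aligned with the From: domain. The list configuration (`OUR_AUTHSERV_ID`, `LIST_ADMINS`) and the three sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration; Mailman's real settings are not modelled here.
OUR_AUTHSERV_ID = "mx.lists.example.edu"   # only trust A-R headers our own MX added
LIST_ADMINS = {"owner@lists.example.edu"}

# Constructed sample messages.  GENUINE really came from the admin's domain;
# FORGED copies the admin's From: but fails authentication; SPOOFED_AR copies
# the From: and also injects a fake Authentication-Results header.
GENUINE = """From: List Owner <owner@lists.example.edu>
To: announce@lists.example.edu
Authentication-Results: mx.lists.example.edu; dkim=pass header.d=lists.example.edu; spf=pass smtp.mailfrom=lists.example.edu
Subject: Maintenance window

Scheduled maintenance on Saturday.
"""

FORGED = """From: List Owner <owner@lists.example.edu>
To: announce@lists.example.edu
Authentication-Results: mx.lists.example.edu; dkim=none; spf=fail smtp.mailfrom=bulk.example.net
Subject: Unsolicited offer

...
"""

SPOOFED_AR = """From: List Owner <owner@lists.example.edu>
To: announce@lists.example.edu
Authentication-Results: relay.example.net; dkim=pass header.d=lists.example.edu
Subject: Unsolicited offer

...
"""

# Matches "dkim=pass header.d=example.org" or "spf=pass smtp.mailfrom=example.org".
AUTH_RE = re.compile(
    r"\b(dkim|spf)=(\w+)(?:\s+(?:header\.d|smtp\.mailfrom)=([^\s;]+))?", re.I
)


def from_address(msg):
    """Lower-cased address part of the From: header ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].lower()


def weak_bypass(raw):
    """The forgeable check: bypass moderation whenever From: names an admin."""
    return from_address(message_from_string(raw)) in LIST_ADMINS


def trusted_auth_results(msg):
    """Return {method: (verdict, domain)} from Authentication-Results headers
    whose authserv-id is our own MX.  Headers carrying any other authserv-id
    are ignored, because a sender can insert those just as easily as From:."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        for method, verdict, ident in AUTH_RE.findall(rest):
            domain = ident.rpartition("@")[2].lower() if ident else ""
            results[method.lower()] = (verdict.lower(), domain)
    return results


def hardened_bypass(raw):
    """Bypass only if From: names an admin AND our MX saw DKIM or SPF pass
    for a domain aligned with that From: address."""
    msg = message_from_string(raw)
    addr = from_address(msg)
    if addr not in LIST_ADMINS:
        return False
    domain = addr.rpartition("@")[2]
    results = trusted_auth_results(msg)
    return (results.get("dkim") == ("pass", domain)
            or results.get("spf") == ("pass", domain))


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED), ("spoofed A-R", SPOOFED_AR)):
        print(f"{name:12s} weak={weak_bypass(raw)!s:5s} hardened={hardened_bypass(raw)}")
```

The weak check accepts all three messages; the hardened check accepts only the genuine one. The authserv-id filter in `trusted_auth_results` is the part that matters in practice: an Authentication-Results header is just another header, so the server must discard any copy it did not stamp itself before relying on it.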

