[Mailman-Users] what gives?

Chuq Von Rospach chuqui at plaidworks.com
Thu Feb 17 17:59:48 CET 2005


On Feb 17, 2005, at 8:19 AM, Mark Sapiro wrote:

> I'm still a bit more skeptical at this point than "no doubt", but I'm
> open to the idea.

since I've already found the culprit (I hope), it's well beyond no 
doubt. it's guaranteed.

> Someone is somehow watching this public list and getting addresses of
> (some, all?) first time posters to this list and attempting to
> subscribe those addresses to some other list.
>
> There doesn't seem to be any security issue here.

It's a huge security issue. Someone is hijacking a mailing list and 
forcing its users to see content they didn't ask for, without 
permission of the owner of the list. Now, imagine instead of a single 
confirm message, every posting got it. And that the harvesting address 
was on hotmail.com and forwarding off somewhere.

now what? how do you find it? how do you stop it?

> as this list is
> public and anyone can subscribe to it or visit its archive.

which doesn't give anyone a right to spam users of it. or harvest it.

You want to kill a mailing list? do what I just suggested, and every time 
someone posts to it, they get porn spam. the list'll go stone dead very 
quickly. Want to kill mailing lists in general? let it be known that 
spammers have figured out that to harvest emails, all they need do is 
subscribe to mailing lists and harvest what comes in to their 
safe-house address. And since there's no direct connection there, how 
do you stop THAT?

There are things that could be done, but few to no mailing lists do 
them. And it's a serious issue that I feel is just a matter of time...

It's a big issue, Mark. it's one of people repurposing our stuff for 
their purposes, and whether we have a say in them being able to do it 
(or stopping them somehow). USENET ultimately had no control 
mechanisms. It's dead.

mail lists? very vulnerable.



