Open Source and information security mailing list archives
Date: Tue, 8 Feb 2005 14:52:33 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
To: full-disclosure@...ts.netsys.com
Cc: mailman-developers@...hon.org, bugtraq@...urityfocus.com
Subject: Re: mailman email harvester


"Bernhard Kuemel" <bernhard@...ys.at> wrote in message
news:4207F04C.2010403@...ys.at...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi!
>
> Tons of email addresses from mailman mailing lists are vulnerable to
> be collected by spammers.
>
> They are "protected" by obfuscation (user@...mple.com -> user at
> example.com) and access to the subscriber list can be restricted to
> subscribers. The obfuscation is trivially reversed and harvester
> scripts can subscribe to gain access to restricted lists.

  Yes, but no spammers actually do so.  For experimental proof of this claim,

http://www.cdt.org/speech/spam/030319spamreport.shtml

" But none of the addresses that were obscured, whether in "human-readable"
or "HTML-obscured" form, received a single piece of spam, leading us to
conclude that e-mail address "harvesters" are not presently capable of
collecting such addresses. While this may change as time passes and
technology develops, for the time being it appears that obscuring an e-mail
address is an effective means of avoiding spam. "

  The harvesters don't bother because there are so many un-obfuscated email
addresses out there, enough to keep them busy for a lifetime of spamming,
anyway.

> An improved version that collects addresses that are restricted to
> subscribers, processes more lists and works more parallelized is
> planned.

  Why?  You hoping to sell it to spammers?  Obfuscating *works*; if YOU
break it, that makes YOU a spamming motherfucker.  Why don't you go fuck
yourself instead?

  Oh, and by the way

<bernhard@...ys.at>
<bernhard@...ys.at>
<bernhard@...ys.at>
<bernhard@...ys.at>
<bernhard@...ys.at>
<bernhard@...ys.at>
<bernhard@...ys.at>
<bernhard@...ys.at>



    drop dead,
      DaveK
-- 
Can't think of a witty .sigline today....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
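The substitution the quoted report describes ("user@example.com" rewritten as "user at example.com", and the bracketed "(at)" / "(dot)" variants seen on other archive pages) is reversible with one regular expression. The block below is an added example, not code from this message, from Mailman, or from the harvester script under discussion; the sample text it scans is constructed. It also includes an address in the form this archive shows, "bernhard@...ys.at", to make a point the message itself relies on: that form is a truncation, characters are dropped rather than rewritten, so nothing in the text recovers the original address.

```python
import re

# Added example: recover e-mail addresses from text that rewrites "@" as
# " at " / "(at)" / "[at]" and "." as " dot " / "(dot)" / "[dot]".
# Plain addresses are recovered too. A bare "at" only counts when it has
# whitespace on both sides, so "cat example.com" is not read as "c@example.com".
LOCAL = r"[A-Za-z0-9._%+-]+"
LABEL = r"[A-Za-z0-9-]+"
AT = r"(?:@|\s+at\s+|\s*[\(\[{<]\s*at\s*[\)\]}>]\s*)"
DOT = r"(?:\.|\s+dot\s+|\s*[\(\[{<]\s*dot\s*[\)\]}>]\s*)"

# Two capturing groups: the local part and the (still obfuscated) domain.
PATTERN = re.compile(rf"\b({LOCAL}){AT}({LABEL}(?:{DOT}{LABEL})+)\b", re.IGNORECASE)
DOT_RE = re.compile(DOT, re.IGNORECASE)


def deobfuscate(text: str) -> list[str]:
    """Return every address recoverable from text, lower-cased, in order of
    first appearance, without duplicates."""
    found: list[str] = []
    for local, domain in PATTERN.findall(text):
        domain = DOT_RE.sub(".", domain)          # "example (dot) org" -> "example.org"
        addr = f"{local}@{domain}".lower()
        if addr not in found:
            found.append(addr)
    return found


# Constructed sample (not taken from any real archive page). The last line
# imitates this archive's own display form, in which the middle of the
# domain is dropped; that is an elision, not an obfuscation.
SAMPLE = """\
  alice at example.com
  bob (at) example (dot) org
  carol [at] mail [dot] example [dot] net
  dave@example.co.uk
  bernhard@...ys.at
"""

if __name__ == "__main__":
    for addr in deobfuscate(SAMPLE):
        print(addr)
    # The truncated form yields nothing: the dropped characters are gone.
    print(deobfuscate("bernhard@...ys.at"))
```

Two practical notes. First, the pattern is deliberately permissive, so prose such as "look at example.com" yields "look@example.com"; a harvester does not care about that false positive, which is why a heuristic this crude is enough for the purpose the message describes. Second, the four recovered addresses come from four different rewriting styles, while the archive-truncated line produces nothing, which is the difference between hiding a string and deleting part of it.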