| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: bernhard at bksys.at (Bernhard Kuemel) Subject: Re: [Mailman-Developers] mailman email harvester -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thomas Hochstein wrote: |> Given the risk, now made worse by Bernhard's very helpfully |> distributing this script for spammers, this is a really urgent |> issue. | | Since it is known for many *years* that spammers are harvesting | addresses from ML-archives, and since anybody can see that | replacing "at" with "@" is ... not a very hard task, I fail to | see any urgency here (or any problem in the very simple script | Berhard distributed). There may be no urgency but something should be done. Obviously there is a problem (as can also be seen by the emotions). Since the only solution we found for now is not to publish the email addresses, we should do that. I pointed this out over a year ago and the number of vulnerable lists only grew. Probably because being able to see who else is on the list is a nice feature which we don't want to give up. We repress the problem: We think, spammers don't exploit it because they find enough addresses elsewhere. But spammers are smart: They play a lot of tricks to pass spam filters, they defeat graphical turing tests to semiautomatically sign up email accounts which the use for spamming, they make worms which act as mail relays. They probably already harvest mailing list subscriber addresses and if they don't do so by now, they sure will, sooner or later. But they would be fools to tell us about it. We would lock our email addresses away from them. I am writing the exploit code not for the spammers. They may already have one. I'm writing it to wake us up and treat this problem properly. Brad Knowles wrote: |> However, still many lists either have the member list openly |> published, or available to the list members. | | True enough. However, even if we changed the default in Mailman | to be accessible only to the list administrator, it would take a | very, very long time before 50% of all Mailman installations were | secured in this manner. I hope my exploit code will speed this up. I plan to release the improved version, which harvests addresses restricted to subscribers of about 100.000 mailing lists in several (3-6) months. | That said, changing the default is probably the right thing to | do. Please include a note of the upcoming exploit. The current exploit harvests about 600 lists where the addresses are published unrestricted. | Moreover, it would be trivially easy for spammers to subscribe to | the list and silently collect all address information that comes | across. | | There's enough schemes out there for finding addresses that no | one simple scheme is going to work, and the methods that we know | will work are going to take a long time to become the default | standard. If hashcash (http://www.hashcash.org/) gets integrated in our mail systems we no longer need to hide or obfuscate our email addresses. Bernhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org iD8DBQFCDWCH9zL78+QhnUgRAhSfAJ9WpPLARJ4bTG6ZPGH7anxc4FA5YwCdGn0C nwSeZoHoitZKRA+6rE1hlFU= =lM5z -----END PGP SIGNATURE-----
Powered by blists - more mailing lists