[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4207F04C.2010403@bksys.at>
Date: Mon, 07 Feb 2005 23:48:44 +0100
From: Bernhard Kuemel <bernhard@...ys.at>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
mailman-developers@...hon.org
Subject: mailman email harvester
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!
Tons of email addresses from mailman mailing lists are vulnerable to
be collected by spammers.
They are "protected" by obfuscation (user@...mple.com -> user at
example.com) and access to the subscriber list can be restricted to
subscribers. The obfuscation is trivially reversed and harvester
scripts can subscribe to gain access to restricted lists.
I suggested a graphical turing test that would bar scripts but the
mailman developers argued spammers might hire a couple of temps that
would solve the test as it already happened for the creation of
email accounts. The only solution would be not to have the desired
information available. This is already an option by restricting
access to the member list to the list administrator.
However, still many lists either have the member list openly
published, or available to the list members. To raise awareness to
this issue I wrote a script that collects addresses from openly
accessible lists. It stops after processing 1000 (the maximum
allowed) search results from google and collects 76772 email
addresses (61124 unique). It is attached as mmxp1.
An improved version that collects addresses that are restricted to
subscribers, processes more lists and works more parallelized is
planned.
Bye, Bernhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
iD8DBQFCB/BK9zL78+QhnUgRAl7nAJ44fPPFBYV1k7QjT7+c4RbzFgcDUgCfQnpJ
65K8Z4+yycyvXFCrwRpB1cM=
=+VYN
-----END PGP SIGNATURE-----
View attachment "mmxp1" of type "text/plain" (948 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists