lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4207F04C.2010403@bksys.at>
Date: Mon, 07 Feb 2005 23:48:44 +0100
From: Bernhard Kuemel <bernhard@...ys.at>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
        mailman-developers@...hon.org
Subject: mailman email harvester

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

Tons of email addresses from mailman mailing lists are vulnerable to
be collected by spammers.

They are "protected" by obfuscation (user@...mple.com -> user at
example.com) and access to the subscriber list can be restricted to
subscribers. The obfuscation is trivially reversed and harvester
scripts can subscribe to gain access to restricted lists.

I suggested a graphical turing test that would bar scripts but the
mailman developers argued spammers might hire a couple of temps that
would solve the test as it already happened for the creation of
email accounts. The only solution would be not to have the desired
information available. This is already an option by restricting
access to the member list to the list administrator.

However, still many lists either have the member list openly
published, or available to the list members. To raise awareness to
this issue I wrote a script that collects addresses from openly
accessible lists. It stops after processing 1000 (the maximum
allowed) search results from google and collects 76772 email
addresses (61124 unique). It is attached as mmxp1.

An improved version that collects addresses that are restricted to
subscribers, processes more lists and works more parallelized is
planned.

Bye, Bernhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFCB/BK9zL78+QhnUgRAl7nAJ44fPPFBYV1k7QjT7+c4RbzFgcDUgCfQnpJ
65K8Z4+yycyvXFCrwRpB1cM=
=+VYN
-----END PGP SIGNATURE-----

View attachment "mmxp1" of type "text/plain" (948 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ