lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200209261822.50727.ka@khidr.net>
From: ka at khidr.net (Ka)
Subject: Bugtraq postings from non-members may disclose some list-member's addresses

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

yesterday I posted something to full-disclosure and at the same time 
to bugtraq, but did so unintentionally from an email address which 
is not subscribed to bugtraq (I simply responded to a posting from
Gossi the dog with "reply to all"). 

Intentionally I'm doing the same with this message -
it's allways good to have a test case, isn't it? .o)

As a result, I'm getting all the bouncing list-emails delivered back
to me personally, i.e. all MTAs of members with delivery problems 
or vacation messages set up send their bounce message to me instead 
of back to the bugtraq administration.

Obviously under the described circumstances the Return-Path: header 
is not set by the bugtraq list software.

The few examples where the headers of my original posting where 
sent back to me as part of an "message undeliverable" error, 
show that the mail came from lists.securityfocus.com. The first
MTA was allways specified as

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing.securityfocus.com (Postfix) with QMQP
        id D55EEA373E; Wed, 25 Sep 2002 12:55:59 -0600 (MDT)

And of course there was no Return-Path: set.



Since yesterday I learned, which members have their mailbox full,
are out of office, or fucked up their .forward files into 
undeliverabilty (if there is such a word in English).
Not many members BTW, but enough for a good party.



Severity:		low
Fun-Factor:		high
Vendor notified:	neahneah - would've spoiled the fun otherwise.


Have a nice day!
Ka
- -- 
Better a newer mind than a never mind.
But best to run around out of no mind.
http://www.khidr.net/users/ka/pgpkey.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9kzRX72vu22ltWBERAqLVAJ4iSWXnDvzhk8ipQ+G+oyEKLyWoEgCeIGWz
5ANkI0TLVQ2MjOfXPSEMP7c=
=jwYF
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ