lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <420D6088.8080400@bksys.at>
From: bernhard at bksys.at (Bernhard Kuemel)
Subject: Re: [Mailman-Developers] mailman email harvester

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Hochstein wrote:
|> Given the risk, now made worse by Bernhard's very helpfully
|> distributing this script for spammers, this is a really urgent
|> issue.
|
| Since it is known for many *years* that spammers are harvesting
| addresses from ML-archives, and since anybody can see that
| replacing "at" with "@" is ... not a very hard task, I fail to
| see any urgency here (or any problem in the very simple script
| Berhard distributed).

There may be no urgency but something should be done. Obviously
there is a problem (as can also be seen by the emotions). Since the
only solution we found for now is not to publish the email
addresses, we should do that.

I pointed this out over a year ago and the number of vulnerable
lists only grew. Probably because being able to see who else is on
the list is a nice feature which we don't want to give up. We
repress  the problem: We think, spammers don't exploit it because
they find enough addresses elsewhere. But spammers are smart: They
play a lot of tricks to pass spam filters, they defeat graphical
turing tests to semiautomatically sign up email accounts which the
use for spamming, they make worms which act as mail relays.

They probably already harvest mailing list subscriber addresses and
if they don't do so by now, they sure will, sooner or later. But
they would be fools to tell us about it. We would lock our email
addresses away from them.

I am writing the exploit code not for the spammers. They may already
have one. I'm writing it to wake us up and treat this problem properly.


Brad Knowles wrote:
|> However, still many lists either have the member list openly
|> published, or available to the list members.
|
| True enough.  However, even if we changed the default in Mailman
| to be accessible only to the list administrator, it would take a
| very, very long time before 50% of all Mailman installations were
| secured in this manner.

I hope my exploit code will speed this up. I plan to release the
improved version, which harvests addresses restricted to subscribers
of about 100.000 mailing lists in several (3-6) months.

| That said, changing the default is probably the right thing to
| do.

Please include a note of the upcoming exploit. The current exploit
harvests about 600 lists where the addresses are published unrestricted.

| Moreover, it would be trivially easy for spammers to subscribe to
| the list and silently collect all address information that comes
| across.
|
| There's enough schemes out there for finding addresses that no
| one simple scheme is going to work, and the methods that we know
| will work are going to take a long time to become the default
| standard.

If hashcash (http://www.hashcash.org/) gets integrated in our mail
systems we no longer need to hide or obfuscate our email addresses.

Bernhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFCDWCH9zL78+QhnUgRAhSfAJ9WpPLARJ4bTG6ZPGH7anxc4FA5YwCdGn0C
nwSeZoHoitZKRA+6rE1hlFU=
=lM5z
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ