Last night I discovered a hole in listserver and sent off several emails to the programmers at Ipswitch. This was after hours so I didn't get a reply, and didn't get one today either. This is something I deem to be serious because it could lead to spammers harvesting names off your mailing lists, even if you have the Disable List Command selected for each mailing list. Even with the List command disabled, your mailing list subscribers' addresses appear to be vulnerable. I have no idea if this hole can be recreated on every IMail server, but it's very real on our IMail server running 6.02 and was verified a number of times. I forwarded all documentation to Ipswitch last night.

Okay, a little background, because this happens under somewhat limited conditions (I think). I, like many others here, use forms on my site to enable individuals to sign up for a list, or unsub from a list. For security's sake, the email this form generates is sent TO the individual with the subscribe command and instructions to delete ALL other text in the body when they respond. The FROM address is [EMAIL PROTECTED] and the TO address is obviously the individual. When they respond, they should delete all text (as the instructions indicate, because you will receive an error if other text is in the body along with a list command) and they will be subbed. No different than sending email directly to [EMAIL PROTECTED] with the subscribe list command.

As it turns out though, in my instructions I include the email address of each list owner as [EMAIL PROTECTED] in each email so they can write the individual with any questions they might have. It appears that **IF** the individual replies to that email WITHOUT deleting the other text, and the list owner's email address is left in the body along with the list command, they will receive back a list of the mail mode subscribers, digest mode subscribers, and three other weird emails.

I find this to be a serious hole myself because every one of my subscribers is potentially at risk from harvesting. Again, I have no idea if this is replicable by everyone, or whether this is something that only transpires on my machine, but it is very real... to me anyway. Normally I would give Robert a day or so to respond, but it turns out he's out of the office until Monday now, and I think everyone here who is running 6.02 should know about this. Going to run the 6.03 patch and see if the problem disappears. Will let you know. I did not test this with previous installations, so I have no idea if this is an old problem or something that is entirely new.

-----
Anthony Abby

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
