> The hole remains in 6.03

I'm not finding it here, using 6.02, when sending a command to [EMAIL PROTECTED] - with the word [EMAIL PROTECTED] below the command line - and a few variations. I couldn't duplicate your situation exactly, because I had no message to reply to. (This would be REALLY scary if some of the stuff I tried worked.)

However, I accidentally opened version 5 of the IMail manual, to see what the manual had to say, and THAT version said that the list command was always available to the list owner.

My best wild guess is that....

A) Maybe you are unintentionally spoofing your list-owner addresses in the headers of those replies, and/or

B) You may have unintentionally buried a list command (list listname)

If you find "B", you could give yourself a little relief by working that unintentional list command out of your message. If that works, you could at least take some comfort in knowing that at least your average mope would have a difficult time duplicating whatever went on in "A". - and maybe you can hold the rest of them off till the cavalry arrives.

Gary Mauer
Window Cleaning Network
Oconomowoc, Wisconsin, USA
[EMAIL PROTECTED]
http://www.window-cleaning-net.com/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, March 09, 2000 6:39 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] Hole in 6.02 List Server
>
> The hole remains in 6.03
>
> Anthony
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 09, 2000 6:39 PM
> Subject: [IMail Forum] Hole in 6.02 List Server
>
> > Last night I discovered a hole in listserver and sent off several emails to
> > the programmers at Ipswitch. This was after hours so I didn't get a reply,
> > and didn't get one today either. This is something I deem to be serious
> > because it could lead to spammers harvesting names off your mailing lists,
> > even if you have the Disable List Command selected for each mailing list.
> > Even with the List command disabled your mailing list subscribers' addresses
> > appear to be vulnerable.
> >
> > I have no idea if this hole can be recreated on every IMail server, but it's
> > very real on our IMail server running 6.02 and was verified a number of
> > times. I forwarded all documentation to Ipswitch last night.
> >
> > Okay, a little background, because this happens under somewhat limited
> > conditions (I think). I, like many others here, use forms on my site to
> > enable individuals to sign up for a list, or unsub from a list. For
> > security's sake the email this form generates is sent TO the individual with
> > the subscribe command and instructions to delete ALL other text in the body
> > when they respond. The FROM address is [EMAIL PROTECTED] and the TO
> > address is obviously the individual. When they respond, they should delete
> > all text (as the instructions indicate because you will receive an error if
> > other text is in the body along with a list command) and they will be
> > subbed. No different than sending email directly to [EMAIL PROTECTED]
> > with the subscribe list command.
> >
> > As it turns out though, in my instructions I include the email address of
> > each list owner as [EMAIL PROTECTED] in each email so they can write
> > the individual with any questions they might have. It appears that **IF**
> > the individual replies to that email, WITHOUT deleting the other text, and
> > the list owner's email address is left in the body along with the list
> > command that they will receive back a list of the mail mode subscribers,
> > digest mode subscribers, and three other weird emails.
> >
> > I find this to be a serious hole myself because every one of my subscribers
> > is potentially at risk from harvesting. Again I have no idea if this is
> > replicatable by everyone, or whether this is something that only transpires
> > on my machine, but it is very real.. to me anyway.
> >
> > Normally I would give Robert a day or so to respond, but it turns out he's
> > out of the office until Monday now and I think everyone here who is running
> > 6.02 should know about this. Going to run the 6.03 patch and see if the
> > problem disappears. Will let you know. I did not test this with previous
> > installations so I have no idea if this is an old problem, or something that
> > is entirely new.
> >
> > -----
> > Anthony Abby
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
