On Thu, Feb 10, 2005 at 11:40:29AM -0500, Tobias Eigen wrote:
> Hi all,
>
> Is there a way to change the setting to restrict access to the roster
> for all lists, globally? If there isn't one, would one of you be
> willing to write one quickly? The only other option I see is to remove
> the ~mailman/cgi-bin/roster script which would be a pity.
>
> Given the risk, now made worse by Bernhard's very helpfully
> distributing this script for spammers, this is a really urgent issue.

Not that hard to write such a script. I expect the spammers already have several alternatives to choose from. So, it's quite likely no harm has been done, and some good, arising from Bernhard's raising the issue in public.

I'd go further and mention that while Bernhard's script harvests membership rosters, it isn't that much more difficult to write a script that gets around the obfuscation of email addresses in the list archives.

A list I used to manage until a few weeks ago (Hey, anybody got a lead on a Seattle-area opportunity for a rabid Python developer? Who also does C, SQL, HTML, CSS and various assemblers?) apparently had its archives harvested recently by some bank phishing folk. Emails were obscured in the archives using the "user at wherever.domain" option, and the archives had been regenerated quite some time ago back to their beginning, with that option in force. The roster has never been open to anybody but the list admin, so I don't believe it was the roster. Hence, likely it was the archives that were harvested.

There are a pretty fair number of good reasons for keeping list archives open. My opinion is a person posting to a list assumes the risk of having his or her email address harvested, and that one unwilling to assume this risk should refrain from posting. However, I understand if others do not subscribe to that belief, and that there may be circumstances where there are reasonable grounds for wanting to manage a list by some other policy.

My suggestion is that an option be considered to redact all email addresses whatsoever from a list archive. Including anything mentioned in-line in the text of the post that even vaguely looks like an email address.

No doubt somebody on this list manages a list where users are quite sensitive to public exposure, who might care to advocate for such an option, and even code it, should the idea meet with sufficient approval.

--
Dan Wilder <[EMAIL PROTECTED]>
_______________________________________________
Mailman-Developers mailing list
http://mail.python.org/mailman/listinfo/mailman-developers
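
An added example, not part of the original message and not Mailman's own code: a sketch in Python of the redaction option suggested above, which replaces both plain addresses and the "user at wherever.domain" form before text reaches the archive. The function name, placeholder string and sample message are assumptions constructed for illustration, and the patterns deliberately over-match, in line with "even vaguely looks like an email address".

```python
import re

# Hypothetical placeholder written into the archive in place of an address.
PLACEHOLDER = "[address redacted]"

# A dotted host name such as lists.example.com (trailing punctuation excluded).
_HOST = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
_LOCAL = r"[A-Za-z0-9._%+-]+"

# Plain form: local@host
_PLAIN = re.compile(_LOCAL + "@" + _HOST)
# Obscured archive form: "local at host" (any case, spaces or tabs only,
# so a match never spans two lines).
_AT_WORD = re.compile(_LOCAL + r"[ \t]+at[ \t]+" + _HOST, re.IGNORECASE)


def redact_addresses(text):
    """Return (redacted_text, number_of_replacements).

    Over-redaction is intentional: a phrase like "look at example.com"
    is removed too, because it is indistinguishable from an obscured
    address without knowing the subscriber list.
    """
    text, n_plain = _PLAIN.subn(PLACEHOLDER, text)
    text, n_obscured = _AT_WORD.subn(PLACEHOLDER, text)
    return text, n_plain + n_obscured


# Constructed sample message (not taken from any real archive).
SAMPLE = (
    "From: alice at example.org (Alice)\n"
    "Please reply to bob@example.net or to carol AT lists.example.com.\n"
    "Meet at noon.\n"
)

if __name__ == "__main__":
    redacted, count = redact_addresses(SAMPLE)
    print(redacted)
    print("replacements:", count)
```

The last sample line is left intact because "noon" is not a dotted host name, which shows where the over-matching stops.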
