Mark is right.

The spamming process was to scrape the listinfo page and locate the "list
is run by" line and then de-obfuscate the "j.knight at keele.ac.uk" into
"j.kni...@keele.ac.uk".  Then an email was faked using j.kni...@keele.ac.uk
as the sender to see if the list is either unmoderated or whether the
administrator had set their own email address as unmoderated on a moderated
list.

There's not a lot that can be done to protect against that other than
changing the "list is run by" so that the administrator's real email address
isn't obvious.

Jon.


On 15 May 2017 at 23:19, Barry Warsaw <ba...@list.org> wrote:

> On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:
>
> >It's not done in Mailman 3.
> >
> >For mailman 2.1, the administrator email addresses are a mailto: link that
> >goes to the LISTNAME-owner address, but the email addresses are exposed and
> >only mildly obfuscated ('@' -> ' at ').
> >
> >I would consider adding a configuration option to either obfuscate the
> >addresses further (e.g. drop the domain entirely) or replace the text with
> >something like "Listname list run by listname-ow...@example.com".
>
> I'm a little confused by the OP.  Is it:
>
> 1) A message to the posting address From: listname-ow...@example.com is not
> being moderated?  I would expect it to be since that address is not a member
> of the list.
>
> 2) Emailing To: listname-ow...@example.com directly which would end up
> spamming the list owners?
>
> MM3 doesn't currently moderate messages sent to the list owners, but it
> could.  Messages to -owners flow through a different, shorter chain of rules
> and pipeline, but I've always thought that that would be configurable.
>
> -Barry
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers@python.org
> https://mail.python.org/mailman/listinfo/mailman-developers
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
> Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/j.knight%40keele.ac.uk
>
> Security Policy: http://wiki.list.org/x/QIA9
>



-- 
Jonathan Knight
IT Services
Keele University
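
A defender-side audit for the exposure described in this message, as an added example that is not part of the original post or Mailman's own code: it reads the addresses shown on a listinfo page's "list run by" line and reports any whose From: address alone would bypass moderation. The HTML sample, the addresses, and the `members` / `accept_nonmembers` inputs (stand-ins for the per-member moderation flag and Mailman 2.1's accept_these_nonmembers setting, literal entries only) are constructed assumptions.

```python
import re
from html import unescape

# Mailman 2.1 shows owner addresses as link text in the form "local at domain".
OBFUSCATED = re.compile(r"([A-Za-z0-9._%+-]+) at ([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
RUN_BY = re.compile(r"list run by(.*?)(?:<br|</address|$)", re.I | re.S)


def exposed_owner_addresses(listinfo_html):
    """Addresses a reader can recover from the 'list run by' line."""
    m = RUN_BY.search(listinfo_html)
    if not m:
        return set()
    # Drop tags (and the mailto: href inside them), keep only displayed text.
    text = unescape(re.sub(r"<[^>]+>", " ", m.group(1)))
    return {f"{local}@{domain}".lower()
            for local, domain in OBFUSCATED.findall(text)}


def audit(listinfo_html, members, accept_nonmembers=()):
    """Report exposed owner addresses that post without moderation.

    members: {address: moderation_flag}; False means posts are not held.
    accept_nonmembers: literal addresses accepted without being members.
    """
    mods = {a.lower(): flag for a, flag in members.items()}
    accept = {a.lower() for a in accept_nonmembers}
    findings = []
    for addr in sorted(exposed_owner_addresses(listinfo_html)):
        if addr in accept:
            findings.append((addr, "listed in accept_these_nonmembers"))
        elif mods.get(addr) is False:
            findings.append((addr, "member with moderation flag off"))
    return findings


# Constructed sample of a listinfo footer and list settings.
SAMPLE_HTML = (
    '<address><a href="../listinfo/announce">Announce</a> list run by '
    '<a href="mailto:announce-owner@example.org">owner.one at example.org, '
    'owner.two at example.org</a><br>'
    '<a href="../admin/announce">Announce administrative interface</a>'
    '</address>'
)
SAMPLE_MEMBERS = {
    "owner.one@example.org": False,   # owner exempted themselves
    "owner.two@example.org": True,    # still moderated
    "reader@example.org": False,      # unmoderated but not exposed
}

if __name__ == "__main__":
    for addr, reason in audit(SAMPLE_HTML, SAMPLE_MEMBERS):
        print(f"{addr}: {reason}")
```

Any address this reports is one to re-moderate, or to hide by changing what the "list run by" line displays.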