On 7/10/06, Mark Sapiro <[EMAIL PROTECTED]> wrote:
> Fabiano Breves wrote:
> >
> >This problem came out of nowhere. Everything was just fine till today. I
> >have a large announce-only list and use the 'Approved: password on the
> >first line' method to securely send messages to the list. As I said it was
> >working just fine, but today, the user responsible for sending the
> >announcements (and I) had a surprise - the password was revealed
> >throughout the list. I changed the password, no one had the time to use it
> >to spam into the list (thank God).
> >
> >I have a test list with just a few internal users, and tried to replicate
> >the problem without much success.
> >
> >The user is sending the message from an Outlook Express client in Rich
> >Text format (HTML). This seemed not to be a problem till now.
>
> This is definitely a problem and always has been. See below. If your
> Mailman is 2.1.7 or later, it should be OK, but maybe the poster
> upgraded OE or something that changed the message format.

Sorry, I did not say what version (2.1.8rc1) we are using. After a little more digging I think the problem is Outlook Express, but I need more time to be sure and I'm not in the office right now.

> >As I couldn't replicate the problem within the test list I'm afraid that
> >the password will be revealed again.
> >
> >I checked the source code of the messages and noticed there are two
> >texts, one in plain text format (without the password) and one in HTML
> >format (with the password).
>
> This indicates either one of two things.
>
> If you are using a Mailman version prior to 2.1.7, this has always been
> the case. The Approved: line is only found in and removed from the
> first text/plain part of the message.

As I'm on 2.1.8rc1 I think we don't need to worry about this first one.

> If you are using Mailman 2.1.7 or later, we still look for the
> Approved: line in the first text/plain part in the message, but if we
> find it, we attempt to remove it from all text parts. This may have
> failed. If so, please send me (off list) a copy of the message (as an
> attachment so I see it exactly with all headers and MIME structure).
> Ideally, in this case, I would like to see the post as received by
> Mailman, but if this isn't available, the post from the list will do.

As soon as I get to the office (probably tomorrow) I'll send the message to your e-mail.

> >If I do not use the password the message can't be sent. Did anyone have a
> >similar problem? Does anyone know a better way to securely send
> >announce-only messages?
>
> Provide the Approved: line as an actual message header rather than as
> the first body line, but that's probably not possible with Outlook
> Express. Next best is to post plain text only without any HTML parts.
> In this case if the Approved: line isn't found and removed, the post
> won't go to the list.

We have a web application that can send mail to lists. Maybe I can change the way the poster sends the announcement message.
The application is based on the ASP language. What header should I use, and how do I use it? Sending messages with this method seems to be the solution, because I can take the responsibility of putting in the password away from the poster.

Thanks for your help.

> --
> Mark Sapiro <[EMAIL PROTECTED]>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

--
Fabiano de Carvalho Breves
[EMAIL PROTECTED]
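
The following is an added example, not part of the original thread and not Mailman's own code. It shows a pre-send check a web application could run: build the post with the password in a real `Approved:` header and a plain-text body, and confirm that no text part of an outgoing message still carries the password. The addresses, password and body are constructed, and `strip_first_plain_only` is a simplified model of the pre-2.1.7 behaviour Mark describes above.

```python
import re
from email.message import EmailMessage

PASSWORD = "ex4mple-pw"                 # constructed placeholder, not a real list password
BODY = "Maintenance window on Friday."  # constructed sample announcement

def _envelope():
    msg = EmailMessage()
    msg["From"] = "poster@example.org"  # hypothetical addresses
    msg["To"] = "announce@example.org"
    msg["Subject"] = "Announcement"
    return msg

def build_header_post(password=PASSWORD):
    """Plain-text-only post with the password in a real Approved: header."""
    msg = _envelope()
    msg["Approved"] = password
    msg.set_content(BODY)
    return msg

def build_html_client_post(password=PASSWORD):
    """Constructed multipart/alternative post, Approved: as first body line."""
    msg = _envelope()
    msg.set_content(f"Approved: {password}\n{BODY}\n")
    msg.add_alternative(
        f"<html><body><div>Approved: {password}</div><p>{BODY}</p></body></html>",
        subtype="html")
    return msg

def strip_first_plain_only(msg):
    """Simplified model of the pre-2.1.7 behaviour described in the thread."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            lines = part.get_content().splitlines()
            if lines and lines[0].lower().startswith("approved:"):
                part.set_content("\n".join(lines[1:]) + "\n")
            break  # only the first text/plain part is touched
    return msg

def leaking_parts(msg, password=PASSWORD):
    """Content types of text parts whose visible text still holds the password."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            visible = re.sub(r"<[^>]+>", "", part.get_content())  # drop HTML tags
            if password in visible:
                hits.append(part.get_content_type())
    return hits

if __name__ == "__main__":
    print(leaking_parts(strip_first_plain_only(build_html_client_post())))
    print(leaking_parts(build_header_post()))
```

Running `leaking_parts` on every outgoing post before it is handed to the mail server lets the application refuse to send any message whose body still contains the list password.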