On Fri, 2003-11-28 at 17:05, Barry Warsaw wrote:
> On Fri, 2003-11-28 at 06:26, Colin Palmer wrote:
> > (then you just need to add an ACL to the webserver to stop someone
> > downloading the listname.mbox file that has all the unmunged addresses
> > still in it)
> I'd consider turning this off for
On Sat, 29 Nov 2003 19:43:48 +
Richard Barrett <[EMAIL PROTECTED]> wrote:
> On 29 Nov 2003, at 14:55, J C Lawrence wrote:
>> On Sat, 29 Nov 2003 14:40:48 + Richard Barrett
>> <[EMAIL PROTECTED]> wrote:
> ... I know that Mailman developers are not interested in my input
> about major new r
On 29 Nov 2003, at 14:55, J C Lawrence wrote:
On Sat, 29 Nov 2003 14:40:48 +
Richard Barrett <[EMAIL PROTECTED]> wrote:
On 29 Nov 2003, at 13:32, J C Lawrence wrote:
On Sat, 29 Nov 2003 07:12:45 + Richard Barrett
<[EMAIL PROTECTED]> wrote:
On 29 Nov 2003, at 00:48, J C Lawrence wrote:
For
On Sat, 29 Nov 2003 14:40:48 +
Richard Barrett <[EMAIL PROTECTED]> wrote:
> On 29 Nov 2003, at 13:32, J C Lawrence wrote:
>> On Sat, 29 Nov 2003 07:12:45 + Richard Barrett
>> <[EMAIL PROTECTED]> wrote:
>>> On 29 Nov 2003, at 00:48, J C Lawrence wrote:
>> For me, and (possibly) for Mailman
On 29 Nov 2003, at 13:32, J C Lawrence wrote:
On Sat, 29 Nov 2003 07:12:45 +
Richard Barrett <[EMAIL PROTECTED]> wrote:
On 29 Nov 2003, at 00:48, J C Lawrence wrote:
[ 850805 ] Aggressive anti email address harvesting measure
This patch appears to fail to distinguish between email addresses
On Sat, 29 Nov 2003 07:12:45 +
Richard Barrett <[EMAIL PROTECTED]> wrote:
> On 29 Nov 2003, at 00:48, J C Lawrence wrote:
>>> [ 850805 ] Aggressive anti email address harvesting measure
>> This patch appears to fail to distinguish between email addresses and
>> Message IDs.
>>
> And ...
>
On 29 Nov 2003, at 00:48, J C Lawrence wrote:
On Fri, 28 Nov 2003 16:32:09 +
Richard Barrett <[EMAIL PROTECTED]> wrote:
Prompted by this thread and taking on board some of the ideas
expressed in the discussion I have posted the following patch for MM
2.1.3 on sourceforge:
[ 850805 ] Aggressiv
On Fri, 28 Nov 2003 16:32:09 +
Richard Barrett <[EMAIL PROTECTED]> wrote:
> Prompted by this thread and taking on board some of the ideas
> expressed in the discussion I have posted the following patch for MM
> 2.1.3 on sourceforge:
> [ 850805 ] Aggressive anti email address harvesting measu
Prompted by this thread and taking on board some of the ideas expressed
in the discussion I have posted the following patch for MM 2.1.3 on
sourceforge:
[ 850805 ] Aggressive anti email address harvesting measure
https://sourceforge.net/tracker/?func=detail&aid=850805&group_id=103&atid=3001
On Thursday 27 November 2003 11:05 pm, Barry Warsaw wrote:
> On Fri, 2003-11-28 at 06:26, Colin Palmer wrote:
> > (then you just need to add an ACL to the webserver to stop someone
> > downloading the listname.mbox file that has all the unmunged addresses
> > still in it)
>
> I'd consider turning t
On Fri, 2003-11-28 at 06:26, Colin Palmer wrote:
> (then you just need to add an ACL to the webserver to stop someone
> downloading the listname.mbox file that has all the unmunged addresses
> still in it)
I'd consider turning this off for 2.1.4 if people agree. Perhaps making
it available only
On Thu, 2003-11-27 at 14:19, Chuq Von Rospach wrote:
> On Nov 27, 2003, at 10:32 AM, Barry Warsaw wrote:
>
> > We don't need to get into lengthy language wars here, but I submit that
> > there's no practical difference in performance between Python and Perl,
> > especially in the problem domain th
On Nov 27, 2003, at 2:26 PM, Colin Palmer wrote:
re.sub('@', _(' at ') with re.sub(r'([EMAIL PROTECTED])[\w\.-]+', r'\1...'
which achieves a similar effect with ARCHIVER_OBSCURES_EMAILADDRS turned on.
which is a no-op, since spambots learned how to de-obfuscate that
stuff years ago. False sense
On Fri, 2003-11-28 at 06:08, Terri Oda wrote:
> So, is anyone working on this *within* pipermail? I know there are great
> alternative archivers out there, but Mailman still winds up with a bad
> reputation if the default isn't very secure. Maybe for 2.2 we could have a
> "completely obscure arch
On Nov 27, 2003, at 10:32 AM, Barry Warsaw wrote:
We don't need to get into lengthy language wars here, but I submit that
there's no practical difference in performance between Python and Perl,
especially in the problem domain that Mailman addresses.
Sorry, given that Mailman is almost always rate
On Nov 27, 2003, at 9:52 AM, Terri Oda wrote:
Of course. We should remember that *that's* the reason not to do turing tests.
It's a great example of people solving problems before they actually
define them, and throwing resources at symptoms, not really solving
what's at root cause.
Now some
It's not a security issue. It's a privacy issue. Very different beasts.
Very important beasts, but the only thing they have in common is the
number of legs they have.
The underlying issue is similar to many bugtraq issues: what used to be
a common, acceptable coding practice no longer is. But m
On Wed, 2003-11-26 at 05:36, Bernhard Kuemel wrote:
> It is my impression that python is slow, at least it has a
> lengthy startup. It may still be suitable for certain tasks,
> however I have no idea which as I don't speak python. Mailman was
> run once per minute from cron on my old server. M
On Tue, 2003-11-25 at 15:06, Bernhard Kuemel wrote:
> It would probably be more efficient if some who are familiar with
> the mailman code fixed its "security flaws".
Just to be snitty and pedantic, I don't consider email address leaks in
Pipermail to be security flaws. Not that I don't conside
On Thu, 2003-11-27 at 12:17, Chuq Von Rospach wrote:
> that would be the answer, or throw it out (I'm not a huge fan of
> pipermail; its only advantage to mailman is it's written in Python)
> and do something else. Or leave pipermail alone, and write a CGI that
> all archives exit through that
On Thu, 2003-11-27 at 12:08, Terri Oda wrote:
> > Better is to simply teach the archives not to distribute sensitive
> > information at all. And a lot easier to implement, actually.
>
> So, is anyone working on this *within* pipermail? I know there are great
> alternative archivers out there,
On Thu, Nov 27, 2003 at 09:17:33AM -0800, Chuq Von Rospach wrote:
> if it can be made accessible, I have no problem with it. But I think
> it's solving the wrong problem, because the data is still accessible to
> a motivated person. you're not fixing the issue, simply raising the bar
> and hopin
On Thu, 27 Nov 2003 09:17:33 -0800
Chuq Von Rospach <[EMAIL PROTECTED]> wrote:
> On Nov 27, 2003, at 9:08 AM, Terri Oda wrote:
>> On Tue, Nov 25, 2003 at 11:07:39AM -0800, Chuq Von Rospach wrote:
> Remember challenge/response? When everyone thought it was the solution
> to all of our problems? To
On Nov 27, 2003, at 9:08 AM, Terri Oda wrote:
On Tue, Nov 25, 2003 at 11:07:39AM -0800, Chuq Von Rospach wrote:
Fails ADA and accessibility requirements badly. I'd argue against any
solution that fails such basic needs without any real way to fix it.
What about reverse turing tests that aren't gra
On Thu, 27 Nov 2003 12:08:24 -0500
Terri Oda <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 25, 2003 at 11:07:39AM -0800, Chuq Von Rospach wrote:
> I know there are great alternative archivers out there, but Mailman
> still winds up with a bad reputation if the default isn't very secure.
Disagreed.
>
On Tue, Nov 25, 2003 at 11:07:39AM -0800, Chuq Von Rospach wrote:
> Fails ADA and accessibility requirements badly. I'd argue against any
> solution that fails such basic needs without any real way to fix it.
What about reverse turing tests that aren't graphics-based? It's easier to
beat "What
Bernhard Kuemel wrote:
A million string interpolations and file accesses in 2.1 s - not bad.
Hmm, maybe the startup overhead of python is still significant
with 1,000,000 iterations so here are 10,000,000 timings:
[EMAIL PROTECTED]:~/src/benchmark$ time perl -e 'for
($i=1;$i<=1000;$i++) {pri
Richard Barrett wrote:
Maybe. However, I don't like python as on our old P60 server it burned
up so much CPU time (15 s/min).
It would be interesting to see you present convincing evidence that
Python runs slower than Perl which you seem happy to rely on.
That can be difficult as different progra
Richard Barrett wrote:
Since your answer is the only one and the problem does not appear to
be addressed sufficiently I wrote an example exploit program that
finds mailman lists and harvests their email addresses. After about
20 minutes it collected about 30.000 email addresses:
http://bks
Doug Selph wrote:
On Tuesday, Nov 25, 2003, at 11:46 US/Central, Bernhard Kuemel wrote:
If you think the problem is worth fixing please estimate how long it
will take and I will wait a reasonable time for a fix before I post
the problem and the exploit code to bugtraq. Otherwise I will post to
On 25 Nov 2003, at 20:06, Bernhard Kuemel wrote:
Richard Barrett wrote:
Since your answer is the only one and the problem does not appear to
be addressed sufficiently I wrote an example exploit program that
finds mailman lists and harvests their email addresses. After about
20 minutes it col
Barry Warsaw wrote:
On Tue, 2003-11-25 at 12:46, Bernhard Kuemel wrote:
If you think the problem is worth fixing please estimate how long
it will take and I will wait a reasonable time for a fix before I
post the problem and the exploit code to bugtraq. Otherwise I
will post to bugtraq in about
On Nov 25, 2003, at 11:03 AM, Barry Warsaw wrote:
I want to remind you about my graphical turing test I proposed as
solution:
http://mail.python.org/pipermail/mailman-developers/2003-November/016082.html
I'd consider something like that a new feature, and not likely to make
it into the maintenan
On Tue, 2003-11-25 at 13:31, Bernhard Kuemel wrote:
> I want to remind you about my graphical turing test I proposed as
> solution:
>
> http://mail.python.org/pipermail/mailman-developers/2003-November/016082.html
I'd consider something like that a new feature, and not likely to make
it into th
On Tuesday, Nov 25, 2003, at 11:46 US/Central, Bernhard Kuemel wrote:
If you think the problem is worth fixing please estimate how long it
will take and I will wait a reasonable time for a fix before I post
the problem and the exploit code to bugtraq. Otherwise I will post to
bugtraq in about 1
On 25 Nov 2003, at 17:46, Bernhard Kuemel wrote:
David Champion wrote:
* On 2003.11.16, in <[EMAIL PROTECTED]>,
This test may disable users of non graphical web browsers or email
only subscribers to subscribe.
I've generally found that encoding the address as HTML character
entities works fine. I
On Tue, 2003-11-25 at 12:46, Bernhard Kuemel wrote:
> If you think the problem is worth fixing please estimate how long
> it will take and I will wait a reasonable time for a fix before I
> post the problem and the exploit code to bugtraq. Otherwise I
> will post to bugtraq in about 1 week.
I
David Champion wrote:
* On 2003.11.16, in <[EMAIL PROTECTED]>,
This test may disable users of non graphical web browsers or email
only subscribers to subscribe.
I've generally found that encoding the address as HTML character
entities works fine. I've had a bait address on my web page for quite
so
38 matches