Re: [Mailman-Developers] Mailing lists exploited

On Tue 2017-05-16 13:29:21 +0100, Jonathan Knight wrote:
I think the real name if it's available and the list owner address if not. Using the local part (e.g. j.knight) would still make it possible to guess the @keele.ac.uk if the mailing lists are all hosted on maillists.keele.ac.uk.
surely it's easy for an attacker to guess moderation-free sender addresses by a quick scan of the list archives as well. what attackers are we really trying to defend against here?
--dkg

On 05/16/2017 08:17 PM, Daniel Kahn Gillmor wrote:
surely it's easy for an attacker to guess moderation-free sender addresses by a quick scan of the list archives as well.
Only if there are public archives.
I realized I am more or less immune from this attack for my several production lists. The lists are all @example.org (obviously not the real domain) and the list owner is listmanager@example.org which is a forwarder to the real list admins and is not a member or authorized poster of any of the lists.
It was set up this way because we have a number of such forwarders for various functions and having a generic address for a function is a convenience that avoids people mailing the wrong people when responsibilities change, but a side benefit is the address exposed on web pages can't post without moderation, plus one could add it to discard_these_nonmembers and never see posts From: that address.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
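The setup Mark describes (an owner address that is only a forwarder, not a member or accepted nonmember, plus an entry in discard_these_nonmembers) can be checked against the spammer's trick with a small model of the list's moderation decision. The following is an added illustration, not Mailman's own code: it assumes a simplified version of Mailman 2.1's check order (member status, then the accept/hold/reject/discard nonmember lists, then generic_nonmember_action), and the two list configurations and From: headers are constructed sample data.

```python
import re
from email.utils import parseaddr

# Mailman 2.1 generic_nonmember_action values (0 accept, 1 hold, 2 reject, 3 discard).
GENERIC_ACTIONS = {0: 'accept', 1: 'hold', 2: 'reject', 3: 'discard'}


def matches(address, patterns):
    """Entries beginning with '^' are regular expressions, anything else is a
    literal address; both are compared case-insensitively, as Mailman does."""
    for pat in patterns:
        if pat.startswith('^'):
            if re.match(pat, address, re.IGNORECASE):
                return True
        elif pat.lower() == address.lower():
            return True
    return False


def moderate(cfg, from_header):
    """Return the action a list with configuration cfg takes on a message
    whose From: header is from_header. Assumed check order (a simplified
    model of Mailman 2.1's Moderate handler): member status first, then the
    accept/hold/reject/discard nonmember lists, then generic_nonmember_action."""
    sender = parseaddr(from_header)[1].lower()
    if sender in {m.lower() for m in cfg['members']}:
        moderated = {m.lower() for m in cfg.get('moderated_members', [])}
        return 'hold' if sender in moderated else 'accept'
    for key, action in (('accept_these_nonmembers', 'accept'),
                        ('hold_these_nonmembers', 'hold'),
                        ('reject_these_nonmembers', 'reject'),
                        ('discard_these_nonmembers', 'discard')):
        if matches(sender, cfg.get(key, [])):
            return action
    return GENERIC_ACTIONS[cfg.get('generic_nonmember_action', 1)]


# Constructed sample configurations. Both lists have one ordinary subscriber
# and hold mail from unknown nonmembers (the Mailman default).
WEAK_LIST = {
    'owner': ['admin@example.org'],
    # The owner address published on the list's web pages is also an
    # unmoderated subscriber, so a message claiming to be From: it is accepted.
    'members': ['alice@example.org', 'admin@example.org'],
    'generic_nonmember_action': 1,
}

HARDENED_LIST = {
    # A forwarder as owner: it reaches the real admins but is neither a member
    # nor an accepted nonmember of the list ...
    'owner': ['listmanager@example.org'],
    'members': ['alice@example.org'],
    # ... and posts claiming to come from it are dropped without a notice.
    'discard_these_nonmembers': ['listmanager@example.org'],
    'generic_nonmember_action': 1,
}


def demo():
    """Outcome of a post forged From: the published owner address, per list."""
    return {
        'weak': moderate(WEAK_LIST, 'Spammer <admin@example.org>'),
        'hardened': moderate(HARDENED_LIST, 'Spammer <listmanager@example.org>'),
    }


if __name__ == '__main__':
    for name, action in demo().items():
        print(f'{name}: forged owner post -> {action}')
```

Legitimate subscriber posts are still accepted and mail from unknown addresses is still held for review in the hardened configuration; only the one address that is exposed on the web pages becomes useless as a forged sender.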

The attack we're trying to defend against is a scripted one which grabs a list of all the mailing lists, then harvests the administrator email and then tries to spam each list using the administrator as a sender address.
If the archives are public then I guess you could write a reasonable algorithm to try and guess an unmoderated address, but I don't think it's as easy to hit thousands of mailing lists using that approach.
Jon
On 17 May 2017 at 04:17, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
On Tue 2017-05-16 13:29:21 +0100, Jonathan Knight wrote:
I think the real name if it's available and the list owner address if not. Using the local part (e.g. j.knight) would still make it possible to guess the @keele.ac.uk if the mailing lists are all hosted on maillists.keele.ac.uk.
surely it's easy for an attacker to guess moderation-free sender addresses by a quick scan of the list archives as well. what attackers are we really trying to defend against here?
--dkg
--
Jonathan Knight
IT Services
Keele University