passwords in third party web archives, newsgroups

Are the mailman developers at all concerned by
http://www.google.com/search?q=mailman-owner+reminder+password
http://x66.deja.com/=dnc/getdoc.xp?AN=641175690
This is probably especially a problem with lists that were converted from another MLM, where there was no explicit "one address, one reader" assumption at the time the archive was subscribed.
[note:
- I'm not subscribed to the mailman mailing lists, nor do I use mailman except as a list subscriber and the maintainer of the rec.music.gaffa news2mail gateway; please cc me on any direct responses.
- I looked through the archives and saw many discussions of passwords, but did not find this issue addressed; my apologies if I missed it.
- Yes, the rec.music.gaffa gateway filters mailman admin messages, and has done so since a few hours after the first reminder appeared in the newsgroup.
- No, I don't think this is a huge security issue, but it certainly does have some potential for minor mischief.
- I may mention this (in passing) in a submission to comp.risks soon.
]
-dan

At 7:00 PM -0500 11/5/00, Dan Riley wrote:
Are the mailman developers at all concerned by
http://www.google.com/search?q=mailman-owner+reminder+password
http://x66.deja.com/=dnc/getdoc.xp?AN=641175690
This is probably especially a problem with lists that were converted from another MLM,
It's an interesting issue. Mailman includes the X-No-Archive header in these messages, so anyone who's archiving them anyway isn't following the protocol. I'm not sure it's a major issue, and it's an end-user mis-behavior at that -- but it's still somewhat troubling that it gets into archives and search engines. I'm not sure what mailman can do to prevent end-users from shooting themselves in the foot here, though.
the passwords are a trivial issue to me. the REAL issue is you have mail lists putting up archives that are being put into global search engines -- and those archives are full of unprotected email addresses just waiting for the spam harvester bots. Compared to that, the passwords are nothing -- like dealing with a hangnail on a foot with gangrene.
and if the lists want their archives to be wide open like that, there's not a damn thing Mailman can do to save them from themselves. But as long as there are easily harvested email addresses in the search engines, the passwords simply aren't something I'm going to worry about.

"DR" == Dan Riley dsr@mail.lns.cornell.edu writes:
DR> Are the mailman developers at all concerned by
DR> http://www.google.com/search?q=mailman-owner+reminder+password
DR> http://x66.deja.com/=dnc/getdoc.xp?AN=641175690
Yes, but it's too late to do anything about this in Mailman 2.0. Individual users should be able to disable password reminders to their address. Such archiver "false-users" can then just have this turned off.
I'm glad there's a workaround for now!
-Barry
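The archiver-side check discussed in this thread (honoring X-No-Archive, plus a gateway filter for reminder mail), as an added example that is not part of the original messages or Mailman's own code. The `should_archive` name, the sample messages, and the sender/subject heuristic are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def should_archive(raw_message: str) -> bool:
    """Return False for mail an archiver or news gateway should drop."""
    msg = message_from_string(raw_message)
    # Honor the opt-out header the thread says Mailman sets on reminders.
    # Assumption: any value beginning with "yes" (any case) opts out.
    for value in msg.get_all("X-No-Archive", []):
        if value.strip().lower().startswith("yes"):
            return False
    # Fallback for copies whose header was lost in transit (assumption:
    # reminders come from a "mailman-owner" local part and mention
    # "reminder" in the subject, matching the search terms in the thread).
    _, addr = parseaddr(msg.get("From", ""))
    local_part = addr.partition("@")[0].lower()
    subject = msg.get("Subject", "").lower()
    if local_part == "mailman-owner" and "reminder" in subject:
        return False
    return True

# Constructed sample messages (not real traffic).
REMINDER = """\
From: mailman-owner@lists.example.org
To: archive@example.org
Subject: lists.example.org mailing list memberships reminder
X-No-Archive: yes

(constructed body; a real reminder would list subscription passwords)
"""

# Same reminder after an intermediate hop dropped the opt-out header.
STRIPPED = REMINDER.replace("X-No-Archive: yes\n", "")

POST = """\
From: subscriber@example.org
To: some-list@lists.example.org
Subject: Re: reminder about the meeting

(constructed body of an ordinary list post)
"""

if __name__ == "__main__":
    for name, raw in [("reminder", REMINDER), ("stripped", STRIPPED), ("post", POST)]:
        print(name, "archive" if should_archive(raw) else "drop")
```

The header check alone covers well-behaved senders; the fallback exists only because an archive address subscribed like a normal reader may receive copies that have passed through software that does not preserve the header.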
participants (3)
- barry@digicool.com
- Chuq Von Rospach
- Dan Riley