[ mailman-Bugs-1059637 ] Leave choice on obfuscation method to sysadmin

Wed Sep 21 18:21:55 CEST 2005

Bugs item #1059637, was opened at 2004-11-03 12:14
Message generated for change (Comment added) made by magicfab
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1059637&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Pipermail
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Alster (alster)
Assigned to: Nobody/Anonymous (nobody)
Summary: Leave choice on obfuscation method to sysadmin

Initial Comment:
As far as I know, currently the way pipermail
obfuscates email addresses is hardcoded to "user at
domain.com". This is really easy to harvest.

It may be a better idea to leave the method of
obfuscation to the mailman (sys)admin (not list admin).
This will result in increased diversity of obfuscation
methods on the several pipermail setups and thus to
decreased harvesting.

----------------------------------------------------------------------

Comment By: Fabián A. Rodríguez S. (magicfab)
Date: 2005-09-21 12:21

Message:
Logged In: YES 
user_id=92045

This would also affect messages that are already archived or
the existing methods for archival of messages. See this in
the Mailman FAQ:
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.034.htp

Some docs on making your lists less vulnerable to harvesting:
http://www.list.org/mailman-member/node40.html

Other related threads:
http://mail.python.org/pipermail/mailman-developers/2004-February/016569.html
http://zope.org/Members/bwarsaw/MailmanDesignNotes/MailmanProblems

----------------------------------------------------------------------

Comment By: Fabián A. Rodríguez S. (magicfab)
Date: 2005-09-21 12:03

Message:
Logged In: YES 
user_id=92045

I agree this should be addressed as more and more bots &
agents harvest public lists for this information. Even
private lists that are not tuning 2.1.6 may be vulnerable to
this harvesting method.

I'd like to suggest to use a random obfuscation method *for
each message* .

----------------------------------------------------------------------

Comment By: Jean Delvare (khali)
Date: 2005-07-18 06:15

Message:
Logged In: YES 
user_id=66405

I would second this request. The current obfuscation scheme
is next to useless. I understand that it would make little
sense hardcoding a more complex obfuscation scheme, as it
could easily be reverse-engineered. However, if the
obfuscation method was left to the administrator, there
would be virtually as many different obfuscation schemes as
sites, so reverse-engineering would be much more difficult,
if impossible.

As a side note, I wonder why there is no option in mailman
to plain discard the e-mail addresses from the Archive. This
should be even more simple to implement, and sufficient at
least for my own needs.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1059637&group_id=103