[Mailman-Developers] Potential risk of VERP?
Barry A. Warsaw
Tue, 12 Feb 2002 13:24:08 -0500

I just thought of a potential risk to VERPing, and I'd like to get
some feedback from you all about it.

Let's say I run a mailing list firstname.lastname@example.org and someone like (oh, I
dunno) yahoogroups subscribes to the list and provides subscription
services of its own. I.e. people can subscribe to email@example.com
and they'll get all the messages posted to firstname.lastname@example.org. Yes, we've
seen this happen quite a bit.

Now, suppose someone on email@example.com starts bouncing, and we're
VERPing. Won't our Mailman think that firstname.lastname@example.org is the
bouncing member? In a sense they are, but I can see an attack vector:

- subscribe to some downstream reflector for a group,
- purposely set your address to bounce
- email@example.com gets disabled, thus shutting off a large list of

Or will/should yahoogroups rewrite the envelope sender for /its/
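
Added example, not part of the original message and not Mailman's own code: a model of how a VERP bounce is attributed, showing that the upstream list blames the reflector's address only when the reflector forwards with the original envelope sender. The `list-bounces+mailbox=host@listhost` address layout, the function names and all addresses are assumptions constructed for illustration.

```python
import re

# Assumed VERP layout: <list>-bounces+<mailbox>=<host>@<listhost>
VERP_RE = re.compile(
    r'^(?P<bounces>[^+]+)\+(?P<mailbox>[^=]+)=(?P<host>[^@]+)@(?P<listhost>.+)$')

def verp_encode(bounce_addr, recipient):
    """Build the per-recipient envelope sender for one delivery."""
    local, listhost = bounce_addr.split('@', 1)
    mailbox, host = recipient.rsplit('@', 1)
    return f'{local}+{mailbox}={host}@{listhost}'

def verp_decode(bounce_addr, envelope_to):
    """Return the member a bounce is attributed to, or None if the
    address is not a VERP address belonging to this list."""
    m = VERP_RE.match(envelope_to)
    if m is None:
        return None
    if f"{m['bounces']}@{m['listhost']}" != bounce_addr:
        return None
    return f"{m['mailbox']}@{m['host']}"

def reflect(incoming_sender, reflector_bounces, downstream, rewrite):
    """Model a reflector re-sending one message to its own subscribers.
    Returns {downstream recipient: envelope sender used for that copy}."""
    return {
        rcpt: verp_encode(reflector_bounces, rcpt) if rewrite else incoming_sender
        for rcpt in downstream
    }

def blamed_upstream(list_bounces, member, reflector_bounces,
                    downstream, failing, rewrite):
    """Which upstream member is blamed when `failing` bounces downstream?"""
    sender = verp_encode(list_bounces, member)
    copies = reflect(sender, reflector_bounces, downstream, rewrite)
    dsn_to = copies[failing]  # a bounce goes back to the envelope sender
    return verp_decode(list_bounces, dsn_to)

# Constructed sample data
LIST = 'mylist-bounces@lists.example.org'
MIRROR = 'mirror@reflector.example.net'
MIRROR_BOUNCES = 'mirror-bounces@reflector.example.net'
DOWNSTREAM = ['alice@a.example', 'bob@b.example']

if __name__ == '__main__':
    for rewrite in (False, True):
        who = blamed_upstream(LIST, MIRROR, MIRROR_BOUNCES,
                              DOWNSTREAM, 'bob@b.example', rewrite)
        print(f'reflector rewrites envelope sender={rewrite}: upstream blames {who}')
```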