[Mailman-Developers] [ mailman-Feature Requests-537022 ] Requesting email not attached in confirmation message
noreply@sourceforge.net
Thu, 02 May 2002 22:18:57 -0700
Feature Requests item #537022, was opened at 2002-03-30 00:59
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=350103&aid=537022&group_id=103
Category: None
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Ben Bucksch (benb)
Assigned to: Nobody/Anonymous (nobody)
Summary: Requesting email not attached in confirmation message
Initial Comment:
When somebody requests to be signed up to a mailing
list, there's a confirmation message sent out to the
email address being (in the process of being) subscribed.
However, it seems like mailman doesn't include the IP
address and timestamp of the user trying to sign up the
email address. This information is critical in case
somebody else tried to subscribe you without your
consent (i.e. the whole point of the confirmation
messages).
In our case, somebody tries to sign up the public
Mozilla mailing lists to other mailing lists. Since the
lists are public, the confirmation messages are mostly
useless.
----------------------------------------------------------------------
>Comment By: Barry Warsaw (bwarsaw)
Date: 2002-05-03 01:18
Message:
Logged In: YES
user_id=12800
Actually, with the freshly rewritten command handler, you
now get a copy of your original request. However, it
doesn't come with the confirmation message, it comes with a
results notification of your original request.
----------------------------------------------------------------------
Comment By: Barry Warsaw (bwarsaw)
Date: 2002-04-03 19:00
Message:
Logged In: YES
user_id=12800
I'm moving this to the feature request tracker. It may or
may not make it into MM2.1
----------------------------------------------------------------------
Comment By: Ben Bucksch (benb)
Date: 2002-04-02 01:04
Message:
Logged In: YES
user_id=1193
OK. You say "when using the web to make a subscription request".
I just tried to subscribe to your mailman-announce list
(which is run by Mailman 2.0.8) via *email*, and it just
includes the From address. That's of course useless, as that
can be forged trivially.
IMO, including the full subscription message, esp. headers,
would be needed.
----------------------------------------------------------------------
Comment By: Barry Warsaw (bwarsaw)
Date: 2002-04-02 00:35
Message:
Logged In: YES
user_id=12800
Uh, yeah! Mailman 1.1 is really old.
----------------------------------------------------------------------
Comment By: Ben Bucksch (benb)
Date: 2002-04-02 00:34
Message:
Logged In: YES
user_id=1193
I have a subscription message (caused by an attacker) here,
sent from Mailman 1.1. I guess you fixed it in the meantime?
----------------------------------------------------------------------
Comment By: Barry Warsaw (bwarsaw)
Date: 2002-04-01 16:06
Message:
Logged In: YES
user_id=12800
When using the web to make a subscription request, the
confirmation message does indeed include the IP address of
the browser client, as provided in the cgi environment.
It's true that the timestamp isn't given, although I'm
unsure how useful that would be given that the Date: on the
confirmation message is probably pretty close.
----------------------------------------------------------------------
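The request discussed in this thread, carrying the full original subscription message and its headers along with the confirmation, sketched as an added example using Python's standard `email` package. This is not Mailman's code; `build_confirmation`, the addresses, the token and the sample request are hypothetical or constructed, and it assumes the topmost Received line was written by the list server's own MTA.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample: a subscription request as it arrives at the list server.
SAMPLE_REQUEST = (
    "Received: from relay.example.net (relay.example.net [192.0.2.15])\n"
    "\tby lists.example.org with ESMTP; Tue, 02 Apr 2002 01:00:12 -0800\n"
    "Received: from client (unknown [198.51.100.7])\n"
    "\tby relay.example.net with SMTP; Tue, 02 Apr 2002 01:00:10 -0800\n"
    "From: someone@example.com\n"
    "To: demo-request@lists.example.org\n"
    "Subject: subscribe\n"
    "Message-ID: <constructed-1@client.example>\n"
    "\n"
    "subscribe\n"
)


def build_confirmation(raw_request, list_addr, token):
    """Hypothetical helper: confirmation mail that carries the original request."""
    original = message_from_string(raw_request, policy=policy.default)
    claimed = parseaddr(str(original["From"]))[1]  # forgeable, only a claim
    # Only the topmost Received line was written by our own MTA; the ones
    # below it were supplied by earlier hops or by the sender.
    hops = [" ".join(str(h).split()) for h in original.get_all("Received", [])]
    trusted = hops[0] if hops else "(no Received header)"

    confirm = EmailMessage()
    confirm["From"] = list_addr
    confirm["To"] = claimed
    confirm["Subject"] = f"confirm {token}"
    confirm.set_content(
        "A subscription request was made for this address.\n"
        "Reply to this message to confirm; ignore it otherwise.\n\n"
        f"Hop recorded by the list server:\n  {trusted}\n\n"
        "The complete request, with all headers, is attached.\n"
    )
    # Attach the request untouched as message/rfc822 so every header survives.
    confirm.add_attachment(original)
    return confirm


if __name__ == "__main__":
    print(build_confirmation(SAMPLE_REQUEST, "demo-request@lists.example.org",
                             "0123abcd").as_string())
```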