[Mailman-Developers] Possible yahoogroups problem.

Barry Warsaw barry at python.org
Tue Jul 8 13:36:38 EDT 2003


On Tue, 2003-07-08 at 01:49, Chuq Von Rospach wrote:

> So I'm worried that someone's figured out how to circumvent yahoo's  
> confirmation process. I wanted to bring this up with Yahoo, but they  
> evidently weren't interested.

Okay, so /that/ sucks.

> (and the reason I'm posting this to mailman-developers: just a general  
> question, since I haven't had time to look it up myself: does the  
> mailman confirmation process use an algorithm that could potentially be  
> reverse engineered? If it happened to Yahoo, it could happen to  
> Mailman. Even if it didn't happen to Yahoo, it could happen to other  
> services if their confirmations can be predicted in some way.

Short of a brute-force attack, I think it would be difficult.  In the
tradition of openness (and because it's all in the source anyway, as
opposed to Yahoo's code -- yay for us :), here's what we do:

When someone's subscription is held for approval, we generate the unique
cookie by combining three pieces of information, and then sha
hexdigesting the string representation of that data.  If an attacker
could figure out the string rep, they could hash it themselves and guess
the cookie.  The data we use:

- the str() of the output of random.random()
- the str() of the server's current time
- the str() of the "content"

and we concatenate these three strings together before hashing them.  In
the case of a subscription request, the content is a UserDesc instance,
which has a repr like:

<UserDesc person at example.com (Paul Erson) [password] [digest? no] [en]>

(apologies for any line split)

I'd think that because three of the UserDesc components come directly
from the subscribee, it would be very difficult to guess the UserDesc
repr, /aside/ from the difficulty of guessing the random float and
timestamp.  Given sha's hash security, I'd be inclined to think we're
safe <wink>.

An attacker could brute-force it, but I suspect you'd succumb to denial
of service either in Mailman or in upstream tools long before the
confirmation cookie was cracked.

But maybe I'm missing an obvious hole, either in the cookie generation
or somewhere else in the confirmation process.

> Anyone want to hazard a reason why it might NOT be a breach of yahoo's  
> algorithm here? I'm just a bit worried that we're seeing a new phase  
> where spammers have figured out how to get around these protections; if  
> so, it also opens up mailing lists to be a new form of guided missile  
> in attacks on people, something I'd rather avoid, thank you...)

BTW, is there something we can do to prevent Mailman addresses from
getting subscribed to Yahoo! or other listservs?  I'd rather not
hardcode in Yahoo! brain damage, so I'm looking for a more principled
approach.

-Barry





More information about the Mailman-Developers mailing list