[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Richard Barrett r.barrett at openinfo.co.uk
Tue Nov 25 16:51:09 EST 2003


On 25 Nov 2003, at 20:06, Bernhard Kuemel wrote:

> Richard Barrett wrote:
>>> Since your answer is the only one and the problem does not appear to 
>>>  be addressed sufficiently I wrote an example exploit program that  
>>> finds mailman lists and harvests their email addresses. After about 
>>> 20  minutes it collected about 30.000 email addresses:  
>>> http://bksys.at/bernhard/30,000%20email%20addresses.gz
>> I am just a spectator but this doesn't look like a major contribution 
>>  to the Open Source movement by you.
>
> You are right. It is a small contribution. I also filed a PHP bug 
> today. Another small contribution. Makes 2 today. But not all days are 
> as productive as this one.
>
>> As a way of getting your code and ideas adopted it is one hell of an  
>> approach.
>
> Well, I'm not sure if a graphical turing test makes up for the 
> drawbacks I mentioned so I'm not sure it will make it to mailman. But 
> I'm glad that the email harvesting problem gets some attention now.
>
>> A better approach might be to work up a patch for the current Mailman 
>>  release that will demonstrably function in practice (how are we 
>> going  to manage all those images your original "Turing test"  
>> proposal will  lead to) and submit that like any other contributor.
>
> It would probably be more efficient if some who are familiar with the 
> mailman code fixed its "security flaws". Also we first need to find 
> out what should be done about it. A graphical turing test may rule out 
> users of non graphical web browsers and maybe we can come up with 
> something better. Implementing it prematurely might be a waste of 
> human resources.
>
>> You can program in Perl so using Python should be a snap for a clever 
>> fellow like you.
>
> Maybe. However, I don't like python as on our old P60 server it burned 
> up so much CPU time (15 s/min).

It would be interesting to see you present convincing evidence that 
Python runs slower than Perl which you seem happy to rely on.

> I can also program in C so I could probably fix the PHP bug as well. 
> However, I do not always feel like doing everything, especially if the 
> others don't like it.

Maybe dilettante springs to mind as a description that fits.

>
>> But I confess if it were for me to decide on a response to your 
>> threats,
>
> I was looking for a better word than 'warning', however, none of the 
> alternatives seemed to fit. Also I tried to make my announcement of my 
> bugtraq post as little offensive as possible. If you are a native 
> English speaker maybe you can show me an even better way.

How about acting like a contributor to produce solutions instead of 
being a smart guy: why just contribute to the pool of problems when 
you could contribute to the pool of solutions to problems? Why should 
anybody take your proposals seriously, and invest their unpaid effort 
into proving their worth, when you cannot be bothered to invest the 
effort yourself?

>
>> which it is not, I'd say sex and travel fits the bill.
>
> Well, well, if you prefer some hints about sex over my bug reports 
> maybe we should change the forum. About travelling, if you want you 
> can join next European Rainbow gathering, my every year summer 
> highlight. See my rainbow website for details: http://rainbow.bksys.at 
> .
>
>>> Have a nice day,
>> There's irony for you.
>
> That was not meant ironically. Hmm, maybe 'cheers' would have been 
> less ambiguous, but only '(kind) regards' came to my mind at that time 
> and that sounded too formal to me. Other suggestions?
>
> Cheers, Bernhard
>
> -- 
> Webspace; low-end server housing from 15 euros, etc.: http://www.bksys.at
> Linux admin/programmer: http://bksys.at/bernhard/services.html
>
