[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Terri Oda terri at zone12.com
Thu Nov 27 12:08:24 EST 2003

On Tue, Nov 25, 2003 at 11:07:39AM -0800, Chuq Von Rospach wrote:
> Fails ADA and accessibility requirements badly. I'd argue against any  
> solution that fails such basic needs without any real way to fix it.

What about reverse turing tests that aren't graphics-based?  It's easier to
beat "What is the sum of three and fifteen?" or "what is the name of this
mailing list?" text-tests than the more complex RTTs, but it would make
exploit code that much harder to write without sacrificing users who can't,
for example, view graphics or hear sounds. 

> Better is to simply teach the archives not to distribute sensitive  
> information at all. And a lot easier to implement, actually.

So, is anyone working on this *within* pipermail?  I know there are great
alternative archivers out there, but Mailman still winds up with a bad
reputation if the default isn't very secure.  Maybe for 2.2 we could have a
"completely obscure archived email addresses" option which changed them all
to user at xxxxxx.  

More information about the Mailman-Developers mailing list