[Mailman-Developers] bugtraq submission warning: email address harvesting exploit
Chuq Von Rospach
chuqui at plaidworks.com
Thu Nov 27 14:17:34 EST 2003
On Nov 27, 2003, at 9:52 AM, Terri Oda wrote:
> Of course. We should remember that *that's* the reason not to do
> Turing tests.
>
It's a great example of people solving problems before they actually
define them, and throwing resources at symptoms, not really solving
what's at root cause.
Now sometimes you have no alternative than a continuing arms race of
escalation, like in the current spam/anti-spam wars. But it's always
useful to sit back and see if you can figure out what the real problem
is and whether you can circumvent it at a basic level and not just run
around patching the latest version of it.
And it's also important to not over-fix a problem. After all, there's
still nothing stopping spammers from simply subscribing to mailing
lists and harvesting addresses from postings directly, other than it's
simply easier and more anonymous to grab archives. So don't waste time
OVER-securing the archives, since that just leads to a false sense of
security anyway. If you really want to secure this, you'll have to tear
down Mailman to square one, and re-engineer it to obscure mail
addresses on all traffic, and replace them with mapped addresses that
forward through the server. That means all 1-to-1 traffic (replies, etc.)
also needs to travel through the server, and effectively, Mailman starts
becoming an anonymous remailer type of beast as well as a mail server.
Which creates a whole new class of problems while solving this one...
(and yes, that's actually a design paradigm I'm noodling on, in what
little time I have to noodle right now.)