[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Colin Palmer colinp at waikato.ac.nz
Thu Nov 27 17:26:46 EST 2003

On Fri, 2003-11-28 at 06:08, Terri Oda wrote:
> So, is anyone working on this *within* pipermail?  I know there are great
> alternative archivers out there, but Mailman still winds up with a bad
> reputation if the default isn't very secure.  Maybe for 2.2 we could have a
> "completely obscure archived email addresses" option which changed them all
> to user at xxxxxx.  

On the copy of Mailman I run here, I just went through 
Mailman/Archiver/HyperArch.py and replaced all the occurrences of
re.sub('@', _(' at ') with re.sub(r'([\w\.-]+ at .)[\w\.-]+', r'\1...'
which achieves a similar effect with ARCHIVER_OBSCURES_EMAILADDRS turned

(then you just need to add an ACL to the webserver to stop someone
downloading the listname.mbox file that has all the unmunged addresses
still in it)

Colin Palmer <colinp at waikato.ac.nz>
University of Waikato, ITS Division
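The two obscuring styles compared in this thread, as an added example (not Mailman's code and not Colin's patch): the ' at ' marker and the domain-truncating pattern are taken from the message above; the sample archive text is constructed.

```python
import re

# Added example, not Mailman's code. Shows the stock ARCHIVER_OBSCURES_EMAILADDRS
# munging beside the stronger domain truncation described in the post.

AT_MARK = ' at '   # what Mailman substitutes for '@' when obscuring is on

# Pattern from the post: keep the local part and the first character of the
# domain, replace the rest of the domain with '...'.
TRUNCATE_DOMAIN = re.compile(r'([\w\.-]+ at .)[\w\.-]+')


def obscure_weak(text):
    """Stock munging: only swaps '@' for ' at ' (trivially reversible)."""
    return re.sub('@', AT_MARK, text)


def obscure_strong(text):
    """Weak munging followed by domain truncation, as the post describes."""
    return TRUNCATE_DOMAIN.sub(r'\1...', obscure_weak(text))


def domains_remaining(original_text, obscured_text):
    """Full domains from the original that are still readable after munging."""
    domains = set(re.findall(r'[\w\.-]+@([\w\.-]+)', original_text))
    return sorted(d for d in domains if d in obscured_text)


# Constructed archive fragment: header addresses plus an ordinary body line.
SAMPLE = (
    "From: colinp@waikato.ac.nz (Colin Palmer)\n"
    "Cc: mailman-developers@python.org, first.last@example.co.uk\n"
    "Body: see you at noon\n"
)

if __name__ == '__main__':
    print(obscure_weak(SAMPLE))
    print(obscure_strong(SAMPLE))
    # weak munging leaves every domain intact; strong munging leaves none
    print(domains_remaining(SAMPLE, obscure_weak(SAMPLE)))
    print(domains_remaining(SAMPLE, obscure_strong(SAMPLE)))
```

Because the truncating pattern keys on the literal ' at ' rather than on '@', it also rewrites ordinary body text such as "see you at noon" to "see you at n...", so check archive output for that side effect after applying it.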

