[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Colin Palmer colinp at waikato.ac.nz
Thu Nov 27 17:26:46 EST 2003


On Fri, 2003-11-28 at 06:08, Terri Oda wrote:
> So, is anyone working on this *within* pipermail?  I know there are great
> alternative archivers out there, but Mailman still winds up with a bad
> reputation if the default isn't very secure.  Maybe for 2.2 we could have a
> "completely obscure archived email addresses" option which changed them all
> to user at xxxxxx.  

On the copy of Mailman I run here, I just went through 
Mailman/Archiver/HyperArch.py and replaced all the occurrences of
re.sub('@', _(' at ') with re.sub(r'([\w\.-]+ at .)[\w\.-]+', r'\1...'
which achieves a similar effect with ARCHIVER_OBSCURES_EMAILADDRS turned
on.

(then you just need to add an ACL to the webserver to stop someone
downloading the listname.mbox file that has all the unmunged addresses
still in it)

-- 
Colin Palmer <colinp at waikato.ac.nz>
University of Waikato, ITS Division
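The two substitutions discussed in this thread, side by side, as an added example that is not part of the post or of Mailman's own HyperArch.py. It assumes the post's pattern was written with a literal '@' (the archive that displays the message has itself rewritten '@' as ' at '), and the sample archive text, the addresses in it and the `recoverable_addresses` check are constructed for illustration.

```python
import re

# Constructed sample of archive text (not a real Mailman archive); the
# addresses are fictitious.
SAMPLE = (
    "From: Alice Example <alice.smith@example.org>\n"
    "Please reply to bob_jones@mail.example.com, not the list.\n"
)

# Matches a complete address; used only to check what survives obscuring.
FULL_ADDRESS_RE = re.compile(r'[\w.-]+@[\w.-]+\.\w+')

# Group 1 keeps the local part, the '@' and the first character of the
# domain; the rest of the domain is dropped.  Assumed '@' form of the
# pattern quoted in the post.
TRUNCATE_DOMAIN_RE = re.compile(r'([\w.-]+@.)[\w.-]+')


def obscure_at(text):
    """Stock ARCHIVER_OBSCURES_EMAILADDRS behaviour: only '@' is rewritten."""
    return re.sub('@', ' at ', text)


def obscure_domain(text):
    """The post's stronger substitution: user@example.org -> user@e..."""
    return TRUNCATE_DOMAIN_RE.sub(r'\1...', text)


def obscure_fully(text):
    """Both steps combined: user@example.org -> 'user at e...'."""
    return obscure_at(obscure_domain(text))


def recoverable_addresses(text):
    """Complete addresses still present once the ' at ' rewrite is undone.

    This is the check that shows why ' at ' alone is weak: the whole
    address is still in the page, only its '@' has been renamed.
    """
    return FULL_ADDRESS_RE.findall(text.replace(' at ', '@'))


if __name__ == '__main__':
    for name, fn in (('stock', obscure_at),
                     ('domain truncated', obscure_domain),
                     ('both', obscure_fully)):
        out = fn(SAMPLE)
        print(name, '->', recoverable_addresses(out))
        print(out)
```

With the stock rewrite every address in `SAMPLE` comes back intact; with the domain truncated none does, since `alice.smith at e...` no longer contains a complete domain. As the post notes, this only changes the rendered HTML: the listname.mbox file still holds the original addresses and needs its own webserver ACL.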
