[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Richard Barrett r.barrett at openinfo.co.uk
Fri Nov 28 11:32:09 EST 2003

Prompted by this thread and taking on board some of the ideas expressed  
in the discussion I have posted the following patch for MM 2.1.3 on  

[ 850805 ] Aggressive anti email address harvesting measure


Basics of the patch are:

For those with deep concerns about email address harvesting this patch  
offers a more aggressive masking of email addresses in Mailman mail  
archive files.

The patch modifes two files in the standard Mailman distribution:  
Mailman/Defaults.py and Mailman/Cgi/private.py and can be applied using  
the following command from within the Mailman build directory:

     path -p1 < path-to-patch-file

It would be fairly trivial to make enabling this feature per-list  
configurable rather than it being a site admin decision and I will  
enhance this patch for that purpose if people show an interest in it  
being done.

The following notes about the patch can be found in Defaults.py. Rather  
idiosyncratically most of the operational elements of this patch are in  
that file. My reasoning behind this decision is that if people want to  
fool with the regexes that are at the heart of this patch they can see  
what will be affected by the changes more readily if the related bits  
are in the same place.

# Anti-spam email address harvesting prevention measures.
# These measures are to limit the ability of spam generators to acquire
# email address from archived material in Mailman's list archives.
# Implementation is via a dynamic search and replace for email
# addresses, appearing in files of MIME type text/html or text/plain, as
# those files are requested. The underlying archive file content as
# generated by the archiving software remains unchanged.
# The implementation requires that archive files are all delivered by a
# modified private.py CGI script which only requires user authentication
# if the list whose archive material is being requested is set up as a  
# list. In order to get public archives served by private.py a  
# like this:
#     RewriteRule ^/pipermail/(.*) /mailman/private/$1 [PT]
# needs to be used in the Apache httpd.conf to transparently redirect
# public archive file requests.
# When email addresses are found, the domain part of the addressed is  
# with a string of 'x' characters. If the local part of the address  
appears to
# have been VERP'ed then the VERP information is similarly obscured.  
This is
# a fairly brutal set of irreversible modifications to any email  
addresses in
# the returned text and will break any mailto: links in the text.
# Th eamil address regex looks for either an '@' character or its HTML  
# version '%40' as the local-part/domain separator. You should set
# ARCHIVER_OBSCURES_EMAILADDRS = 0 and run bin/arch to rebuild existing  
# to prevent that feature interfering with the operation of these  
# prevention measures.
# If you decide to change the regexes then copy all of this stuff into
# mm_cfg.py and make the changes there.

Any thoughts or comments, let me know.

Richard Barrett                               http://www.openinfo.co.uk

More information about the Mailman-Developers mailing list