[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Colin Palmer colinp at waikato.ac.nz
Sun Nov 30 15:45:51 EST 2003

On Fri, 2003-11-28 at 17:05, Barry Warsaw wrote:
> On Fri, 2003-11-28 at 06:26, Colin Palmer wrote:
> > (then you just need to add an ACL to the webserver to stop someone
> > downloading the listname.mbox file that has all the unmunged addresses
> > still in it)
> I'd consider turning this off for 2.1.4 if people agree.  Perhaps making
> it available only through a site config var.  I'm not sure how easy that
> is, but it seems important enough to close off access to the mbox file.

Maybe just have ARCHIVE_TO_MBOX default to 0?

I deliberately want Mailman to keep creating mbox archives in case I
want to regenerate the list archives completely using a newer version of
HyperArch, or switch to something else entirely; I just don't want to
offer them for download. Having them created outside of /pipermail/
if they are turned on would be nice, but it's not an urgent thing since it's
easy enough to block access at the webserver.

Colin Palmer <colinp at waikato.ac.nz>
University of Waikato, ITS Division
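The webserver ACL mentioned in the thread, as an added example that is not part of the original message or of Mailman itself. It assumes Apache httpd 2.4 and that the public archives are served from `/var/lib/mailman/archives/public` under the `/pipermail/` URL (both paths are assumptions; adjust them to the local install). It denies every request for a file whose name ends in `.mbox` while leaving the HTML archive pages untouched, so the raw, unmunged addresses in the mbox file are never served even if ARCHIVE_TO_MBOX stays enabled:

```apache
# Assumed paths: adjust to match the local Mailman and Apache layout.
Alias /pipermail/ /var/lib/mailman/archives/public/

<Directory "/var/lib/mailman/archives/public">
    Options +FollowSymLinks
    AllowOverride None
    Require all granted

    # Block direct download of the raw mbox files (e.g. listname.mbox).
    # The HTML pages generated by HyperArch are still served normally.
    <FilesMatch "\.mbox$">
        Require all denied
    </FilesMatch>
</Directory>

# Equivalent rule for Apache 2.2 (older syntax; use one or the other):
# <FilesMatch "\.mbox$">
#     Order deny,allow
#     Deny from all
# </FilesMatch>
```

After reloading Apache, a request such as `curl -I http://lists.example.org/pipermail/listname.mbox/listname.mbox` should return 403 while the HTML index under the same list directory still returns 200; checking both confirms the rule is scoped to the mbox files only.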

