[Mailman-Developers] Hole in subscription confirmation?
les at 2pi.org
Mon Dec 6 10:03:08 CET 2004
We're running 2.1.4 in production. Last week, a couple of our
lists got subscribed to a mail-archiver service, apparently by a
subscriber to those lists. The mail archiving service doesn't do
any subscription confirmations, and the subscriptions to it were
confirmed via the web interface.
I don't quite see how this could happen. The mail archiver and the
place where the confirmations came from are a continent and an
ocean apart, so collusion is unlikely. Any ideas? Is there a way
for someone submitting a subscription request to get a copy of the
confirmation email from mailman? If so, there could be a hole
for maliciously-generated subscriptions.