[Mailman-Developers] Hole in subscription confirmation?

Les Niles les at 2pi.org
Mon Dec 6 10:03:08 CET 2004

We're running 2.1.4 in production.  Last week, a couple of our
lists got subscribed to a mail-archiver service, apparently by a
subscriber to those lists.  The mail archiving service doesn't do
any subscription confirmations, and the subscriptions to it were
confirmed via the web interface.

I don't quite see how this could happen.  The mail archiver and the
place where the confirmations came from are a continent and an
ocean apart, so collusion is unlikely.  Any ideas?  Is there a way
for someone submitting a subscription request to get a copy of the
confirmation email from mailman?  If so, there could be a hole to
for maliciously-generated subscriptions.


More information about the Mailman-Developers mailing list