[Mailman-Developers] Hole in subscription
brad at stop.mail-abuse.org
Mon Dec 6 11:58:26 CET 2004
At 1:03 AM -0800 2004-12-06, Les Niles wrote:
> I don't quite see how this could happen. The mail archiver and the
> place where the confirmations came from are a continent and an
> ocean apart, so collusion is unlikely.
Actually, collusion is highly likely.
> Any ideas?
There are many easy ways to do this. One would be for the person
who is doing the confirmations to be sent all "unusual" e-mails by
the mail archiving service. When a subscription confirmation comes
in, the mail archiving service doesn't recognize it and forwards it
on to them, they confirm the subscription via the web, and then
finish the configuration of the mail archiving service so that it
recognizes future postings as "normal".
There are many other ways to skin this cat.
> Is there a way
> for someone submitting a subscription request to get a copy of the
> confirmation email from mailman?
If they control the remote end, that would be very easy. They
just set up an alias which points to the real address plus their own.
> If so, there could be a hole
> for maliciously-generated subscriptions.
I'm sure there are all sorts of creative ways to abuse this
process. We've trapped the most straightforward methods to abusively
subscribe someone else to something, but I'm sure that there are
others that we have missed -- there always are.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
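The two abuse paths Brad describes above (the archiving service forwarding "unusual" mail to whoever does the confirmations, and an alias at the remote end that expands to the real address plus the attacker's) both work for the same reason: a confirmation cookie proves only that its presenter received the mail, not that the address's owner wants the subscription. The following is an added simulation of that exchange, not code from the thread or from Mailman itself; the list server, the remote mail system, the alias expansion and the `[list]` subject prefix used to tell postings from other mail are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class ListServer:
    """Double opt-in reduced to its essentials (assumed model, not Mailman's
    code): a random cookie is mailed to the requested address, and whoever
    later presents that cookie completes the subscription."""
    pending: dict = field(default_factory=dict)   # cookie -> address
    members: set = field(default_factory=set)

    def request_subscription(self, address: str) -> Mail:
        cookie = secrets.token_hex(16)
        self.pending[cookie] = address
        return Mail("list-request@example.org", address, "confirm " + cookie,
                    "Reply to this message or visit the web page to confirm.")

    def confirm(self, cookie: str) -> bool:
        # The server only checks that the cookie is outstanding; it has no way
        # to tell whether the presenter is the address's owner.
        address = self.pending.pop(cookie, None)
        if address is None:
            return False
        self.members.add(address)
        return True


class RemoteMailSystem:
    """The subscriber side's MTA plus archiving service (constructed).

    aliases:   address -> delivery targets, expanded recursively like /etc/aliases
    archivers: archive mailbox -> address that receives any mail the archiver
               does not recognise as a normal list posting
    """
    def __init__(self, aliases, archivers=None, posting_prefix="[list]"):
        self.aliases = aliases
        self.archivers = archivers or {}
        self.posting_prefix = posting_prefix
        self.mailboxes = {}  # final mailbox -> [Mail]

    def _expand(self, address, seen=None):
        seen = set() if seen is None else seen
        if address in seen:           # guard against alias loops
            return []
        seen.add(address)
        targets = self.aliases.get(address)
        if not targets:
            return [address]
        out = []
        for target in targets:
            out.extend(self._expand(target, seen))
        return out

    def deliver(self, mail: Mail) -> list:
        """Deliver one message, returning the mailboxes that received it."""
        delivered = []
        for mailbox in self._expand(mail.recipient):
            forward = self.archivers.get(mailbox)
            if forward and not mail.subject.startswith(self.posting_prefix):
                mailbox = forward      # "unusual" mail goes to a human
            self.mailboxes.setdefault(mailbox, []).append(mail)
            delivered.append(mailbox)
        return delivered


def cookies_seen_by(mailsys: RemoteMailSystem, mailbox: str) -> list:
    """Confirmation cookies that landed in `mailbox`, taken from the subject."""
    return [m.subject.split(" ", 1)[1] for m in mailsys.mailboxes.get(mailbox, [])
            if m.subject.startswith("confirm ")]


def run_attack(mailsys: RemoteMailSystem, victim: str, attacker_mailbox: str):
    """Submit a subscription request for `victim` and try to confirm it using
    only what lands in `attacker_mailbox`. Returns (confirmed, server)."""
    server = ListServer()
    mailsys.deliver(server.request_subscription(victim))
    for cookie in cookies_seen_by(mailsys, attacker_mailbox):
        if server.confirm(cookie):
            return True, server
    return False, server


if __name__ == "__main__":
    victim = "archive@example.net"
    # 1. Plain delivery: the cookie reaches only the archive's own store.
    honest = RemoteMailSystem({victim: ["archive-store@example.net"]})
    print("honest:", run_attack(honest, victim, "mallory@example.com")[0])
    # 2. Alias fan-out: the remote end adds its own address to the alias.
    fanout = RemoteMailSystem({victim: ["archive-store@example.net",
                                        "mallory@example.com"]})
    print("alias fan-out:", run_attack(fanout, victim, "mallory@example.com")[0])
    # 3. The archiver forwards anything "unusual" to the person doing confirmations.
    forwarding = RemoteMailSystem({}, archivers={victim: "operator@example.com"})
    print("unusual-mail forwarding:",
          run_attack(forwarding, victim, "operator@example.com")[0])
```

Only the first scenario fails for the attacker; in the other two the cookie is delivered, by the victim side's own routing, to a party who is happy to confirm it, and the list server sees a perfectly valid confirmation. Nothing the list server can do with the cookie itself changes that, which is why such abuse has to be trapped elsewhere.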