[Mailman-Developers] Hole in subscription confirmation?

[Brad Knowles]

At 1:03 AM -0800 2004-12-06, Les Niles wrote:

>  I don't quite see how this could happen.  The mail archiver and the
>  place where the confirmations came from are a continent and an
>  ocean apart, so collusion is unlikely.

	Actually, collusion is highly likely.

>                                          Any ideas?

	There are many easy ways to do this.  One would be for the person 
who is doing the confirmations to be sent all "unusual" e-mails by 
the mail archiving service.  When a subscription confirmation comes 
in, the mail archiving service doesn't recognize it and forwards it 
on to them, they confirm the subscription via the web, and then 
finish the configuration of the mail archiving service so that it 
recognizes future postings as "normal".

	There are many other ways to skin this cat.

>                                                      Is there a way
>  for someone submitting a subscription request to get a copy of the
>  confirmation email from mailman?

	If they control the remote end, that would be very easy.  They 
just set up an alias which points to the real address plus their own.

>                                    If so, there could be a hole to
>  for maliciously-generated subscriptions.

	I'm sure there are all sorts of creative ways to abuse this 
process.  We've trapped the most straightforward methods to abusively 
subscribe someone else to something, but I'm sure that there are 
others that we have missed -- there always are.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.