[Mailman-Developers] mailman email harvester

Dan Wilder wilder at eskimo.com
Thu Feb 10 19:32:43 CET 2005


On Thu, Feb 10, 2005 at 11:40:29AM -0500, Tobias Eigen wrote:
> Hi all,
> 
> Is there a way to change the setting to restrict access to the roster  
> for all lists, globally? If there isn't one, would one of you be  
> willing to write one quickly? The only other option I see is to remove  
> the ~mailman/cgi-bin/roster script which would be a pity.
> 
> Given the risk, now made worse by Bernhard's very helpfully  
> distributing this script for spammers, this is a really urgent issue.

Not that hard to write such a script.  I expect the spammers already
have several alternatives to choose from.  So, it's quite likely
no harm has been done, and some good, arising from Bernhard's
raising the issue in public.

I'd go further and mention that while Bernhard's script harvests
membership rosters, it isn't that much more difficult to write a
script that gets around the obfuscation of email addresses in the
list archives.  A list I used to manage until a few weeks ago 
(Hey, anybody got a lead on a Seattle-area opportunity for a rabid Python 
developer? Who also does C, SQL, HTML, CSS and various assemblers?) 
apparently had its archives harvested recently by some bank phishing folk.
Emails were obscured in the archives using the "user at wherever.domain" 
option, and the archives had been regenerated quite some time ago
back to their beginning, with that option in force.  The roster has never 
been open to anybody but the list admin, so I don't believe it was the roster.
Hence, likely it was the archives that were harvested.

There are a pretty fair number of good reasons for keeping list archives
open.  My opinion is a person posting to a list assumes the risk of
having his or her email address harvested, and that one unwilling to assume
this risk should refrain from posting.  However I understand if others
do not subscribe to that belief, and that there may be circumstances where
there are reasonable grounds for wanting to manage a list by some other 
policy.

My suggestion is that an option be considered to redact all email 
addresses whatsoever from a list archive.  Including anything mentioned 
in-line in the text of the post that even vaguely looks like an email 
address.  

No doubt somebody on this list manages a list where users are quite
sensitive to public exposure, who might care to advocate for such an option, 
and even code it, should the idea meet with sufficient approval.

-- 
Dan Wilder <wilder at eskimo.com>


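The "redact everything that even vaguely looks like an address" option proposed above, sketched as an added example (not Mailman's code and not part of this thread): a filter that strips both plain addresses and the "user at wherever.domain" form the archiver emits, run over a constructed archive message. The regular expressions, placeholder text and sample message are my own assumptions.

```python
import re

# Plain form: local@domain.tld
PLAIN_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Obfuscated form as written by the archiver ("user at wherever.domain"),
# plus the "(at)" / "[at]" spellings people type by hand.  Deliberately
# broad: the proposal is to err on the side of over-redacting.
OBFUSCATED_RE = re.compile(
    r"\b[A-Za-z0-9._%+-]+\s+(?:\(?at\)?|\[at\])\s+[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b",
    re.IGNORECASE,
)


def redact_addresses(text, placeholder="[address redacted]"):
    """Return (redacted_text, number_of_addresses_removed).

    Plain addresses are removed first so that the obfuscated pattern never
    sees a partially rewritten token; the two counts are summed.
    """
    text, n_plain = PLAIN_RE.subn(placeholder, text)
    text, n_obfuscated = OBFUSCATED_RE.subn(placeholder, text)
    return text, n_plain + n_obfuscated


# Constructed sample of an archived message (not a real post).
SAMPLE_ARCHIVE_MESSAGE = """\
From: Dan Wilder <wilder at eskimo.com>
Subject: [Mailman-Developers] mailman email harvester

Reply to alice.smith at example.org or bob+lists@example.net.
Someone wrote "contact me AT example.com" in the body too.
Meet at noon, the Python dev meets at 5."""


if __name__ == "__main__":
    redacted, count = redact_addresses(SAMPLE_ARCHIVE_MESSAGE)
    print(f"{count} address(es) redacted")
    print(redacted)
```

Plain prose such as "Meet at noon" survives because the domain part must contain a dot followed by a top-level label; anything that fails that test is left alone.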