[Mailman-Users] mailman and privacy

Federico Grau donfede at casagrau.org
Tue Sep 11 07:48:38 CEST 2001

Hi folks,

We have an announcement mailing list (happens to be rather large, 16k) running
on debian potato / mailman 1.1.  We have sent out a couple mailings and so far
its worked ok, were still ironing out some kinks here and there.  

However, we are concerned with the privacy of the subscribers.  We initially
noticed that anyone could see 1) if a user was subscribed 2) if they happened
to be on vacation (or some other user option) simply by visiting the default
list page and entering the users email... it is not until the user tries to
make changes that their password is requested.

Potentially someone could try random addresses, or addresses of people they
were targeting, to see if they happened to be subscribed or not.

We temporarily "bypassed" that problem by removing the option for a user to
view/change their options from the web.  

However, now we realize that simply trying to subscribe to an email return
back that X user is already subscribed to the list!  Again, someone could
enter random or targeted addresses to see if people are subscribed or not.

I have yet to do a full round of research on my own, but as this issue is
getting hot under my seat I was wondering if people on the list had
constructive feedback?


More information about the Mailman-Users mailing list