[Mailman-Users] How hard is it to spoof an email?

Brad Knowles brad at stop.mail-abuse.org
Mon Jan 30 01:59:33 CET 2006

At 4:50 PM -0500 2006-01-29, Jp Possenti wrote:

>  So basically what you are saying is that Mailman is very insecure? (in
>  short)

	No, not Mailman.  At least, not Mailman per se.  No, *ALL* SMTP 
e-mail is inherently insecure -- unless you add stuff to it to make 
it secure.  HTTP is inherently insecure for the web, which is why you 
use SSL to encrypt the connection and make it safe to transmit 
sensitive information.

	For e-mail, if you care that much about security, you would need 
to encrypt every message you send to the list (e.g., using PGP), the 
list software would need to de-crypt it and then re-encrypt it for 
all of the list recipients.

	If you're not so worried about hiding your message from prying 
eyes but you still want to be certain as to who sent which message, 
then you would need to add a cryptographic signature to all your 
e-mail, and you would need to make sure that this signature survives 
all message transit points and doesn't get munged along the way (a 
common problem with mailing list managers).

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.

More information about the Mailman-Users mailing list