Chuq Von Rospach <[EMAIL PROTECTED]> writes:
> At 10:02 AM -0400 10/14/99, Tom Neff wrote:

>> The stock MJ confirm is only good for catching users with bad mail
>> setups, e.g. their configured From: address is wrong.  Spammers have
>> script driven "confirms" in regular use.  I can't say I'm surprised, as
>> I could hack one together in an hour if I needed it :)

> so change the hash values in majordomo.cf. Then they can script it, but
> it won't validate the AUTH line.

They can still script it for every list on your server.  All they need is
one return from a subscribe and knowledge of the hashing algorithm; I
think DJB has the mathematical details somewhere.  The Majordomo hash
function isn't cryptographically strong.

You could replace it with one that is, of course.

-- 
Russ Allbery ([EMAIL PROTECTED])         <URL:http://www.eyrie.org/~eagle/>
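
Added example, not part of the original message and not Majordomo code: a confirmation token built on HMAC-SHA256 with a server-side secret, so that seeing one returned token and knowing the algorithm does not let a sender compute tokens for other lists or addresses. The function names, key handling, expiry window and sample addresses are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a random per-server key, stored where list users cannot read it.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 7 * 24 * 3600  # seconds a confirmation stays valid (constructed value)


def _mac(key, list_name, address, expires):
    # Assumption: list names and addresses are compared case-insensitively.
    fields = [list_name.lower(), address.lower(), str(expires)]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(list_name, address, key=SERVER_KEY, now=None):
    """Return 'expiry.mac' bound to this list, this address and this key."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{expires}.{_mac(key, list_name, address, expires)}"


def check_token(token, list_name, address, key=SERVER_KEY, now=None):
    """Validate a token returned in a confirm message."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if (now if now is not None else time.time()) > expires:
        return False  # stale confirmation
    expected = _mac(key, list_name, address, expires)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    t = make_token("list-a", "user@example.org")  # constructed sample values
    print(check_token(t, "list-a", "user@example.org"))  # same list: accepted
    print(check_token(t, "list-b", "user@example.org"))  # other list: rejected
```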
