Feature Requests item #537022, was opened at 2002-03-30 00:59 You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=350103&aid=537022&group_id=103
Category: None Group: None >Status: Closed >Resolution: Fixed Priority: 5 Submitted By: Ben Bucksch (benb) Assigned to: Nobody/Anonymous (nobody) Summary: Requesting email not attached in confirmation message Initial Comment: When somebody requests to be signed up to a mailing list, there's a comformation message sent out to the email address being (in the process of being) subscribed. However, it seems like mailman doesn't include the IP address and timestamp of the user trying to sign up the email address. This information is critical in case somebody else tried to subscribe you without your consent (i.e. the whole point of the confirmation messages). In our case, somebody tries to sign up the public Mozilla mailing lists to other mailing lists. Since the lists are public, the confirmation messages are mostly useless. ---------------------------------------------------------------------- >Comment By: Barry Warsaw (bwarsaw) Date: 2002-05-03 01:18 Message: Logged In: YES user_id=12800 Actually, with the freshly rewritten command handler, you now get a copy of your original request. However, it doesn't come with the confirmation message, it comes with a results notification of your original request. ---------------------------------------------------------------------- Comment By: Barry Warsaw (bwarsaw) Date: 2002-04-03 19:00 Message: Logged In: YES user_id=12800 I'm moving this to the feature request tracker. It may or may not make it into MM2.1 ---------------------------------------------------------------------- Comment By: Ben Bucksch (benb) Date: 2002-04-02 01:04 Message: Logged In: YES user_id=1193 OK. You say "when using the web to make a subscription request". I just tried to subscribe to your mailman-announce list (which is run by Mailman 2.0.8) via *email*, and it just includes the From address. That's of course useless, as that can be forged trivially. IMO, including the full subscription message, esp. headers, would be needed. ---------------------------------------------------------------------- Comment By: Barry Warsaw (bwarsaw) Date: 2002-04-02 00:35 Message: Logged In: YES user_id=12800 Uh, yeah! Mailman 1.1 is really old. ---------------------------------------------------------------------- Comment By: Ben Bucksch (benb) Date: 2002-04-02 00:34 Message: Logged In: YES user_id=1193 I have a subscription message (caused by an attacker) here, sent from Mailman 1.1. I guess you fixed it in the meantime? ---------------------------------------------------------------------- Comment By: Barry Warsaw (bwarsaw) Date: 2002-04-01 16:06 Message: Logged In: YES user_id=12800 When using the web to make a subscription request, the confirmation message does indeed include the IP address of the browser client, as provided in the cgi environment. It's true that the timestampe isn't given, although I'm unsure how useful that would be given that the Date: on the confirmation message is probably pretty close. ---------------------------------------------------------------------- You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=350103&aid=537022&group_id=103 _______________________________________________ Mailman-Developers mailing list [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/mailman-developers
