At 1:03 AM -0800 2004-12-06, Les Niles wrote:
> I don't quite see how this could happen. The mail archiver and the place where the confirmations came from are a continent and an ocean apart, so collusion is unlikely.

Actually, collusion is highly likely.

> Any ideas?

There are many easy ways to do this. One would be for the person who is doing the confirmations to be sent all "unusual" e-mails by the mail archiving service. When a subscription confirmation comes in, the mail archiving service doesn't recognize it and forwards it on to them, they confirm the subscription via the web, and then finish the configuration of the mail archiving service so that it recognizes future postings as "normal".

There are many other ways to skin this cat.

> Is there a way for someone submitting a subscription request to get a copy of the confirmation email from mailman?

If they control the remote end, that would be very easy. They just set up an alias which points to the real address plus their own.

> If so, there could be a hole for maliciously-generated subscriptions.

I'm sure there are all sorts of creative ways to abuse this process. We've trapped the most straightforward methods to abusively subscribe someone else to something, but I'm sure that there are others that we have missed -- there always are.

-- Brad Knowles, <[EMAIL PROTECTED]>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
