The attack we're trying to defend against is a scripted one which grabs a
list of all the mailing lists, then harvests the administrator email and
then tries to spam each list using the administrator as a sender address.

If the archives are public then I guess you could write a reasonable
algorithm to try and guess an unmoderated address but I don't think it's as
easy to hit thousands of mailing lists using that approach.

Jon

On 17 May 2017 at 04:17, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:

> On Tue 2017-05-16 13:29:21 +0100, Jonathan Knight wrote:
>
> > I think the real name if it's available and the list owner address if not.
> > If you use the local part (e.g. j.knight) would still make it possible to
> > guess the @keele.ac.uk if the mailing lists are all hosted on
> > maillists.keele.ac.uk.
>
> surely it's easy for an attacker to guess moderation-free sender
> addresses by a quick scan of the list archives as well.  what attackers
> are we really trying to defend against here?
>
>     --dkg
>



-- 
Jonathan Knight
IT Services
Keele University
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers