On Wed 2017-05-17 09:20:21 +0100, Jonathan Knight wrote:

> The attack we're trying to defend against is a scripted one which grabs a
> list of all the mailing lists, then harvests the administrator email and
> then tries to spam each list using the administrator as a sender address.
>
> If the archives are public then I guess you could write a reasonable
> algorithm to try and guess an unmoderated address but I don't think it's as
> easy to hit thousands of mailing lists using that approach.
i'm not convinced that these two scripts are significantly different in difficulty, though i acknowledge that the former is marginally easier. it sounds to me like the real underlying concern is about allowing submissions to bypass moderation based on forgeable data like the From: header. fixing it in the display side seems likely to trigger a game of whack-a-mole.

--dkg
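As an added illustration of the point above, not code from this thread or from Mailman: a toy moderation gate that auto-accepts list-administrator posts on the From: header alone, beside a version that also requires a DKIM pass aligned with the From: domain, read from an Authentication-Results header that the list's own MTA is assumed to add. The admin address, the DKIM-alignment hardening and the sample messages are all assumptions for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed list-administrator address (assumption, not from the thread).
ADMIN = "listadmin@example.org"


def _sender(raw: str) -> str:
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()


def bypass_weak(raw: str) -> bool:
    """Forgeable check: auto-accept when From: equals the admin address."""
    return _sender(raw) == ADMIN


def _dkim_aligned(raw: str, domain: str) -> bool:
    """True if an Authentication-Results header reports dkim=pass for domain.

    Assumes the list's own MTA adds this header and strips any copy that
    arrived from outside; otherwise it is as forgeable as From: itself.
    """
    for ar in message_from_string(raw).get_all("Authentication-Results", []):
        # Constructed shape: "<authserv-id>; dkim=pass header.d=example.org; spf=..."
        for result in ar.split(";")[1:]:
            fields = dict(t.split("=", 1) for t in result.split() if "=" in t)
            if fields.get("dkim") == "pass" and fields.get("header.d", "").lower() == domain:
                return True
    return False


def bypass_hardened(raw: str) -> bool:
    """From: must match AND the From: domain must carry an aligned DKIM pass."""
    sender = _sender(raw)
    return sender == ADMIN and _dkim_aligned(raw, sender.rsplit("@", 1)[-1])


# Constructed sample messages: a forged admin From:, and a legitimate one
# whose DKIM result was recorded by our own MTA.
FORGED = "From: listadmin@example.org\nSubject: offer\n\nbuy now\n"
LEGIT = ("Authentication-Results: mx.example.org; dkim=pass header.d=example.org\n"
         "From: listadmin@example.org\nSubject: agenda\n\nhello\n")

if __name__ == "__main__":
    print("forged:", bypass_weak(FORGED), bypass_hardened(FORGED))  # True False
    print("legit: ", bypass_weak(LEGIT), bypass_hardened(LEGIT))    # True True
```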
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9