Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [Mailman-Developers] mailman email harvester
From: Bernhard Kuemel <bernhard () bksys at>
Date: Sat, 12 Feb 2005 02:48:56 +0100

Hash: SHA1

Thomas Hochstein wrote:
|> Given the risk, now made worse by Bernhard's very helpfully
|> distributing this script for spammers, this is a really urgent
|> issue.
| Since it is known for many *years* that spammers are harvesting
| addresses from ML-archives, and since anybody can see that
| replacing "at" with "@" is ... not a very hard task, I fail to
| see any urgency here (or any problem in the very simple script
| Berhard distributed).

There may be no urgency but something should be done. Obviously
there is a problem (as can also be seen by the emotions). Since the
only solution we found for now is not to publish the email
addresses, we should do that.

I pointed this out over a year ago and the number of vulnerable
lists only grew. Probably because being able to see who else is on
the list is a nice feature which we don't want to give up. We
repress  the problem: We think, spammers don't exploit it because
they find enough addresses elsewhere. But spammers are smart: They
play a lot of tricks to pass spam filters, they defeat graphical
turing tests to semiautomatically sign up email accounts which the
use for spamming, they make worms which act as mail relays.

They probably already harvest mailing list subscriber addresses and
if they don't do so by now, they sure will, sooner or later. But
they would be fools to tell us about it. We would lock our email
addresses away from them.

I am writing the exploit code not for the spammers. They may already
have one. I'm writing it to wake us up and treat this problem properly.

Brad Knowles wrote:
|> However, still many lists either have the member list openly
|> published, or available to the list members.
| True enough.  However, even if we changed the default in Mailman
| to be accessible only to the list administrator, it would take a
| very, very long time before 50% of all Mailman installations were
| secured in this manner.

I hope my exploit code will speed this up. I plan to release the
improved version, which harvests addresses restricted to subscribers
of about 100.000 mailing lists in several (3-6) months.

| That said, changing the default is probably the right thing to
| do.

Please include a note of the upcoming exploit. The current exploit
harvests about 600 lists where the addresses are published unrestricted.

| Moreover, it would be trivially easy for spammers to subscribe to
| the list and silently collect all address information that comes
| across.
| There's enough schemes out there for finding addresses that no
| one simple scheme is going to work, and the methods that we know
| will work are going to take a long time to become the default
| standard.

If hashcash (http://www.hashcash.org/) gets integrated in our mail
systems we no longer need to hide or obfuscate our email addresses.

Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]