Re: [fw-wiz] Sourceforge sending out passwords in the clear.

From: R. DuFresne (dufresne@sysinfo.com)
Date: 08/02/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: Paul Robertson <proberts@patriot.net>
Date: Fri Aug  2 14:23:01 2002

On Fri, 2 Aug 2002, Paul Robertson wrote:

        [SNIP]

>
> If you have my mailman password, you can unsubscribe me from the list
> (should be obvious when I stop receiving messages,) set me to digest, set
> me to nomail, and maybe a handful of other things[1].
>
> Granted, you could MITM my mailing list traffic and if I wasn't checking
> headers, you'd probably get me- but overall, that's not a huge risk (it
> sends list manager passwords too- a much higher risk, though that only
> happens at list creation and is easy to mitigate by not making the list live or
> populating it until after the password is changed.)
>

        [SNIP]

>
> You'd be surprised at the administrative stuff I deal with now, and this
> list holds a very high ratio of clueons.
>

Many mailman lists do this monthly send of the passwords and account info,
as well as some including charter info for the lists these days since so
many are moving over to mailman. The Firewalls list does so monthly;
FULL-Disclosure does also. So far I do not recall any of the security
focus lists doing so, and we read a number of those. But, for those lists
that do, we have not encountered any problems. I've seen instances of
users with full mail box notices or address no longer valid messages getting
dropped from the Firewalls list due to one of the list readers there
forging unsubscribes, so perhaps the password info is not always
necessary...

Thanks,

Ron DuFresne

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!

