mailman email harvester

From: Bernhard Kuemel (bernhard_at_bksys.at)
Date: 02/07/05

    Date: Mon, 07 Feb 2005 23:48:44 +0100
    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, mailman-developers@python.org

    Hi!

    Tons of email addresses from mailman mailing lists are vulnerable to
    being collected by spammers.

    They are "protected" by obfuscation (user@example.com -> user at
    example.com) and access to the subscriber list can be restricted to
    subscribers. The obfuscation is trivially reversed and harvester
    scripts can subscribe to gain access to restricted lists.

    I suggested a graphical Turing test that would bar scripts, but the
    mailman developers argued spammers might hire a couple of temps that
    would solve the test as it already happened for the creation of
    email accounts. The only solution would be not to have the desired
    information available. This is already an option by restricting
    access to the member list to the list administrator.

    However, still many lists either have the member list openly
    published, or available to the list members. To raise awareness to
    this issue I wrote a script that collects addresses from openly
    accessible lists. It stops after processing 1000 (the maximum
    allowed) search results from google and collects 76772 email
    addresses (61124 unique). It is attached as mmxp1.

    An improved version that collects addresses that are restricted to
    subscribers, processes more lists and is more parallelized is
    planned.

    Bye, Bernhard
    #!/usr/bin/perl -w

    #http://www.google.com/search?q=%22list+is+only+available+to+the+list+members%22+mailman/listinfo&start=600&num=100
    #2.1.4 "current archive" "private list which" mailman/listinfo site:org

    $n=0;
    $u=0;
    for ($i=0;1;$i+=10) {
            $#urls=-1;
            $google=`wget -qO - -U 'any browser' 'http://www.google.com/search?q=%22Click+here+for+the+list%22+mailman%2Flistinfo&start=$i'`;
    # print $google;
            @urls=($google=~m*<p class=g><a href=(http://\S+?)>*g);
    # print join("\n",@urls);
            if ($#urls==-1) {last;}
    # print "\naoeu $#urls\n";
            
            foreach $url (@urls) {
                    $u++;
                    $url=~s*/listinfo/*/roster/*;
                    print STDERR "$url...\n";
                    $roster=`lynx -connect_timeout=10 -dump $url`;
            # print $roster;
                    @mails=$roster=~/^ +\* \(?\[\d+\](.* at .*?)\)?$/mgo;
                    foreach $mail (@mails) {
                            $mail=~s/ at /@/;
                            print "$mail\n";
                            $n++;
                    }
            print STDERR "mails=".($#mails+1).", total=$n, url=$u, google=$i\n";
    # exit;
            } #foreach url

    } #while google
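The script above walks /mailman/roster/ pages with lynx, so a list admin who cannot yet restrict the roster can at least spot that pattern in the web server logs. The following detector is an added example written for this page, not code from the post or from Mailman: it assumes Apache combined log format, a constructed sample of log lines, and flags any client that fetched rosters of several distinct lists within a short window, reporting the user agents it used.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format log lines (not real traffic).
# 198.51.100.7 walks /mailman/roster/ for three lists with the Lynx user
# agent; 203.0.113.9 is ordinary browser traffic that views one roster.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Feb/2005:23:40:01 +0100] "GET /mailman/roster/listone HTTP/1.0" 200 5120 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
203.0.113.9 - - [07/Feb/2005:23:40:05 +0100] "GET /mailman/listinfo/listone HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.0"
198.51.100.7 - - [07/Feb/2005:23:40:09 +0100] "GET /mailman/roster/listtwo HTTP/1.0" 200 4870 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
198.51.100.7 - - [07/Feb/2005:23:40:14 +0100] "GET /mailman/roster/listthree HTTP/1.0" 200 6210 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
203.0.113.9 - - [07/Feb/2005:23:41:30 +0100] "GET /mailman/roster/listone HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ROSTER_RE = re.compile(r"^/mailman/roster/([^/?]+)")  # list name after /roster/

def find_roster_scrapers(log_text, min_lists=3, window_seconds=300):
    """Return {ip: {"lists": [...], "user_agents": [...]}} for clients that
    successfully fetched rosters of at least min_lists distinct lists
    within window_seconds. Rosters viewed once by a browser are ignored."""
    hits = defaultdict(list)  # ip -> [(timestamp, list name, user agent)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        r = ROSTER_RE.match(m.group("path"))
        if not r:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group("ip")].append((ts, r.group(1), m.group("ua")))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # slide a window from each hit
            in_window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            lists = sorted({name for _, name, _ in in_window})
            if len(lists) >= min_lists:
                flagged[ip] = {"lists": lists, "user_agents": sorted({ua for _, _, ua in in_window})}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in find_roster_scrapers(SAMPLE_LOG).items():
        print(ip, info)
```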

