
Re: list

  • To: (Xander Jansen)
  • From: Jan-Pieter Cornet < >
  • Date: Fri, 13 Feb 1998 15:54:52 +0100 (MET)
  • Cc:

Xander Jansen wrote:
> + >The only way to prevent most (but probably not all) forged subscriptions
> + >is the confirm mechanism but as James pointed out that too has problems
> + >but when choosing between two evils I would prefer a confirmation
> + >mechanism above the ease to subscribe local sublists. 
> + 
> +   Why is the cookie confirmation an .XOR. for subscribing a local sublist?
> It is not exactly an .XOR. but depending on the implementation of the
> software the acknowledgement of the subscription has to come from specific
> return-addresses and that can cause either some hacking or at least using a
> mail client that sends out the ACK as coming from the sublist address. But
> again, this depends on how the cookie-mechanism is implemented. I don't
> know how majordomo does it but I guess there will be some checking on
> addresses. If the only check is the returned cookie then I guess there is
> no problem at all and the confirmation mechanism has no repercussions for
> sublist-subscriptions.

As far as I could check, majordomo doesn't match the From_ address against
the From: address when checking the cookie confirmation. (And, AArgh!
the cookies as implemented in majordomo 1.94.3 look dangerously easy to
hack. Well, let's hope spammers aren't good at cryptography ):

#! ##### Jan-Pieter Cornet ##### johnpc@localhost ##### perl
($@,$\,$~)=$!=~/(.)(.).(.)/; $_="$,$/$:"; $@localhost $~="$~$_";($_)=
\$$=~/\((.)/;$|=++$_;$_++;$|++;$~="$~ $@localhost:";`$~$/$\$*$, $|>&$_`
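
An added example, not majordomo's code and not from anyone in this thread: a subscription-confirmation cookie that is bound to the list, the subscriber address and its issue time under a server secret, so the returned cookie is the only thing the list manager has to verify and the sender address of the ACK (From_ or From:, both forgeable) is never consulted. The secret, the three-day lifetime and the `list\0address\0timestamp` layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Per-server key; assumed to be generated once and stored out of reach of
# list subscribers. A cookie keyed this way cannot be recomputed from the
# subscriber address alone, unlike a plain hash of public data.
SECRET = secrets.token_bytes(32)
TTL = 3 * 24 * 3600  # assumed policy: confirmations expire after three days


def _mac(listname, address, ts, key):
    # Bind the cookie to list, address and issue time; NUL separators keep
    # "a\0bc" and "ab\0c" from colliding.
    msg = f"{listname}\0{address.lower()}\0{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def issue_cookie(listname, address, now=None, key=SECRET):
    """Cookie sent to the would-be subscriber in the confirmation request."""
    ts = int(now if now is not None else time.time())
    return f"{ts}-{_mac(listname, address, ts, key)}"


def check_cookie(cookie, listname, address, now=None, key=SECRET):
    """True only for an unexpired cookie issued for this (list, address).

    Deliberately takes no sender address: whoever mails the cookie back,
    only possession of the cookie itself counts, which is what makes the
    check safe for sublists that relay the ACK under their own address.
    """
    try:
        ts_str, mac = cookie.strip().split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if not (ts <= current <= ts + TTL):  # reject future-dated or stale cookies
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, _mac(listname, address, ts, key))
```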
