Re: [SLE] Identity usurpation in suse lists
On 2005-06-03 at 13:02 -0400, Cristian Rodriguez wrote:
We need a list with login/password. Or a news forum, as Novell implements in parallel to lists (support-forums.novell.com), but with authentication procedure. Whatever.
A mail-list with login-password (mailman mess style) doesn't protect you from ANYTHING. IMHO the user-pass stuff for a mail list is really, really bad idea.
Hum? :-o
this guy has some points about the issue:
Ah. I see the point. But I don't refer to a login/password at the configuration web page, but for every single post sent... like smtp auth. What we need is something impeding "Joe Bad Person" from posting as "Carlos R", and then having "Joe Innocent Bystander" thinking that "Carlos R" is insulting him.

And... the link above refers to mailman's configuration http page being a pain. I don't know, but one of the auxiliary lists we had to create while shunning the official SuSE list in haste is using mailman precisely. I find it has nice features.

On the other hand, the method used by "ezmlm" of confirmation emails can be broken as well, I think. Consider this scenario:

- "A" posts an email posing as "B" to the list. "A" can be a virus.
- The list (C) sends a confirmation email to "B".
- It happens that "B" is the help desk entry point of some business, and it has an autoresponder, which duly autoresponds to the list server (C) saying that their query will be answered as promptly as possible.
- The list server (C) thinks that "B" has confirmed his subscription, and starts sending list email to "him".
- Finally, we listers start getting "bounces" from "B" every time we email the list, saying that "our" query will be answered promptly.

I believe this has already happened here, because I have received such bounces. But I can not confirm it.

On the other hand... the initial login page to google groups, for instance, requires the user to copy a text shown in a distorted image. There must be something in that idea.

-- 
Cheers,
Carlos Robinson
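The autoresponder scenario in the message above, as an added example that is not part of the original post and is not ezmlm's or mailman's code: a confirmation handler that requires a valid per-request token and also refuses replies that mark themselves as automatic (the `Auto-Submitted` header of RFC 3834, `Precedence` values). The secret, the `confirm <token>` subject format, the function names and the addresses are assumptions, and the sample messages are constructed.

```python
import hashlib
import hmac
import re
from email import message_from_string

SECRET = b"constructed-demo-secret"  # assumption: per-list server secret

def make_token(address: str, action: str) -> str:
    """Cookie placed in the confirmation request mailed to `address`."""
    data = f"{action}:{address.lower()}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:20]

def is_auto_reply(msg) -> bool:
    """True for messages that identify themselves as machine-generated."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":  # RFC 3834 values: auto-replied, auto-generated
        return True
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in {"bulk", "junk", "auto_reply"}:
        return True
    # Vendor headers commonly set by vacation and help-desk responders
    return any(h in msg for h in ("X-Autoreply", "X-Autorespond"))

def accept_confirmation(raw: str, address: str, action: str) -> bool:
    """Confirm only on a valid token in a reply not flagged as automatic."""
    msg = message_from_string(raw)
    if is_auto_reply(msg):
        return False
    # Hypothetical format: the reply's Subject carries "confirm <token>"
    found = re.search(r"\bconfirm\s+([0-9a-f]{20})\b", msg.get("Subject") or "")
    if not found:
        return False
    return hmac.compare_digest(found.group(1), make_token(address, action))

# Constructed sample replies for "B", the help-desk address in the scenario
B = "helpdesk@example.com"
TOKEN = make_token(B, "subscribe")
HUMAN_REPLY = f"From: {B}\nSubject: Re: confirm {TOKEN}\n\nyes\n"
AUTO_REPLY = (f"From: {B}\nSubject: Re: confirm {TOKEN}\n"
              "Auto-Submitted: auto-replied\n\n"
              "Your query will be answered as promptly as possible.\n")
FORGED_REPLY = f"From: {B}\nSubject: Re: confirm {'0' * 20}\n\nyes\n"

if __name__ == "__main__":
    for name in ("HUMAN_REPLY", "AUTO_REPLY", "FORGED_REPLY"):
        print(name, accept_confirmation(globals()[name], B, "subscribe"))
```

The token alone does not stop the autoresponder, because a reply that keeps the subject carries the token back; the header check is what rejects it. An autoresponder that sets none of these headers still passes, so this narrows the scenario rather than closing it.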
The Friday 2005-06-03 at 20:52 +0200, I wrote:
On 2005-06-03 at 13:02 -0400, Cristian Rodriguez wrote:
A mail-list with login-password (mailman mess style) doesn't protect you from ANYTHING. IMHO the user-pass stuff for a mail list is really, really bad idea.
Hum? :-o
this guy has some points about the issue:
That article is old and rebutted in the mailman FAQ: .../packages/mailman/www/jwzrebuttal.ht

Nevertheless, it doesn't address the problem that we have in suse-linux-s :-(

-- 
Cheers,
Carlos Robinson
participants (1): Carlos E. R.