Great Circle Associates List-Managers
(April 1997)

Subject: Re: I think-this is.BIG secucrity HOLE
From: Brent Chapman <Brent @ GreatCircle . COM>
Date: Wed, 23 Apr 1997 18:21:53 -0800
To: Dmitry Gorobets <dmitro @ domino . dp . ua>
Cc: list-managers @ greatcircle . com, Tom Limoncelli <tal @ dnrc . bell-labs . com>, bonnie @ staff . prodigy . com (Bonnie Scott)
In-reply-to: <199704232107 . RAA07376 @ couch . dnrc . bell-labs . com>
References: <199704231959 . PAA76848 @ mail1w-int . prodigy . net> from "Bonnie Scott" at Apr 23, 97 03:59:28 pm

At 5:07 PM -0400 4/23/97, Tom Limoncelli wrote:
>Yes, if you want to override the moderator on a moderated mailing list
>don't email to LIST @ SITE, but mail to LIST-outgoing @ SITE
>
>To defeat this, the admin should replace "LIST-outgoing" with
>"LIST-secretword" and make sure that people can't find out what
>"secretword" is.  For example:
>
>	1.  Configure Sendmail to not display it in the Received: headers.
>	2.  Make sure your /etc/aliases file can't be accessed by
>		untrustworthy users. (this may mean running your
>		mailing lists on a machine that only lets you in)
>	3.  Disable EXPN and VRFY (this should be done anyway).
>
>--tal

Good summary.  Two more points:

1) This is a Majordomo-specific issue; therefore, it doesn't belong on the
List-Managers mailing list (which is for list management issues that are
NOT specific to a particular piece of software).  It should have been posted
to the Majordomo-Users mailing list instead.

2) This very issue is discussed in the Majordomo Frequently Asked Questions
file (<http://www.greatcircle.com/majordomo/FAQ>, question 3.6).


-Brent

--
Brent Chapman			Internet/intranet training and consulting,
Brent @ GreatCircle . COM		specializing in network design and security.
Great Circle Associates, Inc.	Visit us at http://www.greatcircle.com/
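As an added example that is not part of this thread and not Majordomo's or sendmail's own code, here is a small POSIX sh script that turns Tom's three points into something you can generate and check on the list host. It renders Majordomo alias entries whose outgoing alias carries a random secret suffix instead of the guessable LIST-outgoing, and it audits a sendmail.cf and an aliases file for (1) a Received: header definition that still expands $u (assumption: the default "for $u" clause writes the recipient alias, i.e. the secret name, into every delivered message), (2) an aliases file readable by "other", and (3) a PrivacyOptions line that lacks noexpn and novrfy (goaway implies both). The wrapper and lists-directory paths are assumed defaults, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the thread above, nor from Majordomo/sendmail):
# generate a secret Majordomo outgoing alias and audit sendmail.cf/aliases
# for the three points Tom lists. Install paths below are assumptions.

MAJORDOMO_WRAPPER=${MAJORDOMO_WRAPPER:-/usr/local/majordomo/wrapper}  # assumed path
LISTS_DIR=${LISTS_DIR:-/usr/local/majordomo/lists}                     # assumed path

# 16 hex chars from the kernel RNG, so the outgoing alias cannot be guessed.
gen_secret() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the two alias entries for list $1 whose outgoing alias is named $2,
# e.g. render_aliases mylist "mylist-$(gen_secret)" instead of mylist-outgoing.
render_aliases() {
    printf '%s:\t"|%s resend -l %s %s"\n' "$1" "$MAJORDOMO_WRAPPER" "$1" "$2"
    printf '%s:\t:include:%s/%s\n' "$2" "$LISTS_DIR" "$1"
}

# 0 if aliases file $1 is not readable by "other" (it contains the secret name).
# Uses the "other" rwx field of ls -l, which is portable across ls variants.
aliases_private() {
    case $(ls -l "$1" | cut -c8-10) in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if sendmail.cf $1 turns off EXPN and VRFY: each of noexpn and novrfy must
# appear in the PrivacyOptions list, or goaway must (it implies every flag).
privacy_ok() {
    opts=$(sed -n 's/^O PrivacyOptions=//p' "$1" | tr -d ' ' | tr ',' '\n')
    for need in noexpn novrfy; do
        echo "$opts" | grep -qx "$need" || echo "$opts" | grep -qx goaway || return 1
    done
}

# 0 if the HReceived: definition in sendmail.cf $1 (the header line plus its
# whitespace-continued lines) still expands $u. Assumption: the default
# "for $u" clause is what puts the recipient alias into Received: headers.
received_leaks_recipient() {
    awk '/^HReceived:/ {inh=1}
         !/^[[:space:]]/ && !/^HReceived:/ {inh=0}
         inh' "$1" | grep -qF '$u'
}

# Usage on the list host (assumed layout):  ./secret-alias.sh mylist >> /etc/aliases
# then run newaliases, chmod o-r /etc/aliases, and re-check sendmail.cf with
# privacy_ok and received_leaks_recipient.
if [ $# -eq 1 ]; then
    render_aliases "$1" "$1-$(gen_secret)"
fi
```

The secret only helps while it stays secret: after changing it, check that no old copy of the alias name survives in a world-readable file, and remember that every recipient's mail client may still show it if the Received: header keeps the "for" clause.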