[sf-lug] Yes, Mailman stores and sends the passwords in the clear
Rick Moen
rick at linuxmafia.com
Sun Jun 9 17:13:15 PDT 2019
Quoting Akkana Peck (akkana at shallowsky.com):
> I'll never make it as the Moriarty of mailing list spoofing. :-)
Don't feel bad about that; security requires twisty thinking, and you're
a lot better at this than most coders are.
My former landlord and friend who ran the then-famous The CoffeeNet
(Linux-based) Internet care at 744 Harrison nr. 3rd Street -- where we
both lived above the cafe -- used to invoke my help whenever he wrote
utilities in C, in order to find all possible ways to break them by
doing command-lines startups of the utilties one wasn't supposed to do.
He'd fix a coding bug, tell me to try again, I'd find a mischievous way
to make it fail, he'd snarl & grin at the same time, and he'd stomp off
to fix _that_ coding bug, too. Reiterate until even my twisty sysadmin
mind could find a way to break it.
As to spoofing, honestly, the real opportunities for spoofing don't lie
in mailing list managers like Mailman and Sympa, but rather in SMTP as a
standard. Sending forgeries of someone else's e-mail address is still a
thing (though SPF and DKIM/DMARC are reducing it a lot), and there is
also always the evergreen method: Send mail from a throwaway real
address but attach the forgery target's realname field to the forgery.
This often works because far, _far_ too many people never stop to notice
the unexpectly new sending address and stop to think 'Is this forged?"
That really can't be fixed, because that's less a problem with SMTP than
it is with the recipients themselves.
More information about the sf-lug
mailing list