kind of stupid question, probably
servicedevice
09-10-2002, 06:35 PM
i have been surfing the forum, giving myself a little bit of understanding about ezmlm, and there is one issue that had cropped up a few times in old posts--a security issue. while the posts are not very recent, i could not find any mention of a fix, so i wanted to know if it ever had been fixed. it simply regards the fact that a recipient of an announcement-only list could somehow (if i knew, i could try it myself and answer my own question, but i don't) send a message to everyone on the list himself, unless you changed the list-owner name shortly after sending your message out. i'm assuming what was being guarded against was slightly more complicated than someone hitting reply, which is all i knew to try.
long story short--do i need to perform the name-change maneuver each time, or is this old, solved news?
thanks,
andy
Hi Andy,
That particular problem still exists :( and ALL Announcement Only lists would be well advised to change the list owner address after sending each mailing for security reasons.
I change mine to really obscure addresses such as notme@nodomain.here.pdf and then right before sending a new list message change it to a valid email address and then immediately afterwards change it to something else again.
-Bob
- The only stupid...... is the one not..... and that's the Truth :P -
servicedevice
09-10-2002, 06:50 PM
oh...thanks, bob. i guess by stupid, i was referring to the fact that i didn't know how to attempt the breach myself. not that i'm asking! :)
Binky
09-10-2002, 07:03 PM
Is there any kind of solution in the works, or even possible? I've set up announcement mailing lists for clients and it's impractical to change the list-owner address every time there's a mailout. They don't have CNC access, for one thing. When they wanted to send a mailing they'd have to notify me, I'd change . . . etc etc, you get the picture.
Originally posted by Binky:
Is there any kind of solution in the works, or even possible?
The solution, at this point, appears to be ezMLM/IDX which FutureQuest has definitely looked at..thought about..considered...
However as with many major upgrades, which ezMLM/IDX would qualify as, there are many aspects, including but not limited to, CNC integration, possible compatibility issues with older ezMLM lists, offering both side by side... the list goes on.
This has been a desired upgrade that FutureQuest has been looking at, however as with everything in life today we must prioritize the functions in somewhat the following fashion:
Security oriented
Have more impact on Quality of Life More on this soon !
Fit in with the current flow of enhancements
Staff Allocation
IOW... this is something that FutureQuest is looking to move towards however it will have to wait its turn :QTlight:
Disclaimer: FutureQuest may determine that an enhanced mailing list solution other than ezMLM/IDX would be more appropriate at some future date and this post in no way guarantees that the ultimate solution will be ezMLM/IDX
-Bob
- Just gotta love the disclaimers :rasberry: -
servicedevice
09-12-2002, 07:12 PM
as long as you are sending messages from cnc, the list owner address does not even need to be a real address, does it? you could just leave it as is (if fake) forever, assuming you used cnc to send the messages. i tried this, it sent out messages, and i'm assuming this prevents someone else from sending messages. correct? (i realize not everyone wants to send out from cnc, but i personally don't mind.)
thanks again,
andy
Hi again Andy,
The general problem with that approach is that the CNC sent mailing list will show the Owner's email address as the From: address. Once that is known then anyone can simply change their From: email address to match and then send an email to the list:(
Changing the Owner's email address either before and after or at least after is still required to be safer.
Hope this helps clarify further,
Bob
servicedevice
09-12-2002, 07:32 PM
i hate to push the issue, but just to be sure, this is true even if the from: address is an impossible address? ("bob@bob.bob")
Hi again Andy,
Would this qualify:
Bob@some.Future.Quest.tld cause that is what I set the list owner to. I then set my email client to show that email address as the From: address and sent a message to the test list.
It was received in very short order :( I always invite everyone to test for themselves as you can set up as many mailing lists as you want so setting up special lists just for testing is a great idea.
-Bob
servicedevice
09-12-2002, 07:54 PM
thanks, bob (at bob.bob). believe it or not, i don't know how to change my from address in my email client, thus did not test it myself.
thanks again,
andy
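The check discussed in this thread authorizes a post on the From: header alone, so any message claiming the owner's address passes. The following is an added example, not code from ezmlm, ezmlm-idx or FutureQuest: it contrasts that check with a generic confirm-by-token hold queue, and the addresses, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

OWNER = "owner@lists.example"  # constructed owner address (assumption)

def from_header_gate(raw, owner=OWNER):
    """The check the thread describes: trust whatever From: claims."""
    claimed = parseaddr(message_from_string(raw)["From"])[1]
    return claimed.lower() == owner.lower()

class ConfirmedList:
    """Hold each post until a per-message token, mailed to the owner, comes back."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret known only to the list host
        self._held = {}                      # token -> raw message awaiting release

    def _token(self, raw):
        return hmac.new(self._key, raw.encode(), hashlib.sha256).hexdigest()

    def submit(self, raw):
        """Queue a post; the return value stands for the mail sent to OWNER's inbox."""
        if not from_header_gate(raw):
            return None
        token = self._token(raw)
        self._held[token] = raw
        return token

    def confirm(self, token):
        """Release a held post only if the presented token matches one we issued."""
        for issued in list(self._held):
            if hmac.compare_digest(issued, token):
                return self._held.pop(issued)
        return None

# Constructed sample messages: same From: header, different real senders.
GENUINE = "From: List Owner <owner@lists.example>\nSubject: News\n\nSeptember update\n"
FORGED = "From: owner@lists.example\nSubject: Hi\n\nNot from the owner\n"

def demo():
    lst = ConfirmedList()
    owner_token = lst.submit(GENUINE)    # arrives in the owner's mailbox
    lst.submit(FORGED)                   # its token also goes to the owner, not the sender
    released = lst.confirm(owner_token)  # owner confirms only their own post
    guessed = lst.confirm("0" * 64)      # a sender without mailbox access has no token
    return from_header_gate(FORGED), released == GENUINE, guessed is None, len(lst._held)
```

A confirmation scheme like this only works when the owner address is a real mailbox that the owner alone can read, which is the opposite of the fake-address workaround.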