Re: U-ZO: Re: [Exim] Malformed address on a list

Author: Marilyn Davis
Date:  
To: under-zo
CC: exim-users
Subject: Re: U-ZO: Re: [Exim] Malformed address on a list
Thanks for the great help fellows. Our greatest security is this
list, eh?

Philip said:

> > > Assuming your majordomo aliases are in /etc/aliases, then yes, but are
> > > they really there?
> > >
> >
> > Yes. Is that a bad thing?
>
> I don't suppose so, but lots of people keep the mailing lists separate
> from the other aliases, which is why I asked, just to be sure.
>


Good. Nothing else goes on here, just me and mail lists and vote
mechanisms. There are those few system-required aliases but not
worthy of imposing organization.

On Fri, 16 Jun 2000, Jeffrey Goldberg wrote:

> On Jun 16, 2000 Marilyn Davis <marilyn@???> wrote:
>
> > On Fri, 16 Jun 2000, Jeffrey Goldberg wrote:
>
> > > (1) Use the private alias file scheme to protect the out-going aliases.
> > >     That is far better than security through obscurity.  The mechanism is
> > >     described in a FAQ linked to from the exim FAQ regarding majordomo.
> > >     This is a wonderful thing you can do with exim.

> >
> > We don't hide the addresses of the list members. We don't hide
> > anything. We don't do anything illegal or promote anything illegal
> > and we believe in openness. If a public service isn't open, it's not
> > a "public" service. We are only concerned with denial-of-service
> > attacks, or attacks that cost me time to fix. Is this still necessary
> > for us? I'll read that FAQ again.
>
> Either you or I have misunderstood. Is your list a "members only" list
> for posting? If not, then someone could attack your list simply by
> flooding it. You did say that you were worried about attacks on it.


Yes, only members can post to the important one.

Some are absolutely open but I can turn off any floods with exim, or
my own filters.

Jeffrey said:

>
> If the list is a members only posting list, then that "security" feature
> can be evaded by someone mailing directly to the listname-outgoing alias
> if you have used the -outgoing as the suffix for that. (This issue is
> discussed in the majordomo FAQ as well.) The document referred to in
> the exim FAQ for setting up majordomo provides a nice solution to that
> problem.


Ah ha! I'll fix it.

>
> I am more than surprised that you don't conceal the addresses of your list
> members. General privacy concerns suggest that you should. Or have I
> misunderstood?


No. We aren't into privacy. We hold polls where we can see how each
voted, like a show of hands. That's how you do consensus development
and stimulate discussion and come to the best decisions.

Tabor said about not concealing addresses:

> If so then you're doing a major disservice to your list members. Majordomo


"disservice".... me??? ... Ouch. See that "under-zo@???"
address all this gets sent to? That's the administration list for
Zapatistas Online. I'll do anything they want with their lists. I am
not in control here.

> servers that allow unrestricted access to the "who" command are constantly
> abused by spammers to gather address lists. They're very attractive


Interesting. I just checked my majordomo log and I do see one series
of who's that is suspicious -- from Dec of some year. (It certainly
is a meager log!) S/he did 7 lists that had a max of 6 or 9 people
and must have gotten discouraged. S/he didn't get near the zo lists.
:^) Maybe I'll set the access to "list". We'll see what others
think.

I have a special address that I use only for web-surfing, which I
rarely do and only do if I *have* to, and it gets plenty of spam. I
hit the delete key, big deal. Spam is a fact of life, like exhaust
fumes.

If we consider concealing the addresses, it's to avoid attacks on the
individual members, which has happened to Zapatistas.

But we have a device available to protect addresses from spam and from
being forge-subscribed onto a hundred majordomo lists -- which is how
they ruined lots of addresses before. We're sort of stubborn about
not letting the spammers and attackers control our paradigm. These
are the "Zapatista Tools" and I'll release them some day soon, in case
anyone else can use them.

Just so that you understand, Zapatistas struggle for
autonomous-group-direct-democracy, the political paradigm of the
indigenous in Chiapas for unknown generations. Zapatistas Online is a
group that emulates that model online, as does eVote.

Jeffrey teased me with his mis-information:

> Best of luck (even though if I were a Mexican, I would be voting against
> those you support. So double check any security advice I give you).[1]
>
> Cheers,


There's no Zapatista on any ballot to vote against. We understand
plebiscitic politics to be demeaning, corporation-sponsored puppet
shows.

BTW, I don't know if it's worth logging all majordomo mail. Once I
tracked down a big-time attacker to a university in Nicaragua, I
probably spoke to him on the phone, he was probably
government-sponsored -- so what authority is going to help us? It's
much easier to build another Zapatista tool and just plug the hole
and forget about whodunit.

This list sure helps! Thank you.

Marilyn Davis, Ph.D.
eVote - online polling software for email lists
http://www.deliberate.com 
marilyn@???    
+1 650 965-7121  (USA)


Disclaimer: I only speak from my personal understanding of Zapatismo.
I am no spokesperson and I have no authority.
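
An added example, not part of the original message and not code from Majordomo or Exim: a defender-side audit of an aliases file for the situation Jeffrey describes, where the distribution alias behind a members-only list is itself an ordinary alias in the same file. The sample entries, list names, paths and function names are constructed, and the script assumes the conventional `wrapper resend ... <list>-outgoing` layout.

```python
import re

# Constructed sample in the layout of a typical Majordomo section of /etc/aliases
# (list names, host and paths are made up for this example).
SAMPLE_ALIASES = '''\
# system aliases
postmaster: root
announce: "|/usr/local/majordomo/wrapper resend -l announce announce-outgoing"
announce-outgoing: :include:/usr/local/majordomo/lists/announce
announce-request: "|/usr/local/majordomo/wrapper majordomo -l announce"
chat: "|/usr/local/majordomo/wrapper resend -l chat -h example.org
    chat-outgoing"
chat-outgoing: :include:/usr/local/majordomo/lists/chat
votes: "|/usr/local/majordomo/wrapper resend -l votes votes-dist-7f3a"
owner-votes: marilyn
'''

def parse_aliases(text):
    """Return {alias: expansion}, honouring comments and continuation lines."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:   # continuation of the previous entry
            entries[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition(":")
        if sep:
            current = name.strip().lower()
            entries[current] = value.strip()
    return entries

def audit_outgoing(text):
    """List (list, target, expansion) where a resend target is a plain alias
    in the same file that expands to a member file via :include:."""
    entries = parse_aliases(text)
    findings = []
    for name, value in entries.items():
        m = re.search(r"\bresend\b(.*)", value)
        # The last word of the resend command line is the distribution alias.
        words = m.group(1).replace('"', " ").split() if m else []
        if not words:
            continue
        target = words[-1].lower()
        expansion = entries.get(target, "")
        if ":include:" in expansion:
            findings.append((name, target, expansion))
    return findings
```

A list whose distribution alias is not defined in the audited file (for instance because it has been moved to a private alias file, as the thread suggests) is not flagged; `votes` in the sample is such a case.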