Great Circle Associates List-Managers
(January 2001)
 


Subject: Re: Using who/review to check server security
From: "24-7 Lists" <listaddict @ 247computing . com>
Date: Thu, 4 Jan 2001 00:40:45 -0500
To: "Richard Vandenberg" <list-admin @ vansys . com>, "list-managers @ GreatCircle . COM" <list-managers @ GreatCircle . COM>
References: <002401c075e2$cf14a7f0$0100a8c0 @ colossus . vansys . com>

"Richard Vandenberg" <list-admin @ vansys . com> wrote:
<snip>
> Here's the scoop: We shut off our 'who' command years ago, to ensure
> spammers didn't grab our lists. But that still hasn't helped us keep our own
> email addresses under control, because there are lots of servers that still
> leave 'who' enabled.
</snip>

It certainly is a concern, but on most lists anyone who posts is risking
having their email slurped whether or not a who-like command is available to
the public and/or list members.  There are programs readily available which
make it trivial to slurp email addresses from web-based mailing list
archives and mailboxes.  Even if the list manager obfuscates email addresses
in its web-based archive, there's nothing stopping any list subscriber from
generating a public web-based archive that doesn't obfuscate the email
addresses.  But since you didn't bring up these issues I won't go into more
detail.

> So we instituted a little policy that prior to subscribing to a list, we'd
> have a little probe of the server to see if the 'who'/'review'/whatever
> command was disabled or not. If it's not disabled, we either choose not to
> subscribe, or we use a couple of shared-office addresses that we have some
> filters on.

That sounds reasonable to me.  I'm curious - have you contacted any of the
list admins who have a public who-like command and notified them that this
was the case and mentioned the downside of the configuration?  I think we
can all learn from any experiences you may have had.

> I don't see anything wrong with what we're doing, although I can see why it
> might raise some concerns. I think that any potential subscriber/customer is
> entitled to test a mailing list's security prior to subscribing.

I'm not surprised it might pique list admins' interest if they see someone
issuing who commands.  You stated that you "apparently" pi**ed off some
people by doing so.  Did they actually tell you so in so many words?  Were
these people who had who enabled or disabled?  IMO, if they don't want
people issuing that command they should disable it.  If it's disabled they
shouldn't care.  From time to time I check websites for a "stats", "wusage",
"webalizer", "nettracker", etc. directory to see if they have site usage
reports which I can learn something from when researching competitor, peer,
and related sites.  If someone makes a feature or service public, but
doesn't really want it public they should take greater lengths to make sure
it isn't.

BTW, I'm sending from an email address that I use as a centralized IMAP
account which everyone in my company has access to through email and an
internal web archive system.  I've had a number of list admins ask me for
info about myself and interest in their list b/c the email address
apparently gives some the perception that it's a robot.  But none of them
have ever been pi**ed off.  ;-)

--
Steve Werby
COO
24-7 Computer Services, LLC
Tel: 804.817.2470
http://www.247computing.com/



