I just sent the following message and was able to unsubscribe a
completely _different_ address (murphyl@pobox) than the address I sent
it from (murphy@justdoit.dccs) from the list named "fresh", which has
an open subscription policy (subscribe_policy = open).

    To: majordomo@lists
    Subject:
    Reply-to: murphyl@pobox.upenn.edu
    --text follows this line--
    unsubscribe fresh
    --lam

This means that "open" is only slightly better than "auto" as a
subscription policy, because using the "Reply-To" field, anyone can
pretend to be anyone else! Majordomo doesn't check Reply-To against
"From " or "From:" to be sure they are the same. I would've expected,
with the Open policy, that it would have forwarded the request to the
list owner for approval since Reply-To didn't match the real address
from whence the request came.
A notification of the unsubscription was sent to murphyl@pobox, so if
someone does take someone else off the list, they'll at least know
about it. But the Majordomo Log only says:

    Sep 15 12:16:17 scotty.dccs.upenn.edu majordomo[10027] {murphyl@pobox.upenn.edu} unsubscribe fresh murphyl@pobox.upenn.edu

It doesn't record the "From " or "From: " address in the Log.
I was also able to get the same "Reply-To" trick to work for adding a
different address than me as a new subscriber to a list.
--lam
____________________________________________
| |
| Linda A Murphy |
| murphy@dccs.upenn.edu |
| http://lam.dccs.upenn.edu/~murphy/ |
| Lead Programmer/Analyst |
| PennNet Services Development & Support |
| Data Communications & Computing Services |
| University of Pennsylvania |
|__________________________________________|
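
An added example, not part of the original message and not Majordomo's own code: one way a request handler could compare the Reply-To target against the "From " and "From:" addresses, route mismatches to owner approval, and keep the sender addresses in the log record. The function names, the sample message and its addresses are constructed for illustration, and stopping at a line that starts with "-" is this example's assumption.

```python
from email import message_from_string
from email.utils import parseaddr

MEMBERSHIP_CMDS = {"subscribe", "unsubscribe"}
# Constructed sample request: Reply-To names a different address than the sender.
SAMPLE = """\
From requester@a.example Thu Jan  1 00:00:00 1970
From: requester@a.example
To: majordomo@lists.example
Reply-To: someone.else@b.example

unsubscribe fresh
--sig
"""

def _addr(value):
    """Bare lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def review_request(raw):
    """Classify each membership command as 'auto' or 'needs-approval'."""
    msg = message_from_string(raw)          # assumes a single-part text message
    unixfrom = (msg.get_unixfrom() or "").split()
    senders = {_addr(msg["From"])}
    if len(unixfrom) > 1:
        senders.add(_addr(unixfrom[1]))     # envelope "From " line
    senders.discard("")
    reply_to = _addr(msg["Reply-To"])
    decisions = []
    for line in msg.get_payload().splitlines():
        words = line.split()
        if not words:
            continue
        if words[0].startswith("-") or words[0].lower() == "end":
            break                           # assumption: signature or "end" stops parsing
        cmd = words[0].lower()
        if cmd not in MEMBERSHIP_CMDS or len(words) < 2:
            continue
        # Target: explicit address if given, else Reply-To, else From.
        target = _addr(words[2]) if len(words) > 2 else (reply_to or _addr(msg["From"]))
        action = "auto" if target in senders else "needs-approval"
        decisions.append({"action": action, "command": cmd, "list": words[1],
                          "target": target, "senders": sorted(senders)})
    return decisions

def log_line(d):
    """Audit record that keeps the sender addresses next to the target."""
    return "{command} {list} {target} from={senders} [{action}]".format(
        **{**d, "senders": ",".join(d["senders"])})
```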