>>>>> "KPB" == Kendall P Bullen <kendall@his.com> writes:

>> Relying on just the email headers for verification is way too
>> insecure.

KPB> Then why is there a restrict_post feature?

restrict_post is not a security feature. It is nothing more than a
crude attempt at privacy enforcement. It is trivial to bypass. But
bypassing restrict_post is generally a lot less destructive than
bypassing the list administration authentication system. The former
just annoys the list members; the latter can destroy the list. Big
difference between the two.

KPB> Since you'd have to know who is a "trusted" user for
KPB> administrativa, and presumably it would be non-obvious (if you're
KPB> smart), unless someone tried it from every e-mail address they saw
KPB> on a list, it doesn't seem like a big danger to me.

List moderator identities are usually not that big a secret. That
narrows the "address space" to search by quite a bit.

KPB> (And I presume that the attempts that failed would bounce to the
KPB> list owner, so they would know someone was trying to hack the
KPB> list.)

The problem is that by the time the list owner got to his mail, it would
be too late. The subscriber list will have been damaged beyond repair
(assuming malicious intent, worst case scenario).
--
Rich Pieri <rich.pieri@prescienttech.com> | When not in use, Happy Fun Ball
Prescient Technologies, Inc. | should be returned to its special
A Stone & Webster Company | container and kept under
I speak for myself, not PTI or SWEC | refrigeration.