How secure is the algorithm used with "+confirm" to generate auth keys? One
of the list admins at the site that also hosts my lists is reporting that one
of his lists is getting a large number of *successful* bogus subscriptions
despite being set to open+confirm. The site in question is a frequent target
of subscription-bombing software -- is it possible that someone's written
something that can figure out what the auth key "should" be, and can
successfully subscribe someone against their will by sending a normal request
followed by a bogus "what it should be" auth key without ever getting back the
actual key generated by majordomo?
If this is the case there should probably be a patch written to replace the
algorithm if there isn't one already. I can see this quickly reducing a large
number of lists to complete unusability.
--
::: Lazlo (lazlo@swcp.com; http://www.swcp.com/lazlo)
::: Internet Music Wantlists: http://www.swcp.com/lazlo/Wantlists
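Whether the scenario above is possible comes down to one property of the confirm step: the auth key must be something only the recipient of the confirmation mail could know. A key derived from guessable inputs (the address, the list name, the time of the request) can be recomputed by whoever sent the request, so the confirmation round-trip proves nothing. The following is an added example, not Majordomo's code and not part of the original post, of a confirm flow with keys that are unguessable, bound to one list and address, single-use and time-limited. All names in it (ConfirmStore, issue_key, redeem_key, KEY_TTL_SECONDS) are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not Majordomo's code): an "open+confirm"-style flow whose
# auth keys cannot be predicted from the original request.
# ConfirmStore, issue_key and redeem_key are hypothetical names.

KEY_BYTES = 24                     # 192 bits of CSPRNG output per key
KEY_TTL_SECONDS = 3 * 24 * 3600    # pending confirmations expire after three days


class ConfirmStore:
    """Tracks pending confirmations; only a hash of each issued key is kept."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised offline
        self._pending = {}         # (list_name, address) -> (key_hash, expires_at)

    @staticmethod
    def _digest(list_name, address, key):
        # Bind the key to the list and address so a key issued for one
        # request cannot be replayed against another list or address.
        msg = f"{list_name}\0{address}\0{key}".encode()
        return hashlib.sha256(msg).digest()

    def issue_key(self, list_name, address):
        """Called on the initial request; the key goes out by mail to `address` only."""
        # The key is fresh CSPRNG output, not a function of anything the requester knows.
        key = secrets.token_urlsafe(KEY_BYTES)
        expires_at = self._now() + KEY_TTL_SECONDS
        self._pending[(list_name, address)] = (self._digest(list_name, address, key), expires_at)
        return key

    def redeem_key(self, list_name, address, key):
        """Called on the follow-up that carries the key. True exactly once per valid key."""
        entry = self._pending.get((list_name, address))
        if entry is None:
            return False           # nothing pending for this list/address pair
        key_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[(list_name, address)]
            return False           # stale request; the requester must start over
        if not hmac.compare_digest(key_hash, self._digest(list_name, address, key)):
            return False           # wrong key; constant-time compare leaks no partial match
        del self._pending[(list_name, address)]   # single use
        return True
```

With keys issued this way, a forged "what it should be" follow-up has a 1 in 2^192 chance per attempt, and a key that does leak (for example by being forwarded) is worthless for any other list or address and after it has been used once.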