Great Circle Associates Majordomo-Workers
(October 1997)
 


Subject: Re: Is 'wh*ch' useful?
From: Chuq Von Rospach <chuqui @ plaidworks . com>
Date: Tue, 14 Oct 1997 11:18:19 -0700
To: Jason L Tibbitts III <tibbs @ hpc . uh . edu>, majordomo-workers @ GreatCircle . COM
In-reply-to: <ufa7mbgamfg.fsf@sina.hpc.uh.edu>

At 11:28 PM -0700 10/13/97, Jason L Tibbitts III wrote:

> Note that the site owner can set a maximum, and each list owner can set a
> maximum or deny the request entirely.  Plus the advertise settings limit
> 'which' access implicitly.

I've turned which off, because I think the security is too loose. I've
been trying to get time to build an alternative that I feel protects
things, but I haven't had time (Apple keeps finding things for me to do
for some reason). But even with the maximum, it's far too easy for
someone to cull addresses out of the list.

IMHO, which should only return data that it is fairly certain
represents the user. Limiting it to a certain number of returns is
false security -- it still exposes users to being culled by a spammer.

So, my rough feel for this, pending time to actually implement, is:

o Which returns lists which are exact matches on the address in the header.

o Which returns information that matches what mungedomain would allow
(i.e., fred@foo.com matches that and fred@bar.foo.com).

o If someone is trying to find what address they're subscribed to, data
is only returned for their current domain, and only for advertised
lists: (i.e., "which fred", from fred.farkle@foo.com, only returns
addresses whose user component includes fred from *.foo.com).

The current system has problems with things like this -- say you limit
it to 10 addresses per which. Someone comes in and does "Which a"
"which b" "which c" ..... and walks away with a good chunk of your
subscriber list. Not all, but too much...

If the user needs address info from outside his domain, then I'd say
that's time for human intervention, and e-mail to the admin.

(another area where majordomo discloses addresses and shouldn't is the
bounces stuff. I've got plans to rewrite that, because posting lists of
bounced addresses to the entire membership is really not a good idea.
that'll happen before the which stuff, because it's actually in use....)


--
         Chuq Von Rospach (chuq@apple.com) Apple IS&T Mail List Gnome
                 <http://www.solutions.apple.com/ListAdmin/>

 Plaidworks Consulting (chuqui@plaidworks.com) <http://www.plaidworks.com/>
   (<http://www.plaidworks.com/hockey/> +-+ The home for Hockey on the net)
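
The three rules proposed in the message above, sketched as an added example (not Majordomo code and not written by the poster). The names restricted_which, in_site and LISTS, the sample subscribers, and the reading of "mungedomain" as "same domain or a subdomain of the requester's domain" are assumptions made for illustration.

```python
# Constructed sample data: list name -> (advertised?, subscriber addresses)
LISTS = {
    "hockey":  (True,  ["fred@foo.com", "alfred@example.org",
                        "fred.farkle@bar.foo.com"]),
    "staff":   (False, ["fred.farkle@foo.com", "freddy@foo.com"]),
    "cooking": (True,  ["fred@other.net", "winifred@mail.foo.com"]),
}


def split_addr(addr):
    """Return (user, domain), lower-cased; split on the last '@'."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def in_site(domain, site):
    """Assumed mungedomain-style test: same domain or a subdomain of it."""
    return domain == site or domain.endswith("." + site)


def restricted_which(requester, pattern=None):
    """Answer 'which' for the address in the request header.

    pattern=None : only the requester's own address (rules 1 and 2).
    pattern given: substring of the user part, requester's domain only,
                   advertised lists only (rule 3).
    """
    req_local, req_domain = split_addr(requester)
    if not req_local or not req_domain:
        return []                      # malformed header: disclose nothing
    hits = []
    for name, (advertised, subscribers) in sorted(LISTS.items()):
        for sub in subscribers:
            local, domain = split_addr(sub)
            if not in_site(domain, req_domain):
                continue               # never leave the requester's domain
            if pattern is None:
                match = local == req_local
            else:
                match = advertised and pattern.lower() in local
            if match:
                hits.append((name, sub))
    return hits


if __name__ == "__main__":
    print(restricted_which("fred.farkle@foo.com", "fred"))
    print(restricted_which("spammer@spam.example", "a"))
```

With these rules the "which a", "which b", ... walk described in the message returns nothing to a requester outside the subscribers' domains, regardless of any per-request maximum.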




