Majordomo-Workers: Re: Is 'wh*ch' useful?

Majordomo-Workers
(October 1997)

Indexed By Thread: [Previous] [Next]

Subject:	*Re: Is 'whch' useful?**
From:	Jason L Tibbitts III <tibbs @ hpc . uh . edu>
Date:	16 Oct 1997 01:33:07 -0500
To:	majordomo-workers @ greatcircle . com
In-reply-to:	Jason L Tibbitts III's message of 14 Oct 1997 18:55:56 -0500
References:	<ufa7mbgamfg.fsf@sina.hpc.uh.edu> <ufapvp799wz.fsf@sina.hpc.uh.edu>

OK, my proposal (only return if you matched a very small number of
addresses) is blown.  Why?

Say I have hideaddress set.  So you get my full name in a who output but
not my address.  Then you do a which on my name and get my address.  Oops.

So I guess that there either has to be complex interaction with hideaddress
and hideall, or substring searching has to go (i.e. be password
restricted).

So there are a few other options, some garnered from previous proposals:

* Restrict the match to the address portion of the address only.  It was
  really nice to search for your name and get out the address you were
  using at the time, but I guess we can't allow it.

* Require the match string to be a syntactically valid address and do exact
  matching only.  Unfortunately, this makes it damn hard to figure out
  which of N machines you zubscribed from, and

* Require the match string to (in some way) match or be a part of the
  address you're sending the mail from.  I suppose so, but then someone at
  AOL can get a large portion of the average list easily.

* Just reduce which to showing you what the address you're posting from
  belongs to.  (i.e. which just doesn't let you specify a search string; it
  takes your address and that's it.)  Expose hidden addresses and
  unadvertized lists.  Disable 'which' access from everything but the email
  interface.  (If you've forged your reply address to expose an address,
  they'll get the reply mail, not you.)

* Get rid of 'which' entirely (or neuter it as above) and have a 'ping'
  command which sends a message _to the zubscribed address_ saying what
  address the list server thinks it is.  Of course, this immediately
  becomes a bombing exploit, so have it connected with some periodic
  event. 

I like the latter: you can combine faq postings, periodic bounce probes,
and address notification into one.  We have to do single-address bounce
probes anyway (once bounce handling goes in); no reason not to built this
all into it.  But I think this gets away from the subject of salvaging the
which command.  I'm beginning to doubt whether or not it can be salvaged.

 - J<

References:

Is 'wh*ch' useful?
From: Jason L Tibbitts III <tibbs@hpc.uh.edu>
Re: Is 'wh*ch' useful?
From: Jason L Tibbitts III <tibbs@hpc.uh.edu>

Indexed By Date	Previous:	Re: How do I explain aliases? From: "Jeff Heinen" <jeff.heinen@inherent.com>
Indexed By Date	Next:	*Re: Is 'whch' useful? --> moved from -work** From: Dave Wolfe <dwolfe@risc.sps.mot.com>
Indexed By Thread	Previous:	*Re: Is 'whch' useful?** From: Jason L Tibbitts III <tibbs@hpc.uh.edu>
Indexed By Thread	Next:	*Re: Is 'whch' useful?** From: Mark Rauterkus <mrauterkus@sportsurf.net>