
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]



On Mon, 2015-01-19 at 16:57 -0500, Michael Gilbert wrote:
> Isn't the spam vector already wide open for
> nnnnnn-subscribe@bugs.debian.org, which isn't much (ab)used today?
> 
> I fail to see how any of the discussed changes open an abuse vector
> that doesn't already exist.

OK, so let me help you see.

The vector you are pointing to doesn't exist.  You can _not_ subscribe
to a bug by sending email to nnnn-subscribe@bugs.debian.org.  You
subscribe to a bug by sending an email to an address that looks like
this:

  701234-subyes-8aba1368a9ac33362ea1f68c28446c15-65bf3bd3886fb8abfe59d40709c844f2@bugs.debian.org

I presume this "invite" address is unforgeable (because Ian Jackson's
expertise is in crypto, and he said earlier he designed the system).

Sending an email to nnnn-subscribe@bugs.debian.org just asks the system
to send an invite containing such an address to someone.  I'm not sure
what email address gets the invite - it could be the envelope MAIL FROM,
or the Reply-To, or the From.  But really "who" doesn't matter.  All
that matters is that only a person controlling an email address is able
to subscribe it to a bug, not some random noob.

For what it's worth, the invitation contains full text of the
subscription request, including all the RFC5322 headers.  If it was
someone doing something unpleasant it gives you some hope of tracking
them down, or blocking them.

In other words the current system contains robust defences against such
an attack.  All I (and I presume Ben) are saying is removing those
defences is not a good idea, given it's easy enough to design a system
that keeps them.  Currently most of the auto subscription proposals
appearing here do remove them.

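The confirmation flow the message describes, worked through as an added example. This is not debbugs's or Debian's own code: the address layout (bug number, a random request id, and a truncated HMAC tag), the domain `bugs.example`, the secret key, and the assumption that the invite is mailed to the address being subscribed are all constructed for illustration. The point it demonstrates is the one the message makes: mail to `nnnn-subscribe@` only triggers an invite, and a subscription happens only when someone who received that invite replies to the unforgeable address inside it.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example: a confirmation-token scheme in the spirit of the one
# the message describes. It is NOT debbugs's code; the address layout, the
# HMAC construction and the domain "bugs.example" are assumptions.

DOMAIN = "bugs.example"
INVITE_RE = re.compile(
    r"^(?P<bug>\d+)-subyes-(?P<req>[0-9a-f]{32})-(?P<mac>[0-9a-f]{32})@"
    + re.escape(DOMAIN) + r"$"
)


class SubscriptionService:
    """Pending requests are only turned into subscriptions by a reply to the
    invite address, which only the holder of the subscribed mailbox sees."""

    def __init__(self, secret: bytes):
        self._secret = secret       # server-side key; never leaves the system
        self._pending = {}          # req_id -> (bug, subscriber address)
        self.subscribers = {}       # bug -> set of confirmed addresses

    def _mac(self, bug: int, req_id: str, subscriber: str) -> str:
        # Bind bug number, request id and subscriber together under the key,
        # so none of the three can be swapped without the tag changing.
        msg = f"{bug}:{req_id}:{subscriber.lower()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def request_subscription(self, bug: int, subscriber: str) -> str:
        """Handle mail to nnnn-subscribe@: mint an invite address and return
        it (a real system would mail it to `subscriber`). Anyone can trigger
        this step, so nothing is subscribed yet."""
        req_id = secrets.token_hex(16)
        self._pending[req_id] = (bug, subscriber.lower())
        tag = self._mac(bug, req_id, subscriber)
        return f"{bug}-subyes-{req_id}-{tag}@{DOMAIN}"

    def confirm(self, to_address: str) -> bool:
        """Handle mail arriving at a -subyes- address. Who sent it does not
        matter; what matters is that the address itself is genuine."""
        m = INVITE_RE.match(to_address)
        if not m:
            return False                      # not an invite address at all
        bug, req_id, mac = int(m["bug"]), m["req"], m["mac"]
        entry = self._pending.get(req_id)
        if entry is None or entry[0] != bug:
            return False                      # unknown, used, or bug swapped
        expected = self._mac(bug, req_id, entry[1])
        if not hmac.compare_digest(expected, mac):
            return False                      # forged or tampered tag
        del self._pending[req_id]             # invites are single use
        self.subscribers.setdefault(bug, set()).add(entry[1])
        return True


if __name__ == "__main__":
    svc = SubscriptionService(secrets.token_bytes(32))
    invite = svc.request_subscription(701234, "alice@example.org")
    print("invite address:", invite)
    print("confirmed:", svc.confirm(invite))
    print("replay accepted:", svc.confirm(invite))
```

Because the tag covers the subscriber address stored server-side, a third party who sends to `701234-subscribe@` can at most cause an invite to land in someone else's mailbox; they cannot build a `-subyes-` address that the service will accept, and a captured invite cannot be reused once consumed.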