Bug#359905: PTS: unsubscription fraud possible
Raphael Hertzog <hertzog@debian.org>
> Several persons complained of the *risk* but you're the first one who
> tells us that he has been unsubscribed by someone with malicious intent.
I have no way of telling whether or not I was, as I didn't notice
soon enough to check the logs. I hope it's more likely to be some
other reason. I just noticed a possibility when tidying my PTS use.
> I'll include a patch which changes the subject to "Unsubscription notice"
> or something similar.
You'll prepare it, or accept it when it arrives?
[...]
> The best solution would be to implement the bounce handler (with
> VERP-like headers) but an intermediary solution would be to extract the
> unsubscription code into a stand-alone perl script that I can call on
> master directly.
I probably need to understand how mail gets into the system
better before I can see how to prepare the bounce handler.
How about a confirmation bypass for admin-gpg-signed requests?
Thanks,
--
MJR/slef
My Opinion Only: see http://people.debian.org/~mjr/
Please follow http://www.uk.debian.org/MailingLists/#codeofconduct