[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#359905: PTS: unsubscription fraud possible

Raphael Hertzog <hertzog@debian.org>
> Several persons complained of the *risk* but you're the first one who
> tells us that he has been unsubscribed by someone with malicious intent.

I have no way of telling whether or not I was, as I didn't notice
soon enough to check the logs. I hope it's more likely to be some
other reason. I just noticed a possibility when tidying my PTS use.

> I'll include a patch which changes the subject to "Unsubscription notice"
> or something similar.

You'll prepare it, or accept it when it arrives?

> The best solution would be be to implement the bounce handler (with
> VERP-like headers) but an intermediary solution would be to extract the
> unsubscription code into a stand-alone perl script that I can call on
> master directly.

I probably need to understand how mail gets into the system
better before I can see how to prepare the bounce handler.
How about a confirmation bypass for admin-gpg-signed requests?

My Opinion Only: see http://people.debian.org/~mjr/
Please follow http://www.uk.debian.org/MailingLists/#codeofconduct

Reply to: