Bug#359905: PTS: unsubscription fraud possible
On Thu, 30 Mar 2006, MJ Ray wrote:
> > Because I believe it's not a bug but a feature. It can even help to be
> > able to unsubscribe someone else who has troubles unsubscribing alone.
>
> Respectfully, I disagree. This bug is making the PTS
> unreliable for co-maintainers.
Several persons complained of the *risk* but you're the first one who
tells us that he has been unsubscribed by someone with malicious intent.
> > And it's your problem if you don't read carefully the mail that you
> > received at your own address (IIRC, they have no special PTS like header
> > and thus shouldn't be filtered out from normal e-mail).
>
> They have an attacker-specified subject line and can be loaded
> with content after the stop command, to trigger spam traps.
> If you expect users to flag up these messages, how can they
> spot them?
I'll include a patch which changes the subject to "Unsubscription notice"
or something similar.
> > BTW, right now we have no other tool to unsubscribe people (even people
> > whose email doesn't work anymore) so if you want this feature to be
> > implemented you probably should work to solve the other related problems
> > before. :-)
>
> Which other related problems, please?
The fact that I'm using the mail interface to unsubscribe email which are
bouncing ? and that I couldn't do that anymore if a confirmation was
requested ...
The best solution would be be to implement the bounce handler (with
VERP-like headers) but an intermediary solution would be to extract the
unsubscription code into a stand-alone perl script that I can call on
master directly.
Cheers,
--
Raphaël Hertzog
Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/
Reply to: