right now our conversation is bi-directional since the listserv is off-line. i also looked at the headers and they do seem to originate within google itself ( bogon receipts). so, are you telling me that the mere fact that an email is addressed to the list will get it published without verifying that the sender is a subscriber? everything else i mention relate to the needless exposure of the subscriber's real name and email addr and the permitting of private anchors. obviously, i believe that these practices greatly increase security risks for the subscriber and will subject them to a potential flood of noxious junk. -- Thank you, Johann v. Preu?en On 2016.Apr.04 13:46, Jeffrey Walton wrote: > On Mon, Apr 4, 2016 at 4:28 PM, Johann v. Preu?en <jvp at forthepolls.org> wrote: >> i am not certain i understand how it is google's fault that this >> owenevans98|Dawn was able to slip into the listserv database. this is, of >> course, assuming that this was not done via a simple sign-up. i also do not >> understand how prohibiting a posting (content, infra) that obfuscates a >> message within a host of symbols with a net zero percent of prose and 100% >> anchor description is responding to some sort of a "fad". this list is re >> problems and solutions that can only be conveyed in prose ... no prose == no >> message. and permitting private anchors is also a questionable security >> practice. it does not seem unreasonable to require anchors to be to >> recognized sandbox sites or -- much better -- to an openssl-operated one. > Yeah, this particular message looks like classic spam (headers > available at http://groups.google.com/forum/#!original/mailing.openssl.users/eXD0UYueasw/jsZtjTLPCQAJ). > > When the spam was getting through, I checked some of the headers and > most were coming from Gmail users. See, for example, > http://pastebin.com/hRAtRt7S. That particular message likely had its > spam score lowered because of the DKIM signing. > > I was also contacted offlist for the spam I was sending. I saw the > headers on two of the messages, and they clearly were from me and > submitted through Google's web interface. They looked just like the > headers in http://pastebin.com/hRAtRt7S. I did not send them, and they > did not show up in my Outbox. > > Its the reason I'm guessing Google services had a vulnerability that > was silently patched. > > Jeff -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3825 bytes Desc: S/MIME Cryptographic Signature URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160404/ec678b04/attachment-0001.bin>
