if this list was for tex-mex cooking recipes or ES vacation rentals, i would agree that expectations for privacy might be very low and individual subscribers are responsible to be as circumspect as they personally feel they must be. however, this is a list of people in the forefront of addressing global security issues and -- i would think -- subscribers would certainly want their personal info (U.S. Title XIII PII) to be as secure as the issues they are grappling with rather than having it published in the clear.

the security issue re the subscriber email addr spreads beyond the actual person as well. suppose we have henrietta schmidt who is the email security officer for xyz corp who is addressed as h.schmidt at xyz.com. since most large firms and almost all gov agencies have rigid mailbox addressing schemes, it is quite possible to extrapolate from this one email addr to a much wider range. like xyz's CIO joe blow who is most likely to be found at j.blow at xyz.com or some close variant.

the payoffs for the successful breaching of systems of large firms and governments are huge and it does not require much imagination to deduce that the pantheon of perpetrators is large, their diligence is intense, and their numbers are not confined to a bunch of "script kiddies". quite plainly, i do not believe that openssl should be making their job easier.

--
Thank you,

Johann v. Preußen

On 2016.Apr.04 14:49, Jeffrey Walton wrote:
> On Mon, Apr 4, 2016 at 5:32 PM, Johann v. Preußen <jvp at forthepolls.org> wrote:
>> right now our conversation is bi-directional since the listserv is off-line.
>>
>> i also looked at the headers and they do seem to originate within google
>> itself (bogon receipts). so, are you telling me that the mere fact that an
>> email is addressed to the list will get it published without verifying that
>> the sender is a subscriber?
>>
>> everything else i mention relates to the needless exposure of the
>> subscriber's real name and email addr and the permitting of private anchors.
>> obviously, i believe that these practices greatly increase security risks
>> for the subscriber and will subject them to a potential flood of noxious
>> junk.
> Yes, I agree Johann. The thing I would point out is there's usually no
> expectation of privacy with a mailing list, so users should not be
> surprised if their email address shows up in a traditional email
> header or an X-header somewhere.
>
> What piqued my interest was that sudden spurt of spam. Something was
> not right, but I could not finger it.
>
> Jeff