Jan Henkins jan at
Wed Jan 28 10:56:36 CET 2009


On Wed, January 28, 2009 01:59, roguemoko at wrote:

> This should especially be done by mailing list servers and more so in
> openmoko's case as the contact with openmoko personnel and developers is
> pretty crucial.
> Preventing your own people from being impersonated and forged mails
> being relayed via your own list seems common sense to some of us, or at
> least me :)

There is another situation that I find to be a worry: In order to send
mail to this list you have to have a registered address. In the above case
it was proper "" addresses that was used in the Joe Job
attack, but it could have been anybody else who have sent an email to the
list. Looking in the list archives I can see that not enough is being done
to obscure sender addresses. Currently the only thing that is being done
is to replace the "@" with a "<space>at<space>". So "dorian at"
would become "dorian at". Sweet! Armed with wget to leech all the
archives, a few text tools (grep, Perl, Python, etc) and I can build up a
list of addresses (almost 100% confirmed working addresses) that could be
used for various spamming activities. A list of active addresses is worth
money too! ;-) So what I suggest is that the list administrators obfuscate
list members' addresses even more. MailMan's Pipermail archiver can do
this if properly set up.

Jan Henkins

More information about the community mailing list