[Full-Disclosure] Bugtraq postings from non-members may disclose some list-member's addresses

From: Ka (kaat_private)
Date: Thu Sep 26 2002 - 09:22:33 PDT


    Greetings,
    
    yesterday I posted something to full-disclosure and at the same time 
    to bugtraq, but did so unintentionally from an email address which 
    is not subscribed to bugtraq (I simply responded to a posting from
    Gossi the dog with "reply to all"). 
    
    Intentionally I'm doing the same with this message -
    it's always good to have a test case, isn't it? .o)
    
    As a result, I'm getting all the bouncing list-emails delivered back
    to me personally, i.e. all MTAs of members with delivery problems 
    or vacation messages set up send their bounce message to me instead 
    of back to the bugtraq administration.
    
    Obviously under the described circumstances the Return-Path: header 
    is not set by the bugtraq list software.
    
    The few examples where the headers of my original posting were 
    sent back to me as part of a "message undeliverable" error 
    show that the mail came from lists.securityfocus.com. The first
    MTA was always specified as
    
    Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
            by outgoing.securityfocus.com (Postfix) with QMQP
            id D55EEA373E; Wed, 25 Sep 2002 12:55:59 -0600 (MDT)
    
    And of course there was no Return-Path: set.
    
    
    
    Since yesterday I have learned which members have their mailbox full,
    are out of office, or fucked up their .forward files into 
    undeliverability (if there is such a word in English).
    Not many members BTW, but enough for a good party.
    
    
    
    Severity:		low
    Fun-Factor:		high
    Vendor notified:	neahneah - would've spoiled the fun otherwise.
    
    
    Have a nice day!
    Ka
    -- 
    Better a newer mind than a never mind.
    But best to run around out of no mind.
    http://www.khidr.net/users/ka/pgpkey.asc
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
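A small header check in the spirit of the observation above, added here as an example and not part of Ka's post or of any list software: given a delivered list message, it reports whether bounces for it would land with the list's bounce handler or go straight back to the poster. It assumes that Return-Path: carries the envelope sender recorded at final delivery, and the sample messages below are constructed (the Received: line mirrors the one quoted in the post).

```python
import email
from email import policy
from email.utils import parseaddr

# Host and domain taken from the Received: header quoted in the post.
LIST_HOST = "lists.securityfocus.com"
LIST_DOMAIN = "securityfocus.com"


def bounce_target(raw_message, list_host=LIST_HOST, list_domain=LIST_DOMAIN):
    """Classify where bounces for a list-relayed message would be delivered.

    Returns one of:
      "not-via-list"  no Received: line names the list host
      "list-handler"  Return-Path: was rewritten into the list's domain
      "poster"        Return-Path: missing or outside the list's domain, so
                      bounces, vacation replies and full-mailbox errors go
                      to whoever posted (the leak described in the post)
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if not any(list_host in str(line) for line in received):
        return "not-via-list"
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    if not envelope:
        return "poster"
    domain = envelope.rpartition("@")[2].lower()
    return "list-handler" if domain.endswith(list_domain) else "poster"


# Constructed sample: relayed by the list, no Return-Path: rewritten.
LEAKY_MESSAGE = """\
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing.securityfocus.com (Postfix) with QMQP
        id D55EEA373E; Wed, 25 Sep 2002 12:55:59 -0600 (MDT)
From: Ka <ka@example.net>
To: bugtraq@securityfocus.com
Subject: test case

body
"""

# Constructed sample: same message, but with a list-owned bounce address
# (hypothetical VERP-style local part) as the envelope sender.
REWRITTEN_MESSAGE = (
    "Return-Path: <bugtraq-return-12345-ka=example.net@securityfocus.com>\n"
    + LEAKY_MESSAGE
)
```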
    



    This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 10:12:13 PDT