[openssl-users] Fwd: CONGRATULATION____REF#87670

Johann v. Preußen jvp at forthepolls.org
Mon Apr 4 21:32:26 UTC 2016


right now our conversation is bi-directional since the listserv is off-line.

i also looked at the headers and they do seem to originate within google itself 
(bogon receipts). so, are you telling me that the mere fact that an email is 
addressed to the list will get it published without verifying that the sender is 
a subscriber?

everything else i mention relates to the needless exposure of the subscriber's 
real name and email addr and the permitting of private anchors. obviously, i 
believe that these practices greatly increase security risks for the subscriber 
and will subject them to a potential flood of noxious junk.

--
Thank you,

Johann v. Preußen

On 2016.Apr.04 13:46, Jeffrey Walton wrote:
> On Mon, Apr 4, 2016 at 4:28 PM, Johann v. Preußen <jvp at forthepolls.org> wrote:
>> i am not certain i understand how it is google's fault that this
>> owenevans98|Dawn was able to slip into the listserv database. this is, of
>> course, assuming that this was not done via a simple sign-up. i also do not
>> understand how prohibiting a posting (content, infra) that obfuscates a
>> message within a host of symbols with a net zero percent of prose and 100%
>> anchor description is responding to some sort of a "fad". this list is re
>> problems and solutions that can only be conveyed in prose ... no prose == no
>> message. and permitting private anchors is also a questionable security
>> practice. it does not seem unreasonable to require anchors to be to
>> recognized sandbox sites or -- much better -- to an openssl-operated one.
> Yeah, this particular message looks like classic spam (headers
> available at http://groups.google.com/forum/#!original/mailing.openssl.users/eXD0UYueasw/jsZtjTLPCQAJ).
>
> When the spam was getting through, I checked some of the headers and
> most were coming from Gmail users. See, for example,
> http://pastebin.com/hRAtRt7S. That particular message likely had its
> spam score lowered because of the DKIM signing.
>
> I was also contacted offlist for the spam I was sending. I saw the
> headers on two of the messages, and they clearly were from me and
> submitted through Google's web interface. They looked just like the
> headers in http://pastebin.com/hRAtRt7S. I did not send them, and they
> did not show up in my Outbox.
>
> It's the reason I'm guessing Google services had a vulnerability that
> was silently patched.
>
> Jeff

