Bugtraq mailing list archives

Majordomo and EXPN


From: james () OAKTREE CO UK (James Ponder)
Date: Wed, 22 Oct 1997 13:27:04 +0100


I've done the usual and checked the archives for previous mentions of this
problem, but there doesn't seem to have been any.  The majordomo sites that
I've looked at all have this problem, including the majordomo lists
themselves, even though this issue is talked about in the majordomo FAQ.

When someone sends a message to a majordomo list, the mail goes through an
alias that pipes the mail through the wrapper program with a series of
arguments.  One argument is the name of another alias which has the list of
email addresses in it (via a sendmail :include: directive).  The problem
with this setup is that anyone can use EXPN on the address that mail goes
to in order to reveal the alias that contains all the email addresses, then
it's just a question of using EXPN on that alias and sendmail will output
all the subscribers' email addresses.

e.g.:
telnet somewhere.com 25
220 somewhere.com ESMTP Sendmail 8.8.5/Somewhere-971021-1 ready at ...
EXPN somewhere-announce
250 <"|/usr/local/mail/majordomo/wrapper resend -l somewhere-announce
         -h somewhere.com somewhere-announce-list"@somewhere.com>
EXPN somewhere-announce-list
...

Several documents on the subject (including the FAQ) do indicate that
people should choose a non-guessable alias and also disable EXPN.  It
would seem however that people do not do this - it is no good just choosing
something that isn't myannounce-outgoing, if you don't disable EXPN, you
are still vulnerable to people posting to your announcement list and
downloading all your subscribers (who could be confidential customers).

I'm not really asking for comments, just making sure everyone is aware of
this, as people don't seem to be - if you have chosen announce-list,
announce-outgoing or announce-real, you really should change it.


Best wishes, James

-=- James Ponder -=- james () oaktree co uk -=- http://www.oaktree.co.uk/ -=-
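
A defender-side check for the setup described in the message above, as an added example that is not part of the original post or of majordomo. It assumes a sendmail-style aliases file and a sendmail.cf that uses the `O PrivacyOptions=` line; the function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs modelled on the post's transcript (not real data).
SAMPLE_ALIASES = '''\
somewhere-announce: "|/usr/local/mail/majordomo/wrapper resend -l somewhere-announce
    -h somewhere.com somewhere-announce-list"
somewhere-announce-list: :include:/usr/local/mail/lists/somewhere-announce
'''
SAMPLE_CF = "O PrivacyOptions=authwarnings\n"
GUESSABLE = ("-list", "-outgoing", "-real")  # suffixes named in the post

def parse_aliases(text):
    """Return {alias: value}; joins indented continuation lines, skips comments."""
    aliases, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current:
            aliases[current] += " " + line.strip()
        elif ":" in line:
            current, value = line.split(":", 1)
            current = current.strip().lower()
            aliases[current] = value.strip()
    return aliases

def expn_disabled(cf_text):
    """True if PrivacyOptions includes noexpn (or goaway, which implies it)."""
    for line in cf_text.splitlines():
        m = re.match(r"O\s*PrivacyOptions\s*=\s*(.+)", line)
        if m:
            flags = {f.lower() for f in re.split(r"[,\s]+", m.group(1).strip())}
            if flags & {"noexpn", "goaway"}:
                return True
    return False

def audit(aliases_text, cf_text):
    """Report each list whose :include: subscriber alias EXPN would reveal."""
    aliases, exposed = parse_aliases(aliases_text), not expn_disabled(cf_text)
    findings = []
    for name, value in aliases.items():
        if "wrapper resend" not in value:
            continue
        # Assumption: the last argument to resend is the outgoing alias.
        outgoing = value.strip('"').split()[-1].split("@")[0].lower()
        if ":include:" in aliases.get(outgoing, ""):
            findings.append({"list": name, "outgoing": outgoing, "expn_exposed": exposed,
                             "guessable": outgoing.startswith(name) and outgoing.endswith(GUESSABLE)})
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_ALIASES, SAMPLE_CF))
```

A list with `expn_exposed` true is reachable by the two-step EXPN lookup even when `guessable` is false, which is the post's point about renaming the alias without disabling EXPN.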


