[Bf-committers] Probe Message Privacy Issue

[Dan McGrath]

===== (Dalai) =====

> > For bf-committers, that option is off btw.
> Yup, but even for bf-cycles this option is on.
>
> So let's just close them all and move on?

Sounds good to me. I will take a look at this on the weekend or perhaps
later tonight.

> I also got the "probe" email by the way. But again, if it exposes only the
> email of list members that have posted (or tried to post) something, it is
> ok-ish.
>
> Cheers,
> Dalai

I believe those are the VERP probes that you were referring to. There are a
spammer that manually subscribed himself to the list to send a spam
yesterday from an @yahoo.com email address, and as a result, triggered
that. I've since removed and blocked him from our lists. (Don't these guys
have anything else better to do with their lives than waste mine/ours?)

===== (Ton) =====

> I don't know what you mean with this. How?
> No list should expose its subscribers to everyone, and I never configured
this in the past to allow that.

It's very likely that it is the default than, to allow people to see the
list members. Since each list has it's own unique options, it could be non
uniformly set across our lists. In all honesty, Dalai brings up a good
point in that it is ok'ish; the reason is simple: it's a public list, and
bots could just as easily compile a list of members by scraping the list
archives in minutes. IIRC, you have to subscribe to the list in order to
see it (by default?), so a bot already has to jump through a bunch of hops.
It's probably just easier to scrap the archive.

I suspect that this whole issue of having the members visible is just being
overblown, honestly, but true that someone who wants to watch "in secret"
and not post, would be exposed in such a query.

> For bf-committers, that option is off btw.
>
> What we DO expose is the mail address of someone who mails to this this
list,
> That's something I really prefer to keep.
>
> -Ton-


Dan