With the latest message I sent to the CentOS list I got this strange 'probe' message. The included bounce example has nothing to do with my email address, but rather with someone subscribed to the list.
So it seems that somehow the mailing list manager is sending bounces to the wrong email address. Or I do not understand the 'probe' message (and the included bounce message) at all.
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]
---------- Forwarded message ----------
From: centos-bounces+88b00897fa730a013c0f2ecda1f082e22416f412@centos.org
To: dag@wieers.com
Date: Fri, 12 May 2006 14:54:41 +0000
Subject: CentOS mailing list probe message
X-Spam-Status: No, score=1.9 required=3.0 tests=FROM_LOCAL_HEX,NO_REAL_NAME autolearn=no version=3.1.1
This is a probe message. You can ignore this message.
The CentOS mailing list has received a number of bounces from you, indicating that there may be a problem delivering messages to dag@wieers.com. A bounce sample is attached below. Please examine this message to make sure there are no problems with your email address. You may want to check with your mail administrator for more help.
If you are reading this, you don't need to do anything to remain an enabled member of the mailing list. If this message had bounced, you would not be reading it, and your membership would have been disabled. Normally when you are disabled, you receive occasional messages asking you to re-enable your subscription.
You can also visit your membership page at
http://lists.centos.org/mailman/options/centos/dag%40wieers.com
On your membership page, you can change various delivery options such as your email address and whether you get digests or not. As a reminder, your membership password is
mazaec
If you have any questions or problems, you can contact the list owner at
centos-owner@centos.org
Woops, I would suggest changing your password, i.e. the one printed into the bounce message :)
I hope you are not using this for anything else than mailing lists :)
later charles
On Fri, 12 May 2006, Charles Lacroix wrote:
Woops, I would suggest changing your password, i.e. the one printed into the bounce message :)
I hope you are not using this for anything else than mailing lists :)
Thanks :) Actually it was a generated password (which mailman does if you don't specify one). If I use passwords, I have them randomly generated by Revelation with a size of 16. Consequently, I don't know any of those passwords by heart. And thanks to Revelation, I don't have to.
Thanks again for the email.
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]
On Fri, 2006-05-12 at 18:07 +0200, Dag Wieers wrote:
On Fri, 12 May 2006, Charles Lacroix wrote:
Woops, I would suggest changing your password, i.e. the one printed into the bounce message :)
I hope you are not using this for anything else than mailing lists :)
Thanks :) Actually it was a generated password (which mailman does if you don't specify one). If I use passwords, I have them randomly generated by Revelation with a size of 16. Consequently, I don't know any of those passwords by heart. And thanks to Revelation, I don't have to.
Is it just me or ...
Putting a password, regardless of source, into a "probe", which by its very existence seems to have a higher likelihood of interception, seems foolish. If there is a problem along the intermediate steps (if any) and somebody is examining stuff, for righteous or nefarious reasons, ...
Thanks again for the email.
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]
<snip sig stuff>
William L. Maltby wrote:
Putting a password, regardless of source, into a "probe", which by its very existence seems to have a higher likelihood of interception, seems foolish. If there is a problem along the intermediate steps (if any) and somebody is examining stuff, for righteous or nefarious reasons, ...
the passwd is sent to the email address it's meant for. if you have access to emails being sent to that address, it's sort of academic getting the passwd anyway ( click on forgot passwd, new passwd emailed out ...etc )
- KB
On Fri, 2006-05-12 at 20:47 +0100, Karanbir Singh wrote:
William L. Maltby wrote:
Putting a password, regardless of source, into a "probe", which by its very existence seems to have a higher likelihood of interception, seems foolish. If there is a problem along the intermediate steps (if any) and somebody is examining stuff, for righteous or nefarious reasons, ...
the passwd is sent to the email address it's meant for. if you have
If you have to send a probe, does this not raise the possibility that the email is being diverted? If so, the fact that it's sent to... doesn't provide much feeling of security.
But I *am* an amateur at this security stuff and buzzwords like "man-in-the-middle" may just cause excess trepidation in me. Anyway, that's what caused me to raise the question.
I don't even like it that your (CentOS's) monthly reminder to me is sent with password unencrypted... and I am the only user here. If I could post my public key and have that monthly reminder encrypted, I'd do it.
access to emails being sent to that address, it's sort of academic getting the passwd anyway ( click on forgot passwd, new passwd emailed out ...etc )
Well, it's too bad that we can't make all access via SS* w/no passwords required. But a new one-time-only-use password (IOW, it must be changed on first use and w/i a specified time interval) isn't too bad.
- KB
On Fri, 2006-05-12 at 16:48 -0400, William L. Maltby wrote:
On Fri, 2006-05-12 at 20:47 +0100, Karanbir Singh wrote:
William L. Maltby wrote:
Putting a password, regardless of source, into a "probe", which by its very existence seems to have a higher likelihood of interception, seems foolish. If there is a problem along the intermediate steps (if any) and somebody is examining stuff, for righteous or nefarious reasons, ...
the passwd is sent to the email address it's meant for. if you have
If you have to send a probe, does this not raise the possibility that the email is being diverted? If so, the fact that it's sent to... doesn't provide much feeling of security.
But I *am* an amateur at this security stuff and buzzwords like "man-in-the-middle" may just cause excess trepidation in me. Anyway, that's what caused me to raise the question.
I don't even like it that your (CentOS's) monthly reminder to me is sent with password unencrypted... and I am the only user here. If I could post my public key and have that monthly reminder encrypted, I'd do it.
You can turn it off in your preferences for the list in mailman: http://lists.centos.org/mailman/options/centos
access to emails being sent to that address, it's sort of academic getting the passwd anyway ( click on forgot passwd, new passwd emailed out ...etc )
Well, it's too bad that we can't make all access via SS* w/no passwords required. But a new one-time-only-use password (IOW, it must be changed on first use and w/i a specified time interval) isn't too bad.
We didn't write mailman ... nor did we write the probe e-mail that it sends.
On Fri, 2006-05-12 at 16:19 -0500, Johnny Hughes wrote:
On Fri, 2006-05-12 at 16:48 -0400, William L. Maltby wrote:
On Fri, 2006-05-12 at 20:47 +0100, Karanbir Singh wrote:
William L. Maltby wrote:
<snip>
I don't even like it that your (CentOS's) monthly reminder to me is sent with password unencrypted... and I am the only user here. If I could post my public key and have that monthly reminder encrypted, I'd do it.
You can turn it off in your preferences for the list in mailman: http://lists.centos.org/mailman/options/centos
I know. Just haven't gotten around to it.
access to emails being sent to that address, it's sort of academic getting the passwd anyway ( click on forgot passwd, new passwd emailed out ...etc )
Well, it's too bad that we can't make all access via SS* w/no passwords required. But a new one-time-only-use password (IOW, it must be changed on first use and w/i a specified time interval) isn't too bad.
We didn't write mailman ... nor did we write the probe e-mail that it sends.
I *know* that. It was not a personal or project attack. But the answer to my concern that was posted (it is sent to... so... <equiv to everything's probably OK>) got one of my feet on the soap box. :-( Didn't mean to seem critical.
All that notwithstanding, I believe we can't be too relaxed about security and even *dumb* concerns (as mine might be) are worth noting or discussing.
<snip sig stuff>
Thanks,