[Internet Privacy] Mailing List Usernames and Passwords Loose on the Internet

Along with numerous threads of conversation, a whole bunch of passwords and usernames are cached on the web due to a poorly-implemented feature in the realm of open source

Unless you have been living on a deserted island for the past 12 years, you’ve surely come across a mailing list – if not as an active poster, at least as a fervent reader. Mailing list software is the cornerstone of various communities ranging from support websites to forum alternatives.

Distributed under the GNU General Public License (GPL), Mailman is a free software application which is widely used for managing electronic mail discussion and e-newsletter lists. Integrated with the WWW, Mailman runs on GNU/Linux and the majority of Unix-like systems, which made it the favorite pick when it comes to mailing list software.

Among many features included in the Mailman application, there’s one key point that seems to have become a nightmare. When creating an account, the user gets the (already checked) option to receive a monthly membership reminder which includes their username and password typed in clear text, as shown in the image below:




Fig. 1. Mailing list membership reminder


Now imagine that most mailing lists are public and these reminders are added as actual posts to the mailing lists which are publicly indexable by most of the existing search engines. The result is a massive disclosure of personal information, which can be harvested by miscellaneous bots and spiders and put to malicious use.

A simple query for “mailing list membership reminder” revealed results unveiling users’ personal login credentials.



Fig. 2. Search results for: “mailing list membership reminder”



So, if you use Mailman mailing lists, you should immediately change your account password and turn off the monthly notifications.

And if you’re a mailing list administrator, you should alter the default settings regarding the monthly password reminders and submit a request to search engines to purge this kind of information from their cache.



Fig. 3. Mailman settings
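Before requesting that search engines purge cached copies, an administrator has to know which archived posts are reminders. The following is an added example, not code from the original article or from the Mailman project: it scans a list's mbox archive and reports the matching posts without echoing their bodies. The subject phrase and the "Passwords for" body marker are assumptions about the reminder text, and the sample archive is constructed.

```python
import mailbox
import pathlib
import re
import tempfile

# Assumed markers: the phrase the article searched for, and a "Passwords for <addr>" body line.
SUBJECT_RE = re.compile(r"mailing list memberships? reminder", re.I)
BODY_RE = re.compile(r"^Passwords for \S+@\S+", re.M)
# Constructed sample archive (not real data): an ordinary post and a reminder sent to the list.
SAMPLE_MBOX = """\
From alice@example.org Mon Feb  1 09:00:00 2010
From: alice@example.org
Subject: [users] Build fails on BSD

Has anyone seen this error?

From mailman-owner@lists.example.org Mon Feb  1 10:00:00 2010
From: mailman-owner@lists.example.org
Subject: lists.example.org mailing list memberships reminder
Message-ID: <2@example.org>

Passwords for bob@example.org:
users@lists.example.org    CONSTRUCTED-PLACEHOLDER
"""

def _text(msg):
    """Join the text parts of a message, decoded leniently."""
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")

def find_reminder_posts(mbox_path):
    """Return (index, Message-ID, reason) per suspect post; bodies are never echoed."""
    box, hits = mailbox.mbox(mbox_path, create=False), []
    for i, msg in enumerate(box):
        if SUBJECT_RE.search(str(msg.get("Subject", ""))):
            hits.append((i, msg.get("Message-ID"), "subject"))
        elif BODY_RE.search(_text(msg)):
            hits.append((i, msg.get("Message-ID"), "body"))
    box.close()
    return hits

def scan_sample():
    """Write the constructed sample to a temporary mbox file and scan it."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "sample.mbox")
        path.write_text(SAMPLE_MBOX)
        return find_reminder_posts(str(path))

if __name__ == "__main__":
    print(scan_sample())
```

Every address whose reminder turns up in the scan should be treated as having an exposed password, and the matching posts removed from the public archive before the purge request is filed.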



About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.