Unless you have been living on a deserted island for the past 12 years, you’ve surely come across a mailing list – if not as an active poster, at least as a fervent reader. Mailing list software is the cornerstone of various communities, ranging from support websites to forum alternatives.
Distributed under the GNU General Public License (GPL), Mailman is a free software application which is widely used for managing electronic mail discussion and e-newsletter lists. Integrated with the WWW, Mailman runs on GNU/Linux and the majority of Unix-like systems, which makes it the favorite pick when it comes to mailing list software.
Among many features included in the Mailman application, there’s one key point that seems to have become a nightmare. When creating an account, the user gets the (already checked) option to receive a monthly membership reminder which includes their username and password typed in clear text, as shown in the image below:
Fig. 1. Mailing list membership reminder
Now consider that most mailing lists are public, and that these reminders end up as ordinary posts in list archives that are indexable by most of the existing search engines. The result is a massive disclosure of personal information, which can be harvested by miscellaneous bots and spiders and put to malicious use.
A simple query for “mailing list membership reminder” revealed results unveiling users’ personal login credentials.
Fig. 2. Search results for: “mailing list membership reminder”
So, if you use Mailman mailing lists, you should immediately change your account password and turn off the monthly notifications.
And if you’re a mailing list administrator, you should alter the default settings regarding the monthly password reminders and submit a request to search engines to purge this kind of information from their cache.
Fig. 3. Mailman settings
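For administrators, the setting behind Fig. 3 is the per-list `send_reminders` option (Mailman 2.1), which can also be changed from the command line with `bin/config_list`. The script below is an added example and is not code from the original post or from the Mailman project: it checks a `config_list` dump for the reminder setting, emits the one-line fragment to feed back with `config_list -i`, and counts reminder posts in an mbox archive so they can be located and purged without ever printing their bodies. The config dump, mbox file and addresses are constructed sample data, and the archive path mentioned in the comments is an assumption about a typical Mailman 2.1 layout.

```shell
#!/bin/sh
# Added example (not from the original post or the Mailman project): audit a
# Mailman 2.1 list for the monthly password-reminder setting and scan a list
# archive for reminder posts that should be purged.
# The config format mirrors a "bin/config_list -o <file> <listname>" dump,
# which writes Python-style assignments such as "send_reminders = 1".

# Return 0 when the dump has reminders disabled (send_reminders = 0),
# non-zero when they are enabled or the key is missing.
reminders_disabled() {
    # $1 = path to a config_list dump
    grep -Eq '^send_reminders[[:space:]]*=[[:space:]]*0' "$1"
}

# Print the fragment to apply with: bin/config_list -i <fragment> <listname>
reminder_fix_fragment() {
    printf 'send_reminders = 0\n'
}

# Count messages in an mbox archive whose Subject is a membership reminder.
# Only the count is reported; message bodies (which carry passwords) are never
# printed. Assumed archive location: archives/private/<list>.mbox/<list>.mbox
count_reminder_posts() {
    # $1 = path to an mbox file
    grep -Eic '^Subject:.*memberships? reminder' "$1" || true
}

# Constructed sample data (not real list data): a dump with reminders on, a
# dump with reminders off, and an mbox with two reminder posts and one ordinary post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/list.cfg" <<'EOF'
## General options
real_name = 'Example'
send_reminders = 1
EOF
cat > "$demo_dir/fixed.cfg" <<'EOF'
## General options
real_name = 'Example'
send_reminders = 0
EOF
cat > "$demo_dir/archive.mbox" <<'EOF'
From mailman-owner@lists.example.invalid Mon Jan  1 00:00:00 2007
Subject: lists.example.invalid mailing list memberships reminder

(body omitted)

From alice@example.invalid Mon Jan  1 00:00:00 2007
Subject: Re: patch review

(body omitted)

From mailman-owner@lists.example.invalid Thu Feb  1 00:00:00 2007
Subject: lists.example.invalid mailing list memberships reminder

(body omitted)
EOF

# Usage: audit the sample dump, write the fix fragment if needed, count leaks.
if reminders_disabled "$demo_dir/list.cfg"; then
    echo "reminders already disabled"
else
    reminder_fix_fragment > "$demo_dir/fragment.cfg"
    echo "reminders ENABLED; apply with: bin/config_list -i $demo_dir/fragment.cfg <listname>"
fi
echo "reminder posts found in archive: $(count_reminder_posts "$demo_dir/archive.mbox")"
```

To change the default for lists created in the future, Mailman 2.1 also honours `DEFAULT_SEND_REMINDERS = No` in `mm_cfg.py`; existing lists keep their own `send_reminders` value, which is why the per-list audit above is still needed. Reminder posts found in the archive should be removed and the archive regenerated before asking search engines to drop their cached copies.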