So the problem I described last January and again mentioned last September is
still happening to me, and now to a lot more people. It will only become more
and more prevalent as viruses become more common and sites that filter them
become more common.

Perhaps I should restate the problem more simply. Mailman is committing the
basic sin of network security -- receiving data from the network and trusting
it for purposes other than as opaque data.

It is using messages posted to the list -- the content and format of which it
does not control -- to detect bouncing email addresses. Because of this it
cannot tell if the bounces it's receiving are caused by a broken email address
or caused by some particularity of the posted message.

Virus scans are only one type of bounce that could cause someone to be
unsubscribed spuriously. For example, most mail servers have a maximum message
size. Consider the security implications: all I have to do to mass
unsubscribe many people--even everyone--on a list is send a message over 50k.
Everyone using old versions of sendmail will be unsubscribed. A larger message
will unsubscribe anyone using most modern MTAs. Nor do the tests that require
multiple bounces protect anything; I just have to send my attack a few times
quickly.

Really Mailman should simply not trust outside data for any purpose. It should
treat the bounces received from mailing list messages purely as hints. It
should then send its *own* message with content not subject to any control
from outside to the user. Only if that known inoffensive message bounces
should it consider removing the user.

This is really a DoS security issue, though the worst-case attack is
unsubscribing many users of a list. That it gets triggered normally even when
not specifically under attack only makes the problem apparent.

--- Begin Message ---
The problem I described in January is still happening. I find the current
bounce processing of mailman to be inadequate. Something more like the bounce
processing of ezmlm is needed.

I should not be removed from a mailing list purely on the basis of bounces of
uncontrolled messages. The messages that bounced could have been spam or
outlook worms or whatever.

Before removing a subscriber mailman should send a message with known content
testing the address. Only if such a message bounces should a user be dropped.

As it is I'm being removed from mailing lists whenever a new Outlook worm
appears and sends multiple messages in a row. Or a new spammer discovers a
list I'm on and sends multiple messages in a row to the list.

It's especially bad on low-volume lists where it's quite possible for spam or
Outlook worm messages to be the only messages for days.

Greg Stark <[EMAIL PROTECTED]> writes:

> I find I am being removed from mailman mailing lists left and right. I believe
> the default values for the bounce removal should be reconsidered. It's
> possible that you haven't had many users in my situation and so haven't really
> had a chance to tune these parameters on the low end yet. But they clearly
> aren't working for me at a few sites.
> 
> My particular situation is that my site has seen fit to filter viruses by
> refusing delivery. This causes a bounce from the remote MTA every time someone
> sends me an Outlook virus. Why my site administrators felt this was necessary
> is a question for another day, it's not like I use Outlook or like my spam
> filters wouldn't have thrown these messages away anyways, but whatever.
> 
> The net result is that some small fraction of messages to me bounce and list
> management software notices this. The only reason I became aware of the
> problem was because ezmlm also does this type of processing but it sends a
> warning message before removing users. It only removes you if the warning
> message itself bounces. In fact it sends two such warning messages and only
> removes the user if *both* bounce. This provides the user with a chance to
> react to the first message and fix the problem -- if they ever see the
> message.
> 
> I could beg for a similar feature in mailman, but I'm not sure it's necessary.
> But I am sure it's necessary to tune the bounce processing parameters. The
> relatively few bounces I'm generating shouldn't be causing me to get removed
> when all the real messages are being delivered fine.
> 
> It seems the legitimate messages that are correctly delivered should reset the
> count of bounces to 0. Reading the source it seems it has to see
> DEFAULT_MAX_POSTS_BETWEEN_BOUNCES such legitimate posts between messages. I'm
> fairly convinced this parameter should always be 0. If any successful delivery
> occurs the user should never be removed due to bounces.
> 
> What I don't understand is how DEFAULT_MAX_POSTS_BETWEEN_BOUNCES relates to
> the parameters I see in the admin. None of the parameters in the admin
> corresponds to this. How is it calculated?
> 
> -- 
> greg
> 
> 
> _______________________________________________
> Mailman-Developers mailing list
> [EMAIL PROTECTED]
> http://mail.python.org/mailman/listinfo/mailman-developers
> 
> 

-- 
greg

--- End Message ---

-- 
greg
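
The probe-before-removal policy proposed in this message, sketched as an added example (it is not Mailman's or ezmlm's code; the class, function names, threshold and probe text are hypothetical). It assumes a probe bounce can be matched to the probed address by some other mechanism.

```python
HINT_THRESHOLD = 3   # assumed value, not a Mailman default
PROBE_BODY = "Delivery test from the list manager."  # fixed text the list controls


class ProbingBounceHandler:
    def __init__(self, addresses):
        self.hints = {a: 0 for a in addresses}   # per-member count of post bounces
        self.probing = set()                     # members with a probe in flight
        self.outbox = []                         # (address, body) probes "sent"

    def post_bounced(self, address):
        """A list post bounced: record a hint, maybe probe, never remove."""
        if address not in self.hints or address in self.probing:
            return
        self.hints[address] += 1
        if self.hints[address] >= HINT_THRESHOLD:
            self.probing.add(address)
            self.outbox.append((address, PROBE_BODY))

    def probe_result(self, address, bounced):
        """Only the outcome of the known-content probe decides membership."""
        if address not in self.probing:
            return                      # no probe was sent: ignore the report
        self.probing.discard(address)
        if bounced:
            del self.hints[address]     # probe bounced: the address is broken
        else:
            self.hints[address] = 0     # probe arrived: earlier hints were noise

    def members(self):
        return sorted(self.hints)


def simulate(all_addresses, dead_addresses, hostile_posts=5):
    """Constructed scenario: every member's MTA rejects each hostile post."""
    handler = ProbingBounceHandler(all_addresses)
    for _ in range(hostile_posts):
        for address in all_addresses:
            handler.post_bounced(address)
    for address, _body in list(handler.outbox):
        handler.probe_result(address, bounced=address in dead_addresses)
    return handler


if __name__ == "__main__":
    sample = ["a@example.org", "b@example.org", "dead@example.org"]  # constructed
    print(simulate(sample, {"dead@example.org"}).members())
```
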