At 2:36 PM -0400 2004-06-17, Greg Stark wrote:
> Virus scans are only one type of bounce that could cause someone to be
> unsubscribed spuriously. For example, most mail servers have a maximum message
> size. Consider the security implications: all I have to do to mass
> unsubscribe many people--even everyone--on a list is send a message over 50k.
> Everyone using old versions of sendmail will be unsubscribed. A larger message
> will unsubscribe anyone using most modern MTAs. Nor do the tests that require
> multiple bounces protect anything; I just have to send my attack a few times
> quickly.
50k?!? Where are you getting this number? Maximum message size on most MTAs is usually a default of something like 1-10MB, or even unlimited. In more than ten years of specializing in running mail systems, I don't think I have *once* seen an MTA that was default configured to a maximum message size of just 50k.
> Really Mailman should simply not trust outside data for any purpose. It should
> treat the bounces received from mailing list messages purely as hints. It
> should then send its *own* message with content not subject to any control
> from outside to the user. Only if that known inoffensive message bounces
> should it consider removing the user.
>
> This is really a DOS security issue, though the worst case attack is unsubscribing many users of a list. That it gets triggered normally even when not specifically under attack only makes the problem apparent.
This is basically what Mailman is now doing. From the Mailman-2.1.5/NEWS file:
- The bounce processor has been redesigned so that now when an address's bounce score reaches the threshold, that address will be sent a probe message. Only if the probe bounces will the address be disabled. The score is reset to zero when the probe is sent. Also, bounce events are now kept in an event file instead of in memory. This should help contain the bloat of the BounceRunner.
New supporting variables in Defaults.py: VERP_PROBE_FORMAT, VERP_PROBE_REGEXP
REGISTER_BOUNCES_EVERY is promoted to a Defaults.py variable.
-- Brad Knowles, <[EMAIL PROTECTED]>
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.
SAGE member since 1995. See <http://www.sage.org/> for more info.
Mailman-Developers mailing list [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/mailman-developers
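The probe-before-disable design described in the thread (bounces of list traffic are hints that only raise a score; reaching the threshold sends a small, list-controlled probe; only a bounce of that probe disables the address) can be modelled in a few dozen lines. The following is an added example written for this page, not Mailman's own BounceRunner; the PROBE_FORMAT / PROBE_REGEXP strings, the member addresses and the "oversize flood" scenario are all constructed assumptions, and the real VERP_PROBE_FORMAT and VERP_PROBE_REGEXP values from Defaults.py are not reproduced. It also shows why an unguessable token in the probe's return address matters: a forged "probe bounce" that does not carry an outstanding token is ignored rather than disabling anyone.

```python
"""Toy model of probe-based bounce processing (added example, not Mailman code)."""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical VERP probe address layout, modelled on the idea behind Mailman's
# VERP_PROBE_FORMAT / VERP_PROBE_REGEXP but not copied from Defaults.py.
PROBE_FORMAT = "{listname}-bounces+{token}@{domain}"
PROBE_REGEXP = re.compile(
    r"^(?P<listname>[^@+]+)-bounces\+(?P<token>[0-9a-f]{16})@(?P<domain>[^@]+)$")


@dataclass
class Member:
    address: str
    score: float = 0.0                   # accumulated bounce score: a hint only
    probe_token: Optional[str] = None    # set while a probe is outstanding
    disabled: bool = False


class BounceProcessor:
    """Bounces of list posts never disable an address; only a bounced probe does."""

    def __init__(self, listname: str, domain: str, threshold: float = 5.0):
        self.listname = listname
        self.domain = domain
        self.threshold = threshold
        self.members: dict[str, Member] = {}
        self.pending: dict[str, str] = {}    # probe token -> member address
        self.outbox: list[dict] = []         # probes "sent" (captured instead of SMTP)

    def subscribe(self, address: str) -> None:
        self.members[address] = Member(address)

    def register_bounce(self, address: str, weight: float = 1.0) -> None:
        """Bounce of an ordinary list message. Untrusted input: it only raises a score."""
        m = self.members.get(address)
        if m is None or m.disabled or m.probe_token is not None:
            return  # unknown address, already disabled, or a probe is already out
        m.score += weight
        if m.score >= self.threshold:
            self._send_probe(m)

    def _send_probe(self, m: Member) -> None:
        token = secrets.token_hex(8)   # 16 hex chars; unguessable by an outsider
        m.probe_token = token
        m.score = 0.0                  # score is reset when the probe goes out
        self.pending[token] = m.address
        self.outbox.append({
            "from": PROBE_FORMAT.format(listname=self.listname, token=token,
                                        domain=self.domain),
            "to": m.address,
            # Content is fixed by the list software, so no outside party can make it
            # oversized, virus-flagged or otherwise rejectable.
            "body": "Small probe message whose content is controlled by the list.",
        })

    def handle_bounce(self, envelope_recipient: str) -> str:
        """Classify an incoming bounce by the VERP address it was returned to."""
        match = PROBE_REGEXP.match(envelope_recipient)
        if not match:
            return "hint-only"       # not a probe bounce; goes through register_bounce
        address = self.pending.pop(match.group("token"), None)
        if address is None:
            return "unknown-token"   # forged or stale probe bounce: ignored
        m = self.members[address]
        m.probe_token = None
        m.disabled = True            # the known-inoffensive probe itself bounced
        return "disabled"

    def probe_delivered(self, address: str) -> None:
        """Probe did not bounce within the grace period: clear it, keep the member."""
        m = self.members[address]
        if m.probe_token is not None:
            self.pending.pop(m.probe_token, None)
            m.probe_token = None


def simulate_oversize_flood() -> BounceProcessor:
    """Constructed scenario: repeated oversized posts bounce for every member."""
    bp = BounceProcessor("demo-list", "lists.example.invalid", threshold=3.0)
    for addr in ("alice@example.invalid", "bob@example.invalid"):
        bp.subscribe(addr)
    for _ in range(10):                      # many bounces, but each one is just a hint
        for addr in list(bp.members):
            bp.register_bounce(addr)
    # Alice's mailbox accepts the small probe, so she stays subscribed.
    bp.probe_delivered("alice@example.invalid")
    # Bob's mailbox is genuinely dead: his probe comes back and he is disabled.
    bob_probe = next(p for p in bp.outbox if p["to"] == "bob@example.invalid")
    bp.handle_bounce(bob_probe["from"])
    return bp
```

In the simulation each member receives exactly one probe regardless of how many list-message bounces pile up, and the flood alone disables nobody; the attacker's only lever is the probe, whose content they do not control and whose return address carries a token they cannot know.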