At 10:19 AM 11/28/2005, Mark Sapiro wrote:

>The ban list will prevent subscribing a banned address directly, but I
>think there is a way around it. Namely, if addr1 is banned, a person
>who can receive confirmations sent to another address can subscribe
>that address and then change the subscription address to addr1. I
>haven't verified this, but I think it's true. If so, I think it's a
>bug.
>
>In your case, you can check Mailman's 'subscribe' log to see if the
>banned address actually subscribed, or possibly identify a different
>address that subscribed and was possibly later changed to the banned
>address. Unfortunately for this investigation, address changes aren't
>logged or reported.
The log indicates that the specific address was subscribed and confirmed through the web, so that eliminates the "subscribe and change" possibility:

Nov 26 13:47:08 2005 (54395) mylist: new (digest) "[email protected]" <The Mail Archive>, via web confirmation

I ran a test trying to subscribe an address that is listed in the ban list. From the listinfo page, the subscription request resulted in a statement that the address was banned. From the [EMAIL PROTECTED] address, the subscription request received a reply that the address was banned. So the ban is working.

I now believe that the subscription was not done in a normal manner but may have been taking advantage of a hole in the program's operations. I'm checking other server logs to get to the bottom of it.

Sidenote: If you don't know who The Mail Archive is, you should take a minute to check it out. If you run any private lists, you definitely do NOT want that address subscribed to them. They operate a site where anyone can subscribe any list for public archiving without the listowner's approval.

>subscribe_policy = confirm only means the user has to confirm. It has
>nothing to do with banning per se.
>
>As far as prevention is concerned, be sure that admin_notify_mchanges
>is Yes so you will be notified of subscribes and unsubscribes (but not
>address changes), and consider setting subscribe_policy to 'Require
>approval' or 'Confirm and approve'.

Yes, I had that in effect at the time and saw the subscription right after it happened and was able to unsubscribe it. I have now also changed the subscribe_policy to Confirm and Approve. Not really happy with that, but it seems that I am forced to do it under the circumstances.
Best wishes,
Rae

------------------------------------------------------
Mailman-Users mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
