[Mailman-Users] 1 xxx moderator request(s) waiting
Hi,

I have a waiting message, but the queue is empty. How can I get rid of this warning? The xxx are replacements to hide the real names (spam).

= Warning message every day =

The [EMAIL PROTECTED] mailing list has 1 request(s) waiting for your consideration at:

http://xxx/cgi-bin/mailman/admindb/xxx

Please attend to this at your earliest convenience. This notice of pending requests, if any, will be sent out daily.

Pending posts:
From: [EMAIL PROTECTED] on Thu Jan 12 15:15:41 2006
Subject: 1
Cause: Post by non-member to a members-only list

= output of bin/dumpdb lists/xxx/request.pck =

[- start pickle file -]
<- start object 1 ->
{'version': (0, 1)}
[- end pickle file -]

No message is visible via the web interface. The list is working OK.

Peter

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
Re: [Mailman-Users] any info on this reported exploit?
>>>>> "Jim" == Jim Popovitch [EMAIL PROTECTED] writes:

Jim> Stephen J. Turnbull wrote:
>> Oh, if you prefer windstorms, hurricane is a bad analogy. Far more accurate is tornado.<0.1 wink>

Jim> Hurricane is the most accurate analogy, because with hurricanes nobody knows about them until the NWS (at least here in the USA) informs them.

The reason nobody knows until they're told is because they haven't thought to google for satellite weather photos.<wink>

One reason I say that hurricanes are a bad analogy (besides the fact that they're not sentient, while even script kiddies are sentient) is that they're big and they trash everything in their path. Of course it makes sense to invest in a press office to make announcements about them. Furthermore, non-specialists have a strong interest in the news, because they have options---they can board the windows and run away.

This is not the case with Mailman; only specialists (sysadmins as well as developers) can do anything about it, and they should know where to find the equivalent of satellite weather photos (CERT, SecurityFocus, etc).

Here, we have a vulnerability; in this case the exploit is obvious, but who is really going to exploit it? Furthermore, if you just keep daily stats on the size of the queues, you'll almost certainly catch it before it's a real problem, unless you're using lists for time-sensitive information. But in that case you'd better be set up for hourly reports, anyway.

While there are profitably exploitable defects, most defects are like this one. Is there really much benefit to keeping everyone up to date? No.

Now consider a moderately dangerous bug, like the path-traversal bug. *It wasn't a Mailman bug, Mailman cannot enforce access control.* If you announce this bug, and how to work around it, you've exposed the bug in Apache to the world. If the Apache developers don't have a fix ready to deploy, this is very dangerous.

Even if you don't mention Apache, the black hats see your announcement and realize (1) Mailman is not a webserver; (2) the path traversal bug must be in a webserver; (3) they see how it works through the countermeasure taken. Mailman has just published a way to exploit Apache.

Of course not all cases are like this example, but determining what kind of case it is, and what information others are likely to consider sensitive (including asking them), is time- and attention-consuming.

Jim> You mis-characterize (yet again?) what I am saying. I am not advocating for the developers to work more, or differently.

But you are. I've worked on such fixes (a rank amateur, but I was the one who was available), and I've seen pros at work. You consistently assume that the developers already possess the information you ask for; I see no reason to believe they do. Even the small amount of information you say you want takes a fair amount of attention to produce. If there are two developers involved, they'll undoubtedly have different cost estimates, so there needs to be a meeting. If there is another project involved, there will have to be a national election<wink>. In a free software project, it's reasonable to say that the only tasks where reliable schedule estimates can be made are those that are already finished. Release of security-related information is yet more controversial (witness this thread). More meetings.

Jim> That is an option that I reserve the right to make the decision on. Don't remove my capability to make that decision by hiding the info.

Neither I nor you have any *right* in the matter.

Jim> Huh? Re-read my comments. I reserve the right to shut my Mailman system down, for any reason, at any time, lack-of-a-workaround or not.

No, you re-read your comments. "Don't remove" is an imperative phrase in the English language. Your use of the imperative mood is sufficient justification for assuming you think you have some rights in the matter of receiving information.

Elsewhere you talk about what you "expect", which corroborates that inference.

Jim> Why should Mark/Barry/Tokio trust me any more than the next guy?

They shouldn't. I'm saying that there are a number of alternatives. One of those is for you to contribute enough (and otherwise show reliability) to become trusted. If you want to ask them for "off the top of their heads" estimates, you'd better be trustworthy, because they're in too much of a hurry to think carefully about what they're saying.

I really have to disapprove of the way you consistently deprecate costs that others incur, while inflating those that you face.

Jim> You need to re-read what I've been writing.

I've read what you've written carefully, see above for evidence. You may need to be more careful to write what you mean more precisely, but that's not my problem---it's hard enough to respond accurately to what's there in black and white.

Regarding the inflation of costs,
Re: [Mailman-Users] Verifying posts
>>>>> "Jim" == Jim Popovitch [EMAIL PROTECTED] writes:

Jim> Hi all, I've been looking into TMDA (http://tmda.net) and got to wondering if something like this (or a subset of it) should be incorporated into Mailman.

There was a thread about this in the fairly recent past, perhaps it was on mailman-developers, though. IIRC the consensus was "making this more trouble than it's worth is not going to be easy."

In the interest of preempting a flamewar, let me note here that challenge-response systems are a hot button for at least one of the frequent posters on this list, and it would be a good idea to review past threads and be prepared for those arguments.

There was another thread on mailman-developers about a month ago regarding the idea of weeding out unused addresses, although the policy proposed there was significantly more aggressive.

--
School of Systems and Information Engineering   http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba   Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Ask not how you can "do" free software business; ask what your business can do for free software.
Re: [Mailman-Users] Verifying posts
At 1:28 AM +0900 2006-01-30, Stephen J. Turnbull wrote:

> There was a thread about this in the fairly recent past, perhaps it was on mailman-developers, though. IIRC the consensus was "making this more trouble than it's worth is not going to be easy."

There is a FAQ entry on how to integrate Mailman with TMDA. IIRC, it is one of the longest, most extensive, and most complex FAQ entries.

> In the interest of preempting a flamewar, let me note here that challenge-response systems are a hot button for at least one of the frequent posters on this list, and it would be a good idea to review past threads and be prepared for those arguments.

I can't speak for anyone else, but I'm pretty violently opposed to TMDA in general.

> There was another thread on mailman-developers about a month ago regarding the idea of weeding out unused addresses, although the policy proposed there was significantly more aggressive.

I'm not sure I would be opposed to a feature where posts to a list that result in moderation would require a confirmation before being displayed in the moderation queue (thus eliminating most spam where the sender's address is forged), but that's about as far as I would go.

--
Brad Knowles, [EMAIL PROTECTED]

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See http://www.lopsa.org/.
Re: [Mailman-Users] 1 xxx moderator request(s) waiting
Peter wrote:

> = Warning message every day =
>
> The [EMAIL PROTECTED] mailing list has 1 request(s) waiting for your consideration at:
>
> http://xxx/cgi-bin/mailman/admindb/xxx
>
> Please attend to this at your earliest convenience. This notice of pending requests, if any, will be sent out daily.
>
> Pending posts:
> From: [EMAIL PROTECTED] on Thu Jan 12 15:15:41 2006
> Subject: 1
> Cause: Post by non-member to a members-only list
>
> = output of bin/dumpdb lists/xxx/request.pck =
>
> [- start pickle file -]
> <- start object 1 ->
> {'version': (0, 1)}
> [- end pickle file -]

Somewhere in your system is a crontab that is running a cron/checkdbs that's in a different directory and reporting on a different lists/xxx/request.pck file. I.e. you have or once had a Mailman installed in a different place and this email is coming from that Mailman.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
[Mailman-Users] Is there a workaround to this?
I have been reading throughout the web and it seems that when one is reading a mailing list in Outlook, Mailman does something like this:

http://www.washington.edu/computing/mailman/faqs/mailman.header.html

Is there a work-around to that yet?

Kind regards,
Jp
[Mailman-Users] New Lists not getting emails from internal domain
Hi,

I have successfully migrated our Mailman to a new server. All seems to work perfectly on the existing lists. However, when I created a new list, somehow emails coming from the internet are being accepted/relayed and bounced properly, but email coming from my own domain indicates "unknown user".

Example:
Domain name: network.com
Mailing list server: lists.network.com

I updated the /etc/aliases as well.

Thanks in advance.
Neilrey
[Mailman-Users] How hard is it to spoof an email?
How hard would it be for someone to maliciously start sending all the users in my list emails, or start deleting people from it by sending bounce errors, or by spoofing the admin email and start emailing everyone on the list?

Is this a common problem, or is Mailman secure about it? What are some ways to help avoid any problems? Please explain carefully and with plenty of details as I am still figuring things out.

Kind regards,
Jp
Re: [Mailman-Users] Is there a workaround to this?
Jp Possenti wrote:

> I have been reading throughout the web and it seems that when one is reading a mailing list in Outlook, Mailman does something like this:
>
> http://www.washington.edu/computing/mailman/faqs/mailman.header.html
>
> Is there a work-around to that yet?

See http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq02.003.htp.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Mailman-Users] New Lists not getting emails from internal domain
Neilrey Espino wrote:

> I have successfully migrated our Mailman to a new server. All seem to work perfectly on the existing Lists. However when, I created a new list, somehow emails coming from the internet are being accepted/relayed and bounced properly but email coming from my own domain indicates unknown user.

This appears to be an issue with how your incoming MTA treats mail from your own domain (localhost?) vs. the internet. That would be an MTA configuration issue which would be better addressed on a list or other resource specific to your MTA.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Mailman-Users] How hard is it to spoof an email?
Jp Possenti wrote:

> How hard would it be for someone to maliciously start sending all the users in my list emails or start deleting people from it by sending bounce errors or by spoofing the admin email and start emailing everyone on the list?

It all depends on how your list is set up.

> Is this a common problem, or is mailman secure about it? What are some ways to help avoid any problems?

Go to the FAQ wizard

Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py

and search for "spoof".

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Mailman-Users] Is there a workaround to this?
So basically there is none yet. Hopefully in the future there will be. I don't want to hack anything really, just don't feel comfortable enough, and it may be breaking something else in the long run after an upgrade or update.

Kind regards,
Jp

-----Original Message-----
From: Mark Sapiro [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 29, 2006 2:07 PM
To: [EMAIL PROTECTED]; mailman-users@python.org
Subject: Re: [Mailman-Users] Is there a workaround to this?

Jp Possenti wrote:

> I have been reading throughout the web and it seems that when one is reading a mailing list in Outlook, Mailman does something like this:
>
> http://www.washington.edu/computing/mailman/faqs/mailman.header.html
>
> Is there a work-around to that yet?

See http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq02.003.htp.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
[Mailman-Users] Why are footers sent as attachments?
Why is it that when I set Mailman to apply a footer with some info, Outlook detects it as an attachment? Is this yet another problem with just Outlook? Also, does the footer in Mailman support HTML?

I want to make it so at the bottom of every email I can include a reply-to address for them to unsubscribe. This sort of leads me to my next question. To have a user unsubscribe without seeing the web interface and just by email, which would be the right command?

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Or are there more? Also, does anything need to be written in the subject line? If not, what if someone writes something, or writes something that is not right, will it still unsubscribe them? I would like to state that if they want to be removed, to please click here to send an email to unsubscribe.

Kind regards,
Jp
Re: [Mailman-Users] How hard is it to spoof an email?
I have a couple of questions regarding that FAQ link:

1. Setting the max_num_recipients to 1 will mean that any time I make a newsletter to the public, I need to login and approve that request, correct? I am just confused about the wording of the command. Does that mean that the message will go through but just to 1 person in the list and the other say 499 people will not receive it? I apologize for the ignorance.

2. For setting everyone's moderation bit on, I can figure that out as it's an option under General -> Additional settings. But for the second part regarding posting using an approved: header I don't see that option anywhere. How would this work?

Kind regards,
Jp

-----Original Message-----
From: Mark Sapiro [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 29, 2006 2:18 PM
To: [EMAIL PROTECTED]; mailman-users@python.org
Subject: Re: [Mailman-Users] How hard is it to spoof an email?

Jp Possenti wrote:

> How hard would it be for someone to maliciously start sending all the users in my list emails or start deleting people from it by sending bounce errors or by spoofing the admin email and start emailing everyone on the list?

It all depends on how your list is set up.

> Is this a common problem, or is mailman secure about it? What are some ways to help avoid any problems?

Go to the FAQ wizard

Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py

and search for "spoof".

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Mailman-Users] Why are footers sent as attachments?
Jp Possenti wrote:

> Why is it that when I set Mailman to apply a footer with some info, Outlook detects it as an attachment? Is this yet another problem with just outlook? Also does the footer in mailman support HTML?

Please read the FAQ. A search of the FAQ for "footer" should turn up the answers to both these questions.

> I want to make it so at the bottom of every email I can include a reply to address for them to unsubscribe. This sort of leads me to my next question. To have a user unsubscribe without seeing the web interface and just by email, which would be the right command?
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]

Either one, they're synonymous (assuming List and Listname are synonymous).

> Or are there more?

Send an "unsubscribe" command to [EMAIL PROTECTED]

> Also does anything need to be written in the subject line? If not, what if someone writes something or writes something that is not right, will it still unsubscribe them?

For the first two, the subject is ignored so the answer to your second question is yes.

> I would like to state that if they want to be removed, to please click here to send an email to unsubscribe.

You can simply put some text and mailto:[EMAIL PROTECTED], but whether or not this will be 'clickable' depends entirely on the recipient's MUA. Even if you make the footer look like HTML, it will be in a text/plain part of the message so it won't be rendered as HTML.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Mailman-Users] Why are footers sent as attachments?
Mark,

If I decide to do the one that is like this: [EMAIL PROTECTED]

The command goes in the subject or body? In this case "unsubscribe" would be in which? Or does it not matter?

Kind regards,
Jp Possenti

-----Original Message-----
From: Mark Sapiro [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 29, 2006 3:18 PM
To: [EMAIL PROTECTED]; mailman-users@python.org
Subject: Re: [Mailman-Users] Why are footers sent as attachments?

Jp Possenti wrote:

> Why is it that when I set Mailman to apply a footer with some info, Outlook detects it as an attachment? Is this yet another problem with just outlook? Also does the footer in mailman support HTML?

Please read the FAQ. A search of the FAQ for "footer" should turn up the answers to both these questions.

> I want to make it so at the bottom of every email I can include a reply to address for them to unsubscribe. This sort of leads me to my next question. To have a user unsubscribe without seeing the web interface and just by email, which would be the right command?
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]

Either one, they're synonymous (assuming List and Listname are synonymous).

> Or are there more?

Send an "unsubscribe" command to [EMAIL PROTECTED]

> Also does anything need to be written in the subject line? If not, what if someone writes something or writes something that is not right, will it still unsubscribe them?

For the first two, the subject is ignored so the answer to your second question is yes.

> I would like to state that if they want to be removed, to please click here to send an email to unsubscribe.

You can simply put some text and mailto:[EMAIL PROTECTED], but whether or not this will be 'clickable' depends entirely on the recipient's MUA. Even if you make the footer look like HTML, it will be in a text/plain part of the message so it won't be rendered as HTML.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Mailman-Users] How hard is it to spoof an email?
Jp Possenti wrote:

> I have a couple of questions regarding that FAQ link:
>
> 1. Setting the max_num_recipients to 1 will mean that any time I make a newsletter to the public, I need to login and approve that request, correct?

Maybe. See below.

> I am just confused about the wording of the command. Does that mean that the message will go through but just to 1 person in the list and the other say 499 people will not receive it?

No, it means that any message that is sent to the list with more than 0 (1 or more) addresses in the To: and Cc: headers combined, that message will be held for moderator approval unless it contains an Approved: header. Note that it is quite possible to send a message with 0 addresses in To: and Cc: which is why if you choose this option, you need to also set require_explicit_destination to Yes so that posts with 0 recipients will be held too.

> 2. For setting everyone's moderation bit on, I can figure that out as it's an option under General -> Additional settings.

Actually that's emergency moderation. Normally what you do is set default_member_moderation to Yes on Privacy options... -> Sender filters so new members are moderated, and then set all existing members moderated under Additional Member Tasks on Membership Management... -> Membership List.

> But for the second part regarding posting using an approved: header I don't see that option anywhere.

This works with either option above. It is not a list setting. In order to bypass moderation of a post that would normally be held for any of the above reasons, you can put a header

Approved: list_password

in the message you send to the list. You can also put this in the first line of the body of the post (as long as it's plain text). The header will be removed, and as long as the list_password is correct, the post will bypass the hold and will be delivered directly to the list.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
Re: [Mailman-Users] Why are footers sent as attachments?
Jp Possenti wrote:

> If I decide to do the one that is like this: [EMAIL PROTECTED]
>
> The command goes in the subject or body? In this case "unsubscribe" would be in which? Or does it not matter?

The '-request' processing processes the Subject: and the first mm_cfg.DEFAULT_MAIL_COMMANDS_MAX_LINES (default value = 25) lines of the body. If the subject is not a valid command, it is ignored. After that, the first line which is not a valid command stops the process. So the short answer is it doesn't matter.

Send the command "help" to the -request address for documentation of the available commands.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
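An added example (not Mailman's own code) that models the command-scanning rules Mark describes: Subject: first, ignored if it is not a command; then at most DEFAULT_MAIL_COMMANDS_MAX_LINES body lines, stopping at the first line that is not a command. The command set is a subset chosen for the example, and skipping blank body lines is a modelling assumption; the sample messages are constructed.

```python
import email
from email.message import Message
from typing import List

# Mirrors mm_cfg.DEFAULT_MAIL_COMMANDS_MAX_LINES (default 25).
DEFAULT_MAIL_COMMANDS_MAX_LINES = 25

# Command verbs this model understands. The real list is what 'help' returns;
# this subset is an assumption made for the example.
KNOWN_COMMANDS = {"help", "unsubscribe", "subscribe", "lists", "info", "password", "set", "who"}


def is_command(line: str) -> bool:
    """A line counts as a command when its first word is a known verb."""
    words = line.strip().split()
    return bool(words) and words[0].lower() in KNOWN_COMMANDS


def extract_commands(raw_message: str,
                     max_lines: int = DEFAULT_MAIL_COMMANDS_MAX_LINES) -> List[str]:
    """Return the command lines a -request address would act on, in order.

    Subject: is tried first and silently ignored if it is not a command.
    Then body lines 1..max_lines are scanned; the first non-blank line that
    is not a command ends the scan, so a signature or chatty text after the
    commands does no harm, while text *before* them hides them.
    Blank lines being skipped is an assumption of this model.
    """
    msg: Message = email.message_from_string(raw_message)
    found: List[str] = []
    subject = msg.get("Subject", "")
    if is_command(subject):
        found.append(subject.strip())
    body = "" if msg.is_multipart() else msg.get_payload()
    for line in body.splitlines()[:max_lines]:
        if not line.strip():
            continue
        if not is_command(line):
            break
        found.append(line.strip())
    return found


# Constructed sample messages (not from the thread).
SUBJECT_ONLY = (
    "From: member@example.org\n"
    "To: listname-request@example.org\n"
    "Subject: unsubscribe\n\n"
    "Please take me off, thanks.\n"      # not a command: scan stops here
)
BODY_ONLY = (
    "Subject: Re: newsletter\n\n"         # 'Re:' is not a command: ignored
    "unsubscribe\n"
    "--\nJp\n"                             # signature: stops the scan
)
TOO_DEEP = "Subject: hi\n\n" + "\n" * 29 + "help\n"   # line 30: beyond the 25-line window

if __name__ == "__main__":
    for name, raw in [("subject only", SUBJECT_ONLY), ("body only", BODY_ONLY), ("too deep", TOO_DEEP)]:
        print(f"{name:13s}: {extract_commands(raw)}")
```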
Re: [Mailman-Users] Verifying posts
Brad Knowles wrote:

> At 1:28 AM +0900 2006-01-30, Stephen J. Turnbull wrote:
>
>> There was a thread about this in the fairly recent past, perhaps it was on mailman-developers, though. IIRC the consensus was "making this more trouble than it's worth is not going to be easy."
>
> There is a FAQ entry on how to integrate Mailman with TMDA. IIRC, it is one of the longest, most extensive, and most complex FAQ entries.

Yeah, I was trying to avoid that here too. TMDA is overkill for what I described.

>> In the interest of preempting a flamewar, let me note here that challenge-response systems are a hot button for at least one of the frequent posters on this list, and it would be a good idea to review past threads and be prepared for those arguments.
>
> I can't speak for anyone else, but I'm pretty violently opposed to TMDA in general.

I am too for the most part, but I do see the need to periodically validate a poster's intention. I see lists all the time where people who never would post (receive only) mistakenly hit Reply-All and send personal comments to the whole list. This feature would be a good thing for *them* (I'm not solely looking at this from my perspective).

>> There was another thread on mailman-developers about a month ago regarding the idea of weeding out unused addresses, although the policy proposed there was significantly more aggressive.
>
> I'm not sure I would be opposed to a feature where posts to a list that result in moderation would require a confirmation before being displayed in the moderation queue (thus eliminating most spam where the sender's address is forged), but that's about as far as I would go.

That would work too, although I would then want to be able to auto-mod posters who don't post frequently. ;-)

-Jim P.
Re: [Mailman-Users] any info on this reported exploit?
Brad Knowles wrote:

> At 2:11 PM -0500 2006-01-28, Jim Popovitch wrote:
>
>> The whole reason for me waxing so passionately on this thread is the earlier suggestion that Diana shouldn't have even emailed mailman-users, but rather mailman-security and kept it quiet thereafter (this after it was already released over at securityfocus.com).
>
> Correct. See FAQ 1.27. That is the official Security Policy of this mailing list, and that information is included in the footer of every single mail message which passes through this list.

But, Diana wasn't emailing sensitive info. She was asking a very important question about something that was already public. You then told her that she should have gone to the secret-handshake club. Are you suggesting that all "Hey, has this been fixed yet" questions should be off list and only one-on-one with mailman-security?

> In this case, no harm was done, since the bug had already been fixed through the work that Tokio had done in creating the next release of the code, and the real problem was the disconnect in what we were calling the bug and what they were calling it. But the potential was certainly there.
>
> But if you can't adhere to the official Security Policy of this mailing list, then you shouldn't be posting here, and you shouldn't be subscribed.

er, Right (the elitism really shines through Brad).

-Jim P.
Re: [Mailman-Users] How hard is it to spoof an email?
Jp Possenti wrote:
> I have a couple of questions regarding that FAQ link:
>
> 1. Setting the max_num_recipients to 1 will mean that any time I make a newsletter to the public, I need to login and approve that request, correct?

The number of recipients is the number of addresses in the email you compose. When you sent this message (that I'm replying to), you addressed it to mailman-users@python.org which is just ONE recipient. (To the mailman server, this message had only one recipient.) If you had sent this message to mailman-users@python.org and also to the author of the message you were replying to (via To or CC), then to the mailman server this message would have had two recipients.

The max_num setting is used to help prevent users from sending messages addressed to (or cc) many different addresses in a single message. In most cases such messages are not messages you want distributed to your list. This setting is usually used for discussion lists and the default is left alone for announcement lists because you control who and how the posts go to your list by using moderation and approved passwords, rather than by limiting the number of recipients in the initial email.

> I am just confused about the wording of the command. Does that mean that the message will go through but just to 1 person in the list and the other say 499 people will not receive it?

No, it does not do that and there is no setting to do that.

> 2. For setting everyone's moderation bit on, I can figure that out as it's an option under General - Additional settings. But for the second part regarding posting using an approved: header I don't see that option anywhere. How would this work?

I just updated the announcement list FAQ:

http://www.python.org/cgi-bin/faqw-mm.py?query=approved+headerquerytype=simplecasefold=yesreq=search

to include:

    The approved header or first line has the following format:

    Approved: password

    If you are using this on the first line of your post, follow it with a blank line.

Mailman will recognize it as the header and remove it from the body. Follow it with a blank line because the line following the Approved: line is removed too (in Mailman 2.1.4 anyway).

I don't know how HTML formatting and other email client oddities may affect using the approved header in the first line of your post so I can't be certain that this will work perfectly for you on your first try. I've seen it happen where someone got confused, didn't use the approved header as a first line correctly, then approved the message using the web interface only to discover their message distributed to the whole list with the password included in the message. So it's usually a good idea to use a test list with 2 or 3 subscribers and practice using the first line of your post "approved password" system a few times so you can be sure that it works as you expect before you try to use it on a large distribution list.

jc
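The Approved: handling jc describes, modelled as an added example (not Mailman's own code and not from this thread): the pseudo-header is only honoured on the first body line, that line and the one after it are scrubbed, and a post that puts it anywhere else keeps the password in the body, which is exactly what leaks when a moderator then approves it on the web. The list password and the sample posts are constructed for the demo.

```python
"""Added example, not code from the thread or from Mailman itself: how an
Approved: pseudo-header on the first body line is recognised and scrubbed,
and how a post that gets the placement wrong leaks the password to the list."""
import email
import hmac

# Constructed list/moderator password for the demo only.
LIST_PASSWORD = "s3cret-list-pw"


def password_ok(candidate):
    """Constant-time comparison so a timing side channel does not help guess it."""
    return hmac.compare_digest(candidate.strip(), LIST_PASSWORD)


def check_and_scrub_approved(raw):
    """Return (approved, message) for a raw text/plain post.

    Mirrors the rule quoted above: a real Approved: header is honoured, and a
    pseudo-header is honoured only on the very first body line, in which case
    that line and the one after it (the blank separator) are both removed.
    The Approved: line is removed even when the password is wrong, so a typo
    is never forwarded to subscribers."""
    msg = email.message_from_bytes(raw)
    approved = False

    if "Approved" in msg:                      # header names match case-insensitively
        approved = password_ok(msg["Approved"])
        del msg["Approved"]                    # never let the header reach the list

    if not msg.is_multipart():                 # the demo handles text/plain only
        lines = msg.get_payload().split("\n")
        if lines and lines[0].lower().startswith("approved:"):
            approved = approved or password_ok(lines[0].split(":", 1)[1])
            msg.set_payload("\n".join(lines[2:]))   # drop Approved: line + following line
    return approved, msg


def password_leaked(msg):
    """True if the list password would be distributed in the body as-is."""
    return not msg.is_multipart() and LIST_PASSWORD in msg.get_payload()


# Constructed sample posts.
GOOD_POST = (b"From: owner@example.com\nTo: news@example.com\nSubject: Newsletter\n\n"
             b"Approved: s3cret-list-pw\n\nHello subscribers.\n")
# The Approved: line is on the second body line, so it is not a pseudo-header.
BAD_POST = (b"From: owner@example.com\nTo: news@example.com\nSubject: Newsletter\n\n"
            b"Hi all,\nApproved: s3cret-list-pw\n\nHello subscribers.\n")
HEADER_POST = (b"Approved: s3cret-list-pw\nFrom: owner@example.com\nTo: news@example.com\n"
               b"Subject: Newsletter\n\nHello subscribers.\n")

if __name__ == "__main__":
    for name, post in (("good", GOOD_POST), ("bad", BAD_POST), ("header", HEADER_POST)):
        ok, scrubbed = check_and_scrub_approved(post)
        print(name, "approved" if ok else "held for moderation",
              "PASSWORD IN BODY" if password_leaked(scrubbed) else "body clean")
```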
Re: [Mailman-Users] How hard is it to spoof an email?
Jp Possenti wrote:
> How hard would it be for someone to maliciously start sending all the users in my list emails or start deleting people from it by sending bounce errors

It's not hard at all. In fact it's quite easy. This is because the raw archive data is available to the public. See this FAQ: http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq04.066.htp

> or by spoofing the admin email and start emailing everyone on the list?

That's not hard at all either, although you probably shouldn't have your admin email as a list member. Of course, the spammer could just use any of your subscribers email addresses including the valid ones that haven't posted in 4 years (*cough*, *cough*). See the recent "Verifying posts" thread.

> Is this a common problem, or is mailman secure about it? What are some ways to help avoid any problems?

Use an MTA that supports DKIM and/or SPF. These standards help to verify who the sender is. So if [EMAIL PROTECTED] posts to your list, SPF will verify that the email came from an approved aol.com server, not something like 24.16.8.101-home.dsl.cox.net. DKIM takes it a step further and adds an encrypted email header key that is carried with the email during its entire journey through multiple servers. This key enables every hop to validate the email, whereas SPF is just point-to-point validation based on email header info (which can very easily be modified in transit).

> Please explain carefully and with plenty of details as I am still figuring things out.

Heck, that should be SOP for everyone. ;-)

-Jim P.
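The SPF check Jim points to, as an added example (not code from this thread, from Mailman or from any MTA): the connecting IP is matched against the sender domain's published record and the result is turned into a list-side decision. DNS is replaced by a constructed table so it runs offline, only ip4/ip6 mechanisms and "all" are implemented, and the hold/reject policy is an assumption of the demo.

```python
"""Added example, not code from the thread, Mailman or any MTA: a minimal SPF
evaluator of the kind Jim describes, and a list-side decision taken from its
verdict.  DNS is a constructed table so the demo runs offline; only ip4/ip6
mechanisms and "all" are implemented."""
import ipaddress

# Constructed stand-in for the sender domains' SPF TXT records.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from_domain, dns=FAKE_DNS):
    """Evaluate the envelope sender domain's SPF record against the connecting IP.

    Returns pass, fail, softfail, neutral, none (no usable record) or, for
    mechanisms this offline demo cannot resolve (a, mx, include, ...), permerror."""
    record = dns.get(mail_from_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                        # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]       # "all" matches everything not matched above
        mechanism, _, argument = term.partition(":")
        if mechanism not in ("ip4", "ip6"):
            return "permerror"                 # demo simplification, see docstring
        network = ipaddress.ip_network(argument, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"                           # record ended without a match or "all"


def list_action(spf_result):
    """Constructed policy for the list: reject a hard fail, hold a softfail for
    a moderator, deliver everything else (pass, neutral, none) as usual."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "hold"
    return "deliver"


if __name__ == "__main__":
    for ip, domain in (("192.0.2.10", "example.com"), ("203.0.113.5", "example.com"),
                       ("2001:db8:1::1", "example.com"), ("203.0.113.5", "soft.example")):
        result = spf_check(ip, domain)
        print(f"{ip:>16} claiming {domain:<14} -> {result:<8} -> {list_action(result)}")
```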
Re: [Mailman-Users] How hard is it to spoof an email?
So basically what you are saying is that Mailman is very insecure? (in short)

You say I should not have my admin email as a list member. By that you mean [EMAIL PROTECTED] which is the default address as the admin? If so then what am I supposed to create, and why would creating one make a difference?

Also which email clients support the KIM and/or SPF standards?

Kind regards,
Jp Possenti

-----Original Message-----
From: Jim Popovitch [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 29, 2006 4:31 PM
To: [EMAIL PROTECTED]
Cc: mailman-users@python.org
Subject: Re: [Mailman-Users] How hard is it to spoof an email?

Jp Possenti wrote:
> How hard would it be for someone to maliciously start sending all the users in my list emails or start deleting people from it by sending bounce errors

It's not hard at all. In fact it's quite easy. This is because the raw archive data is available to the public. See this FAQ: http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq04.066.htp

> or by spoofing the admin email and start emailing everyone on the list?

That's not hard at all either, although you probably shouldn't have your admin email as a list member. Of course, the spammer could just use any of your subscribers email addresses including the valid ones that haven't posted in 4 years (*cough*, *cough*). See the recent "Verifying posts" thread.

> Is this a common problem, or is mailman secure about it? What are some ways to help avoid any problems?

Use an MTA that supports DKIM and/or SPF. These standards help to verify who the sender is. So if [EMAIL PROTECTED] posts to your list, SPF will verify that the email came from an approved aol.com server, not something like 24.16.8.101-home.dsl.cox.net. DKIM takes it a step further and adds an encrypted email header key that is carried with the email during its entire journey through multiple servers. This key enables every hop to validate the email, whereas SPF is just point-to-point validation based on email header info (which can very easily be modified in transit).

> Please explain carefully and with plenty of details as I am still figuring things out.

Heck, that should be SOP for everyone. ;-)

-Jim P.
Re: [Mailman-Users] How hard is it to spoof an email?
Jp Possenti wrote:
> So basically what you are saying is that Mailman is very insecure? (in short)

:-) Honestly, NO. Mailman is much more secure, indeed very secure, than most software I see. The integrity of Mailman depends highly on the security of your OS, your MTA and your webserver.

> You say I should not have my admin email as a list member. By that you mean [EMAIL PROTECTED] which is the default address as the admin?

Your admin email would be [EMAIL PROTECTED]. That address doesn't belong in the subscribers list, nor does [EMAIL PROTECTED].

> If so then what am I supposed to create, and why would creating one make a difference?

There is nothing in Mailman that you can create or do to combat email spoofing. Spoofing is not a Mailman problem as Mailman relies on your MTA to authenticate email senders (which is correct). This is a good thing as Mailman could get really bloated (more bloated?) if it tried to incorporate authenticating senders.

> Also which email clients support the KIM and/or SPF standards?

DKIM and SPF are email server technologies, not client technologies. They can help to validate the email traffic coming into your email server.

-Jim P.
Re: [Mailman-Users] How hard is it to spoof an email?
Jim Popovitch wrote:
> It's not hard at all. In fact it's quite easy. This is because the raw archive data is available to the public. See this FAQ: http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq04.066.htp

Only if the list has public archives. If there are no archives, there obviously isn't any archive data, and if the archives are private, all archive data including .txt and .mbox files are only available to list members or someone who knows a listmember address and password.

-- 
Mark Sapiro <[EMAIL PROTECTED]>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] How hard is it to spoof an email?
Jim Popovitch wrote:
>> You say I should not have my admin email as a list member. By that you mean [EMAIL PROTECTED] which is the default address as the admin?
>
> Your admin email would be [EMAIL PROTECTED]. That address doesn't belong in the subscribers list, nor does [EMAIL PROTECTED].

To clarify: The address [EMAIL PROTECTED] doesn't go to a human in Mailman 2.1.x. It is a synonym for [EMAIL PROTECTED]. The generic address to reach the owners (admins/moderators) is [EMAIL PROTECTED].

I don't think Jim was saying that address ([EMAIL PROTECTED]) should not be a list member. It shouldn't, but I think what Jim was saying is that the actual admin/owner email address(es) - i.e. the ones that appear on the bottom of the listinfo page as "XYZ list run by jdoe at example.com" - should not be list members (or at least not unmoderated members) because otherwise you are advertising an address that can be spoofed to post to the list.

-- 
Mark Sapiro <[EMAIL PROTECTED]>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] How hard is it to spoof an email?
If I may, Mark -;).

> You say I should not have my admin email as a list member. By that you mean [EMAIL PROTECTED] which is the default address as the admin?

I don't think that's correct??

> If so then what am I supposed to create, and why would creating one make a difference?

Even tho I only have 4 Lists with not even a total of 200 folks I have an alias on each one. I have a separate file folder with a Rule that puts List Mail there. That, although somewhat of a PITA, I KNOW things are working correctly. When I get one post in Reg mail and none in alias folder OR vice versa, I know something is wrong.

Newbie Ed
[Mailman-Users] Newbie question regarding multiple domains with one Mailman installation
Hi folks,

Apologies if this is covered in the Mailman docs or the FAQs, but I'm having problems finding any concrete information.

I've installed Mailman via the FreeBSD ports collection on my FreeBSD server (running 4.7). My MTA is Exim 4.22, and my web server is Apache 1.3.x.

I currently have mailman in /usr/local/mailman, and my web server has a virtual host at http://lists.dom.ain/ that points at this installation. My lists therefore have addresses like [EMAIL PROTECTED]

I run a number of different virtual domains from my server, and would like to be able to run mailing lists for each of them, but using their domain names. I don't care about the limitation that they can't use the same list name -- the number of lists will be small, and that's an avoidable problem.

So what do I need to do to run e.g. [EMAIL PROTECTED] and [EMAIL PROTECTED] from the same Mailman installation on my server?

Any pointers very gratefully received!

Thanks,
Daniel
Re: [Mailman-Users] Newbie question regarding multiple domains with one Mailman installation
Daniel Spreadbury wrote:
> Apologies if this is covered in the Mailman docs or the FAQs, but I'm having problems finding any concrete information.

Searching the FAQ wizard at Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py for "virtual" will return some relevant information including FAQs 4.29, 4.47 and 4.62.

> I've installed Mailman via the FreeBSD ports collection on my FreeBSD server (running 4.7). My MTA is Exim 4.22, and my web server is Apache 1.3.x.

Mailman version? :-)

> I currently have mailman in /usr/local/mailman, and my web server has a virtual host at http://lists.dom.ain/ that points at this installation. My lists therefore have addresses like [EMAIL PROTECTED]
>
> I run a number of different virtual domains from my server, and would like to be able to run mailing lists for each of them, but using their domain names. I don't care about the limitation that they can't use the same list name -- the number of lists will be small, and that's an avoidable problem.
>
> So what do I need to do to run e.g. [EMAIL PROTECTED] and [EMAIL PROTECTED] from the same Mailman installation on my server?

Either put the Mailman specific alias and scriptalias, etc stuff in each virtual host section in the web server config, or put it somewhere where it will apply to all hosts.

Put directives like:

    add_virtualhost('dom.ain', 'dom.ain')
    add_virtualhost('another.domain', 'another.domain')

in mm_cfg.py. This assumes you will access the web pages via http://dom.ain/..., as well as emailing [EMAIL PROTECTED], i.e., that the web domain and the email domain are the same for the hosts. If not, the generic form is

    add_virtualhost('web.dom.ain', 'email.dom.ain')

Then when you create lists for these domains, they will only appear on listinfo and admin overview pages accessed from that domain and web links and email addresses for those lists will all use the list's domain.

And read the FAQs mentioned above.

-- 
Mark Sapiro <[EMAIL PROTECTED]>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Is there a workaround to this?
At 1:53 PM -0500 2006-01-29, Jp Possenti wrote:
> I have been reading throughout the web and it seems that when one is reading a mailing list in Outlook, Mailman does something like this: http://www.washington.edu/computing/mailman/faqs/mailman.header.html
>
> Is there a work-around to that yet?

Have you fixed your MUA yet? It's an MUA problem, and can only be fixed in the MUA. Until the MUA is fixed, then this situation will persist.

-- 
Brad Knowles, [EMAIL PROTECTED]

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See http://www.lopsa.org/.
Re: [Mailman-Users] How hard is it to spoof an email?
At 1:56 PM -0500 2006-01-29, Jp Possenti wrote:
> How hard would it be for someone to maliciously start sending all the users in my list emails or start deleting people from it by sending bounce errors or by spoofing the admin email and start emailing everyone on the list?

It's trivially easy to spoof e-mail addresses. Mailman works around that by allowing you to configure your list to be more secure and require confirmations for certain commands, or by sending its own confirmation e-mail once an action has taken place. The attacker may be able to spoof your e-mail address, but unless they can also access your mailbox, they can't see the unique confirmation string that they have to duplicate before the system will take the action in question, or to delete the notice that Mailman sends to the recipient.

> Is this a common problem, or is mailman secure about it? What are some ways to help avoid any problems?

It all depends on how secure you want your list to be. Part of the problem is that the more security features of this sort that you turn on, the more cumbersome it will be for people to post or subscribe to the list, change their address once subscribed, etc. You want to strike a balance here between securing your system against spoofing and making it too difficult to use.

> Please explain carefully and with plenty of details as I am still figuring things out.

I'm not sure how much more I can explain, or precisely which part it is that you're most concerned about.

-- 
Brad Knowles, [EMAIL PROTECTED]

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See http://www.lopsa.org/.
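The confirmation step Brad describes, modelled as an added example (not Mailman's own code and not from this thread): a mailed-in command only records a pending request, the one-time cookie goes to the affected address rather than to whoever claimed to send it, and nothing changes until that cookie comes back. Cookie format, lifetime and the in-memory "outbox" are assumptions of the demo.

```python
"""Added example, not Mailman's own code: a model of the confirmation step
Brad describes.  A spoofed request changes nothing until the one-time cookie,
which was mailed only to the affected address, is presented.  Cookie format
and expiry are assumptions of this demo, not Mailman's actual values."""
import secrets
import time

PENDING_TTL = 3 * 24 * 3600   # assumed lifetime of a pending request, in seconds


class ListRequests:
    def __init__(self, members, now=time.time):
        self.members = set(members)
        self.now = now
        self.pending = {}     # cookie -> (operation, address, expiry)
        self.outbox = []      # (recipient, text): mail the list "sent", constructed

    def request(self, operation, address):
        """Handle a mailed-in 'subscribe' or 'unsubscribe' command.  The From:
        line is untrusted, so only a pending entry is recorded and the
        confirmation goes to the affected address, never to the requester."""
        cookie = secrets.token_hex(20)                    # 160 random bits
        self.pending[cookie] = (operation, address, self.now() + PENDING_TTL)
        self.outbox.append((address, f"confirm {cookie}"))
        return cookie

    def confirm(self, cookie):
        """Apply the pending change if, and only if, its cookie is presented."""
        entry = self.pending.pop(cookie, None)            # one use only
        if entry is None:
            return "unknown or already used cookie"
        operation, address, expiry = entry
        if self.now() > expiry:
            return "expired"
        if operation == "unsubscribe":
            self.members.discard(address)
        elif operation == "subscribe":
            self.members.add(address)
        # The notice Brad mentions: the address owner learns what happened.
        self.outbox.append((address, f"{operation} confirmed"))
        return "done"


def spoofed_unsubscribe_scenario():
    """A forged 'From: victim@example.com' unsubscribe.  Returns whether the
    victim is still subscribed, who got the confirmation, and what the
    forger's guessed cookie achieved."""
    lst = ListRequests(["victim@example.com", "other@example.com"])
    lst.request("unsubscribe", "victim@example.com")      # forged by the attacker
    guess = lst.confirm(secrets.token_hex(20))           # attacker cannot read victim's mail
    return ("victim@example.com" in lst.members, lst.outbox[0][0], guess)


if __name__ == "__main__":
    print(spoofed_unsubscribe_scenario())
```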
Re: [Mailman-Users] Why are footers sent as attachments?
At 2:24 PM -0500 2006-01-29, Jp Possenti wrote:
> Why is it that when I set Mailman to apply a footer with some info, Outlook detects it as an attachment? Is this yet another problem with just outlook?

Outlook and certain other MUAs, yes.

> Also does the footer in mailman support HTML?

Nope.

> I want to make it so at the bottom of every email I can include a reply to address for them to unsubscribe.

Like we do for this mailing list?

> This sort of leads me to my next question. To have a user unsubscribe without seeing the web interface and just by email, which would be the right command?
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]

More like the header we put on every message that passes through this list:

    List-Unsubscribe: <http://mail.python.org/mailman/listinfo/mailman-users>, <mailto:[EMAIL PROTECTED]>

> Or are there more? Also does anything need to be written in the subject line? If not, what if someone writes something or writes something that is not right, will it still unsubscribe them? I would like to state that if they want to be removed, to please click here to send an email to unsubscribe.

You can't write your own HTML there, so no "click here" type language is going to work. You can do the same sorts of things that you see in the messages which pass through this list, however -- try taking a closer look at the copies you receive.

-- 
Brad Knowles, [EMAIL PROTECTED]

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See http://www.lopsa.org/.
Re: [Mailman-Users] any info on this reported exploit?
At 4:10 PM -0500 2006-01-29, Jim Popovitch wrote:
> But, Diana wasn't emailing sensitive info. She was asking a very important question about something that was already public. You then told her that she should have gone to the "secret-handshake" club. Are you suggesting that all "Hey, has this been fixed yet" questions should be off list and only one-on-one with mailman-security?

I don't care about the content of this most recent incident. I care that the process we specified in FAQ 1.27 wasn't followed. In this case, no harm was done. But in the previous case where someone did something like this, a great deal of harm was caused. I care that the proper procedures be followed.

It's like playing Russian Roulette. This time, the chamber was empty. Next time, it might not be.

> er, Right (the elitism really shines through Brad).

If we insist that everyone follow the proper procedure every time, then we shouldn't have any problems. But if you can't (or won't) follow the proper procedures, then I think it's perfectly reasonable to ask that you go somewhere else.

-- 
Brad Knowles, [EMAIL PROTECTED]

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See http://www.lopsa.org/.
Re: [Mailman-Users] How hard is it to spoof an email?
At 4:31 PM -0500 2006-01-29, Jim Popovitch wrote:
> DKIM takes it a step further and adds an encrypted email header key that is carried with the email during its entire journey through multiple servers. This key enables every hop to validate the email, whereas SPF is just point-to-point validation based on email header info (which can very easily be modified in transit).

If you're going to use DKIM, make sure that you are using Mailman 2.1.7 (or later), with the most recent patches applied. Prior versions of Mailman did not scrub the DKIM headers from messages as they were passing through, which meant that the signatures would be invalid for the recipients of the mailing lists. This was fixed in 2.1.7, but this version also introduced some other issues with archives (among others), which have since been patched by Tokio and Mark.

-- 
Brad Knowles, [EMAIL PROTECTED]

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See http://www.lopsa.org/.
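Why a list footer breaks the sender's DKIM signature, and the scrub Brad says 2.1.7 added, as an added example (not code from this thread or from Mailman): the verifier recomputes the bh= body hash over the body it received, so any appended text fails the check, and a list that has modified the message can drop the now-invalid DKIM-Signature header rather than deliver a signature it knows will fail. Only RFC 6376 relaxed body canonicalisation and the bh= tag are modelled; header signing and keys are left out, the sample message is constructed, and its b= value is a placeholder.

```python
"""Added example, not code from the thread or from Mailman: why appending a
list footer invalidates the sender's DKIM signature, and the list-side scrub
of a signature that can no longer verify.  Only relaxed body canonicalisation
and the bh= tag of RFC 6376 are modelled; header signing is left out."""
import base64
import email
import hashlib
import hmac
import re


def relaxed_body(body):
    """RFC 6376 s3.4.4 relaxed body canonicalisation: collapse runs of
    whitespace, strip trailing whitespace, drop trailing empty lines, CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """The value a signer puts in the bh= tag (sha256 of the canonical body, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def body_hash_valid(signed_bh, delivered_body):
    """The verifier's first check: recompute bh= over the body it actually received."""
    return hmac.compare_digest(signed_bh, body_hash(delivered_body))


def scrub_dkim_if_broken(raw):
    """Assumed list-side behaviour after the footer has been added: drop a
    DKIM-Signature whose bh= no longer matches, so recipients get an unsigned
    message instead of one carrying a signature that is known to fail."""
    msg = email.message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig:
        m = re.search(r"bh=([^;]+)", sig)
        signed_bh = re.sub(r"\s+", "", m.group(1)) if m else ""
        if not body_hash_valid(signed_bh, msg.get_payload()):
            del msg["DKIM-Signature"]
    return msg


# Constructed sample: what the sender signed, and what the list appends.
ORIGINAL_BODY = "Hello list,\n\nPlease see the notes attached below.\n"
LIST_FOOTER = ("_______________________________________________\n"
               "Mylist mailing list\nMylist@example.com\n")


def signed_message(body):
    """Constructed message whose bh= always covers ORIGINAL_BODY (the sender
    signed before the list touched it); b= is a placeholder, no key is used."""
    return ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
            " s=sel; bh=" + body_hash(ORIGINAL_BODY) + "; b=PLACEHOLDER\n"
            "From: sender@example.com\nTo: mylist@example.com\nSubject: notes\n\n" + body)


if __name__ == "__main__":
    for label, body in (("as sent", ORIGINAL_BODY), ("with footer", ORIGINAL_BODY + LIST_FOOTER)):
        kept = "DKIM-Signature" in scrub_dkim_if_broken(signed_message(body))
        print(f"{label}: bh valid={body_hash_valid(body_hash(ORIGINAL_BODY), body)} "
              f"signature kept={kept}")
```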
Re: [Mailman-Users] How hard is it to spoof an email?
At 4:50 PM -0500 2006-01-29, Jp Possenti wrote:
> So basically what you are saying is that Mailman is very insecure? (in short)

No, not Mailman. At least, not Mailman per se. No, *ALL* SMTP e-mail is inherently insecure -- unless you add stuff to it to make it secure. HTTP is inherently insecure for the web, which is why you use SSL to encrypt the connection and make it safe to transmit sensitive information.

For e-mail, if you care that much about security, you would need to encrypt every message you send to the list (e.g., using PGP), the list software would need to de-crypt it and then re-encrypt it for all of the list recipients. If you're not so worried about hiding your message from prying eyes but you still want to be certain as to who sent which message, then you would need to add a cryptographic signature to all your e-mail, and you would need to make sure that this signature survives all message transit points and doesn't get munged along the way (a common problem with mailing list managers).

-- 
Brad Knowles, [EMAIL PROTECTED]

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See http://www.lopsa.org/.
Re: [Mailman-Users] any info on this reported exploit?
> If we insist that everyone follow the proper procedure every time, then we shouldn't have any problems. But if you can't (or won't) follow the proper procedures, then I think it's perfectly reasonable to ask that you go somewhere else.

THANK you, Brad!! I think all Admins/Owners have same prob at one time or another-;(

Ed
Re: [Mailman-Users] any info on this reported exploit?
>>>>> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes:

    Jim> She was asking a very important question about something that
    Jim> was already public.

What important question? It's an easy to execute exploit (in fact, it occasionally happens due to ordinary mail, that's why it was found and fixed before anybody asked about the DoS aspect) of very low interest to black hats and small threat to a well-run site in most cases. IIRC, it's been discussed on the list (though not as a security threat). The only interesting thing that happened was that somebody sensationalized that problem by labelling it a potential DoS attack. That doesn't make it important, except to Diana and others following that channel. Anybody who hadn't noticed would never notice.

So what is the scenario if Diana posts to mailman-security? She gets an answer and nobody ever notices. And if three people ask on mailman-security? There's a short post to mailman-users, and it ends up in the faq, because it's a PITA for the developers to keep answering it. What's wrong with that?

    Jim> Are you suggesting that all "Hey, has this been fixed yet"
    Jim> questions should be off list and only one-on-one with
    Jim> mailman-security?

No, only for those defects that are not going to affect users unless deliberately exploited. For such security holes, yes, "discuss only with mailman-security" is announced policy.

    Jim> er, Right (the elitism really shines through Brad).

Please watch your language. Elitism means restricting something to a select group because of their personal qualifications. The security policy, and everything Brad has posted on the matter, says discussion about potential exploits should be restricted to those with "need to know", which is defined as the ability to fix the problem and/or the authority to distribute 'official' fixes. This is a functional, not a personal, qualification.

You're welcome to advocate a different definition of need-to-know, one which includes large numbers of users who cannot contribute code or distribute fixes, but the restrictive one above is the one in common use in the developer community. To my knowledge nobody (in the open source community) likes the implications for information dissemination.

I admit that this is my personal interpretation of the discussions that have gone on (in the Mailman community and elsewhere), but it is the best I can come up with and honestly intended. Barry, Tokio, and Mark are welcome to jointly or severally repudiate it. :-)

-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
       Ask not how you can do free software business;
       ask what your business can do for free software.
Re: [Mailman-Users] any info on this reported exploit?
Stephen J. Turnbull wrote:
> >>>>> "Jim" == Jim Popovitch [EMAIL PROTECTED] writes:
>
>     Jim> She was asking a very important question about something that
>     Jim> was already public.
>
> What important question?

I quote Diana from her original email that sparked this thread:

  "The notice suggests all versions are vulnerable, is this the case? If so, suggested workaround? Patch/upgrade coming?"

> It's an easy to execute exploit (in fact, it occasionally happens due to ordinary mail, that's why it was found and fixed before anybody asked about the DoS aspect) of very low interest to black hats and small threat to a well-run site in most cases. IIRC, it's been discussed on the list (though not as a security threat).
>
> The only interesting thing that happened was that somebody sensationalized that problem by labelling it a potential DoS attack. That doesn't make it important, except to Diana and others following that channel. Anybody who hadn't noticed would never notice.
>
> So what is the scenario if Diana posts to mailman-security? She gets an answer and nobody ever notices.

... and nobody else ever hears of the issue either. Why is this? It is because it appears that the current Mailman policy is to suppress not just information, but also questions, about situations like this.

> And if three people ask on mailman-security? There's a short post to mailman-users, and it ends up in the FAQ, because it's a PITA for the developers to keep answering it. What's wrong with that?

Nothing, assuming:

A) It makes it into the FAQ in a timely fashion for it to benefit site admins.

B) There is some means to notify site admins so that they don't have to parse through mailman-users to get info on security issues.

I've been subscribed to mailman-announce for 5+ years. I don't recall ever seeing anything such as "FAQ XYZ has been updated", let alone info on potential vulnerabilities that I should be aware of.
>     Jim> Are you suggesting that all "Hey, has this been fixed yet"
>     Jim> questions should be off list and only one-on-one with
>     Jim> mailman-security?
>
> No, only for those defects that are not going to affect users unless deliberately exploited. For such security holes, yes, "discuss only with mailman-security" is announced policy.

And that is good. Diana's case doesn't seem to meet that measure, yet that is the advice Brad gave her. Was that an attempt to suppress this info from other site admins?

>     Jim> er, Right (the elitism really shines through Brad).
>
> Please watch your language. Elitism means restricting something to a select group because of their personal qualifications.

Possibly, in a narrowly defined sense. I meant it as the rest of the world uses it: http://www.answers.com/elitism

BTW, just who are the members of mailman-security?

> The security policy, and everything Brad has posted on the matter, says discussion about potential exploits should be restricted to those with "need to know", which is defined as the ability to fix the problem and/or the authority to distribute 'official' fixes. This is a functional, not a personal, qualification.

And how does that apply to Diana's question? Clearly she was inquiring about a fixed issue, right? If not, shouldn't the answer given to her also be seen by others in similar situations?

> You're welcome to advocate a different definition of need-to-know, one which includes large numbers of users who cannot contribute code or distribute fixes, but the restrictive one above is the one in common use in the developer community. To my knowledge nobody (in the open source community) likes the implications for information dissemination.

Well, it seems to me there are two extremes in the Mailman group of interested folks. Those that want to know everything, but don't want anyone else to know it. And those that are expected to not know anything until Barry/Tokio/Mark/etc. tell them to know it. I just think there is room for some middle ground.
There is more to Mailman than just users and developers. There are those that are responsible for Mailman systems but they aren't the day-to-day admins of the mailing lists. I think it is totally irresponsible to expect that site admins find out on their own if there are insecurities in the sites they run. If I am running a Mailman 2.1.6 site, I expect to be informed of vulnerabilities and security concerns sometime before 2.1.7 is fully released, not just have to read it in the CHANGES file of 2.1.7.

-Jim P.
Re: [Mailman-Users] New Lists not getting emails from internal domain
Just realized Mark,

The other lists are actually fine... I'm only having problems with the newly created list. I'm not sure if there's a typo on the aliases. What else could I check?

Thanks,
Neilrey

-----Original Message-----
From: Mark Sapiro [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 29, 2006 2:14 PM
To: Neilrey Espino; mailman-users@python.org
Subject: Re: [Mailman-Users] New Lists not getting emails from internal domain

Neilrey Espino wrote:

> I have successfully migrated our Mailman to a new server. All seem to work perfectly on the existing Lists. However when I created a new list, somehow emails coming from the internet are being accepted/relayed and bounced properly but email coming from my own domain indicates unknown user.

This appears to be an issue with how your incoming MTA treats mail from your own domain (localhost?) vs. the internet. That would be an MTA configuration issue which would be better addressed on a list or other resource specific to your MTA.

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] any info on this reported exploit?
Brad Knowles wrote:

> If we insist that everyone follow the proper procedure every time, then we shouldn't have any problems.

Well, I disagree with the current procedure, which, based on past emails, suggests that no one is kept informed about security concerns, and only those that hear about one on their own can get a private response by emailing mailman-security.

> But if you can't (or won't) follow the proper procedures, then I think it's perfectly reasonable to ask that you go somewhere else.

Thanks, I'll think more of you because you think I should go. *sigh* Perhaps I am not the stumbling block here.

-Jim P.
Re: [Mailman-Users] New Lists not getting emails from internal domain
Neilrey Espino wrote:

> Just realized Mark,
>
> The other lists are actually fine... I'm only having problems with the newly created list. I'm not sure if there's a typo on the aliases.

If mail from the internet reaches the list, then it would seem the aliases would be OK. If not, there might be a problem with the aliases or the new aliases may not have been installed properly for the MTA. You could look for clues at whatever logs the MTA produces.

If old lists are fine, both locally and from the internet, and the new list is fine from the internet but not locally, then I still think it's an MTA issue and that the aliases for this new list must somehow be installed incompletely or differently from the others.

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
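Mark's suspicion that the new list's aliases were installed incompletely can be checked mechanically by comparing the aliases file against the ten per-list entries that Mailman 2.1's bin/genaliases emits. The following is an added example, not code from the thread or from Mailman; it assumes a sendmail/Postfix-style aliases(5) file, and the file contents and the list names "oldlist" and "newlist" are constructed.

```python
"""Added example (not from the thread or from Mailman): parse an
aliases(5)-style file and report which of the ten per-list aliases that
Mailman 2.1's bin/genaliases emits are missing for a list. The aliases
text below is constructed; "oldlist" and "newlist" are hypothetical."""
# The ten aliases bin/genaliases creates for each Mailman 2.1 list.
MAILMAN_SUFFIXES = ("", "-admin", "-bounces", "-confirm", "-join", "-leave",
                    "-owner", "-request", "-subscribe", "-unsubscribe")


def parse_aliases(text):
    """Return {alias (lowercased): target} from aliases(5) text.
    Comments and blank lines are skipped; a line starting with whitespace
    continues the previous entry, as the MTA's own parser treats it."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # continuation line
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        name, sep, target = line.partition(":")
        if sep:  # alias names are case-insensitive to the MTA
            entries[name.strip().lower()] = target.strip()
    return entries


def missing_aliases(listname, aliases):
    """Standard Mailman alias names for listname that have no entry."""
    return [listname + s for s in MAILMAN_SUFFIXES
            if (listname + s).lower() not in aliases]


# Constructed sample: oldlist is complete, newlist was only partly installed
# (one entry spans a continuation line to exercise the parser).
SAMPLE_ALIASES = "# constructed aliases file\n" + "".join(
    'oldlist%s: "|/usr/lib/mailman/mail/mailman %s oldlist"\n'
    % (s, s.lstrip("-") or "post") for s in MAILMAN_SUFFIXES) + '''\
newlist:         "|/usr/lib/mailman/mail/mailman post newlist"
newlist-owner:   "|/usr/lib/mailman/mail/mailman owner newlist"
newlist-request: "|/usr/lib/mailman/mail/mailman
                 request newlist"
'''
if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for name in ("oldlist", "newlist"):
        print(name, "missing:", missing_aliases(name, table) or "none")
```

Run against the real aliases file (and, for Postfix, after confirming `newaliases`/`postalias` was rerun) to see whether the new list is missing any of the entries the old lists have.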