Re: [Mailman-Users] Major problems with privacy and mailman lists and harvesters

2008-05-23 Thread Bill Christensen
When creating archives for one of the lists I run (until recently 
with another listserv software) I wrote a relatively simple 
find/replace grep which replaces the domain names so that email 
addresses become [EMAIL PROTECTED].  In this case, the list itself is by 
invitation only but the archives are open to all, so the list members 
can figure out who the posters are easily enough and some non 
listmembers may as well, but the spammers won't have a clue.


Having just moved over to Mailman recently I have yet to implement 
that fix on my lists but I hope to do so in the fairly near future.


Another trick that I've used with our web databases is to assign an 
ID to a user and create a spam-resistant mail form which doesn't 
display the email address in the source code, but instead retrieves 
it via the ID behind the scenes when the email is sent.  It's 
probably similar to the Topica method that Michael Welch posted 
about, and it works fairly well for us (though in the last couple of 
weeks someone found their way around it.  I still need to figure out 
the hole and plug it up).


The big problem I see with implementing most of the anti-spam tricks 
I employ as a relatively small web developer on as large a scale as 
incorporating them into Mailman is that with enough motivation and a 
little research a spammer could still script around them and exploit 
Mailman lists, either by harvesting or direct sending.   They're 
typically not overly motivated to do so for our little market, but 
with all the Mailman lists out there it would certainly be a target.



At 11:03 AM -0600 5/23/08, Steve Murphy wrote:


Hello!

I'm quite concerned about what I'm seeing in mailman installations,
and the amount of spam I've been getting because I participate in
mailman based lists!

I'm not talking about halting spam that gets submitted to the list
for mailing. I'm not talking about spambots automatically joining
the lists and submitting spam.

What I'm concerned about is the fact that email harvesters are being
given so much information.

I've noticed in the mailman-users archives, that if I view info
by thread (using the mailman archives as an example,)
which site is 2.1.10 based,
that all email addresses are present, but with a simple obfuscation.
(the "@" has been changed to " at ".) I can't help but to think
that this simple obfuscation is a joke. Any harvester written in the
past number of years would be smart enough to capture such accurately.

When viewing the developer's archives, I note that when a message is
displayed singly, it is common to see [EMAIL PROTECTED]. This is
much nicer, but I notice that in both archives, a button is provided
at the bottom of the letter, that submits a form, and gets back
both a "Found" page, with a mailto: url, and a redirect to a mailto...
so, an anonymous user can easily get/harvest email addresses by simply
analyzing the html form.

The gzip'd archives by month for both lists both show all email
addresses, with the " at " obfuscation.

It seems inconsistent, funny even, that display by thread will show
individual messages with [EMAIL REMOVED], but the gzip'd archives
of the same message reveal, really, everything.

And worse... If I really wanted to collect up-to-date juicy email
addresses, I'd simply subscribe to all the mailman lists I possibly
could, and
route all the incoming messages to harvesters. In **This** case,
the harvest is bountiful, as most messages arrive totally unfiltered,
from  headers galore bearing bounteous harvests of email addresses
(for example, the From header), to the user sigs at the ends, with
reply quotation headers mentioning the source addresses in between.

Within MINUTES of my first posting on asterisk-users, I was getting spam
on an email address that was brand-new. Since then, the spam volume
on that email addr just keeps growing.

I keep wondering, which way did they get my email addr?
But, it doesn't matter. I can't help to think that 'targeted'
spam mailers both spider the archives and subscribe to the
lists. The bigger the list's subscription, hotter an item it is.

So, please, can we apply the [EMAIL PROTECTED] tech to the archives,
and the outgoing messages, and drop this silly notion that
the " at " obfuscation is useful? Really, it's totally transparent.
NO OBFUSCATION is safe in mailman. There's simply too much
Can we drop the buttons from the archives whose HTML says:







Reply via email to



from which spam harvesters can almost instantly be updated to 
harvest "[EMAIL PROTECTED]"

(modified from the orig to save the innocent author from a deluge of spam, at
least on **my** account), without even submitting the form!

We need to rethink how we can adequately keep emails out of spammers hands.
And, yes, it's kinda unhandy not read a message and not be able to 
fire an email
off to the author di
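
An archive scrubber along the lines of the find/replace Bill Christensen describes above, applied identically to the HTML view and to the gzip'd monthly archive that the quoted message finds inconsistent. This is an added example, not code from the thread or from Mailman; the function names, the `[domain removed]` placeholder and the sample archive text are assumptions constructed for illustration.

```python
import gzip
import re

# Marker that replaces every domain part (an assumption; any marker works).
PLACEHOLDER = "[domain removed]"

_LOCAL = r"[A-Za-z0-9._%+\-]+"
_DOMAIN = r"[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+"
# Separators that show up in archives: plain "@", URL-encoded "%40" inside
# mailto: links, HTML entities, and the " at " rewrite discussed in the thread.
_SEP = r"@|%40|&#64;|&#x40;|[ \t]+at[ \t]+"
ADDRESS_RE = re.compile(rf"({_LOCAL})({_SEP})({_DOMAIN})", re.IGNORECASE)


def scrub_addresses(text):
    """Redact the domain of every address; return (scrubbed_text, count).

    The local part and the separator are kept so list members can still
    recognise the poster. Ordinary prose such as "meet at example.com" is
    also redacted: over-redaction is the safe direction for a public archive.
    """
    def _redact(match):
        return f"{match.group(1)}{match.group(2)}{PLACEHOLDER}"

    return ADDRESS_RE.subn(_redact, text)


def residual_addresses(text):
    """Return anything that still looks like an address (publish gate)."""
    return [m.group(0) for m in ADDRESS_RE.finditer(text)]


def scrub_gzip_archive(blob):
    """Scrub a gzip'd monthly archive so it matches the HTML view."""
    text = gzip.decompress(blob).decode("utf-8", errors="replace")
    scrubbed, _count = scrub_addresses(text)
    return gzip.compress(scrubbed.encode("utf-8"))


# Constructed sample: one archived message in the " at " style, with a raw
# address, a mailto: link and an entity-encoded address in the body.
SAMPLE_ARCHIVE = (
    "From steve at example.org  Fri May 23 11:03:00 2008\n"
    "From: steve at example.org (Steve Example)\n"
    "Date: Fri, 23 May 2008 11:03:00 -0600\n"
    "Subject: [Example-List] test post\n"
    "\n"
    'Reply off-list: steve@example.org or <a href="mailto:steve%40example.org">mail</a>.\n'
    "On Thu, alice&#64;lists.example.net wrote:\n"
)


if __name__ == "__main__":
    scrubbed, count = scrub_addresses(SAMPLE_ARCHIVE)
    print(scrubbed)
    print(f"redacted {count} addresses; residual: {residual_addresses(scrubbed)}")
```

Running the same function over every published form of the archive (per-message HTML, thread index, monthly download) removes the inconsistency raised in the quoted message; it does nothing about addresses in mail delivered to subscribers.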

Re: [Mailman-Users] Major problems with privacy and mailman lists and harvesters

2008-05-23 Thread Michael Welch
Steve Murphy wrote at 10:03 AM 5/23/2008:
 
>I've noticed in the mailman-users archives, that if I view info by thread 
>(using the mailman archives as an example,) which site is 2.1.10 based, that 
>all email addresses are present, but with a simple obfuscation. (the "@" has 
>been changed to " at ".) I can't help but to think that this simple 
>obfuscation is a joke. Any harvester written in the past number of years would 
>be smart enough to capture such accurately.

I think the Topica listserver had a great way to deal with email addresses in 
archives. You could see a semblance of the email address, but no way could you 
deduce the real address. If you are logged into the site, each is still 
obscured, but is a live link that opens up an email-like dialog box -- with the 
real address still obscured. But it does send an email to the real address for 
the obscured address.

Pretty good way of dealing with the problem, but I have no idea if something 
like this could be coded into Mailman archives.  

- - - - - - - - - - - -
Michael Welch, volunteer
Redwood Alliance
PO Box 293
Arcata, CA 95518
707-822-7884
[EMAIL PROTECTED]
www.redwoodalliance.org

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


[Mailman-Users] high memory usage and long running time for mailman Python process

2008-05-23 Thread Terrence Brannon
Hello, I am running Debian/etch and the user "list" has a Python process 
which takes up 83.2% of my memory and has been running for more than 40 
minutes.


My suspicion is that some sort of queue of moderator messages is very 
large.


In fact, /var/lib/mailman/ is very large... I cannot access the 
administrator interface via the web:


6733    ./qfiles
21551   ./messages
60071   ./lists/asciidoc-discuss
60093   ./lists
288500  ./data
380881  .


In looking through archives, I discovered I have more than 60,000 held 
messages for one mailing list:


[EMAIL PROTECTED]:/var/lib/mailman/data$ ls -l | wc -l
64688

but for some reason attempting to discard even one is not working... it 
just sits there and hangs:


[EMAIL PROTECTED]:/var/lib/mailman/data$ sudo ../bin/discard heldmsg-asciidoc-discuss-59527.pck

Password:

(no return to shell after 5 minutes)



Re: [Mailman-Users] Major problems with privacy and mailman lists and harvesters

2008-05-23 Thread Andrew Hodgson
Steve Murphy wrote:

>I'm quite concerned about what I'm seeing in mailman installations, and
>the amount of spam I've been getting because I participate in mailman
>based lists!

>What I'm concerned about is the fact that email harvesters are being
>given so much information.

>I've noticed in the mailman-users archives, that if I view info by
>thread (using the mailman archives as an example,) which site is 2.1.10
>based, that all email addresses are present, but with a simple
>obfuscation.
>(the "@" has been changed to " at ".) I can't help but to think that
>this simple obfuscation is a joke. Any harvester written in the past
>number of years would be smart enough to capture such accurately.

When we were looking for a list software package, we came up against
this problem.  I think the issue here is that the archives are open to
anyone (aka public archives), and there is no real way of allowing
people to contact anyone off list if the email addresses are protected.
That said, there are a number of external archiving solutions around
that will do this already, such as MHonArc http://www.mhonarc.org/.

>When viewing the developer's archives, I note that when a message is
>displayed singly, it is common to see [EMAIL PROTECTED]. This is much
>nicer, but I notice that in both archives, a button is provided at the
>bottom of the letter, that submits a form, and gets back both a "Found"
>page, with a mailto: url, and a redirect to a mailto...
>so, an anonymous user can easily get/harvest email addresses by simply
>analyzing the html form.

The email form is done by mail-archive.com, and they are running several
honeypots to monitor spam coming in via this method.  The FAQ which
explains this is at http://www.mail-archive.com/faq.html.

[...]

>It seems inconsistent, funny even, that display by thread will show
>individual messages with [EMAIL REMOVED], but the gzip'd archives of
>the same message reveal, really, everything.

Are you sure you are viewing the same archives?

>And worse... If I really wanted to collect up-to-date juicy email
>addresses, I'd simply subscribe to all the mailman lists I possibly
>could, and route all the incoming messages to harvesters. In **This**
>case, the harvest is bountiful, as most messages arrive totally
>unfiltered, from  headers galore bearing bounteous harvests of email
>addresses (for example, the From header), to the user sigs at the ends,
>with reply quotation headers mentioning the source addresses in
>between.

This is a problem with email not Mailman.  Do you see Freelists,
YahooGroups or Google Groups doing similar?

>Within MINUTES of my first posting on asterisk-users, I was getting
>spam on an email address that was brand-new. Since then, the spam
>volume on that email addr just keeps growing.

That is interesting as I have subscribed to several lists using a list
account at work which are on Mailman - namely RedHat and LUG user
groups, and I haven't had spam to that address in ages.  Contrast this
with my main work address, which I use to sign up for email newsletters
(when evaluating products), use as sales contacts, fill in web forms
etc, where I get around 40-50 spams a day.

>I keep wondering, which way did they get my email addr?
>But, it doesn't matter. I can't help to think that 'targeted'
>spam mailers both spider the archives and subscribe to the lists. The
>bigger the list's subscription, hotter an item it is.

Maybe you should post this to one of the mail-archive lists, to see if
the people controlling the honeypots are finding similar.  

>So, please, can we apply the [EMAIL PROTECTED] tech to the archives,
>and the outgoing messages, and drop this silly notion that the " at "
>obfuscation is useful? Really, it's totally transparent.

Possibly agreeing with you viz the archiving via the web, but I for one
would never use such a feature as email protection on any of my lists
for email subscribers.

Andrew.


Re: [Mailman-Users] Major problems with privacy and mailman lists and harvesters

2008-05-23 Thread Jim Popovitch
On Fri, May 23, 2008 at 1:03 PM, Steve Murphy <[EMAIL PROTECTED]> wrote:
> Within MINUTES of my first posting on asterisk-users, I was getting spam
> on an email address that was brand-new.

How do you know that it was your archived post that the spammers
picked up on? It is also possible that the harvester is an address
subscribed to asterisk-users.

IMHO, obfuscating the archives achieves little effect other than a
false sense of hope.   The fact is spammers don't want stale archived
email addresses, they want fresh active (i.e. poster's) addresses.

Welcome to 2008, ;-)

-Jim P.


Re: [Mailman-Users] Help! "Recipient list too long" message is held for approval

2008-05-23 Thread Bill Christensen

The acceptable number of recipients can be adjusted at:

http:///mailman/admin//privacy/recipient

Ceiling on acceptable number of recipients for a posting.
(Details for max_num_recipients)

Defaults to 10



At 8:48 AM -0700 5/23/08, Knabe, Troy wrote:

On 5/23/08 8:14 AM, "webct" <[EMAIL PROTECTED]> wrote:

Hi,

We are using mailman which comes with Mac OS X server 10.5.  I think,
I have set it up correctly for most of the part but there is one
lingering issue with sending a message with other email addresses.

I get "Recipient list too long" error message and the email is held
for moderator's approval.  How do I make mailman remember to send
messages across with long list of recipients.

Thanks.
fuzbuz.



Under "Privacy Options" and "Recipient Filters" there is a "Ceiling 
on acceptable number of recipients for a posting".  I believe the 
default value is 10.  This has nothing to do with the number of list 
members, but the number of other addresses in the To:, CC:, and BCC: 
fields of the email that causes this to be invoked.


-Troy






--
Bill Christensen


Green Building Professionals Directory: 
Sustainable Building Calendar: 
Green Real Estate: 
Straw Bale Registry: 
Books/videos/software: 


Re: [Mailman-Users] Major problems with privacy and mailman lists and harvesters

2008-05-23 Thread Brad Knowles

Steve Murphy wrote:

I've noticed in the mailman-users archives, that if I view info 
by thread (using the mailman archives as an example,) 
which site is 2.1.10 based,

that all email addresses are present, but with a simple obfuscation.
(the "@" has been changed to " at ".) I can't help but to think
that this simple obfuscation is a joke. Any harvester written in the
past number of years would be smart enough to capture such accurately.


This is a well-known weakness.  Please feel free to upload a suggested patch 
to , 
or at least file a Request For Enhancement at 
.



When viewing the developer's archives, I note that when a message is
displayed singly, it is common to see [EMAIL PROTECTED].


That's the external searchable archives provided by mail-archive.com, which 
is actually available for both mailman-users and mailman-developers.



The gzip'd archives by month for both lists both show all email
addresses, with the " at " obfuscation.


Yup.  That's part of the standard internal pipermail archiving process.


Within MINUTES of my first posting on asterisk-users, I was getting spam
on an email address that was brand-new. Since then, the spam volume
on that email addr just keeps growing.


We've known that this weakness was a potential issue for years.  However, I 
don't recall our ever hearing a specific case where this weakness was 
actually being exploited.


If you look at those "patches" and "RFE" pages, you'll note that there are a 
large number of things that people want from Mailman (200-300 things or more 
per category), and since this is a 100% volunteer-supported project, our 
developers have limited time and resources to be able to devote to fixing 
each and every little thing that people have asked for.



We need to rethink how we can adequately keep emails out of spammers hands.


Even with better obfuscation, the spammers will always be able to silently 
subscribe to the lists and harvest addresses that way.  There's no way to 
stop them from doing that.



And, yes, it's kinda unhandy not read a message and not be able to fire an email
off to the author directly. But to make it easy for list subscribers, is to 
make it easy
for spammers, who probably have already joined the list, and are delighted
to get email addresses, any which way they can.


We can't obscure messages that we send out.  Otherwise, they wouldn't get 
delivered.  You do have to have some basic understanding of how Internet 
e-mail works before you can talk intelligently about what could or should be 
done.



We need to lock down mailman, or at least make it an option! Simply put,
in messages sent to users, the only email that should be found anywhere
in a received message, is the recipient's.


If a list admin chooses, they can always enable anonymization.  But there's 
a reason why no one wants to do this.  Go talk to the people running 
anonymized lists to understand that problem more fully.


On a more general note, the more you break Internet e-mail in order to try 
to stop the spammers, the more the bastards win.


You're continuing to make the critical mistake that everyone else does, 
which is that you're trying to solve an inherently non-technical problem 
with technical means.  And that is a recipe for guaranteed disaster.



Spam is just another form of con job.  And if the "oldest profession" is 
prostitute, then the second oldest profession has to be "con artist".  Con 
jobs have been going on for thousands of years, and there's no evidence that 
they will ever stop being perpetrated, at least not so long as our species 
continues to have at least one member still alive.


So, you're not *EVER* going to get rid of spam.  Give that fight up right 
now.  The best you can do is to try to cut it down to a dull roar, and make 
sure that you're not one of the lower-hanging fruit.


Then always keep in the back of your mind that a sufficiently determined 
attacker can get through the deepest and most powerful defenses -- if they 
can assassinate presidents and other government leaders, then they can 
certainly get through any defenses that people like you and me can afford to 
create.


--
Brad Knowles <[EMAIL PROTECTED]>
Member of the Python.org Postmaster Team & Co-Moderator of the
mailman-users and mailman-developers mailing lists


Re: [Mailman-Users] Major problems with privacy and mailman lists and harvesters

2008-05-23 Thread Gadi Evron
Hi Steve. Thank you for your email, it is well researched and conveys your 
point of view.


Your points on inconsistency in protecting email addresses in the archives 
are interesting. Also, I am no lover of spammers.


That said, can you break down your suggestions to those relevant to the 
inherent FUBAR state of SMTP, mailing list administration choices and 
policies, and mailman? I don't see how you can prevent a person or bot 
from subscribing to an open mailing list and harvesting it.


Some locking down is not possible, some not wanted, and some not 
necessary. I find, as I mentioned,  the archives point for example very 
interesting, if anyone was willing to spend the time on making it happen.


Gadi.



On Fri, 23 May 2008, Steve Murphy wrote:


Hello!

I'm quite concerned about what I'm seeing in mailman installations,
and the amount of spam I've been getting because I participate in
mailman based lists!

I'm not talking about halting spam that gets submitted to the list
for mailing. I'm not talking about spambots automatically joining
the lists and submitting spam.

What I'm concerned about is the fact that email harvesters are being
given so much information.

I've noticed in the mailman-users archives, that if I view info
by thread (using the mailman archives as an example,)
which site is 2.1.10 based,
that all email addresses are present, but with a simple obfuscation.
(the "@" has been changed to " at ".) I can't help but to think
that this simple obfuscation is a joke. Any harvester written in the
past number of years would be smart enough to capture such accurately.

When viewing the developer's archives, I note that when a message is
displayed singly, it is common to see [EMAIL PROTECTED]. This is
much nicer, but I notice that in both archives, a button is provided
at the bottom of the letter, that submits a form, and gets back
both a "Found" page, with a mailto: url, and a redirect to a mailto...
so, an anonymous user can easily get/harvest email addresses by simply
analyzing the html form.

The gzip'd archives by month for both lists both show all email
addresses, with the " at " obfuscation.

It seems inconsistent, funny even, that display by thread will show
individual messages with [EMAIL REMOVED], but the gzip'd archives
of the same message reveal, really, everything.

And worse... If I really wanted to collect up-to-date juicy email
addresses, I'd simply subscribe to all the mailman lists I possibly
could, and
route all the incoming messages to harvesters. In **This** case,
the harvest is bountiful, as most messages arrive totally unfiltered,
from  headers galore bearing bounteous harvests of email addresses
(for example, the From header), to the user sigs at the ends, with
reply quotation headers mentioning the source addresses in between.

Within MINUTES of my first posting on asterisk-users, I was getting spam
on an email address that was brand-new. Since then, the spam volume
on that email addr just keeps growing.

I keep wondering, which way did they get my email addr?
But, it doesn't matter. I can't help to think that 'targeted'
spam mailers both spider the archives and subscribe to the
lists. The bigger the list's subscription, hotter an item it is.

So, please, can we apply the [EMAIL PROTECTED] tech to the archives,
and the outgoing messages, and drop this silly notion that
the " at " obfuscation is useful? Really, it's totally transparent.
NO OBFUSCATION is safe in mailman. There's simply too much
Can we drop the buttons from the archives whose HTML says:






Reply via email to



from which spam harvesters can almost instantly be updated to harvest "[EMAIL 
PROTECTED]"
(modified from the orig to save the innocent author from a deluge of spam, at
least on **my** account), without even submitting the form!

We need to rethink how we can adequately keep emails out of spammers hands.
And, yes, it's kinda unhandy not read a message and not be able to fire an email
off to the author directly. But to make it easy for list subscribers, is to 
make it easy
for spammers, who probably have already joined the list, and are delighted
to get email addresses, any which way they can.

Most discussion on mailing lists do not require any address other than
the the mailing list itself. To take a discussion "offline", I propose a
few ideas:

1. the mailing list allows the users to specify a phone-number,
an irc channel and identity that they can be reached by, or some other
method to contact the author, that is NOT an email address. This info
is kept private, and the button at the bottom of the archived letters
could give you this info. The person wanting to privately discuss the
letter could then call the user or contact them via irc/jabber/whatever,
and either discuss the matter there and then, or the author could
voluntarily give the other party his email address at that time. Or
file a list message, and ask the author to contact him, and give out a
phone number, whatever.

I t

[Mailman-Users] Major problems with privacy and mailman lists and harvesters

2008-05-23 Thread Steve Murphy
Hello!

I'm quite concerned about what I'm seeing in mailman installations,
and the amount of spam I've been getting because I participate in
mailman based lists!

I'm not talking about halting spam that gets submitted to the list
for mailing. I'm not talking about spambots automatically joining
the lists and submitting spam. 

What I'm concerned about is the fact that email harvesters are being
given so much information.

I've noticed in the mailman-users archives, that if I view info 
by thread (using the mailman archives as an example,) 
which site is 2.1.10 based,
that all email addresses are present, but with a simple obfuscation.
(the "@" has been changed to " at ".) I can't help but to think
that this simple obfuscation is a joke. Any harvester written in the
past number of years would be smart enough to capture such accurately.

When viewing the developer's archives, I note that when a message is
displayed singly, it is common to see [EMAIL PROTECTED]. This is
much nicer, but I notice that in both archives, a button is provided
at the bottom of the letter, that submits a form, and gets back 
both a "Found" page, with a mailto: url, and a redirect to a mailto... 
so, an anonymous user can easily get/harvest email addresses by simply 
analyzing the html form.

The gzip'd archives by month for both lists both show all email
addresses, with the " at " obfuscation.

It seems inconsistent, funny even, that display by thread will show
individual messages with [EMAIL REMOVED], but the gzip'd archives
of the same message reveal, really, everything.

And worse... If I really wanted to collect up-to-date juicy email
addresses, I'd simply subscribe to all the mailman lists I possibly
could, and
route all the incoming messages to harvesters. In **This** case,
the harvest is bountiful, as most messages arrive totally unfiltered,
from  headers galore bearing bounteous harvests of email addresses
(for example, the From header), to the user sigs at the ends, with
reply quotation headers mentioning the source addresses in between.

Within MINUTES of my first posting on asterisk-users, I was getting spam
on an email address that was brand-new. Since then, the spam volume
on that email addr just keeps growing.

I keep wondering, which way did they get my email addr? 
But, it doesn't matter. I can't help to think that 'targeted'
spam mailers both spider the archives and subscribe to the
lists. The bigger the list's subscription, hotter an item it is.

So, please, can we apply the [EMAIL PROTECTED] tech to the archives,
and the outgoing messages, and drop this silly notion that 
the " at " obfuscation is useful? Really, it's totally transparent. 
NO OBFUSCATION is safe in mailman. There's simply too much 
Can we drop the buttons from the archives whose HTML says:






Reply via email to



from which spam harvesters can almost instantly be updated to harvest "[EMAIL 
PROTECTED]"
(modified from the orig to save the innocent author from a deluge of spam, at
least on **my** account), without even submitting the form!

We need to rethink how we can adequately keep emails out of spammers hands.
And, yes, it's kinda unhandy not read a message and not be able to fire an email
off to the author directly. But to make it easy for list subscribers, is to 
make it easy
for spammers, who probably have already joined the list, and are delighted
to get email addresses, any which way they can.

Most discussion on mailing lists do not require any address other than
the mailing list itself. To take a discussion "offline", I propose a
few ideas: 

1. the mailing list allows the users to specify a phone-number,
an irc channel and identity that they can be reached by, or some other
method to contact the author, that is NOT an email address. This info
is kept private, and the button at the bottom of the archived letters
could give you this info. The person wanting to privately discuss the
letter could then call the user or contact them via irc/jabber/whatever,
and either discuss the matter there and then, or the author could
voluntarily give the other party his email address at that time. Or
file a list message, and ask the author to contact him, and give out a 
phone number, whatever.

I thought about integrating spamgourmet throw-away email addresses,
but really, that wouldn't help. Spammers could simply request, get
the throw-away, spam it, and toss it. The user himself is the only
one who can usefully hand out throw-away addresses.

If you think mailman doesn't have to worry about this sort of thing,
keep in mind that mailman has swiftly become probably the top mailing
list software on the web. That spammers would not be interested in
mining mailing lists for their tens of thousands of valid addresses
is foolhardy thinking. That thinking the options that mailman provides
now is adequate to keep spammers from harvesting email addrs, is just
plain wrong. That datamining and de-obfuscation are NOT being done
specifically
for mailman lis

Re: [Mailman-Users] Help! "Recipient list too long" message is held for approval

2008-05-23 Thread Knabe, Troy


On 5/23/08 8:14 AM, "webct" <[EMAIL PROTECTED]> wrote:

Hi,

We are using mailman which comes with Mac OS X server 10.5.  I think,
I have set it up correctly for most of the part but there is one
lingering issue with sending a message with other email addresses.

I get "Recipient list too long" error message and the email is held
for moderator's approval.  How do I make mailman remember to send
messages across with long list of recipients.

Thanks.
fuzbuz.



Under "Privacy Options" and "Recipient Filters" there is a "Ceiling on 
acceptable number of recipients for a posting".  I believe the default value is 
10.  This has nothing to do with the number of list members, but the number of 
other addresses in the To:, CC:, and BCC: fields of the email that causes this 
to be invoked.

-Troy





[Mailman-Users] Help! "Recipient list too long" message is held for approval

2008-05-23 Thread webct

Hi,

We are using mailman which comes with Mac OS X server 10.5.  I think,  
I have set it up correctly for most of the part but there is one  
lingering issue with sending a message with other email addresses.


I get "Recipient list too long" error message and the email is held  
for moderator's approval.  How do I make mailman remember to send  
messages across with long list of recipients.


Thanks.
fuzbuz.



Re: [Mailman-Users] Mailman 2.1.10 has been released

2008-05-23 Thread Barry Finkel
On April 23 Mark Sapiro wrote:

>| I am happy to announce the release of Mailman 2.1.10.
>
>
>I have discovered a few problems with the release. None is a major show
>stopper, but the most significant so far is that I broke cmd_subscribe
>so that email subscribe to the -subscribe or -join address or the
>-request address with a bare 'subscribe' command results in the message
>being shunted. A patch for this is attached, but I plan to make a patch
>release probably next week.

Has there been a patch release, other than the one -subscribe patch
included in that posting?  Thanks.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994
