Re: [Mailman-Users] Mod_Security

2018-08-01 Thread Bernie Cosell
On 1 Aug 2018 at 17:30, Andrew Hodgson wrote:

> Can you provide steps of how you set up Mailman on the different
> providers since it looks like you are using some type of packaged or
> managed service which is providing features that are not part of the
> stock Mailman and may get in the way of what you are trying to do.  It
> is difficult to provide support on here especially if there are other
> modules being used to provide extra site protection etc.

I have no way to determine that -- I'm just a user with no admin privs, so I 
can't actually look at the mailman installation -- all I can do is try to use it

  /b\

Bernie Cosell
   ber...@fantasyfarm.com
-- Too many people; too few sheep --
   



--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Mod_Security

2018-08-01 Thread Mark Sapiro
On 08/01/2018 09:43 AM, Bernie Cosell wrote:
> 
> And I tried my program on the Bluehost version and I was greeted with 
> 
> Not Acceptable! Not Acceptable! An appropriate representation of the requested
> resource could not be found on this server. This error was generated by
> Mod_Security.

This definitely looks like something in the web server at Bluehost
rejecting your POST before it ever gets to Mailman. Mod_Security is a
web server firewall.

Does Bluehost require HTTPS and if so, are you POSTing via HTTPS?

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] Mod_Security

2018-08-01 Thread Andrew Hodgson
Hi,

Can you provide steps of how you set up Mailman on the different providers 
since it looks like you are using some type of packaged or managed service 
which is providing features that are not part of the stock Mailman and may get 
in the way of what you are trying to do.  It is difficult to provide support on 
here especially if there are other modules being used to provide extra site 
protection etc.

Andrew.

-Original Message-
From: Mailman-Users  On 
Behalf Of Bernie Cosell
Sent: 01 August 2018 17:44
To: mailman-users@python.org
Subject: [Mailman-Users] Mod_Security

I'm still working on the auto-submission stuff.  I set up another test mailing 
list, this one on Bluehost.  First, I compared the HTML of the 
members/unsubscribe page and they are *identical* [except for having different 
URLs for the links to the various pages].

And I tried my program on the Bluehost version and I was greeted with 

Not Acceptable! Not Acceptable! An appropriate representation of the requested
resource could not be found on this server. This error was generated by
Mod_Security.

OK, next step is to do a complete packet-capture of the transactions with 
Dreamhost and wireshark it to see what is strange versus what my program is 
doing...

and mailman's forms seemed so simple...:o)

  /b\
Bernie Cosell
   ber...@fantasyfarm.com
-- Too many people; too few sheep --
   





[Mailman-Users] Mod_Security

2018-08-01 Thread Bernie Cosell
I'm still working on the auto-submission stuff.  I set up another test mailing 
list, this one on Bluehost.  First, I compared the HTML of the 
members/unsubscribe page and they are *identical* [except for having 
different URLs for the links to the various pages].

And I tried my program on the Bluehost version and I was greeted with 

Not Acceptable! Not Acceptable! An appropriate representation of the requested
resource could not be found on this server. This error was generated by
Mod_Security.

OK, next step is to do a complete packet-capture of the transactions with 
Dreamhost and wireshark it to see what is strange versus what my 
program is doing...

and mailman's forms seemed so simple...:o)

  /b\
Bernie Cosell
   ber...@fantasyfarm.com
-- Too many people; too few sheep --
   





Re: [Mailman-Users] ARC

2018-08-01 Thread Stephen J. Turnbull
Jordan Brown writes:

 > Wasn't this in the context of signature-checking schemes that detect
 > forged origin metadata?

Context, yes.  The question is did Intuit need extreme accuracy for
that?  Maybe they did, but I see no evidence for that need.

Intuit was not a financial intermediary.  It sent bills, it did not
collect payments AFAIK (if it did, that would be a different matter).
The reason it got into billing is that it has the invoice data anyway,
since it was doing accounting and tax preparation for these businesses
(Intuit is the company that sells TurboTax).  So you receive a bill
from Intuit, your response is not to click on a link in the bill, it's
to go to your banking site and authorize a transfer to the vendor.

You could argue that the bad guys could find some way to abuse the
system because the From address isn't aligned with Intuit's DKIM
signature (I thought of two while typing this sentence), but as far as
I know they haven't implemented yet.  They did implement spear-
spamming "from" Yahoo! and AOL customers.  Doesn't prove there's no
profitable way to exploit Intuit, but it's suggestive.

 > So the vendor has to notify their customers who they use to do
 > their billing, and every time that they change billing vendors?

Probably not.  My guess is that Intuit did, in a footer.  Again, this
works well enough as long as Intuit isn't collecting money for the
vendor, and the vendor's customers are expecting to use a different
channel already set up to make payment.  I don't think these folks
would change billing vendors very often, since that probably implies
changing accountants and tax preparer, too.

 > Ofttimes, the goal is that the billing vendor is completely
 > invisible to the end customer.

Sure.  But it can't be completely invisible here.  Remember, these are
businesses that don't have their own domains or are so technically
clueless that they're billing from yahoo.com, not their own domain.

I doubt very many customers (of the vendors using Intuit) paid any
attention to who was sending the bills, vs who was asking for money.

 > Having your billing vendor be visible is, like having your company
 > e-mail address be @gmail.com

Exactly (but it was @yahoo.com. :-)  There are many people out there
who don't think very hard about these things.  The only thing they
fear enough to buy help for is the IRS.  Therefore, Intuit.

 > Not anywhere near as hard as it is for a full-scale e-mail vendor.
 > Google secures a database of millions of users' secrets, and must
 > have internal and external controls that keep the wrong people from
 > sending mail that pretends to come from those users.

It's unfair to refer to Google and ignore Yahoo! and AOL here.  My
point is that if I were Intuit's CISO, I would want to be securing
customers' accounting and tax records, not their mail service.  One
doesn't want to have to expend Google-like resources for a service one
doesn't need to provide.


Re: [Mailman-Users] bounce notification to owner from non members?

2018-08-01 Thread Stephen J. Turnbull
Reply-To set to Mailman-Developers.  Please clean up your header if
you use Reply-All.

Richard Damon writes:

 > It would be nice if Mailman could tell the MTA as it was receiving the
 > message that it wasn't acceptable so it could be rejected then, but
 > since it generally can't, you need to discard spam, not reject it.

Since Mailman3 uses LMTP, I *think* it would be possible for Mailman
to reject it in such a way as to pass the rejection up the chain.

RFE submitted (https://gitlab.com/mailman/mailman/issues/498) and
assigned to yours truly.  Discussion to Mailman-Developers or me
personally, or on the issue, as you see fit.
