[Mailman-Users] I did not submit a request to unsubscribe from mailman-users
I received three unsubscribe confirmations overnight. I did not initiate these. The source IPs resolve to India and Sri Lanka. Is it just me, or is this happening to other subscribers?

--
Gary Kalbfleisch
Director of Technology Support Services
Shoreline Community College
(206) 546-5813
(206) 546-6943 Fax

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] I did not submit a request to unsubscribe from mailman-users
Sounds familiar. Please see the thread "Automated Subscription Bots Inundating List Owners With Subscription Requests" if you haven't already.

--
Gary Kalbfleisch
Director of Technology Support Services
Shoreline Community College
(206) 546-5813
(206) 546-6943 Fax

-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+garyk=shoreline@python.org] On Behalf Of Ralf Hildebrandt
Sent: Tuesday, October 30, 2012 6:52 AM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] I did not submit a request to unsubscribe from mailman-users

> * Kalbfleisch, Gary ga...@shoreline.edu:
>> I received three unsubscribe confirmations overnight. I did not initiate these. The source IPs resolve to India and Sri Lanka. Is it just me, or is this happening to other subscribers?
>
> Not to me, but we're also seeing subscription requests that are reported as spam by the victims at Yahoo.
>
> --
> Ralf Hildebrandt
> Charite Universitätsmedizin Berlin
> ralf.hildebra...@charite.de
> Campus Benjamin Franklin
> http://www.charite.de
> Hindenburgdamm 30, 12203 Berlin
> Geschäftsbereich IT, Abt. Netzwerk
> fon: +49-30-450.570.155
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
I like to stick with packages when possible because it makes maintenance much easier. This is really a non-issue since the current version of Mailman does not have a fix for this problem.

Thank you,

--
Gary Kalbfleisch
Director of Technology Support Services
Shoreline Community College
(206) 546-5813
(206) 546-6943 Fax

-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+garyk=shoreline@python.org] On Behalf Of Lindsay Haisley
Sent: Monday, October 29, 2012 11:25 AM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

> On Thu, 2012-10-18 at 23:53 +, Kalbfleisch, Gary wrote:
>> I am running 2.1.9 because that is the latest version available from Redhat as a package.
>
> It's relatively simple to install Mailman from the source package, but one thing that would help a great deal with this would be default inclusion in the built package of a standard text or script that would contain, or issue, the arguments provided to configure during the build process. There are several critical parameters, including the prefix, the var-prefix and of course the mail-gid, which ought to be readily available for this purpose. If you've already built Mailman from source, this information is of course available in config.log, but for people installing Mailman from an outdated package from a distribution, and wanting to catch up with the latest improvements or security fixes, having this information available as part of the distributed end product would be a big help. This is already done for many large and complex packages, and would be a big help in making the transition from a pre-built Mailman package to a source-based update.
>
> Maybe this information is already available. I only spent about 5 minutes looking for it outside of the source tree and couldn't find it.
>
> --
> Lindsay Haisley       | "Behold! Our way lies through a
> FMP Computer Services |  dark wood whence in which
> 512-259-1190          |  weirdness may wallow!"
> http://www.fmp.com    |          --Beauregard
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
Don't assume that I don't have the skills. I have been building the Linux OS from source since long before most people had even heard of the Internet. I manage my time very carefully, and Mailman is a very small part of what I do. The newest version of Mailman does not resolve any of the issues that I have been experiencing, if you have read my posts. I have implemented the security measures required using other means until such time as they are resolved in Mailman.

Regards,
Gary Kalbfleisch

Sent from my iPod

On Oct 29, 2012, at 8:37 PM, Lindsay Haisley fmouse-mail...@fmp.com wrote:

> On Mon, 2012-10-29 at 21:04 +, Kalbfleisch, Gary wrote:
>> I like to stick with packages when possible because it makes maintenance much easier.
>
> As do I. There are times, however, when mission-critical packages in a distribution are outdated, or absent, or broken, and building from source is the only option. IMHO, having the knowledge and the tools on one's system to do builds from the upstream source is an important system administration skill. I always seem to have one or two packages on any box that end up being built from source. Mailman is one of them, because I have a number of patches for it that I've developed, and because building and installing it from source is very easy.
>
> Juggling packages vs. upstream source is something you get used to. All package management systems that I know of have ways of freezing packages at a certain level or version so that your custom builds don't get crosswise of package management.
>
> --
> Lindsay Haisley       | "Real programmers use butterflies"
> FMP Computer Services |
> 512-259-1190          |          - xkcd
> http://www.fmp.com    |
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
Note that for the majority of what I have seen in this attack, it is the return email messages that the exploiters desire. I have seen some subscriptions actually get through, but I have not seen them exploited in any way other than to add to the flood of emails to the subscriber. I have seen some evidence that these accounts may have been used in an attempt to harvest email addresses. I have of course deleted all of these accounts, so I won't have the opportunity to observe how else they might be used.

As a result of this activity I have changed all lists so that confirmation is required for all subscriptions, and only list owners can view the list of subscribers. The confirmations don't actually solve the email bombing problem, but they will keep bogus subscriptions to a minimum.

I have implemented some iptables filters as noted previously, but I have not yet opened up the web interface externally. I have been monitoring traffic directed to port 80 on my Mailman server and it has gone down significantly since I put up the block. I may open it up again next week to see how my iptables filters work.

--
Gary Kalbfleisch
Director of Technology Support Services
Shoreline Community College
(206) 546-5813
(206) 546-6943 Fax

-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+garyk=shoreline@python.org] On Behalf Of jdd
Sent: Tuesday, October 23, 2012 8:42 AM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

> On 23/10/2012 17:17, Carl Zwanzig wrote:
>> I've used a similar method for help email to places like Yahoo. At the bottom of the text I ask "Please tell me your favorite color so I know I'm working with a real person." Seems to work.
>
> Yes, I also have a public password on a wiki. By the way, the password is not on the wiki page but in the mail I send to the user.
>
> That said, there are some real humans paid to catch web sites, and against that no luck :-(
>
> jdd
>
> --
> http://www.dodin.org
> http://jddtube.dodin.org/20120616-52-highway_v1115
Re: [Mailman-Users] Too many recipients
Am I understanding correctly that the list itself is a member of the list? Sounds like an email loop to me. What are you trying to do?

--
Gary Kalbfleisch
Director of Technology Support Services
Shoreline Community College
(206) 546-5813
(206) 546-6943 Fax

-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+garyk=shoreline@python.org] On Behalf Of Rodrigo Abrantes Antunes
Sent: Tuesday, October 23, 2012 9:19 AM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] Too many recipients

> Quoting Rodrigo Abrantes Antunes rodrigoantu...@pelotas.ifsul.edu.br:
>> Hi, when I try to send an e-mail to my list (only one recipient, the list itself), I get these:
>>
>> In Mailman's smtp logs:
>>   Oct 22 13:26:17 2012 (22940) xxx smtp to contas for 828 recips, completed in 1.705 seconds
>>
>> In Mailman's post logs:
>>   Oct 22 13:26:17 2012 (22940) post to contas from xxx@, size=3620, message-id=xxx, 450 failures
>>
>> In Mailman's smtp-failure logs:
>>   Oct 22 13:26:17 2012 (22940) delivery to xxx@x failed with code 452: 4.5.3 Error: too many recipients
>>
>> In my mm_cfg.py I have this:
>>   DEFAULT_MAX_NUM_RECIPIENTS = 0
>>
>> Any ideas?
>
> Searching Google I found that this error isn't related to the number of users in the list; it occurs because the total number of addresses in the To: and Cc: headers of the post equals or exceeds max_num_recipients. But the documentation says that if this option is set to 0 there is no limit. And my post has only one recipient in To:, the list itself. So what may be causing this?
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
Hi Stephen,

Thank you for your reply. My responses are below.

-----Original Message-----
From: Stephen J. Turnbull [mailto:step...@xemacs.org]
Sent: Friday, October 19, 2012 9:20 PM
To: Kalbfleisch, Gary
Cc: mailman-users@python.org
Subject: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

Kalbfleisch, Gary originally writes:
>> inundated with confirmation request messages, and you cannot delete them all at once on the "Tend to pending moderator requests" screen. You have to select Discard for each of them individually. I don't know if this has been changed yet.

Stephen J. Turnbull writes:
> As far as I can see, these are batchable (you only need to click Submit once -- version 2.1.15, but I doubt this has changed in many years). Is your issue that the moderator has to tick each box? I really don't think that should change; otherwise you would lose valid subscription requests when being attacked in this way. Is the issue that lists get so many requests that it overflows the screen, and you can only do (say) 20 at once?

Kalbfleisch, Gary responds:
Messages are batchable, but administrative tasks are not. As you noted, you must tick each box, and yes, I'm talking pages and pages of bogus subscription requests. Quite tedious. I think these too should be batchable, but perhaps separately. What I would like to be able to do is to change all administrative messages to discard (or whatever) with one click, then go back and change the legitimate subscription requests back to accept.

>> I had to block access to the web interface from off site at our router to stop the deluge of messages.

> I think this is the best way to handle it. There really ought to be a way for a host to request that a service be firewalled programmatically, although it would have to be designed *very* carefully.

After analyzing the httpd logs I have identified three primary sources of the bogus subscription requests, the most predominant being associated with http://mailbait.info.

If you list admins out there are not familiar with mailbait.info, you should check it out. It is a "service" (I use that term loosely here) for filling up your inbox. People submit hosts that send out email messages via web forms, which are exploited for this purpose. If you run it (and you can do this without filling in the email address field, so you can see how it works) you will see that it skips from one Mailman site to another submitting bogus subscription requests. As per the Mailbait FAQ, "MailBait does not condone using other people's email address with this service."; however, they make no effort to prevent it. You cannot filter on IP addresses because the source address is that of the person that runs it, not Mailbait itself. I created an iptables filter that looks for the string "mailbait.info", which appears in the Referer field of most of the packets. I investigated creating a filter utilizing the iptables "recent" directive, which filters on the number of consecutive hits per time period, but the hits are spread out between each host sufficiently to make this ineffective. This is true for the other two sources (not associated with Mailbait) I identified as well, which I traced to ISP DHCP ranges.

>> I have seen this starting to occur at some other Mailman sites as well. Anyone else seeing this or have any ideas about how best to handle this? I have it under control for now but it is changing the way we use our lists.

> Sadly, I don't see how that can be avoided. The problem is the SMTP and HTTP protocols themselves, which have no easily used provision for authentication or authorization of clients. (How many students do you know who walk around with a personal X.509 certificate?) If you have suggestions for the admin interface, that would be very helpful. Even if you don't have a lot of confidence in them, this is a hard problem that requires wild ideas.

CAPTCHA for subscription requests would go a long way in preventing this type of exploitation.

Thank you,

--
Gary Kalbfleisch
Director of Technology Support Services
Shoreline Community College
(206) 546-5813
(206) 546-6943 Fax
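The log triage described in the two messages above (identifying the Mailbait Referer in the httpd logs, and finding that a per-source-IP rate limit like the iptables "recent" match never trips because each driven browser only posts a few forms) can be reproduced offline. The script below is an added example; it is not code from the original posts or from Mailman. It parses Apache combined-format access-log lines for POSTs to /mailman/subscribe/<list>, tallies them per Referer host, emulates a per-IP "--seconds N --hitcount M" check next to an aggregate all-sources count over the same window, and prints the text of one possible iptables string-match rule for the Referer marker. The sample log lines, list names, IP addresses and the lists.example.edu host are constructed for illustration.

```python
"""Triage of Mailman subscribe-form abuse from an httpd access log.

Added example, not the original poster's code or logs. All sample data
below (IPs, list names, hosts) is constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SUBSCRIBE_RE = re.compile(r'^/mailman/subscribe/(?P<list>[^/?]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: two browsers driven by mailbait.info post to several
# lists a few seconds apart, plus one legitimate subscribe from the list's
# own listinfo page, plus an unrelated GET that must be ignored.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Oct/2012:09:15:01 -0700] "POST /mailman/subscribe/students HTTP/1.1" 200 5231 "http://mailbait.info/" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2012:09:15:02 -0700] "POST /mailman/subscribe/faculty HTTP/1.1" 200 5218 "http://mailbait.info/" "Mozilla/5.0"
203.0.113.21 - - [22/Oct/2012:09:15:05 -0700] "POST /mailman/subscribe/students HTTP/1.1" 200 5231 "http://mailbait.info/" "Mozilla/5.0"
192.0.2.44 - - [22/Oct/2012:09:15:09 -0700] "POST /mailman/subscribe/students HTTP/1.1" 200 5231 "http://lists.example.edu/mailman/listinfo/students" "Mozilla/5.0"
203.0.113.21 - - [22/Oct/2012:09:16:30 -0700] "POST /mailman/subscribe/alumni HTTP/1.1" 200 5240 "http://mailbait.info/" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2012:09:17:45 -0700] "GET /mailman/listinfo/students HTTP/1.1" 200 7102 "-" "Mozilla/5.0"
"""


def parse_subscribes(log_text):
    """Return [(timestamp, ip, list, referer)] for each POST to a subscribe form."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        s = SUBSCRIBE_RE.match(m["path"])
        if not s:
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"], s["list"], m["referer"]))
    return events


def referer_hosts(events):
    """Subscribe POSTs per Referer host: the view that exposes one driver behind many IPs."""
    counts = Counter()
    for _, _, _, ref in events:
        counts[urlparse(ref).hostname or "-"] += 1
    return counts


def recent_would_trigger(events, hitcount, seconds):
    """Emulate iptables '-m recent --update --seconds S --hitcount H' per source IP.
    Returns the IPs whose own POSTs reach `hitcount` inside any `seconds` window."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        by_ip[ip].append(ts)
    window = timedelta(seconds=seconds)
    tripped = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - hitcount + 1):
            if stamps[i + hitcount - 1] - stamps[i] <= window:
                tripped.add(ip)
                break
    return tripped


def aggregate_rate(events, seconds):
    """Largest number of subscribe POSTs from *all* sources inside one window:
    the signal a per-IP limit cannot see when hits are spread across hosts."""
    stamps = sorted(ts for ts, *_ in events)
    window = timedelta(seconds=seconds)
    best, j = 0, 0
    for i in range(len(stamps)):
        while stamps[i] - stamps[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def marker_sources(events, marker="mailbait.info"):
    """Source IPs whose subscribe POSTs carry `marker` in the Referer."""
    return sorted({ip for _, ip, _, ref in events if marker in ref})


def iptables_referer_rule(marker="mailbait.info"):
    """Text of a payload string match on port 80, the approach the post describes.
    Assumed rule, not the poster's: it only works for plaintext HTTP and only when
    the Referer header lands in a single packet."""
    return f'iptables -A INPUT -p tcp --dport 80 -m string --string "{marker}" --algo bm -j DROP'


if __name__ == "__main__":
    ev = parse_subscribes(SAMPLE_LOG)
    print("subscribe POSTs by Referer host:", dict(referer_hosts(ev)))
    print("per-IP recent(3 hits / 60 s) trips:", recent_would_trigger(ev, 3, 60))
    print("max POSTs from all sources in 60 s:", aggregate_rate(ev, 60))
    print("marker-referred sources:", marker_sources(ev))
    print(iptables_referer_rule())
```

On the constructed sample the per-IP check with three hits in sixty seconds trips for nobody, while the aggregate count over the same window reaches four, which is the mismatch the post describes. The string match is shown because that is what the thread discusses; a web-server-level rule that inspects the Referer header (and a required confirmation step, which the later message in this thread adopts) is less fragile than matching raw packet payloads.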
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
I personally don't care for CAPTCHA, but it exists for a reason. If anyone can suggest a better solution I would love to hear it. Right now Mailman is being exploited to email bomb individuals and DoS email systems. This cannot continue.

Gary Kalbfleisch

Sent from my iPod

On Oct 22, 2012, at 6:08 PM, Brad Knowles b...@shub-internet.org wrote:

> On Oct 22, 2012, at 5:40 PM, Stephen J. Turnbull turnb...@sk.tsukuba.ac.jp wrote:
>> I'm dubious about the net value of CAPTCHAs.
>
> Personally, I generally take a CAPTCHA as a "NO TRESPASSING -- THIS MEANS YOU!" sign, and don't go back.
>
> CAPTCHAs are already at the point where advanced code can apply statistical methods and solve them faster and better than many humans. Moreover, they have been problematic for a long time -- see http://www.tkachenko.com/blog/archives/000537.html, http://ezinearticles.com/?Captchas-Considered-Harmful---Why-Captchas-Are-Bad-And-How-You-Can-Do-Betterid=1104207, and http://coding.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/, among others.
>
> IMO, CAPTCHAs have already jumped the shark.
>
> --
> Brad Knowles b...@shub-internet.org
> LinkedIn Profile: http://tinyurl.com/y8kpxu
[Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
For the past couple of days my Mailman server has been hammered with automated subscription requests. I've always seen a few here and there, but nothing like this. Thousands of them, exploiting the web interface and replying to confirmation email messages. Many of our lists were open subscription and so some got through. Not a lot, though.

What's most annoying is that list owners are being inundated with confirmation request messages, and you cannot delete them all at once on the "Tend to pending moderator requests" screen. You have to select Discard for each of them individually. I don't know if this has been changed yet. I am running 2.1.9 because that is the latest version available from Redhat as a package.

I had to block access to the web interface from off site at our router to stop the deluge of messages.

I have seen this starting to occur at some other Mailman sites as well. Anyone else seeing this or have any ideas about how best to handle this? I have it under control for now but it is changing the way we use our lists.

--
Gary Kalbfleisch
Director of Technology Support Services
Shoreline Community College
(206) 546-5813
(206) 546-6943 Fax