[Post by list member from an unsubscribed address]
On Nov 18, 2012 4:07 AM, Petersen, Kirsten J - NET
kirsten.peter...@oregonstate.edu wrote:
Gary, et al:
The Mailman lists at Oregon State University have been receiving
excessive requests for subscriptions since mid-October as well. Our list
Ben Cooksley writes:
If Mailman were to implement basic CSRF protection for all POST requests
that would also slow the attackers down I suspect (as they would have to
make a GET request first and parse it).
It might slow a human down, but as soon as it becomes a feature of
Mailman, the
Gary, et al:
The Mailman lists at Oregon State University have been receiving excessive
requests for subscriptions since mid-October as well. Our list administrators
were suspicious because often the names on the requests did not match the email
addresses. Also, many lists that had been
On Oct 29, 2012, at 02:14 PM, Lindsay Haisley wrote:
Such an enhancement would obviously not help anyone using a currently
older Mailman package, but going forward, say into MM3, it might be a
good idea to make this information available in some such way. I use
courier as a MTA, and courier has
On Tue, 2012-10-30 at 04:56 +, Kalbfleisch, Gary wrote:
Don't assume that I don't have the skills.
I don't. Please accept my apology if you thought that I implied this.
I have been building the linux os from source since long before most
people even heard of the Internet. I manage my
On Thu, 2012-10-18 at 23:53 +, Kalbfleisch, Gary wrote:
I am running 2.1.9 because that is the latest version available from
Redhat as a package.
It's relatively simple to install Mailman from the source package, but
one thing that would help a great deal with this would be default
On 10/29/2012 11:25 AM, Lindsay Haisley wrote:
On Thu, 2012-10-18 at 23:53 +, Kalbfleisch, Gary wrote:
I am running 2.1.9 because that is the latest version available from
Redhat as a package.
It's relatively simple to install Mailman from the source package, but
one thing that would
On Mon, 2012-10-29 at 11:43 -0700, Mark Sapiro wrote:
See http://wiki.list.org/x/KYCB and the Mailman-Developers post linked
therefrom. It's probably out of date and does not directly address the
issue of making this information available as part of the 3rd party
package, but it is probably
On Mon, 2012-10-29 at 14:14 -0500, Lindsay Haisley wrote:
On Mon, 2012-10-29 at 11:43 -0700, Mark Sapiro wrote:
See http://wiki.list.org/x/KYCB and the Mailman-Developers post linked
therefrom. It's probably out of date and does not directly address the
issue of making this information
[Mailman-Users] Automated Subscription Bots Inundating List
Owners With Subscription Requests
On Thu, 2012-10-18 at 23:53 +, Kalbfleisch, Gary wrote:
I am running 2.1.9 because that is the latest version available from
Redhat as a package.
It's relatively simple to install Mailman from the source
On Mon, 2012-10-29 at 21:04 +, Kalbfleisch, Gary wrote:
I like to stick with packages when possible because it makes
maintenance much easier.
As do I. There are times, however, when mission-critical packages in a
distribution are outdated, or absent, or broken and building from source
is
Don't assume that I don't have the skills. I have been building the linux os
from source since long before most people even heard of the Internet. I manage
my time very carefully, and mailman is a very small part of what I do. The
newest version of mailman does not resolve any of the
Lindsay Haisley writes:
On the other hand, most people get spam, and hate it, and can
appreciate that their own interests are served by having to jump
through a hoop or two to make sure that they're entering a bot-free
zone.
Sure, all of that is true, except for the implication that
* Brad Knowles b...@shub-internet.org:
On Oct 22, 2012, at 5:40 PM, Stephen J. Turnbull turnb...@sk.tsukuba.ac.jp
wrote:
I'm dubious about the net value of CAPTCHAs. Personally, I generally
take a CAPTCHA as a NO TRESPASSING -- THIS MEANS YOU! sign, and
don't go back.
CAPTCHAs are
On 10/22/2012 11:55 PM, Ralf Hildebrandt wrote:
I recently got 30 new comments on my blog, all of which were spam.
And of course I'm using a CAPTCHA there. So Brad's point is probably
valid.
I don't like CAPTCHAs either, and one of their problems is that they're so
easy to see
On 23/10/2012 17:17, Carl Zwanzig wrote:
I've used a similar method for help email to places like yahoo. At the
bottom of the text I ask Please tell me your favorite color so I know
I'm working with a real person. Seems to work.
yes I also have public passwd on a wiki. By the way the pas
[Mailman-Users] Automated Subscription Bots Inundating List
Owners With Subscription Requests
On 23/10/2012 17:17, Carl Zwanzig wrote:
I've used a similar method for help email to places like yahoo. At the
bottom of the text I ask Please tell me your favorite color so I know
I'm working
On Oct 23, 2012, at 8:41 AM, jdd jdani...@free.fr wrote:
that said there are some real human paid to catch web site, and against that
no luck :-(
There's an old axiom in the security business that no defense can stop a
sufficiently motivated attacker with sufficient resources. The US Secret
On Oct 23, 2012, at 9:28 AM, Kalbfleisch, Gary ga...@shoreline.edu wrote:
As a result of this activity I have changed all lists so that confirmation is
required for all subscriptions, and only list owners can view the list of
subscribers. The confirmations don't actually solve the email
Lindsay Haisley writes:
Take a look at http://areyouahuman.com/.
I just tried their sample. I'd rather face a CAPTCHA! And their
twitter feed reads like spam -- same comments, same apparent author,
different avatar. Not a great start if they want to captcha my lists!
;-)
Seriously, I can
Kalbfleisch, Gary writes:
Note that for the majority of what I have seen in this attack it
is the return email messages that the exploiters desire.
Yes, this is the most important point for Mailman developers, in
fact. Thank you for reiterating it.
I have seen some evidence that these
On Wed, 2012-10-24 at 11:57 +0900, Stephen J. Turnbull wrote:
Lindsay Haisley writes:
Take a look at http://areyouahuman.com/.
I just tried their sample. I'd rather face a CAPTCHA! And their
twitter feed reads like spam -- same comments, same apparent author,
different avatar. Not a
Hi Stephen,
Thank you for your reply. My responses are below
-Original Message-
From: Stephen J. Turnbull [mailto:step...@xemacs.org]
Sent: Friday, October 19, 2012 9:20 PM
To: Kalbfleisch, Gary
Cc: mailman-users@python.org
Subject: [Mailman-Users] Automated Subscription Bots
Kalbfleisch, Gary writes:
Kalbfleisch, Gary responds:
Messages are batchable, but administrative tasks are not. As you
noted you must tick each box, and yes I'm talking pages and pages
of bogus subscription requests. Quite tedious.
This would be a bigger problem than losing valid
I personally don't care for CAPTCHA but it exists for a reason. If anyone can
suggest a better solution I would love to hear it. Right now Mailman is being
exploited to email bomb individuals and DOS email systems. This cannot
continue.
Gary Kalbfleisch
Sent from my iPod
On Oct 22,
Kalbfleisch, Gary writes:
I personally don't care for CAPTCHA but it exists for a reason.
Sure, the eternal search for easy solutions to difficult problems.
If anyone can suggest a better solution I would love to hear it.
Right now Mailman is being exploited to email bomb individuals and
On Tue, 2012-10-23 at 01:31 +, Kalbfleisch, Gary wrote:
I personally don't care for CAPTCHA but it exists for a reason. If
anyone can suggest a better solution I would love to hear it. Right
now Mailman is being exploited to email bomb individuals and DOS email
systems. This cannot
For the past couple days my Mailman server has been hammered with automated
subscription requests. I've always seen a few here and there but nothing like
this. Thousands of them, exploiting the web interface and replying to
confirmation email messages. Many of our lists were open
Kalbfleisch, Gary writes:
inundated with confirmation request messages, and you cannot delete
them all at once on the Tend to pending moderator requests
screen. You have to select Discard for each of them
individually. I don't know if this has been changed yet.
As far as I can see,
29 matches