Re: [Mailman-Users] Reply-To Munging - Feature Request

2014-05-09 Thread Mark Sapiro
On 05/08/2014 02:34 PM, Dave Nathanson wrote:
> 
> AFTER DEMARC, using the best settings for us that we can:
> 
> FROM: Author_Name via ListName 
> TO: ListName 
> REPLY-TO: ListName 
> 
> This is *pretty good* except that 
> * I don't like the "via list name" in the from header, even though I 
> understand that is the new reality. 
> * I don't like the lack of an author email address. 
> 
> I also tried: 
> first_strip_reply_to  = No
> But that means a normal reply will go to both the list & the author. So the 
> author will get 2 copies, and I don't feel that is desirable, even though it 
> seems to be the only way to include the author's email address. 


Well then you won't like 2.1.18 because it will put the original From:
in Reply-To: even if first_strip_reply_to = Yes, but the author won't
get 2 copies if the author's "Avoid duplicate copies of messages?"
option (nodups in the admin Membership List) is Yes which is the normal
default. The issue however is the author gets the direct reply, not the
list copy which is the only way it can work, but may not be the copy
she'd prefer to get.


> FEATURE REQUEST: 
> A setting to control the new "From" line. Instead of FROM: Author_Name via 
> ListName 
> I want to request that it offer the option to let the list admin config what 
> goes there after the author's name. I would use this setting to say:
> FROM: Author_Name via Club Name
>   substituted "Club Name" for "List Name", and used 
>   explicit reply_to_address instead of list address. 


I'll consider this. It would help to keep my attention if you would
submit this to the tracker at 

-- 
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Mark Sapiro
On 05/09/2014 07:27 PM, Richard Damon wrote:

> But the wrapped message could pass the DMARC DKIM signature check, if it
> will exactly match the message that came from Yahoo/AOL. (which the
> phish won't). This says that the List Headers, modified subject, list
> headers and footers should be added to the wrapping message, not the
> wrapped message, which also says that the MUA shouldn't throw this away,
> but combine these with the original message (but in a way that makes it
> clear which is which).


Just for the record, this is how the Wrap Message action is implemented
in Mailman. I.e. all the stuff Richard mentions is done to the outer
message, not to the message/rfc822 part that is the original message.
The one exception that will break DKIM is content filtering which by
necessity is applied to the original message before it's wrapped. This
is a big one, because I suspect almost all messages from Yahoo users are
multipart/alternative to begin with (and has anyone else noticed what a
horrible job Yahoo does in making the text/plain alternative, but I
digress ...), and many lists collapse alternatives so the DKIM sig will
be broken.

That notwithstanding, as Stephen and others have mentioned, the MUAs to
deal with this are not here and are unlikely to be here anytime soon.

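The Wrap Message behaviour Mark describes, as an added example that is not Mailman's code: it wraps a constructed multipart/alternative post as a message/rfc822 part, recomputes the DKIM body hash (the bh= tag, RFC 6376 "simple" canonicalization) over what a recipient unwraps, and then shows that collapsing alternatives before wrapping, as content filtering must, changes that hash. The message, list name and footer are constructed; no real key or signature is involved.

```python
import base64
import email
import hashlib
import re

# Constructed sample post, the kind a DMARC p=reject domain would DKIM-sign.
ORIGINAL = (
    b"From: Alice Example <alice@example.com>\r\n"
    b"To: mylist@lists.example.org\r\n"
    b"Subject: hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="alt"\r\n'
    b"\r\n"
    b"--alt\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Hi list\r\n"
    b"--alt\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<p>Hi list</p>\r\n"
    b"--alt--\r\n"
)


def dkim_body_hash(raw: bytes) -> str:
    """The bh= tag of a DKIM-Signature under RFC 6376 'simple' body
    canonicalization: drop every empty line at the end of the body, make the
    body end in one CRLF, SHA-256 it, base64 the digest. A verifier recomputes
    this over the body it receives, so any rewrite of the body breaks it."""
    _, _, body = raw.partition(b"\r\n\r\n")
    canonical = body.rstrip(b"\r\n") + b"\r\n"
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()


def wrap_for_list(original: bytes, list_name: str, footer: str) -> bytes:
    """Wrap Message as the thread describes it: subject prefix, RFC 2369
    List-* headers and the footer all go on the OUTER message; the original is
    embedded byte-for-byte as a message/rfc822 part."""
    boundary = "wrap-" + hashlib.sha256(original).hexdigest()[:16]
    head = (
        f"From: Alice Example via {list_name} <{list_name}@lists.example.org>\r\n"
        f"Subject: [{list_name}] hello\r\n"
        f"List-Id: <{list_name}.lists.example.org>\r\n"
        f"List-Post: <mailto:{list_name}@lists.example.org>\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: message/rfc822\r\n"
        "\r\n"
    ).encode()
    # The CRLF before a boundary delimiter belongs to the delimiter (RFC 2046),
    # so one extra CRLF here keeps the original's own final CRLF inside the part.
    tail = (
        f"\r\n--{boundary}\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        f"{footer}\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    return head + original + tail


def unwrap(outer: bytes) -> bytes:
    """What a DMARC-aware verifier or MUA would do: take the message/rfc822
    part out of the wrapper without re-serializing it."""
    head, _, body = outer.partition(b"\r\n\r\n")
    boundary = re.search(rb'boundary="([^"]+)"', head).group(1)
    for part in (b"\r\n" + body).split(b"\r\n--" + boundary)[1:-1]:
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if part_head.lower().startswith(b"content-type: message/rfc822"):
            return part_body
    raise ValueError("no message/rfc822 part in wrapper")


def collapse_alternatives(original: bytes) -> bytes:
    """Content filtering's 'collapse alternatives': keep only the text/plain
    part. Mailman has to apply this to the original before wrapping, so the
    signed body is rewritten and bh= no longer matches."""
    msg = email.message_from_bytes(original)
    plain = next(p for p in msg.walk() if p.get_content_type() == "text/plain")
    head, _, _ = original.partition(b"\r\n\r\n")
    head = re.sub(rb"Content-Type: [^\r\n]*",
                  b"Content-Type: text/plain; charset=us-ascii", head)
    text = plain.get_payload(decode=True).rstrip(b"\r\n") + b"\r\n"
    return head + b"\r\n\r\n" + text


def via_wrap(original: bytes) -> bytes:
    """Wrap at the list, unwrap at the recipient: the bytes a verifier sees."""
    return unwrap(wrap_for_list(original, "mylist", "mylist mailing list"))


def signature_survives(transform) -> bool:
    """True if the bh= the sender's domain computed over ORIGINAL still
    matches after the list has applied `transform` to it."""
    return dkim_body_hash(transform(ORIGINAL)) == dkim_body_hash(ORIGINAL)
```

Only the body-hash half of a DKIM signature is modelled; the header hash is preserved by the same byte-for-byte embedding as long as the inner headers are left alone.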


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Stephen J. Turnbull
Richard Damon writes:
 > On 5/9/14, 10:13 PM, John Levine wrote:

 > > The correct response is either for senders to stop publishing DMARC
 > > policies that don't match the way their users use mail (fat chance),
 > > or for recipient systems to skip the DMARC checks on mail from sources
 > > that are known to send mail that recipients want but that doesn't
 > > match DMARC's narrow authentication model, e.g., mailing lists and the
 > > Wall Street Journal's mail-an-article button.

GMail is already doing this, although we don't know the algorithm
precisely.  If GMail continues and others join, ostracism of providers
who continue to use inflexible bouncing policies instead of smart
filters becomes more plausible.

I know that's not satisfactory for people whose lists are populated by
AOL and Yahoo users, but I don't know what to say to them.  Their
users are DoS'ing their mailing lists with their addresses, even if
they don't know it.

 > But the wrapped message could pass the DMARC DKIM signature check, if it
 > will exactly match the message that came from Yahoo/AOL. (which the
 > phish won't). This says that the List Headers, modified subject, list
 > headers and footers should be added to the wrapping message, not the
 > wrapped message, which also says that the MUA shouldn't throw this away,
 > but combine these with the original message (but in a way that makes it
 > clear which is which).

Sure (and that is what I intended when I suggested wrapping in the
first place), but (a) MUAs don't support DMARC yet, and all the signs
say that the yahoos will deliberately delay implementing MUAs that do,
and (b) many MUAs don't support wrapped messages well at all.

As John put it,

 >> Failing that, all we have left is hacks, none of which are
 >> satisfactory.

We'll see how the on-going talks at the IETF go.  Some results should
be forthcoming "shortly" (that's hearsay, and I can't say any more
because that's exactly what I was told by a source close to the center
of the process).



[Mailman-Users] Results of testing posts to yahoogroups from AOL

2014-05-09 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > I finally got around to testing this.

Thanks, Mark!



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Stephen J. Turnbull
Lindsay Haisley writes:

 > A nice fix, albeit probably total pie-in-the-sky, would be the
 > establishment of a MIME Content-Type: multipart/list-post, a variation
 > on (or extension of) multipart/mixed.  MUAs SHOULD (in the RFC 2119 sense)
 > effectively hide the outermost enclosing MIME envelope with this
 > Content-Type and present the contents according to rules that would
 > apply were the enclosing MIME envelope not there.  As far as the mail
 > system is concerned, the headers on the envelope are the effective ones.
 > As far as the MUA is concerned, for presentation purposes, the envelope
 > content is what counts.

The problem is that the DMARC people don't give a damn about the mail
system (and the PHBs behind the actions at Yahoo and AOL could care
less in both senses, apparently).  They're entirely concerned with
presentation.

And the technicians who designed DMARC are *right* to be concerned
about presentation, because it is presentation that the crooks use to
hook their prey.  In other words, if we come up with a way to present
mail that doesn't bear their signature[1] "as if" it came straight
from one of their domains, that can be abused by the crooks.

When (not if!) that abuse happens, the forces behind DMARC will come
back and say "O no!  You can't do THAT!"  And they (the PHBs,
I mean) will break the system again ... and again ... and again.

So, unfortunately, I think there is *no* fix based on presentation.
The only real fix is users who are sophisticated enough to avoid
spammers, which can't be perfect (some people just aren't, and
everybody slips occasionally), but can certainly be enhanced by better
filters.

Well, there's that other fix, the one that involves lists as we love
them joining the dinosaurs. :-(

All-hail-Dave-Hayes-and-the-AI-newsreader!-ly y'rs,



Footnotes: 
[1]  Any list that isn't a pure address exploder will be unable to
maintain the signature.



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Richard Damon
On 5/9/14, 10:13 PM, John Levine wrote:
>> Arguably, the correct response to DMARC filtering _should_ be the MIME
>> encapsulation of list mail, with appropriate RFC 2369 headers added to
>> the enclosing MIME structure leaving the content un-munged, with all
>> information from the original poster intact.  Arguably, MUAs should be
>> transparent to this.  Arguably, this would have been the best design for
>> the operation of mailing lists in email-space from the git-go.
> Unfortunately, this argument falls over when you note that spammers
> and phishers can encapsulate their paypal.com phishes and add list
> headers, too.  
>
> The correct response is either for senders to stop publishing DMARC
> policies that don't match the way their users use mail (fat chance),
> or for recipient systems to skip the DMARC checks on mail from sources
> that are known to send mail that recipients want but that doesn't
> match DMARC's narrow authentication model, e.g., mailing lists and the
> Wall Street Journal's mail-an-article button.
>
> Failing that, all we have left is hacks, none of which are satisfactory.
>
> R's,
> John
>
But the wrapped message could pass the DMARC DKIM signature check, if it
will exactly match the message that came from Yahoo/AOL. (which the
phish won't). This says that the List Headers, modified subject, list
headers and footers should be added to the wrapping message, not the
wrapped message, which also says that the MUA shouldn't throw this away,
but combine these with the original message (but in a way that makes it
clear which is which).

-- 
Richard Damon



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread John Levine
>Arguably, the correct response to DMARC filtering _should_ be the MIME
>encapsulation of list mail, with appropriate RFC 2369 headers added to
>the enclosing MIME structure leaving the content un-munged, with all
>information from the original poster intact.  Arguably, MUAs should be
>transparent to this.  Arguably, this would have been the best design for
>the operation of mailing lists in email-space from the git-go.

Unfortunately, this argument falls over when you note that spammers
and phishers can encapsulate their paypal.com phishes and add list
headers, too.  

The correct response is either for senders to stop publishing DMARC
policies that don't match the way their users use mail (fat chance),
or for recipient systems to skip the DMARC checks on mail from sources
that are known to send mail that recipients want but that doesn't
match DMARC's narrow authentication model, e.g., mailing lists and the
Wall Street Journal's mail-an-article button.

Failing that, all we have left is hacks, none of which are satisfactory.

R's,
John



[Mailman-Users] Results of testing posts to yahoogroups from AOL

2014-05-09 Thread Mark Sapiro
I finally got around to testing this. I posted three times to my test
Yahoo group from 'Mark Sapiro '. One post with
the group set to send replies to the group and one post with the group
set to send replies to the sender and one post with the group set to
send replies to the sender and the group.

In all cases, the posts were sent with

From: "Mark Sapiro my_aol_addr...@aol.com [my_yahoo_groupname]"



In the first case (replies to group), there was

Reply-To: 

in the post from the group. This seems correct, and my actual address
was in the display name portion of From:

In the second case, there was no Reply-To: in the message meaning a
simple 'reply' was addressed to the From: address which I suppose is
fairly easy to edit to go to me, but without editing, 'reply' goes to
the group which is wrong.

In the third (reply to both) case there is a

Reply-To: my_yahoo_groupn...@yahoogroups.com,Mark Sapiro


which is correct.

So the bottom line is Yahoo groups does From: header munging when
necessary because of DMARC policies on the From: domain and they manage
Reply-To: well in two cases out of three.



Re: [Mailman-Users] Subscription flood

2014-05-09 Thread Mark Sapiro
On 05/09/2014 12:12 PM, Bill Christensen wrote:
> 
> Is there a way that I can just have it affect this one problematic
> list?  If I change the name of cgi-bin/subscribe and any references to
> it (at least until the next update), do you think that will make a
> difference?


It seems to me the easiest way to do this is to apply the attached patch
to Mailman/Cgi/subscribe.py. Change problem_list to the actual list name
and if you don't want the logging, remove the syslog line.

But as others have suggested, look at your web server logs (or the
subscribe confirmation emails) to get the IP address(es) that are
submitting them. If they all come from a single IP or netblock, block
that with iptables or whatever firewall you have.

--- subscribe.py2014-05-09 12:30:58.295498380 -0700
+++ subscribex.py   2014-05-09 13:03:34.567535107 -0700
@@ -54,6 +54,15 @@
 return
 
 listname = parts[0].lower()
+if listname = 'problem_list':
+safelistname = Utils.websafe(listname)
+doc.AddItem(Header(2, _("Error")))
+doc.AddItem(Bold(_('Web subscribe not allowed 
%(safelistname)s')))
+# Send this with a 403 status.
+print 'Status: 403 Forbidden'
+print doc.Format()
+syslog('vette', 'subscribe: Forbidden list "%s": %s\n', listname, e)
+return
 try:
 mlist = MailList.MailList(listname, lock=0)
 except Errors.MMListError, e:
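Review bot: `if listname = 'problem_list':` is an assignment where a comparison is needed, so Python will refuse to compile subscribe.py with this applied; it should read `if listname == 'problem_list':`. In the same block, `syslog('vette', 'subscribe: Forbidden list "%s": %s\n', listname, e)` formats `e`, which is only bound by the `except Errors.MMListError, e:` clause further down, so the log line would raise NameError the first time the branch is taken; drop the second `%s` and the `e` argument, or log only `listname`. The `+` lines also arrived without their indentation and with the `_('Web subscribe not allowed %(safelistname)s')` literal wrapped across two lines, so the block has to be re-indented under the `if` before it will apply.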

Re: [Mailman-Users] Subscription flood

2014-05-09 Thread Robert Heller
At Fri, 09 May 2014 14:12:57 -0500 Bill Christensen 
 wrote:

> 
> On 5/9/14 1:25 PM, Mark Sapiro wrote:
> > On 05/09/2014 10:46 AM, Bill Christensen wrote:
> >> I temporarily removed the signup form from the listinfo page in hopes of
> >> stemming the tide, and replaced it with a request to use the site's
> >> contact form so that we can manually add interested subscribers.  I
> >> purposely don't have a subscribe email address set up for this list.
> >> But somehow they're still coming in - another 1300+ since yesterday.
> >
> > They probably aren't using the subscribe form on the listinfo page but
> > rather posting the data directly to the subscribe CGI. Try moving
> > mailman's cgi-bin/subscribe aside to totally disable web subscribe.
> >
> I expect that will affect my other lists as well, no?

Yes.

> 
> Is there a way that I can just have it affect this one problematic 
> list?  If I change the name of cgi-bin/subscribe and any references to 
> it (at least until the next update), do you think that will make a 
> difference?

Maybe.  Maybe not.  If the spammers are clever enough, they could just go 
back to the form (or the form on one of the other lists served by your server) 
and find the new name for the subscribe script by looking at the  tag.

Your *best* option would be to firewall the offending IP address from which the 
attack is coming.  It is *very* likely that these attacks are coming from 
China or someplace where your legit subscriber base is not going to be coming 
from, so blocking the IP address(es) (or subnet(s)) won't affect legit 
subscription requests.  This is done in the mailman.conf file in the 
/etc/httpd/conf.d/ directory (or possibly in an .htaccess file in Mailman's 
cgi-bin directory, if AllowOverride is YES).  Or use fail2ban to use iptables 
to block IP addresses that issue too many subscribe requests.  fail2ban is 
very effective at dealing with *any* sort of brute force attack.


-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments


 


Re: [Mailman-Users] Subscription flood

2014-05-09 Thread Robert Heller
At Fri, 09 May 2014 12:46:42 -0500 Bill Christensen 
 wrote:

> 
> On 5/8/14 12:02 PM, Mark Sapiro wrote:
> > On 05/08/2014 09:31 AM, Bill Christensen wrote:
> >> Question 1: Is it possible to reverse the order of approval and
> >> confirmation when requiring both?  The admin then can reject all those
> >> with duplicates, only allowing the (presumably real) single subscription
> >> requests to send out a confirmation request.
> >
> > It would require significant code changes.
> >
> >
> >> If so, how would that be done?
> >>
> >> Question 2: Any other suggestions on how to handle this?
> >>
> >> Currently running mailman 2.1.13_0 (Next stop is to MacPorts list to see
> >> if the maintainer will update the port to the latest version)
> >
> > There are mitigations which may help in Mailman 2.1.16. See
> > .
> >
> Ok, great.
> 
> I temporarily removed the signup form from the listinfo page in hopes of 
> stemming the tide, and replaced it with a request to use the site's 
> contact form so that we can manually add interested subscribers.  I 
> purposely don't have a subscribe email address set up for this list.  
> But somehow they're still coming in - another 1300+ since yesterday.
> 
> What other holes can I plug?

If you can determine the originating IP address (hint: look in Apache's
access_log), you can edit the mailman.conf file in /etc/http/conf.d and add in
a  container with 'DENY *ip address*' lines -- the ip address given to
DENY can be a CIDR expression (w.x.y.z/n), allowing you to block whole
subnets (often the spammers just jump from machine to machine when one IP 
address is blocked or sometimes just have a cluster of machines pounding on 
the 'victim'). 

Also, it might make sense to install fail2ban and set up a filter for these 
requests and have fail2ban firewall the offensive IP addresses.

These spammers are not actually using the signup form -- removing the form has
no meaningful effect, once someone has gonked the CGI parameters and action
URL and since Mailman is open source, the CGI parameters and action URL are
published info and they just need to plug in your hostname and the list name
-- there is probably a program out there that takes these two parameters and
then 'randomly' generates *lots* of subscription requests as a form of DDoS
attack. You *could* remove the Execute bit from the CGI script / program that
handles that action. This will result in a 500 error from Apache and
effectively kills any possibility for anyone to sign up for any list served by
your server. Yes, extreme, but effective. Still, the best option is to firewall 
the spammers, either with an Apache DENY statement or using fail2ban.  

> 
> Thanks.

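The detection step Robert describes here and in his later reply (look in Apache's access_log, then Deny or firewall the source netblock), as an added example that is neither fail2ban's code nor anything from the thread: it runs a fail2ban-style threshold over constructed Common Log Format lines for POSTs to Mailman's subscribe CGI, grouping by IP or by enclosing /24, and emits the Apache 2.2-style Deny block he refers to. The log lines, threshold and window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache Common Log Format; the timestamp carries its own UTC offset.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Mailman's web subscribe CGI is reached as /mailman/subscribe/<listname>.
SUBSCRIBE_RE = re.compile(r"^/mailman/subscribe/(?P<list>[^/?]+)")

# Constructed sample log: a scripted burst from two hosts in one /24, plus one
# genuine signup (listinfo page first, then a single POST a minute later).
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2014:12:30:01 -0500] "POST /mailman/subscribe/problemlist HTTP/1.1" 200 1532
203.0.113.7 - - [09/May/2014:12:30:02 -0500] "POST /mailman/subscribe/problemlist HTTP/1.1" 200 1532
203.0.113.9 - - [09/May/2014:12:30:02 -0500] "POST /mailman/subscribe/problemlist HTTP/1.1" 200 1532
203.0.113.7 - - [09/May/2014:12:30:03 -0500] "POST /mailman/subscribe/problemlist HTTP/1.1" 200 1532
203.0.113.9 - - [09/May/2014:12:30:04 -0500] "POST /mailman/subscribe/problemlist HTTP/1.1" 200 1532
203.0.113.7 - - [09/May/2014:12:30:04 -0500] "POST /mailman/subscribe/problemlist HTTP/1.1" 200 1532
198.51.100.20 - - [09/May/2014:12:31:10 -0500] "GET /mailman/listinfo/problemlist HTTP/1.1" 200 4221
198.51.100.20 - - [09/May/2014:12:31:55 -0500] "POST /mailman/subscribe/problemlist HTTP/1.1" 200 1532
"""


def subscribe_posts(log_text):
    """Yield (ip, timestamp, listname) for every POST to the subscribe CGI."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        s = SUBSCRIBE_RE.match(m.group("path"))
        if s:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts, s.group("list")


def find_offenders(log_text, max_posts=3, window=timedelta(minutes=10),
                   prefixlen=None):
    """fail2ban-style rule: a source that posts more than `max_posts`
    subscribe requests inside any `window` is flagged. With `prefixlen` the
    source is the enclosing netblock rather than the single IP, which catches
    the 'cluster of machines pounding on the victim' case.
    Returns {source: total posts}."""
    stamps_by_source = defaultdict(list)
    for ip, ts, _ in subscribe_posts(log_text):
        source = ip if prefixlen is None else str(
            ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        stamps_by_source[source].append(ts)
    offenders = {}
    for source, stamps in stamps_by_source.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > max_posts:
                offenders[source] = len(stamps)
                break
    return offenders


def netblocks(ips, prefixlen=24):
    """Collapse flagged addresses into CIDR blocks for a deny rule."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return sorted(str(n) for n in ipaddress.collapse_addresses(nets))


def apache_deny_block(blocks):
    """The Apache 2.2-style DENY Robert mentions, for mailman.conf or an
    .htaccess in the cgi-bin directory; scoped to the subscribe CGI only so
    listinfo and the other lists keep working."""
    lines = ["<Location /mailman/subscribe>", "    Order allow,deny",
             "    Allow from all"]
    lines += [f"    Deny from {b}" for b in blocks]
    lines.append("</Location>")
    return "\n".join(lines)
```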


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Lindsay Haisley
On Sat, 2014-05-10 at 04:01 +0900, Stephen J. Turnbull wrote:
> Lindsay Haisley writes:
> 
>  > What goes into an address comment is, or should be, purely
>  > informational on a human level, and ignored on a computational
>  > level.
> 
> Unfortunately, we can't depend on that:

The operational term is "or should be" :/

> DMARC draft, sec. 15.2.  This is discussion of matters outside the
> scope of DMARC itself, not a normative specification, and the document
> itself says there are legitimate uses of email addresses in display
> names (or comments).  But that hasn't stopped the spam-fighters in the
> past; it may not stop them this time.  AFAICS, putting an address from
> a DMARC domain anywhere in the mail leaves you subject to a possible
> DMARC reject unless you satisfy "from alignment" for that domain
> exactly as specified in DMARC.
> 
> That's not implemented by anyone now, and may never be.  And
> obfuscating the address as in the OP may help, but for my previous
> work address that would be
> 
> stephen dot turnbull dot 1 at econ dot ohio-state dot edu
> 
> which is 57 characters.  You pays your money and you takes your
> choice, I guess.

DMARC is ugly, as AOL and Yahoo are using it.  From: header munging is
ugly.  Ugly begets ugly when agreements start to break down.  All we can
do is ride with it and hope that smart people with cool heads and a
sense of the real value of a smoothly working Internet to the larger
community will ultimately prevail.  I'm not overly optimistic at this
point.  AFAICS, this is just another aspect of the general abandonment of
net neutrality, one which has come in under the radar of the nightly
news.

A nice fix, albeit probably total pie-in-the-sky, would be the
establishment of a MIME Content-Type: multipart/list-post, a variation
on (or extension of) multipart/mixed.  MUAs SHOULD (in the RFC 2119 sense)
effectively hide the outermost enclosing MIME envelope with this
Content-Type and present the contents according to rules that would
apply were the enclosing MIME envelope not there.  As far as the mail
system is concerned, the headers on the envelope are the effective ones.
As far as the MUA is concerned, for presentation purposes, the envelope
content is what counts.

-- 
Lindsay Haisley   | "Everything works if you let it"
FMP Computer Services |
512-259-1190  | - The Roadie
http://www.fmp.com|




Re: [Mailman-Users] Subscription flood

2014-05-09 Thread Bill Christensen

On 5/9/14 1:25 PM, Mark Sapiro wrote:
> On 05/09/2014 10:46 AM, Bill Christensen wrote:
>> I temporarily removed the signup form from the listinfo page in hopes of
>> stemming the tide, and replaced it with a request to use the site's
>> contact form so that we can manually add interested subscribers.  I
>> purposely don't have a subscribe email address set up for this list.
>> But somehow they're still coming in - another 1300+ since yesterday.
>
> They probably aren't using the subscribe form on the listinfo page but
> rather posting the data directly to the subscribe CGI. Try moving
> mailman's cgi-bin/subscribe aside to totally disable web subscribe.

I expect that will affect my other lists as well, no?

Is there a way that I can just have it affect this one problematic
list?  If I change the name of cgi-bin/subscribe and any references to
it (at least until the next update), do you think that will make a
difference?



Re: [Mailman-Users] Subscription flood

2014-05-09 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > They probably aren't using the subscribe form on the listinfo page but
 > rather posting the data directly to the subscribe CGI. Try moving
 > mailman's cgi-bin/subscribe aside to totally disable web subscribe.

Yeah, this seems like a different attack from the last one I heard
about (a CGI on a 3rd party site that would sign the victim up for
about 400 *different* MLs), but that one also hit the subscribe URL
directly.

How hard would it be to use security-by-obscurity, ie, to just move
the subscribe URL to a different location and change the links on the
subscribe pages?


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Stephen J. Turnbull
Lindsay Haisley writes:

 > What goes into an address comment is, or should be, purely
 > informational on a human level, and ignored on a computational
 > level.

Unfortunately, we can't depend on that:

   There are a few possible mechanisms that attempt mitigation of
   [display name] attacks, such as:

   o  If the display name is found to include an email address (as
  specified in [MAIL]), execute the DMARC mechanism on the domain
  name found there rather than the domain name discovered
  originally.

DMARC draft, sec. 15.2.  This is discussion of matters outside the
scope of DMARC itself, not a normative specification, and the document
itself says there are legitimate uses of email addresses in display
names (or comments).  But that hasn't stopped the spam-fighters in the
past; it may not stop them this time.  AFAICS, putting an address from
a DMARC domain anywhere in the mail leaves you subject to a possible
DMARC reject unless you satisfy "from alignment" for that domain
exactly as specified in DMARC.

That's not implemented by anyone now, and may never be.  And
obfuscating the address as in the OP may help, but for my previous
work address that would be

stephen dot turnbull dot 1 at econ dot ohio-state dot edu

which is 57 characters.  You pays your money and you takes your
choice, I guess.

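The sec. 15.2 mitigation Stephen quotes, as an added example that is not from the DMARC draft or the thread: it extracts an addr-spec from the From: display name (the shape Yahoo Groups produces, per Mark's test results elsewhere in this thread), decides which domain DMARC would evaluate, and checks a simplified relaxed alignment against the domains the message is authenticated for. The header values are constructed and the organizational-domain lookup is left out.

```python
import re
from email.utils import parseaddr

# addr-spec as it would appear inside free text (a simplification of RFC 5322).
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def dmarc_domains(from_header):
    """Return (rfc5322_from_domain, display_name_domain). The second is None
    unless the display name itself contains an addr-spec; under the draft's
    sec. 15.2 mitigation a verifier would evaluate that domain instead."""
    name, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower() or None
    m = ADDR_IN_TEXT.search(name)
    display_domain = m.group(0).rpartition("@")[2].lower() if m else None
    return from_domain, display_domain


def evaluated_domain(from_header, display_name_mitigation=True):
    """The domain whose DMARC policy applies to this From: header."""
    from_domain, display_domain = dmarc_domains(from_header)
    if display_name_mitigation and display_domain:
        return display_domain
    return from_domain


def aligned(domain, authenticated_domains):
    """Relaxed alignment, simplified: an authenticated domain (DKIM d= or the
    SPF domain) aligns if it equals `domain` or one is a subdomain of the
    other. Real DMARC compares organizational domains from the Public Suffix
    List; that lookup is left out here."""
    d = domain.lower()
    return any(a == d or a.endswith("." + d) or d.endswith("." + a)
               for a in (x.lower() for x in authenticated_domains))


def dmarc_pass(from_header, authenticated_domains, display_name_mitigation=True):
    """Does the message satisfy from-alignment for the evaluated domain?
    With the mitigation on, a list's own DKIM signature no longer helps a
    From: whose display name carries an address from a p=reject domain."""
    return aligned(evaluated_domain(from_header, display_name_mitigation),
                   authenticated_domains)
```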


Re: [Mailman-Users] Subscription flood

2014-05-09 Thread Mark Sapiro
On 05/09/2014 10:46 AM, Bill Christensen wrote:
> 
> I temporarily removed the signup form from the listinfo page in hopes of
> stemming the tide, and replaced it with a request to use the site's
> contact form so that we can manually add interested subscribers.  I
> purposely don't have a subscribe email address set up for this list. 
> But somehow they're still coming in - another 1300+ since yesterday.


They probably aren't using the subscribe form on the listinfo page but
rather posting the data directly to the subscribe CGI. Try moving
mailman's cgi-bin/subscribe aside to totally disable web subscribe.



Re: [Mailman-Users] Subscription flood

2014-05-09 Thread Bill Christensen

On 5/8/14 12:02 PM, Mark Sapiro wrote:
> On 05/08/2014 09:31 AM, Bill Christensen wrote:
>> Question 1: Is it possible to reverse the order of approval and
>> confirmation when requiring both?  The admin then can reject all those
>> with duplicates, only allowing the (presumably real) single subscription
>> requests to send out a confirmation request.
>
> It would require significant code changes.
>
>> If so, how would that be done?
>>
>> Question 2: Any other suggestions on how to handle this?
>>
>> Currently running mailman 2.1.13_0 (Next stop is to MacPorts list to see
>> if the maintainer will update the port to the latest version)
>
> There are mitigations which may help in Mailman 2.1.16. See
> .

Ok, great.

I temporarily removed the signup form from the listinfo page in hopes of
stemming the tide, and replaced it with a request to use the site's
contact form so that we can manually add interested subscribers.  I
purposely don't have a subscribe email address set up for this list.
But somehow they're still coming in - another 1300+ since yesterday.

What other holes can I plug?

Thanks.


[Mailman-Users] Reply-To Munging - Feature Request

2014-05-09 Thread Dave Nathanson
I appreciate that the MailMan team is awesome & doing the best that can be 
expected given the new DMARC restrictions being forced on us all. Thanks guys! 

FEATURE REQUEST: 
A setting to configure the new "From" line. Instead of 
FROM: Author_Name via ListName 

I want to request that MailMan let the list admin config the text after the 
author's name in the FROM line. I would use this setting to say:
FROM: Author_Name via Club Name
 * substituted test string "Club Name" for "List Name"
 * substituted explicit reply_to_address instead of list address. 

More details: 

DreamHost just installed 2.1.17 so that's what I have to work with. I don't 
know why they didn't go all the way to the newest version this week. 

My email lists are served from a sub-domain that I don't use for anything 
except lists. lists.example.com That is a given, not my option. 

I have things figured out as well as can be for my situation. 
The settings we are going to use are:
   reply_goes_to_list = Explicit address
   reply_to_address = everyb...@example.com  (as opposed to 
everyb...@lists.example.com )
   from_is_list  = Mung From
   first_strip_reply_to  = Yes

The only difference is from_is_list = Mung From. The other settings are the 
same as before DMARC. 

This makes it almost as good as before Yahoo ruined all mailing lists 
worldwide. 


Differences before & after DMARC
BEFORE:
FROM: Author_Name 
TO: ListName 
REPLY-TO: ListName 

We liked it like that. Everything was fine. 

AFTER DMARC, using the best settings for us that we can:

FROM: Author_Name via ListName 
TO: ListName 
REPLY-TO: ListName 

This is *pretty good* except that 
* I don't like the "via list name" in the from header, even though I understand 
that is the new reality. 
* I don't like the lack of an author email address. 

I also tried: 
first_strip_reply_to  = No
But that means a normal reply will go to both the list & the author. So the 
author will get 2 copies, and I don't feel that is desirable, even though it 
seems to be the only way to include the author's email address. 

FEATURE REQUEST: 
A setting to control the new "From" line. Instead of FROM: Author_Name via 
ListName 
I want to request that it offer the option to let the list admin config what 
goes there after the author's name. I would use this setting to say:
FROM: Author_Name via Club Name
  substituted "Club Name" for "List Name", and used 
  explicit reply_to_address instead of list address. 

Best, 
 Dave Nathanson
 Mac Medix



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Lindsay Haisley
On Thu, 2014-05-08 at 15:42 -0400, Glenn Sieb wrote:
> If I felt what my users were asking for was unreasonable, I wouldn't
> have bothered to bring it here. They'd *like* to see who's posting so if
> they *choose* to reply privately they can. In the past, this was easy
> enough. The From: line was there with the OP's email address. Now, as
> far as I can tell, depending on the MUA the *poster* uses, there *might*
> be two Reply-Tos--one with the OP email, one with the list address. But
> that's not reliable, as it doesn't happen for ALL posters.
> 
> Hell, even a munged From: like:
> 
> "ges+lists at wingfoot dot org via Mailman-Users
> "
> 
> would be a vast improvement over:
> 
> "ges+lists--- via Mailman-Users "

I'm not as knowledgeable as Stephen or Mark, but I've been working with
Internet email since the early 90s or so and have read the founding
RFCs.  One of the principles underlying the design of the Internet email
system is that information should never be intentionally abandoned.
Nothing gets dumped into the cosmic bit bucket, neither header
information nor content, and NDRs and DSNs keep the sender apprised of
problems with delivery.  This has been a strong argument against munging
of Reply-To headers going back quite a few years.  Information may be
_added_ by a component in the delivery chain (and generally is) but not
deleted.

Arguably, the correct response to DMARC filtering _should_ be the MIME
encapsulation of list mail, with appropriate RFC 2369 headers added to
the enclosing MIME structure leaving the content un-munged, with all
information from the original poster intact.  Arguably, MUAs should be
transparent to this.  Arguably, this would have been the best design for
the operation of mailing lists in email-space from the get-go.

We're stuck in the Real World, however, where Apple and probably other
MUA authors and designers have cut corners in design and we're forced
into a corner where information loss of some sort is imposed on us.
From: header munging is decidedly ugly!  It's perhaps the least ugly
solution that still works reliably to deliver content to _everyone_ even
though the information loss limits choice on the receiving end.

Your suggested partial solution ("ges+lists at wingfoot dot org via
Mailman-Users ...") is also ugly, but given the situation we're in at
this point, IMHO it has merit and should be worth some consideration in
the design of Mailman.  What goes into an address comment is, or should
be, purely informational on a human level, and ignored on a
computational level.  Whether or not it would confuse people is
another matter.  It ain't the kinder, gentler Internet I jumped into
back in 1994!

-- 
Lindsay Haisley   | "Everything works if you let it"
FMP Computer Services |
512-259-1190  | - The Roadie
http://www.fmp.com|
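Lindsay's preferred answer to DMARC (encapsulate the post as message/rfc822, put the RFC 2369 List-* headers on the enclosing message, and leave the author's message untouched) and Dave's "Author_Name via ListName" From: line from his feature request earlier in this digest can both be shown with the standard library. The following is an added example, not code from the thread and not Mailman's own implementation: the list name, domain and the original post are constructed, and the outer From: is built in the "Author via List <list-address>" form only to illustrate the format discussed; the original message is attached whole, so a recipient's MUA can recover every original header.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import formataddr, parseaddr

# Assumed list identity (hypothetical values for this example).
LIST_NAME = "mylist"
LIST_DOMAIN = "lists.example.com"
LIST_ADDR = f"{LIST_NAME}@{LIST_DOMAIN}"

# Constructed original post, as it would arrive from a member.
SAMPLE_ORIGINAL = """\
From: Alice Example <alice@example.org>
To: mylist@lists.example.com
Subject: Meeting notes
Message-ID: <20140509.1@example.org>
Content-Type: text/plain; charset="utf-8"

Hello list, this is my unaltered message.
"""


def wrap_for_list(original_text):
    """Encapsulate a member's post in a new message whose From: is the list.

    The original message, headers and all, travels as a message/rfc822
    part, so nothing the author wrote is altered or discarded.  The RFC 2369
    List-* headers (plus the RFC 2919 List-Id) go on the outer message only.
    """
    original = message_from_string(original_text, policy=default)
    author_name, author_addr = parseaddr(str(original["From"]))
    shown = author_name or author_addr

    outer = EmailMessage()
    # The visible sender is now the list, so DMARC alignment is evaluated
    # against the list's own domain; the author survives as display text.
    outer["From"] = formataddr((f"{shown} via {LIST_NAME}", LIST_ADDR))
    outer["To"] = LIST_ADDR
    outer["Reply-To"] = str(original["From"])
    outer["Subject"] = str(original["Subject"])
    outer["List-Id"] = f"<{LIST_NAME}.{LIST_DOMAIN}>"
    outer["List-Post"] = f"<mailto:{LIST_ADDR}>"
    outer["List-Help"] = f"<mailto:{LIST_NAME}-request@{LIST_DOMAIN}?subject=help>"
    outer["List-Subscribe"] = f"<mailto:{LIST_NAME}-request@{LIST_DOMAIN}?subject=subscribe>"
    outer["List-Unsubscribe"] = f"<mailto:{LIST_NAME}-request@{LIST_DOMAIN}?subject=unsubscribe>"
    outer["List-Owner"] = f"<mailto:{LIST_NAME}-owner@{LIST_DOMAIN}>"

    outer.set_content(f"Message from {shown} to the {LIST_NAME} list is attached unmodified.\n")
    outer.add_attachment(original)   # serialized as a message/rfc822 part
    return outer


def unwrap(wrapped_text):
    """Recover the untouched original from a serialized wrapper message."""
    outer = message_from_string(wrapped_text, policy=default)
    for part in outer.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    raise ValueError("no message/rfc822 part found")


if __name__ == "__main__":
    wire = wrap_for_list(SAMPLE_ORIGINAL).as_string()
    print(wire)
    inner = unwrap(wire)
    print("recovered original From:", inner["From"])
```

The trade-off Lindsay describes is visible in the output: the outer headers carry the list's identity for DMARC, while the author's address, Message-ID and body are still there verbatim one level down, for any MUA that shows an attached message inline.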





Re: [Mailman-Users] Private Archives Aren't Private

2014-05-09 Thread Kevin Monceaux
On Thu, May 08, 2014 at 03:11:51PM -0400, Robert Heller wrote:
 
> Are you logged in as the list admin?  That is, is the cookie that was created 
> the last time you logged in still active?

No.  I had an Alias in my Apache virtual host configuration that was
bypassing the mailman CGI script when accessing the private archives.  I
think it was something I added when trying to figure out a private archive
directory permission problem.  Removing the Alias fixed the problem.



-- 

Kevin
http://www.RawFedDogs.net
http://Lassie.RawFedDogs.net
http://www.WacoAgilityGroup.org
Bruceville, TX

What's the definition of a legacy system? One that works!
Errare humanum est, ignoscere caninum.


Re: [Mailman-Users] Can Someone Explain This?

2014-05-09 Thread jdd

On 09/05/2014 13:36, Larry Stone wrote:

> I assume you are just a user of a list at ibiblio.org? If so, you can’t fix
> it. Ibiblio.org has Mailman installed incorrectly. They need to install it
> correctly. This problem affects all lists managed by this Mailman
> installation so I assume you have also not been receiving any postings from
> this list.


ibiblio admins used to be very reactive; open a ticket...

jdd

--
http://www.dodin.org

Re: [Mailman-Users] Can Someone Explain This?

2014-05-09 Thread Larry Stone

On May 9, 2014, at 2:08 AM, sherwin  wrote:

> I am recently having trouble posting messages to Ibiblio from my
> AT&T mail account.  There have been issues lately with AOL and
> Yahoo changing their headers, but I was not affected by this.
> 
> My email postings to Ibiblio are being rejected with the following error:

…

> : Command died with status 2:
>"/usr/lib/mailman/mail/mailman post midfex". Command output: Group mismatch
>error.  Mailman expected the mail wrapper script to be executed as group
>"mailman", but the system's mail server executed the mail script as group
>"nobody".  Try tweaking the mail server to run the script as group
>"mailman", or re-run configure,  providing the command line option
>`--with-mail-gid=nobody'.
> 
> How can this be fixed?

I assume you are just a user of a list at ibiblio.org? If so, you can’t fix it. 
Ibiblio.org has Mailman installed incorrectly. They need to install it 
correctly. This problem affects all lists managed by this Mailman installation 
so I assume you have also not been receiving any postings from this list.

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/





[Mailman-Users] Can Someone Explain This?

2014-05-09 Thread Stephen J. Turnbull
sherwin writes:

 > : Command died with status 2:
 >  "/usr/lib/mailman/mail/mailman post midfex". Command output: Group 
 > mismatch
 >  error.  Mailman expected the mail wrapper script to be executed as group
 >  "mailman", but the system's mail server executed the mail script as 
 > group
 >  "nobody".  Try tweaking the mail server to run the script as group
 >  "mailman", or re-run configure,  providing the command line option
 >  `--with-mail-gid=nobody'.

I would bet a week's worth of beer that the Mailman installation has
been upgraded recently, and they forgot to give the wrapper program
sgid privilege and/or forgot to give it group "mailman".

It's also possible that the actual problem is with the mail server,
but usually mail servers are not given sufficient permissions to run
other programs as arbitrary users or groups.

To fix it, run the bin/check_perms program in the Mailman installation
to see if I'm correct.  If I am, run "bin/check_perms -f" to actually
make the necessary changes.

Of course you need to have root permission on the Mailman host to do
this.
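The two conditions Stephen names (the wrapper must carry the setgid bit and must belong to group "mailman") can be verified without running Mailman's own tooling. The following is an added example, not from the thread and not Mailman's bin/check_perms: a small stand-alone check that reads a wrapper's mode and group and reports which of those conditions would make the MTA's invocation fail with the "Group mismatch error" quoted above. The expected group "mailman", the default wrapper path (taken from the bounce) and the extra world-writable test are assumptions of this example.

```python
import grp
import os
import stat
import sys

# Mailman's default wrapper group and the wrapper path quoted in the bounce
# above; both are assumptions for this example, adjust for your install.
EXPECTED_GROUP = "mailman"
DEFAULT_WRAPPER = "/usr/lib/mailman/mail/mailman"


def diagnose_wrapper(mode, group_name, expected_group=EXPECTED_GROUP):
    """Return the problems with a setgid mail wrapper's mode and group.

    `mode` is the permission bits as returned by stat.S_IMODE (0o2755 for
    -rwxr-sr-x).  An empty list means the wrapper switches to the expected
    group when the MTA's unprivileged user executes it.
    """
    problems = []
    if group_name != expected_group:
        problems.append(
            f'wrapper belongs to group "{group_name}", expected "{expected_group}"')
    if not mode & stat.S_ISGID:
        problems.append("setgid bit is not set, so the MTA's group is kept")
    if not mode & stat.S_IXOTH:
        problems.append("not executable by others, so the MTA user cannot run it")
    # Extra hygiene check (not one Mailman reports): a setgid binary that
    # any local user can modify lets that user run code as the privileged group.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def inspect_wrapper(path, expected_group=EXPECTED_GROUP):
    """stat() the wrapper on disk and diagnose it."""
    st = os.stat(path)
    try:
        group_name = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group_name = str(st.st_gid)   # gid with no /etc/group entry
    return diagnose_wrapper(stat.S_IMODE(st.st_mode), group_name, expected_group)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_WRAPPER
    found = inspect_wrapper(path)
    if found:
        print(f"{path}: the MTA would get a group mismatch error")
        for problem in found:
            print("  -", problem)
        print(f"fix: chgrp {EXPECTED_GROUP} {path} && chmod 2755 {path} "
              "(or run bin/check_perms -f as root)")
    else:
        print(f"{path}: setgid wrapper looks correct")
```

Run it as `python3 check_wrapper.py /usr/lib/mailman/mail/mailman` (file name assumed). It reads the wrapper's metadata only, so it needs no root; the repair it prints does, as Stephen says.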


[Mailman-Users] Can Someone Explain This?

2014-05-09 Thread sherwin

I am recently having trouble posting messages to Ibiblio from my
AT&T mail account.  There have been issues lately with AOL and
Yahoo changing their headers, but I was not affected by this.

My email postings to Ibiblio are being rejected with the following error:

This is the mail system at host lists.ibiblio.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

: Command died with status 2:
"/usr/lib/mailman/mail/mailman post midfex". Command output: Group mismatch
error.  Mailman expected the mail wrapper script to be executed as group
"mailman", but the system's mail server executed the mail script as group
"nobody".  Try tweaking the mail server to run the script as group
"mailman", or re-run configure,  providing the command line option
`--with-mail-gid=nobody'.



Reporting-MTA: dns; lists.ibiblio.org
X-Postfix-Queue-ID: 0CFE6235EE
X-Postfix-Sender: rfc822;sherwi...@att.net
Arrival-Date: Fri,  9 May 2014 02:48:43 -0400 (EDT)

Final-Recipient: rfc822;mid...@lists.ibiblio.org
Action: failed
Status: 5.3.0
Diagnostic-Code: x-unix; Group mismatch error.  Mailman expected the mail
wrapper script to be executed as group "mailman", but the system's mail
server executed the mail script as group "nobody".  Try tweaking the mail
server to run the script as group "mailman", or re-run configure,
providing the command line option `--with-mail-gid=nobody'.


How can this be fixed?

  Sherwin Dubren