Re: [Mailman-Users] How to block malicious subscription requests?

2017-09-05 Thread Jay R. Ashworth
- Original Message -
> From: "Mark Sapiro" 

> On 09/05/2017 09:45 AM, Grant Taylor via Mailman-Users wrote:
>> 
>> Is Mailman aware of user+detail?  Or does it naively view the entire
>> userpart as distinct?  Thus allowing as many subscriptions using
>> detail as possible?
>> 
>> I know of at least one very major mail provider (possibly the same one)
>> that removes dots from the user part.  So the following addresses are
>> equivalent.
> 
> 
> Mailman 2.1.x considers all these to be different users. E.g.
> 
> j...@example.com
> joe+mm_l...@example.com
> joe+ot...@example.com
> j...@example.com
> 
> are four distinct users as far as Mailman is concerned.

And, albeit arguably, I think that's the correct behavior.  Plushacking is
a hack specifically to make recipient filtering easier and more reliable;
since you can't expect outsiders to assume it, you have to yourself treat it
as separate mailboxes, and assume they will as well.  As mailman does.

It is, in short, a way to create additional recipient mailboxes when 
the user in question doesn't have administrative permission to do that;
assuming the user's receiving MUA will do the right thing -- but that's 
the only computer it requires you to make an assumption about.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] How to block malicious subscription requests?

2017-09-05 Thread Mark Sapiro
On 09/05/2017 09:45 AM, Grant Taylor via Mailman-Users wrote:
> 
> Is Mailman aware of user+detail?  Or does it naively view the entire
> userpart as distinct?  Thus allowing as many subscriptions using
> detail as possible?
> 
> I know of at least one very major mail provider (possibly the same one)
> that removes dots from the user part.  So the following addresses are
> equivalent.


Mailman 2.1.x considers all these to be different users. E.g.

j...@example.com
joe+mm_l...@example.com
joe+ot...@example.com
j...@example.com

are four distinct users as far as Mailman is concerned.

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan


Re: [Mailman-Users] How to block malicious subscription requests?

2017-09-05 Thread Grant Taylor via Mailman-Users

On 09/05/2017 08:55 AM, Ian Kelling wrote:
> There is at least one very major mail provider where
> joe+any_string@domain goes to the inbox of joe by default,


Is Mailman aware of user+detail?  Or does it naively view the entire 
userpart as distinct?  Thus allowing as many subscriptions using 
detail as possible?


I know of at least one very major mail provider (possibly the same one) 
that removes dots from the user part.  So the following addresses are 
equivalent.


u.s@example.net
u...@example.net
us...@example.net
...

The same type of thing could be exploited without user+detail.



--
Grant. . . .
unix || die



Re: [Mailman-Users] How to block malicious subscription requests?

2017-09-05 Thread tlhackque via Mailman-Users
On 05-Sep-17 10:55, Ian Kelling wrote:
> There is at least one very major mail provider where
> joe+any_string@domain goes to the inbox of joe by default, allowing bad
> people to get my mailman instance to send many subscription mails to
> joe+random_string@domain, messing up joe's inbox, because mailman just
> sees different addresses. Can mailman stop doing this? If not, I'm open
> to an exim rule to block or at least rate limit mailman from doing this
> too.
This is correct behavior by both the mail service provider and by mailman.

The way to address the anti-social behavior described is to implement a
captcha, which will effectively rate-limit subscription requests by bad
actors - usually to close to zero.

This has been discussed recently on this list.
> Also, is there a way to rate limit subscription requests even for the
> exact same email address? For example, don't allow someone to subscribe
> to list b if they have > 5 unconfirmed subscription requests in the last
> day?
I don't think so, but others more expert may respond.  If not, it seems
like a reasonable feature request for MM3.  But a captcha will probably
have the effect that you want.

I use reCAPTCHA (now hosted by Google).  It seems to stay ahead of the
captcha-solver bots most of the time.  It's important to choose one that
is accessible to people with disabilities.
> --
> Ian Kelling | Senior Systems Administrator, Free Software Foundation
> GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
> https://fsf.org | https://gnu.org
>



Re: [Mailman-Users] How to block malicious subscription requests?

2017-09-05 Thread David Gibbs

On 9/5/2017 9:55 AM, Ian Kelling wrote:

> There is at least one very major mail provider where
> joe+any_string@domain goes to the inbox of joe by default, allowing
> bad people to get my mailman instance to send many subscription mails
> to joe+random_string@domain, messing up joe's inbox, because mailman
> just sees different addresses. Can mailman stop doing this? If not,
> I'm open to an exim rule to block or at least rate limit mailman from
> doing this too.


You can use BAN_LIST on a list by list basis or GLOBAL_BAN_LIST in the config 
(in MM 2.1.21).

My observation about the attack is that they are doing a GET on the subscribe 
page to retrieve the hidden sub_form_token form field value and then doing a 
post to do the subscribe.

I modified the source for my install of MM to change the hidden field name.

I've had no successful or unsuccessful subscribe attempts since.

david


--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 65 miles) in the American Diabetes 
Association's Tour de Cure to raise money for diabetes research, education, 
advocacy, and awareness.  You can make a tax deductible donation to my ride by 
visiting http://gmane.diabetessucks.net.  My goal is $6000 but any amount is 
appreciated.

You can see where my donations come from by visiting my interactive donation 
map ... http://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!
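David's observation above (a GET of the subscribe page to fetch the hidden sub_form_token, then a POST) is a pattern the web server's access log shows directly, so it can be alerted on or fed to a rate limiter in front of Mailman without touching Mailman's source. The script below is an added example, not code from this thread or from the Mailman project: it scans Apache-style access-log lines for clients issuing repeated POSTs to the Mailman 2.1 subscribe CGI within a short window. The sample log lines, the client addresses (TEST-NET ranges), the list name and the thresholds are all constructed for the example.

```python
"""Flag clients bursting POSTs at the Mailman 2.1 subscribe CGI (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined"-style line; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Mailman 2.1 CGI paths: the listinfo page carries the subscribe form and
# its hidden sub_form_token; the form posts to /mailman/subscribe/<list>.
SUBSCRIBE_RE = re.compile(r"^/mailman/subscribe/(?P<list>[^/?]+)")

# Constructed sample log: 203.0.113.7 replays GET-then-POST three times in
# five seconds; 198.51.100.20 is a single ordinary subscriber.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2017:09:40:01 +0000] "GET /mailman/listinfo/mylist HTTP/1.1" 200 5120
203.0.113.7 - - [05/Sep/2017:09:40:02 +0000] "POST /mailman/subscribe/mylist HTTP/1.1" 200 2048
203.0.113.7 - - [05/Sep/2017:09:40:03 +0000] "GET /mailman/listinfo/mylist HTTP/1.1" 200 5120
203.0.113.7 - - [05/Sep/2017:09:40:04 +0000] "POST /mailman/subscribe/mylist HTTP/1.1" 200 2048
203.0.113.7 - - [05/Sep/2017:09:40:05 +0000] "GET /mailman/listinfo/mylist HTTP/1.1" 200 5120
203.0.113.7 - - [05/Sep/2017:09:40:06 +0000] "POST /mailman/subscribe/mylist HTTP/1.1" 200 2048
198.51.100.20 - - [05/Sep/2017:09:41:00 +0000] "GET /mailman/listinfo/mylist HTTP/1.1" 200 5120
198.51.100.20 - - [05/Sep/2017:09:41:30 +0000] "POST /mailman/subscribe/mylist HTTP/1.1" 200 2048
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_subscribe_bursts(
    lines: Iterable[str], threshold: int = 3, window: timedelta = timedelta(minutes=10)
) -> Dict[str, int]:
    """Return {ip: peak subscribe POSTs inside any `window`} for IPs at or above threshold."""
    posts: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if SUBSCRIBE_RE.match(rec["path"]) is None:
            continue
        posts[rec["ip"]].append(rec["ts"])

    flagged: Dict[str, int] = {}
    for ip, times in posts.items():
        times.sort()
        # Sliding window over the sorted timestamps: the largest number of
        # POSTs whose first and last are no more than `window` apart.
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_subscribe_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} subscribe POSTs within 10 minutes")
```

The flagged addresses are what you would hand to a web-server or firewall rate limit; the threshold is deliberately low here because the sample is tiny, and in practice it should be set from the legitimate subscribe rate seen in your own logs.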



[Mailman-Users] How to block malicious subscription requests?

2017-09-05 Thread Ian Kelling
There is at least one very major mail provider where
joe+any_string@domain goes to the inbox of joe by default, allowing bad
people to get my mailman instance to send many subscription mails to
joe+random_string@domain, messing up joe's inbox, because mailman just
sees different addresses. Can mailman stop doing this? If not, I'm open
to an exim rule to block or at least rate limit mailman from doing this
too.

Also, is there a way to rate limit subscription requests even for the
exact same email address? For example, don't allow someone to subscribe
to list b if they have > 5 unconfirmed subscription requests in the last
day?

--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
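Mark's point earlier in the thread that Mailman 2.1 treats joe@, joe+mm_list@ and dotted variants as distinct users, together with Ian's question above about limiting unconfirmed requests for one address, suggests a throttle that counts requests under a canonical form of the address while still subscribing the address exactly as entered (Jay's argument that plus-addresses are legitimately distinct mailboxes). The code below is an added example, not Mailman code and not from any poster; the set of dot-insensitive domains, the limit of 5 per day and the class and function names are assumptions made for the example.

```python
"""Throttle unconfirmed subscription requests by canonical address (added example)."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Assumption for this example: the operator maintains the set of domains
# known to ignore dots in the local part. Mailman itself has no such list.
DOT_INSENSITIVE_DOMAINS = {"example.com"}


def canonical_address(addr: str) -> str:
    """Collapse the aliases discussed in the thread onto one throttle key.

    user+detail@domain becomes user@domain, dots are dropped from the local
    part only for domains in DOT_INSENSITIVE_DOMAINS, and both parts are
    lower-cased. The key is used for counting only; the address that is
    actually subscribed stays exactly as the user entered it.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local = local.lower().split("+", 1)[0]
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


class SubscriptionThrottle:
    """Sliding-window limit on unconfirmed subscription requests.

    Implements the '> 5 unconfirmed requests in the last day' rule asked
    about in the thread, keyed by canonical_address() so joe+a@, joe+b@ and
    j.o.e@ at a dot-insensitive provider share one budget.
    """

    def __init__(self, limit: int = 5, window_seconds: int = 86400) -> None:
        self.limit = limit
        self.window = window_seconds
        self._pending: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, addr: str, now: Optional[float] = None) -> bool:
        """Return True and record the request if the address is under its limit."""
        now = time.time() if now is None else now
        key = canonical_address(addr)
        q = self._pending[key]
        # Forget requests that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def confirmed(self, addr: str) -> None:
        """A confirmed subscription is no longer pending; release its budget."""
        self._pending.pop(canonical_address(addr), None)


if __name__ == "__main__":
    # Constructed burst of plus-addressed requests all aimed at one inbox.
    throttle = SubscriptionThrottle(limit=5, window_seconds=86400)
    t0 = 1_504_600_000.0  # constructed timestamp
    for i in range(7):
        decision = throttle.allow(f"joe+random{i}@example.com", now=t0 + i)
        print(f"joe+random{i}@example.com -> {'accepted' if decision else 'throttled'}")
```

The throttle deliberately sits in front of the confirmation mail rather than changing what Mailman subscribes: the sixth request for the same canonical mailbox in a day is refused before any mail goes out, which is the nuisance the thread is trying to stop, while two genuinely different users at a provider that does not collapse dots keep separate budgets.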