Re: [Mailman-Developers] Mailing lists exploited

2017-05-15 Thread Mark Sapiro
On 05/15/2017 03:19 PM, Barry Warsaw wrote:
> 
> I'm a little confused by the OP.  Is it:
> 
> 1) A message to the posting address From: listname-ow...@example.com is not
> being moderated?  I would expect it to be since that address is not a member
> of the list.
> 
> 2) Emailing To: listname-ow...@example.com directly which would end up
> spamming the list owners?


I don't think it's either. I think it is scraping the list owner
addresses from the LISTNAME run by joe at example.com line on the web UI
pages, s/ at /@/ and spoofing that address as the sender of a spam post
to the list.

-- 
Mark Sapiro
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


Re: [Mailman-Developers] Mailing lists exploited

2017-05-15 Thread Barry Warsaw
On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:

> It's not done in Mailman 3.
>
> For mailman 2.1, the administrator email addresses are a mailto: link that
> goes to the LISTNAME-owner address, but the email addresses are exposed and
> only mildly obfuscated ('@' -> ' at ').
>
> I would consider adding a configuration option to either obfuscate the
> addresses further (e.g. drop the domain entirely) or replace the text with
> something like "Listname list run by listname-ow...@example.com".

I'm a little confused by the OP.  Is it:

1) A message to the posting address From: listname-ow...@example.com is not
being moderated?  I would expect it to be since that address is not a member
of the list.

2) Emailing To: listname-ow...@example.com directly which would end up
spamming the list owners?

MM3 doesn't currently moderate messages sent to the list owners, but it
could.  Messages to -owners flow through a different, shorter chain of rules
and pipeline, but I've always thought that that would be configurable.

-Barry


Re: [Mailman-Developers] Mailing lists exploited

2017-05-15 Thread Mark Sapiro
On 05/12/2017 05:13 AM, Jonathan Knight wrote:
> 
> Maybe listing administrator email addresses needs to be a thing of the
> past.


It's not done in Mailman 3.

For mailman 2.1, the administrator email addresses are a mailto: link
that goes to the LISTNAME-owner address, but the email addresses are
exposed and only mildly obfuscated ('@' -> ' at ').

I would consider adding a configuration option to either obfuscate the
addresses further (e.g. drop the domain entirely) or replace the text
with something like "Listname list run by listname-ow...@example.com".

WDOT?

-- 
Mark Sapiro
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
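As an added example (not Mailman's own code; the policy names and function names are assumptions made for this illustration), here is how the configuration option proposed above could render the listinfo "run by" line under each policy, a check that a rendering no longer leaks a real owner address under the trivial s/ at /@/ reversal described in the thread, and the hold-for-moderation rule Barry expects for a post whose From: is the -owner address:

```python
import re
from email.utils import parseaddr

# Policy names and function names are this example's own assumptions, not
# Mailman 2.1 configuration keys.
AT_OBFUSCATE = "at"          # current 2.1 behaviour: '@' -> ' at '
DROP_DOMAIN = "local-part"   # show only the part before the '@'
OWNER_ALIAS = "owner-alias"  # show listname-owner@domain instead of real owners


def run_by_line(listname, domain, owners, policy=AT_OBFUSCATE):
    """Render the 'LISTNAME list run by ...' text for a listinfo page."""
    if policy == OWNER_ALIAS:
        shown = [f"{listname}-owner@{domain}"]
    elif policy == DROP_DOMAIN:
        shown = [addr.split("@", 1)[0] for addr in owners]
    elif policy == AT_OBFUSCATE:
        shown = [addr.replace("@", " at ") for addr in owners]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return f"{listname} list run by " + ", ".join(shown)


def leaks_owner_address(rendered, owners):
    """Mitigation check: does undoing ' at ' -> '@' (the s/ at /@/ from the
    thread) recover any real owner address from the rendered text?"""
    undone = re.sub(r"\s+at\s+", "@", rendered).lower()
    return any(owner.lower() in undone for owner in owners)


def should_hold_post(from_header, listname, domain, members):
    """Barry's point 1: a post whose From: is listname-owner@domain, or any
    other non-member address, is held for moderation instead of delivered."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr == f"{listname}-owner@{domain}".lower():
        return True
    return addr not in {m.lower() for m in members}


if __name__ == "__main__":
    # Constructed sample data for a list 'foo' at example.com.
    owners = ["joe@example.com"]
    for policy in (AT_OBFUSCATE, DROP_DOMAIN, OWNER_ALIAS):
        line = run_by_line("foo", "example.com", owners, policy)
        print(f"{policy:12} {line!r:45} leaks={leaks_owner_address(line, owners)}")
    print(should_hold_post("Foo Owner <foo-owner@example.com>", "foo",
                           "example.com", owners))
```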