Re: [Mailman-Developers] Mailing lists exploited
On 05/15/2017 03:19 PM, Barry Warsaw wrote:
>
> I'm a little confused by the OP. Is it:
>
> 1) A message to the posting address From: listname-ow...@example.com is not
> being moderated? I would expect it to be since that address is not a member
> of the list.
>
> 2) Emailing To: listname-ow...@example.com directly which would end up
> spamming the list owners?

I don't think it's either. I think it is scraping the list owner
addresses from the

LISTNAME run by joe at example.com

line on the web UI pages, s/ at /@/ and spoofing that address as the
sender of a spam post to the list.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Developers] Mailing lists exploited
On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:

>It's not done in Mailman 3.
>
>For mailman 2.1, the administrator email addresses are a mailto: link that
>goes to the LISTNAME-owner address, but the email addresses are exposed and
>only mildly obfuscated ('@' -> ' at ').
>
>I would consider adding a configuration option to either obfuscate the
>addresses further (e.g. drop the domain entirely) or replace the text with
>something like "Listname list run by listname-ow...@example.com".

I'm a little confused by the OP. Is it:

1) A message to the posting address From: listname-ow...@example.com is not
being moderated? I would expect it to be since that address is not a member
of the list.

2) Emailing To: listname-ow...@example.com directly which would end up
spamming the list owners?

MM3 doesn't currently moderate messages sent to the list owners, but it could.
Messages to -owners flow through a different, shorter chain of rules and
pipeline, but I've always thought that that would be configurable.

-Barry

Re: [Mailman-Developers] Mailing lists exploited
On 05/12/2017 05:13 AM, Jonathan Knight wrote:
>
> Maybe listing administrator email addresses needs to be a thing of the
> past.

It's not done in Mailman 3.

For mailman 2.1, the administrator email addresses are a mailto: link
that goes to the LISTNAME-owner address, but the email addresses are
exposed and only mildly obfuscated ('@' -> ' at ').

I would consider adding a configuration option to either obfuscate the
addresses further (e.g. drop the domain entirely) or replace the text
with something like "Listname list run by listname-ow...@example.com".

WDOT?

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
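
The two options proposed in the message above, compared with the current ' at ' rendering, as an added example that is not part of the original post and is not Mailman code. The mode names, function names and sample addresses are assumptions made up for this sketch; it reports which real owner addresses a reader can rebuild from the rendered line.

```python
import re

# Hypothetical mode names for the proposed option (not Mailman settings).
MODES = ("at", "nodomain", "owner-alias")
# Constructed sample data.
SAMPLE_OWNERS = ["joe@example.com", "ann.lee@lists.example.org"]

# Matches "local at host.tld", the form the ' at ' rendering produces.
ADDR_AT = re.compile(r"([\w.+-]+) at ([\w-]+(?:\.[\w-]+)+)")


def render_owner_line(listname, host, owners, mode):
    """Return the 'LISTNAME list run by ...' text for one mode."""
    if mode == "at":             # Mailman 2.1 behaviour described above
        shown = [o.replace("@", " at ") for o in owners]
    elif mode == "nodomain":     # "drop the domain entirely"
        shown = [o.split("@", 1)[0] for o in owners]
    elif mode == "owner-alias":  # show only the LISTNAME-owner address
        shown = [f"{listname.lower()}-owner at {host}"]
    else:
        raise ValueError(f"unknown mode: {mode}")
    return f"{listname} list run by {', '.join(shown)}"


def recoverable_addresses(line):
    """Addresses that can be rebuilt from the line by undoing ' at '."""
    return {f"{local}@{dom}".lower() for local, dom in ADDR_AT.findall(line)}


def exposed_owners(listname, host, owners, mode):
    """Real owner addresses that the rendered line still gives away."""
    line = render_owner_line(listname, host, owners, mode)
    return sorted(recoverable_addresses(line) & {o.lower() for o in owners})


if __name__ == "__main__":
    for mode in MODES:
        line = render_owner_line("Test", "example.com", SAMPLE_OWNERS, mode)
        leaked = exposed_owners("Test", "example.com", SAMPLE_OWNERS, mode)
        print(f"{mode:12} {line!r} exposes {leaked}")
```

In the owner-alias mode the alias itself is still readable, but it is not a list member's address, so a post claiming it as sender falls under the non-member handling Barry describes.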