Re: [Mailman-Developers] Mailing lists exploited

2017-05-16 Thread Mark Sapiro
On 05/16/2017 08:17 PM, Daniel Kahn Gillmor wrote:
> 
> surely it's easy for an attacker to guess moderation-free sender
> addresses by a quick scan of the list archives as well.


Only if there are public archives.

I realized I am more or less immune from this attack for my several
production lists. The lists are all @example.org (obviously not the real
domain) and the list owner is listmana...@example.org which is a
forwarder to the real list admins and is not a member or authorized
poster of any of the lists.

It was set up this way because we have a number of such forwarders for
various functions and having a generic address for a function is a
convenience that avoids people mailing the wrong people when
responsibilities change, but a side benefit is the address exposed on
web pages can't post without moderation, plus one could add it to
discard_these_nonmembers and never see posts From: that address.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


Re: [Mailman-Developers] Mailing lists exploited

2017-05-16 Thread Daniel Kahn Gillmor
On Tue 2017-05-16 13:29:21 +0100, Jonathan Knight wrote:

> I think the real name if it's available and the list owner address if not.
> Using the local part (e.g. j.knight) would still make it possible to
> guess the @keele.ac.uk if the mailing lists are all hosted on
> maillists.keele.ac.uk.

surely it's easy for an attacker to guess moderation-free sender
addresses by a quick scan of the list archives as well.  what attackers
are we really trying to defend against here?

--dkg


Re: [Mailman-Developers] [GSoC] Encrypted mailing lists

2017-05-16 Thread Jan Jancar
Hey Abhilash!

On 05/14/2017 08:18 AM, Abhilash Raj wrote:
>>  - As it was proposed on this list a plugin-like implementation of
>> encrypted mailing lists is really the only way to go forward here,
>> as just pushing in what might end up being a rather niche feature
>> into Mailman Core is not maintainable / wanted.
> 
> I feel like core already has the architecture (interfaces everywhere! :) that
> will make it pretty easy to write plugins. If you feel you need some changes in
> core to support your plugin better or plugins in general, I should be able to
> help you with that part.

Yes, so far it has everything necessary. Some things I noted:

 - A plugin cannot create a Pipeline the same way it creates Handlers or Rules;
   it can only do so in a post_hook, since the Pipeline classes are enumerated
   when initializing them:
   https://gitlab.com/mailman/mailman/blob/master/src/mailman/core/pipelines.py#L150
 - And then the issues I outlined in my previous email, which mainly stem from
   the encrypted lists plugin having some pretty strong requirements on current
   Mailman features.


>> + Some questions that I had in my original proposal:
>> + Is exposing key management through the REST api and Postorius a good 
>> idea at all? Those have very different level of access control,
>> changing a key on a list requires a signed request + signed confirmation
>> token whereas doing it in Postorius might only require a password.
> 
> True, but there is a lot of trust already there on the password for
> postorius. What if someone un-subscribes from the Postorius and then
> re-subscribes sending along a key not owned by the user?
> 
> I don't know if that did make any sense, because as I understand the
> subscription would be moderated and it would be up to List Admin to not allow
> keys he doesn't recognize to be subscribed? Is there anything else except the
> admin stopping some attacker from doing that?

Sure, subscription will be moderated and the List Admin will have to trust both
the address he is accepting and the key provided. However, this is something
we would like to stop: someone unsubscribing a user from an encrypted mailing
list with just a password and no access to his private key.

This is something that definitely needs comments. What actions should a
subscriber / unsubscribed user be able to do on an encrypted mailing list
with:
 - just a password
 - his private key
and what parts of this should be configurable and in what way / granularity?

I propose the following:
 - all email commands should require a signed confirmation (the same workflow as
   subscribe / unsubscribe), to stop replay of commands.
 - posts should require being encrypted and signed, and this should be
   configurable per list. [require/allow encrypted, require/allow signed]
 - Postorius user operations should also somehow require signed confirmation.


> 
>> + A way of sharing the lists public key that makes the user trust it
>> the most.
> 
> I feel the key signed by the List Owner would be the best way to identify the
> lists public key. Maybe mandate signing by the Site Owner and List Owner/List
> Owners?

Right, I also think that utilizing the PGP web-of-trust the most is the best
we can do here. Also I just recently found out that schleuder (an encrypted
mailing list server) supports uploading signed list keys to it and will serve
them with the signatures from then on.


>> # What I would like to definitely finish in the Community bonding period:
>>
>>  - Finish SMTPS/STARTTLS support for Mailman Core (really only needs tests 
>> now): https://gitlab.com/J08nY/mailman/tree/mta-smtps-starttls
>>  - Establish real-time communication channels with mentors (text/voice?)
>> and have a meeting to discuss the proposal.
> 
> I am available as maxking on IRC(#mailman). I am a little busy for next week and
> then we have Pycon, but I should be able to meet you anytime after Friday
> 26th. I am not very sure, but I will have some time on 17th too, I will let you
> know?

Sure, I'm in #mailman and I have some questions better suited for irc, so you'll
definitely hear me there.

> 
>>  - Add proper objective milestones to the proposal.
>>  - Change the proposal to reflect movement towards a more plugin-like
>> implementation.
>>
>>
> 
> I hope this summer is fun for you!

I think it will!


Cheers,
-- 
Jan
__
   /\  # PGP: 362056ADA8F2F4E421565EF87F4A448FE68F329D
  /__\  # https://neuromancer.sk
 /\  /\  # Eastern Seaboard Phishing Authority
/__\/__\  # 




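Jan's proposal above (per-list require/allow settings for encrypted and signed posts, and signed confirmations so email commands cannot be replayed) in code, as an added example that is not part of the thread, of Mailman, or of the GSoC plugin. It assumes a separate PGP layer has already decrypted the message and verified any signature, and hands over only the results (whether the post was encrypted, and the fingerprint of the verified signing key). The names PostPolicy, IncomingPost and CommandGate, the hashed single-use token scheme, and the subscriber-to-key binding table are illustrative assumptions; all addresses and fingerprints are constructed sample values.

```python
"""Per-list encrypted/signed posting policy and replay-resistant email
command confirmations for an encrypted mailing list.

Added example, not Mailman's or the GSoC plugin's code.  PGP verification
and decryption are assumed to happen in a separate layer; this module only
consumes their results.  Class and function names are illustrative.
"""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from enum import Enum


class Req(Enum):
    """Per-list setting: ALLOW accepts posts either way, REQUIRE rejects
    posts that lack the property."""
    ALLOW = "allow"
    REQUIRE = "require"


@dataclass
class PostPolicy:
    encrypted: Req = Req.REQUIRE
    signed: Req = Req.REQUIRE


@dataclass
class IncomingPost:
    sender: str          # From: address of the poster
    encrypted: bool      # body was encrypted to the list key (per the PGP layer)
    signer: str | None   # fingerprint of the *verified* signing key, or None


def check_post(policy: PostPolicy, post: IncomingPost,
               subscriber_keys: dict[str, str]) -> tuple[bool, str]:
    """Decide whether a post satisfies the list's encrypt/sign policy.

    subscriber_keys maps subscriber address -> key fingerprint the list
    admin accepted at subscription time (constructed sample binding).
    """
    if policy.encrypted is Req.REQUIRE and not post.encrypted:
        return False, "list requires encrypted posts"
    if policy.signed is Req.REQUIRE and post.signer is None:
        return False, "list requires signed posts"
    if post.signer is not None and subscriber_keys.get(post.sender) != post.signer:
        # A valid signature alone is not enough: the key must be the one
        # bound to the sending address, or any key holder could impersonate.
        return False, "signature key is not the one bound to the sender"
    return True, "accepted"


class CommandGate:
    """Single-use, expiring confirmation tokens for email commands.

    The list mails the token to the subscriber, who returns it in a reply
    signed with their bound key.  The token is removed on first use, so a
    captured confirmation cannot be replayed.
    """

    def __init__(self, ttl_seconds: int = 3600, now=time.time) -> None:
        self._pending: dict[str, tuple[str, str, float]] = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked pending table is not directly usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, address: str, command: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (address, command, self._now() + self._ttl)
        return token

    def confirm(self, token: str, signer: str | None,
                subscriber_keys: dict[str, str]) -> tuple[bool, str]:
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return False, "unknown or already-used token"
        address, command, expires = entry
        if self._now() > expires:
            return False, "token expired"
        if signer is None or subscriber_keys.get(address) != signer:
            return False, "confirmation not signed by the key bound to the address"
        return True, f"{command} confirmed for {address}"


# Constructed sample data: one subscriber whose key the admin accepted.
SUBSCRIBER_KEYS = {"alice@example.org": "FPR-ALICE-CONSTRUCTED"}


def demo() -> list[str]:
    """Run the policy and the replay check over constructed messages."""
    out = []
    policy = PostPolicy()
    for post in (
        IncomingPost("alice@example.org", True, "FPR-ALICE-CONSTRUCTED"),
        IncomingPost("alice@example.org", False, "FPR-ALICE-CONSTRUCTED"),
        IncomingPost("alice@example.org", True, "FPR-SOMEONE-ELSE"),
    ):
        out.append(check_post(policy, post, SUBSCRIBER_KEYS)[1])
    gate = CommandGate(ttl_seconds=60)
    token = gate.issue("alice@example.org", "unsubscribe")
    out.append(gate.confirm(token, "FPR-ALICE-CONSTRUCTED", SUBSCRIBER_KEYS)[1])
    out.append(gate.confirm(token, "FPR-ALICE-CONSTRUCTED", SUBSCRIBER_KEYS)[1])  # replay
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point is that the password-only path Jan worries about never reaches `confirm()`: a command is only executed once a token tied to the subscriber's address comes back under the key bound to that address, and the token is consumed on first use, so a confirmation captured from the wire is useless afterwards.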

[Mailman-Developers] Add information on first line of email

2017-05-16 Thread David Terni
Hi,
I need to use the text of the "description or information field" used to
describe the mailing list and put this information in the first lines of the
e-mail. Like the credits but at the head of the email.

How can I do it?

Thanks a lot


Re: [Mailman-Developers] Mailing lists exploited

2017-05-16 Thread Jonathan Knight
Hi Barry

I think the real name if it's available and the list owner address if not.
Using the local part (e.g. j.knight) would still make it possible to
guess the @keele.ac.uk if the mailing lists are all hosted on
maillists.keele.ac.uk.

I can't think of a better solution.

Jon.


On 16 May 2017 at 12:58, Barry Warsaw  wrote:

> On May 16, 2017, at 09:29 AM, Jonathan Knight wrote:
>
> >There's not a lot that can be done to protect against that other than
> >changing the "list is run by" so that the administrator's real email address
> >isn't obvious.
>
> I suppose we should either use the moderator's real name, or just the local
> part of their address.
>
> -Barry
>


-- 
Jonathan Knight
IT Services
Keele University


Re: [Mailman-Developers] Mailing lists exploited

2017-05-16 Thread Barry Warsaw
On May 16, 2017, at 09:29 AM, Jonathan Knight wrote:

>There's not a lot that can be done to protect against that other than
>changing the "list is run by" so that the administrator's real email address
>isn't obvious.

I suppose we should either use the moderator's real name, or just the local
part of their address.

-Barry




Re: [Mailman-Developers] Mailing lists exploited

2017-05-16 Thread Jonathan Knight
Mark is right.

The spamming process was to scrape the listinfo page and locate the "list
is run by" line and then de-obfuscate the "j.knight at keele.ac.uk" into
"j.kni...@keele.ac.uk".  Then an email was faked using j.kni...@keele.ac.uk
as the sender to see if the list is either unmoderated or whether the
administrator had set their own email address as unmoderated on a moderated
list.

There's not a lot that can be done to protect against that other than
changing the "list is run by" so that the administrator's real email address
isn't obvious.

Jon.


On 15 May 2017 at 23:19, Barry Warsaw  wrote:

> On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:
>
> >It's not done in Mailman 3.
> >
> >For mailman 2.1, the administrator email addresses are a mailto: link that
> >goes to the LISTNAME-owner address, but the email addresses are exposed and
> >only mildly obfuscated ('@' -> ' at ').
> >
> >I would consider adding a configuration option to either obfuscate the
> >addresses further (e.g. drop the domain entirely) or replace the text with
> >something like "Listname list run by listname-ow...@example.com".
>
> I'm a little confused by the OP.  Is it:
>
> 1) A message to the posting address From: listname-ow...@example.com is not
> being moderated?  I would expect it to be since that address is not a member
> of the list.
>
> 2) Emailing To: listname-ow...@example.com directly which would end up
> spamming the list owners?
>
> MM3 doesn't currently moderate messages sent to the list owners, but it
> could.  Messages to -owners flow through a different, shorter chain of rules
> and pipeline, but I've always thought that that would be configurable.
>
> -Barry



-- 
Jonathan Knight
IT Services
Keele University
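The weakness Jon describes (an address scraped off the public listinfo page that happens to post without moderation) and Mark's setup earlier in the thread (a forwarder as list owner that is neither a member nor an accepted nonmember, and is put in discard_these_nonmembers) turned into a configuration audit a list admin can run against their own settings. This is an added example, not Mailman's code: disposition() is a simplified model of how Mailman 2.1 treats a sender (per-member moderation flag, then the accept/hold/reject/discard_these_nonmembers lists, then generic_nonmember_action); ListConfig, exposed_addresses and audit are assumed names, and every address below is a constructed sample.

```python
"""Audit whether addresses shown on a Mailman 2.1 listinfo page can post
without moderation.

Added example, not Mailman's code.  disposition() is a simplified model of
Mailman 2.1's sender handling (member moderation flag, then the
*_these_nonmembers lists, then generic_nonmember_action).  Real lists
should be checked against Mailman's own configuration, not this model.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ACCEPT = "accept"
    HOLD = "hold"
    REJECT = "reject"
    DISCARD = "discard"


@dataclass
class ListConfig:
    name: str
    owners: list[str]                    # rendered on listinfo as "list run by"
    moderators: list[str] = field(default_factory=list)
    members: dict[str, bool] = field(default_factory=dict)  # address -> moderated?
    accept_these_nonmembers: set[str] = field(default_factory=set)
    hold_these_nonmembers: set[str] = field(default_factory=set)
    reject_these_nonmembers: set[str] = field(default_factory=set)
    discard_these_nonmembers: set[str] = field(default_factory=set)
    generic_nonmember_action: Action = Action.HOLD
    member_moderation_action: Action = Action.HOLD

    def __post_init__(self) -> None:
        # Addresses are compared case-insensitively; normalise once here.
        self.owners = [a.lower() for a in self.owners]
        self.moderators = [a.lower() for a in self.moderators]
        self.members = {a.lower(): m for a, m in self.members.items()}
        for attr in ("accept_these_nonmembers", "hold_these_nonmembers",
                     "reject_these_nonmembers", "discard_these_nonmembers"):
            setattr(self, attr, {a.lower() for a in getattr(self, attr)})


def disposition(cfg: ListConfig, sender: str) -> Action:
    """What happens to a post whose From: is `sender`.  The header is
    unauthenticated, so this is also what happens to a forged From:."""
    sender = sender.lower()
    if sender in cfg.members:
        return cfg.member_moderation_action if cfg.members[sender] else Action.ACCEPT
    for bucket, action in (
        (cfg.accept_these_nonmembers, Action.ACCEPT),
        (cfg.hold_these_nonmembers, Action.HOLD),
        (cfg.reject_these_nonmembers, Action.REJECT),
        (cfg.discard_these_nonmembers, Action.DISCARD),
    ):
        if sender in bucket:
            return action
    return cfg.generic_nonmember_action


def exposed_addresses(cfg: ListConfig) -> list[str]:
    """Addresses a scraper can read off the public listinfo page."""
    return sorted(set(cfg.owners) | set(cfg.moderators))


def audit(cfg: ListConfig) -> list[str]:
    """One finding per exposed address that would post unmoderated, plus a
    finding if the list accepts arbitrary nonmembers outright."""
    findings = []
    if cfg.generic_nonmember_action is Action.ACCEPT:
        findings.append(f"{cfg.name}: any nonmember sender is accepted")
    for addr in exposed_addresses(cfg):
        if disposition(cfg, addr) is Action.ACCEPT:
            findings.append(f"{cfg.name}: exposed address {addr} posts unmoderated")
    return findings


# Constructed sample.  RISKY mirrors the case in the thread: the admin is a
# member who cleared their own moderation flag on an otherwise moderated list.
RISKY = ListConfig(
    name="staff",
    owners=["admin@example.org"],
    members={"admin@example.org": False, "alice@example.org": True},
)

# SAFER mirrors Mark's setup: the owner address is a forwarder that is not a
# member, is in no accept list, and is explicitly discarded as a nonmember.
SAFER = ListConfig(
    name="staff",
    owners=["listmanager@example.org"],
    members={"admin@example.org": True, "alice@example.org": True},
    discard_these_nonmembers={"listmanager@example.org"},
)

if __name__ == "__main__":
    for cfg in (RISKY, SAFER):
        print(audit(cfg) or f"{cfg.name}: no exposed address can post unmoderated")
```

The audit deliberately keys on sender address alone, because that is all the moderation decision in this model sees; the listinfo obfuscation options discussed in the thread reduce how easily the address is found, while Mark's forwarder arrangement removes the payoff even when it is found.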