Re: [Mailman-Developers] Mailing lists exploited
On 05/16/2017 08:17 PM, Daniel Kahn Gillmor wrote:

> surely it's easy for an attacker to guess moderation-free sender
> addresses by a quick scan of the list archives as well.

Only if there are public archives.

I realized I am more or less immune from this attack for my several production lists. The lists are all @example.org (obviously not the real domain) and the list owner is listmana...@example.org, which is a forwarder to the real list admins and is not a member or authorized poster of any of the lists.

It was set up this way because we have a number of such forwarders for various functions, and having a generic address for a function is a convenience that avoids people mailing the wrong people when responsibilities change, but a side benefit is that the address exposed on web pages can't post without moderation, plus one could add it to discard_these_nonmembers and never see posts From: that address.

-- 
Mark Sapiro
The highway is for gamblers, better use your sense - B. Dylan
San Francisco Bay Area, California

___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Mailing lists exploited
On Tue 2017-05-16 13:29:21 +0100, Jonathan Knight wrote:

> I think the real name if its available and the list owner address if not.
> If you use the local part (e.g. j.knight) would still make it possible to
> guess the @keele.ac.uk if the mailing lists are all hosted on
> maillists.keele.ac.uk.

surely it's easy for an attacker to guess moderation-free sender addresses by a quick scan of the list archives as well.

what attackers are we really trying to defend against here?

--dkg
Re: [Mailman-Developers] [GSoC] Encrypted mailing lists
Hey Abhilash!

On 05/14/2017 08:18 AM, Abhilash Raj wrote:

>> - As it was proposed on this list a plugin-like implementation of
>> encrypted mailing lists is really the only way to go forward here,
>> as just pushing in what might end up being a rather niche feature
>> into Mailman Core is not maintainable / wanted.
>
> I feel like core already has the architecture (interfaces everywhere! :) that
> will make it pretty easy to write plugins. If you feel you need some changes in
> core to support your plugin better or plugins in general, I should be able to
> help you with that part.

Yes, so far it has everything necessary. Some things I noted:

- A plugin cannot create a Pipeline the same way it creates Handlers or Rules; it can only do so in a post_hook, since the Pipeline classes are enumerated when initializing them.
  https://gitlab.com/mailman/mailman/blob/master/src/mailman/core/pipelines.py#L150
- And then the issues I outlined in my previous email, which mainly stem from the encrypted lists plugin having some pretty strong requirements on current Mailman features.

>> + Some questions that I had in my original proposal:
>> + Is exposing key management through the REST api and Postorius a good
>> idea at all? Those have very different level of access control,
>> changing a key on a list requires a signed request + signed confirmation
>> token whereas doing it in Postorius might only require a password.
>
> True, but there is a lot of trust already there on the password for
> postorius. What if someone un-subscribes from the Postorius and then
> re-subscribes sending along a key not owned by the user?
>
> I don't know if that did make any sense, because as I understand the
> subscription would be moderated and it would be up to List Admin to not allow
> keys he doesn't recognize to be subscribed? Is there anything else except the
> admin stopping some attacker from doing that?

Sure, subscription will be moderated and the List Admin will have to trust both the address he is accepting and the key provided. However, this is something we would like to stop: someone unsubscribing a user from an encrypted mailing list with just a password and no access to his private key.

This is something that definitely needs comments. What actions should a subscriber / unsubscribed user be able to do on an encrypted mailing list with:

- just a password
- his private key

and what parts of this should be configurable, and in what way / granularity?

I propose the following:

- all email commands should require a signed confirmation (the same workflow as subscribe / unsubscribe), to stop replay of commands.
- posts should require being encrypted and signed, and this should be configurable per list. [require/allow encrypted, require/allow signed]
- Postorius user operations should also somehow require signed confirmation.

>> + A way of sharing the lists public key that makes the user trust it
>> the most.
>
> I feel the key signed by the List Owner would be the best way to identify the
> lists public key. Maybe mandate signing by the Site Owner and List Owner/List
> Owners?

Right, I also think that utilizing the PGP web-of-trust the most is the best we can do here. Also, I just recently found out that schleuder (an encrypted mailing list server) supports uploading signed list keys to it and will serve them with the signatures from then on.

>> # What I would like to definitely finish in the Community bonding period:
>>
>> - Finish SMTPS/STARTTLS support for Mailman Core (really only needs tests
>> now): https://gitlab.com/J08nY/mailman/tree/mta-smtps-starttls
>> - Establish real-time communication channels with mentors (text/voice?)
>> and have a meeting to discuss the proposal.
>
> I am available as maxking on IRC (#mailman). I am a little busy for next week and
> then we have Pycon, but I should be able to meet you anytime after Friday
> 26th. I am not very sure, but I will have some time on 17th too, I will let you
> know?

Sure, I'm in #mailman and I have some questions better suited for IRC, so you'll definitely hear me there.

>> - Add proper objective milestones to the proposal.
>> - Change the proposal to reflect movement towards a more plugin-like
>> implementation.
>
> I hope this summer is fun for you!

I think it will!

Cheers,

-- 
Jan
PGP: 362056ADA8F2F4E421565EF87F4A448FE68F329D
https://neuromancer.sk
Eastern Seaboard Phishing Authority
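The proposal above, that every email command needs a signed confirmation so that a captured command cannot be replayed and a password alone cannot unsubscribe someone, is the kind of thing that is easy to get subtly wrong (tokens reusable, tokens not bound to the command they confirm, no expiry). The following is an added example of such a token lifecycle; it is not code from Mailman or from the GSoC plugin, and the class and function names, the three-day TTL and the result strings are all assumptions made for the example. The subscriber's OpenPGP signature is replaced by an HMAC over the confirmation with a per-subscriber key kept on file, purely so the example runs on the standard library; in the real plugin that check would be an OpenPGP signature verification against the subscriber's public key.

```python
"""Signed, one-shot, command-bound confirmation tokens for email commands.

Added example (not Mailman or plugin code). The HMAC 'signature' stands in
for an OpenPGP signature so the example runs with the standard library only.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from typing import Callable

CONFIRM_TTL = 3 * 24 * 3600   # assumed: a confirmation is valid for three days


def sign(key: bytes, address: str, command: str, token: str) -> str:
    """Subscriber side: sign the confirmation with the key for this address.

    Stand-in for 'gpg --clearsign' over the confirmation mail; the signed
    text covers the command and the address, not just the token, so a
    signed 'subscribe' confirmation cannot be repurposed as 'unsubscribe'.
    """
    msg = f"{command}\n{address}\n{token}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SignedConfirmations:
    """Server side: issue a fresh token per command, accept it exactly once."""

    def __init__(self, keys: dict[str, bytes], now: Callable[[], float] = time.time):
        self._keys = keys     # address -> verification key on file (stand-in for the subscriber's public key)
        self._now = now       # injectable clock so expiry is testable
        self._pending: dict[str, tuple[str, str, float]] = {}   # token -> (address, command, issued_at)
        self._used: set[str] = set()                             # tokens already consumed

    def issue(self, address: str, command: str) -> str:
        """A command mail arrived (e.g. 'unsubscribe'); mail back a token to sign."""
        token = secrets.token_hex(16)
        self._pending[token] = (address, command, self._now())
        return token

    def confirm(self, address: str, command: str, token: str, signature: str) -> str:
        """Process the signed confirmation. Returns 'ok' or the reason for rejection."""
        if token in self._used:
            return "replayed"                   # resending a captured confirmation does nothing
        entry = self._pending.get(token)
        if entry is None:
            return "unknown-token"
        issued_for, issued_cmd, issued_at = entry
        if self._now() - issued_at > CONFIRM_TTL:
            del self._pending[token]
            return "expired"
        if (issued_for, issued_cmd) != (address, command):
            return "mismatch"                   # token was issued for a different command/address
        key = self._keys.get(address)
        expected = sign(key, address, command, token) if key is not None else None
        if expected is None or not hmac.compare_digest(expected, signature):
            return "bad-signature"              # a password alone never gets here
        del self._pending[token]
        self._used.add(token)                   # burn the token: second use is a replay
        return "ok"


if __name__ == "__main__":
    svc = SignedConfirmations({"alice@example.org": b"alice-key"})
    tok = svc.issue("alice@example.org", "unsubscribe")
    sig = sign(b"alice-key", "alice@example.org", "unsubscribe", tok)
    print(svc.confirm("alice@example.org", "unsubscribe", tok, "00" * 32))  # bad-signature
    print(svc.confirm("alice@example.org", "unsubscribe", tok, sig))        # ok
    print(svc.confirm("alice@example.org", "unsubscribe", tok, sig))        # replayed
```

The design choice worth noting is that the signed text binds the command and the address, not only the random token: otherwise an attacker who can trigger a harmless signed confirmation (say, a digest-mode change) could present it as confirmation of an unsubscribe. Expiry limits how long a captured-but-unused confirmation stays valuable.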
[Mailman-Developers] Add information on first line of email
Hi,

I need to use the text of the "description" or "information" field used to describe the mailing list and put this information in the first lines of the e-mail, like the credits but at the head of the email. How can I do it?

Thanks a lot
Re: [Mailman-Developers] Mailing lists exploited
Hi Barry

I think the real name if it's available and the list owner address if not. If you use the local part (e.g. j.knight) it would still make it possible to guess the @keele.ac.uk if the mailing lists are all hosted on maillists.keele.ac.uk.

I can't think of a better solution.

Jon.

On 16 May 2017 at 12:58, Barry Warsaw wrote:

> On May 16, 2017, at 09:29 AM, Jonathan Knight wrote:
>
> >There's not a lot that can be done to protect against that other than
> >changing the "list is run by" so that the administrators real email address
> >isn't obvious.
>
> I suppose we should either use the moderator's real name, or just the local
> part of their address.
>
> -Barry

-- 
Jonathan Knight
IT Services
Keele University
Re: [Mailman-Developers] Mailing lists exploited
On May 16, 2017, at 09:29 AM, Jonathan Knight wrote:

>There's not a lot that can be done to protect against that other than
>changing the "list is run by" so that the administrators real email address
>isn't obvious.

I suppose we should either use the moderator's real name, or just the local part of their address.

-Barry
Re: [Mailman-Developers] Mailing lists exploited
Mark is right.

The spamming process was to scrape the listinfo page and locate the "list is run by" line and then de-obfuscate the "j.knight at keele.ac.uk" into "j.kni...@keele.ac.uk". Then an email was faked using j.kni...@keele.ac.uk as the sender to see if the list is either unmoderated or whether the administrator had set their own email address as unmoderated on a moderated list.

There's not a lot that can be done to protect against that other than changing the "list is run by" so that the administrator's real email address isn't obvious.

Jon.

On 15 May 2017 at 23:19, Barry Warsaw wrote:

> On May 15, 2017, at 11:03 AM, Mark Sapiro wrote:
>
> >It's not done in Mailman 3.
> >
> >For mailman 2.1, the administrator email addresses are a mailto: link that
> >goes to the LISTNAME-owner address, but the email addresses are exposed and
> >only mildly obfuscated ('@' -> ' at ').
> >
> >I would consider adding a configuration option to either obfuscate the
> >addresses further (e.g. drop the domain entirely) or replace the text with
> >something like "Listname list run by listname-ow...@example.com".
>
> I'm a little confused by the OP. Is it:
>
> 1) A message to the posting address From: listname-ow...@example.com is not
> being moderated? I would expect it to be since that address is not a member
> of the list.
>
> 2) Emailing To: listname-ow...@example.com directly which would end up
> spamming the list owners?
>
> MM3 doesn't currently moderate messages sent to the list owners, but it
> could. Messages to -owners flows through a different, shorter chain of rules
> and pipeline, but I've always thought that that would be configurable.
>
> -Barry

-- 
Jonathan Knight
IT Services
Keele University
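The probe Jon describes here (scrape the "list run by" line, undo the ' at ' obfuscation, spoof From: and see whether the post is held) and the configuration Mark describes earlier in the thread (the exposed owner address is a forwarder that is not a list member, optionally listed in discard_these_nonmembers) fit in one small model. What follows is an added example, not Mailman's own code: the listinfo snippet is constructed, the list name and addresses are made up, and the decision function is a simplified rendering of Mailman 2.1's member/nonmember sender handling written for this example. The option names accept_these_nonmembers, hold_these_nonmembers, reject_these_nonmembers, discard_these_nonmembers and generic_nonmember_action are real Mailman 2.1 settings; the per-member moderation bit models the "mod" flag on the membership page.

```python
"""Model of the listinfo-scraping probe and of the settings that decide what a
spoofed From: gets. Added example; not Mailman code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed stand-ins for the "list run by" line of a Mailman 2.1 listinfo
# page, which shows owner addresses with '@' replaced by ' at '.
WEAK_LISTINFO = (
    '<p><i>announce</i> list run by '
    '<a href="mailto:announce-owner@example.org">alice at example.org</a></p>'
)
HARDENED_LISTINFO = (
    '<p><i>announce</i> list run by '
    '<a href="mailto:announce-owner@example.org">listmanager at example.org</a></p>'
)

_OBFUSCATED = re.compile(r"([\w.+-]+) at ((?:[\w-]+\.)+[A-Za-z]{2,})")


def scrape_owner_addresses(listinfo_html: str) -> list[str]:
    """Undo the ' at ' obfuscation: the step the spammer automated."""
    found: list[str] = []
    for local, domain in _OBFUSCATED.findall(listinfo_html):
        addr = f"{local}@{domain}".lower()
        if addr not in found:
            found.append(addr)
    return found


@dataclass
class ListConfig:
    """The 2.1 settings that matter once a sender address is spoofed.

    members maps address -> per-member moderation bit. The decision order in
    disposition() is a simplification written for this example.
    """
    members: dict[str, bool]
    accept_these_nonmembers: set[str] = field(default_factory=set)
    hold_these_nonmembers: set[str] = field(default_factory=set)
    reject_these_nonmembers: set[str] = field(default_factory=set)
    discard_these_nonmembers: set[str] = field(default_factory=set)
    generic_nonmember_action: str = "hold"   # Mailman 2.1 default


def disposition(cfg: ListConfig, from_addr: str) -> str:
    """What a post whose From: is from_addr gets; nothing about the sender is verified."""
    sender = from_addr.lower()
    if sender in cfg.members:
        return "hold" if cfg.members[sender] else "accept"
    if sender in cfg.accept_these_nonmembers:
        return "accept"
    if sender in cfg.hold_these_nonmembers:
        return "hold"
    if sender in cfg.reject_these_nonmembers:
        return "reject"
    if sender in cfg.discard_these_nonmembers:
        return "discard"
    return cfg.generic_nonmember_action


def probe(cfg: ListConfig, listinfo_html: str) -> dict[str, str]:
    """The attacker's experiment: spoof each scraped owner address and see what happens."""
    return {addr: disposition(cfg, addr) for addr in scrape_owner_addresses(listinfo_html)}


# Weak setup: the admin's real address is on the page and is an unmoderated member.
WEAK_LIST = ListConfig(members={"alice@example.org": False, "bob@example.org": True})

# Mark's setup: the exposed owner address is a forwarder that is not a member,
# and it is additionally listed in discard_these_nonmembers.
HARDENED_LIST = ListConfig(
    members={"alice@example.org": False, "bob@example.org": True},
    discard_these_nonmembers={"listmanager@example.org"},
)

if __name__ == "__main__":
    print(probe(WEAK_LIST, WEAK_LISTINFO))          # {'alice@example.org': 'accept'}
    print(probe(HARDENED_LIST, HARDENED_LISTINFO))  # {'listmanager@example.org': 'discard'}
```

The model also shows why dkg's point stands: the forwarder trick only removes the address that the web page hands to the attacker. Any unmoderated member whose address appears in a public archive is still an "accept" in disposition(), so the real defence for a list that must accept member posts without moderation is to keep such addresses out of public view, or to not rely on an unauthenticated From: at all.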