Re: [Mailman-Developers] UI for Mailman 3.0 update
CAPTCHA resists existing mechanistic software solving, yet can be solved with high probability by a human being. In response, a robust solving ecosystem has emerged, reselling both automated solving technology and real-time human labor to bypass these protections. Thus, CAPTCHAs can increasingly be understood and evaluated in purely economic terms; the market price of a solution vs the monetizable value of the asset being protected. We examine the market-side of this question in depth, analyzing the behavior and dynamics of CAPTCHA-solving service providers, their price performance, and the underlying labor markets driving this economy. So I'm going to disagree with your premise that CAPTCHAs are necessarily annoying to most people unless you give more than anecdotal evidence that that is the case, and I'm going to disagree that they are always or even usually useless for protecting parts of WUIs. (1) it should be configurable per list (and off by default); Agreed. (2) it should need to be enabled by the site admin (and off by default); Agreed, but only to the extent that having it available by default would add a dependency, which is too much of a burden on the MM team. The rationale for this is not just to make it harder to use the feature, but that the site admin is likely to be more expert in general to understand the limitations of the feature, and also some of the benefits and costs accrue to the site rather to the list community, so the site admin should have some input. Definitely agreed. (3) both configuration tools should have documentation indicating that captchas do not provide security; what they do is chase off the frivolous (both bona fide users and would-be abusers). This is a genuine benefit in several ways for many lists; it's just not real security because serious abusers will get through. Disagree. 
This is like saying that putting a $30 (USD) cable lock on my bike is not security because serious thieves could defeat it with a large pair of bolt cutters. Mind you, I use a ~$100 (USD) chain lock on my bikes, but that doesn't mean the $30 (USD) cable lock is useless, especially if the replacement cost of your bike is $150 (USD). You seem to think that only $100 (USD) chain locks are worth the effort, and that I'm insisting people use cheap locks. That is not the case. Furthermore, I think we may be in part talking past each other because you have seen lots and lots of poorly-done CAPTCHAs, and the entire concept has been spoiled for you by those bad implementations, and you picture us wanting one of those bad implementations on by default in mailman. That is not the case at all; it is also a straw man. CAPTCHA systems (and services such as reCAPTCHA) have improved a lot in the past three years, and nobody wants even the best of these to be used in a silly way within the default MM3 WUI. What I want is the ability to flip a switch and have CAPTCHAs available to me, and then have switches in one or more places (eg. moderator login, user signup) for those CAPTCHAs to be used every time or after the Nth attempt, for example. As I said before, there are several non-CAPTCHA approaches that I'd like to see used by default, too. For example, forcing signups to include a NONCE, rate limiting signups, etc. I don't want to get too hung up on CAPTCHAs in particular, but I also don't want us to completely reject them, since they are in fact useful and good if used properly. I'm very sorry you dislike them so much and have had bad experiences with them, but please let's have a more scientific discussion of the merits of CAPTCHAs. 
Cheers, -- Cristóbal Palmer ibiblio.org metalab.unc.edu ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Mailman 3.0 UI Test Server
On Tue, Jun 15, 2010 at 04:31:30PM +0100, Ian Eiloart wrote: The server's address is http://mailman.state-of-mind.de That's so much nicer than Mailman2! Agreed! An earlier reply containing an ascii mockup got rejected, so here is an image of what I was trying to convey: http://dl.dropbox.com/u/2226600/two-column-mm3-mockup.png Basically I want to make sure that the subscribe box always shows up above the fold on the listinfo page. I get a fair number of tickets because things are not above the fold. Please let me know what you think of this idea. Cheers, -- Cristóbal Palmer ibiblio.org metalab.unc.edu
Re: [Mailman-Developers] UI for Mailman 3.0 update
On Tue, Jun 15, 2010 at 10:44:03PM -0400, Barry Warsaw wrote: Given that all signups require an email validation step, and that we'll rate-limit that to prevent using signups as a spam vector, what additional protection does captcha provide? Are you saying that no scripts/bots can automatically sign up for mailman lists? I get plenty of signups like qneu45...@nanke62w.net that suggest otherwise. I should take the time to log those and send them to you, perhaps? After my masters paper... Most of these numbers are educated guess numbers; if you want real, validated numbers they'll have to wait, again, until I turn in my masters paper. With that... Let's say I have a large list that receives 16 signups a day, and of those two are actually humans and not scripts. The list owner, having had trouble with spammy signups in the past, has set the list to require moderator approval before users can post. What are the human costs? We'll say that the two human signups took 40s each (80s), and the moderator also took 40 seconds per signup (640s), for a total of 720s = 12 minutes. Now let's assume the reCAPTCHA adds 13s[0] to real human signups and cuts down spammy signups to 4 per day and re-run our math. The two people now spend 106s and the moderator spends 160s, or 4.43 minutes. Yes, we've shifted some costs to our subscribers, but they do that once, and the moderator gets back time daily. What's more, we've increased their burden by just over a quarter and almost divided the moderator's burden by three. And we haven't even mentioned the increased cost to the spammer, or (in the case of reCAPTCHA) the benefit to society of the CAPTCHA solving work. That's the real point of all this: drive up the cost to spammers as much as possible while imposing as little burden as is reasonable on list owners, moderators, subscribers, site admins, etc.
We can't exactly follow the metafilter model[0] here, and I think this is as good an idea as I have seen, but I'd love for others to propose something else that imposes less of a burden on subscribers and we know will drive up costs to spammers over a longer-term basis. Again, I don't even propose we turn this on by default. I would just like to see this as a documented, tested option that can be enabled by site admins and cleanly upgraded without extra work. Okay... now that I've put all this energy into this explanation, I'll admit: spam to list owners, especially of the Dear $LISTNAME owner, we at $SITENAME security need you to reset your password. Please find instructions in the attached .zip file... were a much bigger problem a couple of years ago (surprisingly even after implementing SA) until I decided to block .zip and several other mime types at the MTA level. So if y'all have no interest in doing any reCAPTCHA integration, I'll just spend that much more time making anti-spam tweaks at the MTA level, and I'll field one or two more I'm a moderator and I'm dealing with a lot of spam here tickets every now and then. That's another point, come to think of it: I've had plenty of time and experience running a couple of decently-sized mailman installs, but what about the many, many people who have less experience running mailman? The easier we make it for them to make it hard on spammers, the better. A final note: are there any published user studies on mailman? I see your ATEC '03 and LISA '98 presentations in the ACM portal, and I see http://www.gnu.org/software/mailman/otherstuff.html ... but nothing else turns up in google scholar. Please point me to other research on mailman and its user base if it exists. If it doesn't, maybe I need to make that happen Thanks so much for all the work all of you do. It really is a pleasure and a privilege to be involved. 
Cheers, -- Cristóbal Palmer ibiblio.org metalab.unc.edu
[0] http://www.sciencemag.org/cgi/content/full/321/5895/1465 reCAPTCHA: Human-Based Character Recognition via Web Security Measures. Originally published in Science Express on 14 August 2008 Science 12 September 2008: Vol. 321. no. 5895, pp. 1465 - 1468 DOI: 10.1126/science.1160379 Quoting: User testing on our site (http://captcha.net) showed that it took 13.51 s on average (SD = 6.37) for 1000 randomly chosen users to solve a seven-letter conventional CAPTCHA (25th percentile was 8.28 s, median was 12.62 s, and 75th percentile was 17.12 s), whereas it took 13.06 s on average (SD = 7.67) for a different set of 1000 randomly chosen users (also from http://captcha.net) to solve a reCAPTCHA (25th percentile was 5.79 s, median was 12.64 s, and 75th percentile was 18.91 s).
[1] Charge five US dollars (paypal) for an account.
Re: [Mailman-Developers] UI for Mailman 3.0 update
On Wed, Jun 16, 2010 at 01:03:20PM +0900, Stephen J. Turnbull wrote: The question is what are they protecting? My claim is that if you're protecting economic resources (bandwidth, accurate counts of real users) they may be more or less useful. If it's a security issue -- including ways of harvesting email addresses that involve subscribing -- though, you're busted. To my mind the main resources we're protecting are moderator time and site owner time, and we're admittedly cost shifting onto subscribers for lists where CAPTCHAs are enabled. Mailman should clearly not provide any CAPTCHA implementation itself, given your claims of rapid progress in the field. Not my claim. Others in the literature. I can do more digging if you don't believe me or don't have institutional access. Regardless, we're in agreement that it should not be the job of the MLM to provide the CAPTCHA. I'd just like a tested, approved way to plug in reCAPTCHA at the moment. I'll do it myself without any help from y'all (after my masters paper), but I think this would benefit the community. and that I'm insisting people use cheap locks. No, that's not my claim. My claim is that it is unethical to make weak locks available for free, without explaining to people their correct use. Ahhh. Very much agree. Also, sorry about your stolen bike. :( The first thing I want to see, then, is documentation that CAPTCHAs are more effective than other methods of confusing the dumb 'bots. http://www.sciencemag.org/cgi/content/full/321/5895/1465 Originally published in Science Express on 14 August 2008 Science 12 September 2008: Vol. 321. no. 5895, pp. 1465 - 1468 DOI: 10.1126/science.1160379 http://recaptcha.net/faq.html Good a place as any take it up with the authors. But think of it this way: if what mailman does is provide a plugin spot for something external to do CAPTCHA or CAPTCHA-like work, then some non-CAPTCHA method could be inserted that doesn't impose user load. 
For example, people could use a plugin that adds a junk form field that is hidden by CSS, or a simple 1 + 2 math problem, or any number of other things. The point is that we're doing the equivalent of adding braze-ons to the seat stays of a bicycle frame: whether the user adds a sturdy rack, a cheap one, or none at all is up to them. While I'm digging around and thinking of other anti-spam tools, maybe it's worth digging around in here for ideas, since this seems rather popular with WordPress: http://www.bad-behavior.ioerror.us/documentation/ Cheers, -- Cristóbal Palmer ibiblio.org metalab.unc.edu
Re: [Mailman-Developers] UI for Mailman 3.0 update
On Tue, Jun 08, 2010 at 10:12:18PM -0400, Rich Kulawiec wrote: could have MM3 ship with a CAPTCHA system and/or support for a class of CAPTCHA systems in the default web UI, that would be super. I'd like to re-emphasize the fact that what I would like is some sort of plugin support. Want this kind of CAPTCHA? Take these simple steps But, captchas? Pre-defeated. With all due respect to your experience, I don't think CAPTCHAs as a class have been defeated, in the sense that the goal is not to completely defeat all spam, but rather the goal is to mitigate at relatively low cost to ourselves and at high cost to the spammers, and from personal experience I can say that reCAPTCHA has served that purpose well when I have deployed it. If there's some other non-CAPTCHA approach (or set of approaches) that we could use to help reduce spammy signups, then I'm all for it. I guess my hope is that we'd have something in place that reduces the signups themselves rather than imposing work or workflow changes on moderators or list members after they've joined. If that's necessary, fine, but let's try things that happen at the signup step, too, yes? Even something as simple as requiring a hidden form field NONCE and conservative rate limits on public signups, neither of which require javascript or images Cheers, -- Cristóbal Palmer ibiblio.org metalab.unc.edu
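The signup-time measures named in the messages above (a hidden form field nonce, conservative rate limits, a junk field hidden by CSS) could be combined as in the Python sketch below. It is an added example, not code from Mailman or from these posts; the class name, field names and thresholds are assumptions.

```python
"""Added illustration (not Mailman code): bot friction for a public signup form
using a signed hidden nonce, a CSS-hidden honeypot field and a rate limit."""
import hashlib
import hmac
import html
import secrets
from collections import defaultdict, deque

NONCE_MIN_AGE = 3            # seconds; a form posted faster than this was not read
NONCE_MAX_AGE = 3600         # seconds; older forms must be reloaded
HONEYPOT_FIELD = "website"   # hypothetical field name; hidden from humans by CSS
RATE_LIMIT = 5               # attempts allowed per client address ...
RATE_WINDOW = 600            # ... within this many seconds


class SignupGuard:
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # site secret; persist in practice
        self.used = {}                  # nonce random part -> last second it is valid
        self.hits = defaultdict(deque)  # client address -> times of recent attempts

    def _mac(self, list_name, ts, rnd):
        # Binding the list name stops a nonce for one list being spent on another.
        msg = "\n".join((list_name, ts, rnd)).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_nonce(self, list_name, now):
        ts, rnd = str(int(now)), secrets.token_hex(8)
        return ":".join((ts, rnd, self._mac(list_name, ts, rnd)))

    def form_fields(self, list_name, now):
        """HTML for the two extra inputs; needs neither JavaScript nor images."""
        nonce = html.escape(self.issue_nonce(list_name, now), quote=True)
        return (f'<input type="hidden" name="nonce" value="{nonce}">\n'
                f'<input type="text" name="{HONEYPOT_FIELD}" value="" '
                'style="display:none" tabindex="-1" autocomplete="off">')

    def check(self, list_name, client, form, now):
        """Return (accepted, reason) for one submitted signup form."""
        # 1. Sliding-window rate limit per client address.
        window = self.hits[client]
        while window and window[0] <= now - RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return False, "rate-limited"
        window.append(now)  # failed checks below still use up the client's budget

        # 2. Honeypot: a human never sees this field, so any value means a script.
        if form.get(HONEYPOT_FIELD, ""):
            return False, "honeypot-filled"

        # 3. Nonce: must be ours, for this list, neither too new nor too old, unused.
        try:
            ts, rnd, mac = form.get("nonce", "").split(":")
            age = now - int(ts)
        except ValueError:
            return False, "nonce-malformed"
        expected = self._mac(list_name, ts, rnd)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "nonce-forged"
        if age < NONCE_MIN_AGE:
            return False, "nonce-too-fresh"
        if age > NONCE_MAX_AGE:
            return False, "nonce-expired"
        self.used = {r: t for r, t in self.used.items() if t >= now}
        if rnd in self.used:
            return False, "nonce-replayed"
        self.used[rnd] = int(ts) + NONCE_MAX_AGE
        return True, "ok"


def demo():
    """Run constructed submissions through the guard and return the reasons."""
    guard = SignupGuard()
    nonce = guard.issue_nonce("test-list", now=1000)
    human = {"email": "user@example.org", "nonce": nonce, HONEYPOT_FIELD: ""}
    bot = {"email": "bot@example.net", "nonce": "", HONEYPOT_FIELD: "http://example.net"}
    return [
        guard.check("test-list", "192.0.2.10", human, now=1020)[1],
        guard.check("test-list", "192.0.2.10", human, now=1021)[1],  # same form again
        guard.check("test-list", "192.0.2.20", bot, now=1020)[1],
    ]


if __name__ == "__main__":
    print(demo())
```

None of these checks stops a determined abuser; like the cable lock in the thread, they raise the cost of scripted signups without adding work for subscribers.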
Re: [Mailman-Developers] UI for Mailman 3.0 update
On Fri, Jun 04, 2010 at 09:58:12AM -0700, Mark Sapiro wrote: As Barry suggests, setting moderation of new members as the default can also thwart the subscribing spammers. The ability to use reCAPTCHA or other CAPTCHA systems as part of the web signup would also significantly reduce spammy signups, so if we could have MM3 ship with a CAPTCHA system and/or support for a class of CAPTCHA systems in the default web UI, that would be super. Is there a good place in the wiki for me to stick this suggestion, or will somebody who knows where it should go do that? Cheers, -- Cristóbal Palmer ibiblio.org metalab.unc.edu
Re: [Mailman-Developers] Ham, mailing lists, and oddball character sets
On Tue, May 04, 2010 at 12:32:42PM -0600, Philip A. Prindeville wrote: And thereby, it would be trivial to bounce a message sent to an English-language only mailing list that wasn't encoded in USASCII or Latin1 (iso-8859-1) as the charset. But alas they don't. It still wouldn't be trivial even if they did. What about people who put their normal, proper names in their signatures. Maybe they're Greek. Maybe they're Taiwanese Cheers, -- Cristóbal Palmer ibiblio.org metalab.unc.edu
Re: [Mailman-Developers] Proposal: option for UTF-8 emails without base64 encoding
On Fri, May 01, 2009 at 09:01:32AM +0200, Petr Hroudný wrote: With base64, emails grow in size by 33 % and such emails are getting much higher spam scores since base64 is typically used by spammers to obfuscate the payload. There are of course much more reasons for not using base64 as the primary encoding method for UTF-8 email. +1 for the proposed switch away from base64. This will be a boon for ibiblio lists. Thanks, -- Cristóbal Palmer ibiblio.org systems administrator cdla.unc.edu research assistant
Re: [Mailman-Developers] MM 2.1.12(rc2) backport for Ubuntu Hardy?
On Wed, Apr 22, 2009 at 01:12:26PM -0400, Barry Warsaw wrote: On Apr 22, 2009, at 1:01 PM, Adam McGreggor wrote: Just a quick query really (and possibly being slightly cheeky asking here...), but have any of you guys backported Mailman 2.1.12 from the Ubuntu Jaunty (or Debian 5) repos - Ubuntu Hardy? Not that one yet, but I have 2.1.11-12~ppa2 here: https://launchpad.net/~cristobalpalmer/+archive/ppa Took me a bit of stumbling to get it done. I wouldn't mind doing it again. providing PPAs for folks who want to run the latest and greatest. I don't have much packaging-fu but if someone wants to volunteer to do the heavily lifting, I'd be happy to twiddle the Launchpad bits. I'm happy to volunteer, but could it please wait until after the 27th? That's my last exam this semester. :) Cheers, -- Cristóbal Palmer ibiblio.org systems administrator cdla.unc.edu research assistant
Re: [Mailman-Developers] MM3: Content filter rules
On Tue, Mar 03, 2009 at 10:03:35PM -0500, Barry Warsaw wrote: For example, say you wanted a list description for your French list in both French and English, right now you can't do that. I'd like for it to be possible to set those kinds of messages in multiple languages. That would rock! Please let's have that, yes. Cheers, -- Cristóbal Palmer ibiblio.org systems administrator cdla.unc.edu research assistant
Re: [Mailman-Developers] Web UI
On Thu, Jun 19, 2008 at 01:21:31PM -0400, Terri Oda wrote: My question to everyone is... what options would you deem essential in the simple interface?
* Membership management
  o add/remove members
  o adjust per-member digest settings
  o adjust per-member moderation
* Moderation
  o 3 PRESETS: announce-only list vs. moderated discussion vs. open discussion
* List Description
  o web landing page description
  o footer content
* Passwords
  o brain-dead obvious password reset procedure (we get a lot of tickets requesting a password reset)
Thanks for this... Cheers, -- Cristóbal Palmer ibiblio.org systems administrator
Re: [Mailman-Developers] Important Mailman 2.1.9 to 2.1.10 upgrade note.
On Tue, Apr 22, 2008 at 11:44:05AM -0700, Mark Sapiro wrote: How about something like a couple of Default config settings like
    BAD_SHUNT_ARCHIVE_DIRECTORY = None
    BAD_SHUNT_STALE_AFTER = days(7)
With the idea being anything in the 'bad' or 'shunt' queues older than BAD_SHUNT_STALE_AFTER would be discarded or moved to BAD_SHUNT_ARCHIVE_DIRECTORY if it existed. Do people like this idea? +1 -- Cristóbal Palmer ibiblio.org systems administrator
Re: [Mailman-Developers] GNU Mailman Site Redesign
On Tue, Apr 08, 2008 at 11:08:57PM -0400, Barry Warsaw wrote: One other question you raise: I would like to move the bug trackers off of SourceForge at some point. I think Jira is no longer a viable option, so we should consider alternatives. Once again, Launchpad seems a natural Launchpad++ Slowness aside, that platform looks like a perfect fit. If people reeelly don't like that idea, I know a certain .org that might host other tracking software for the mailman team Cheers, -- Cristóbal Palmer ibiblio.org systems administrator
Re: [Mailman-Developers] [Mailman-i18n] [Mailman-Users] [Mailman-Announce] Updated message catalogs needed for Mailman 2.1.10
On Tue, Apr 08, 2008 at 11:14:12PM -0400, Barry Warsaw wrote: Would anybody out there be willing and able to run a reliable Pootle server for us? ibiblio can very likely host it. Please contact me off-list. Cheers, -- Cristóbal Palmer ibiblio.org systems administrator
Re: [Mailman-Developers] Google Summer of Code - Spam Defense
On Sat, Mar 29, 2008 at 01:08:14PM +0900, Stephen J. Turnbull wrote: I don't see anything in this story that couldn't be done just as well with central control via SA at the MTA. Part of this involves the backstory. 500+ lists that have never been in any way filtered, and many vocal list administrators concerned that having something imposed on them that they can't control will break things. Personally, I think it's the MTA's job to reject malformed (eg. bad HELO) mail, it's SA's job to *tag* mail, and whatever the MTA hands off to should make the decision about whether to drop, quarantine, or deliver. That's a philosophical stance, and if it's impractical and I shouldn't think that way, then so be it. I'd like to hear some arguments before I change that view, though. My current solution has the advantage that for any complaining list admin, I can point that administrator to her/his own admin panel and say, Play with these settings. From a sysadmin perspective, I currently have three SA installs that have nearly-identical configs and one repeatedly-tweaked and well-documented mailman install. I'd rather not make one of my SA instances an oddball and drop that on my successor. In an ideal world there'd be only one SA instance, but we're not there yet. If you'd like to donate hardware to ibiblio so we can do that, let me know So basically what I'm saying is that my selfish POV makes me want a mailman that has nice anti-spam policies out of the box. If it requires an admin making decisions about which addresses to protect or whether to do it from within SA, mailman, or something else, then there's a problem. I'm still scratching my head on how this bounced its way into my inbox, for example: http://garp.metalab.unc.edu/backscatter-example.txt How/where do I stop that? 
Cheers, -- Cristóbal Palmer ibiblio.org systems administrator
Re: [Mailman-Developers] Google Summer of Code - Spam Defense
On Sat, Mar 29, 2008 at 01:12:59PM -0500, Robby Griffin wrote: How/where do I stop that? How is that backscatter? Looks like plain old spam to me (addressed to a -owner address, which forwarded to postmaster But it shouldn't go to postmaster! /usr/local/mailman/bin/list_owners cc-co shows me three addresses, all of which are @gmail.com addresses. , which forwarded to you), postmaster does forward to me, yes. and your (three!) SpamAssassins two. One on malecky (the list machine), and one on garp. The third machine doesn't come into play here. let it through. Though one of them did score it high enough to be marked as spam, you don't seem to have anything between the world and your inbox that actually blocks spam... Not true. Mail to lists (but apparently not owners) now gets discarded if it has been tagged as spam. Furthermore, I have procmail rules in place in two places that drop mail above a certain threshold and quarantine a middle batch. If it helps, I have one setup where I have to discard high-scoring spam with procmail on its way into my inbox, and another where I modified SA to add a user-configurable threshold for tagging extreme spam so I could discard it within the MTA. I don't discard anything at the MTA, but otherwise you've got close to what I've got. What I'm missing here is the step where the mail went from going to one of the three list admins (again, all at gmail) to going to me. Where was the forgery? How did mailman (or was it postfix?) get duped? Cheers, -- Cristóbal Palmer ibiblio.org systems administrator
Re: [Mailman-Developers] Google Summer of Code - Spam Defense
On Sat, Mar 29, 2008 at 02:37:36PM -0400, Cristóbal Palmer wrote: Where was the forgery? How did mailman (or was it postfix?) get duped? Given an off-list response I got, I should clarify further. An important detail that I left out was that I never got mail like what I linked to before I put SA on the mailing list server. Once I added that, I started seeing mails like this at a rate of two or three per day. Cheers, -- Cristóbal Palmer ibiblio.org systems administrator
Re: [Mailman-Developers] Google Summer of Code - Spam Defense
On Thu, Mar 27, 2008 at 07:37:29PM +0100, Martin Schütte wrote: - hold or discard Messages marked as spam: Set up Spam-Filter rules with X-Spam-Flag: YES, X-Spam-Level: \*\*\*\*\*\*\*, or whatever. It is not the most user friendly interface, but certainly the most configurable and flexible one. Back in January I told our 500+ list admins that they could do this: http://lists.ibiblio.org/pipermail/ibiblio-announce/2008-January/000210.html And as of yesterday (27 of March) fewer than 20 had done anything. Yesterday I ran a script that imposed that filtering on all lists because we have been blacklisted by spamcop yet again. The message we were blacklisted for had been tagged as spam by SA on the list server, but still got bounced out to an innocent 3rd party (who then reported us). Anything that makes spam filtering smarter and better-integrated in mailman is a Good Thing (tm). Providing the *option* to have good and sane filtering integration is definitely not enough. Even with hand-holding and encouragement, the vast majority of our list admins are not going to do nearly as good a job as mailman can do if it accepts this GSOC project. I'll be happy to provide whatever feedback or support I can in making that happen. For the curious, the script I ran was based closely on what's in the wiki for changing generic_nonmember_action:

    #!/bin/bash
    cd /usr/local/mailman/bin
    # Temporary config_list input file holding the one setting to change.
    f=`mktemp`
    # Action 3 is "discard" in Mailman 2.1: drop anything SA tagged as spam.
    echo "header_filter_rules = [('^X-Spam-Status: Yes', 3, 0)]" > "$f"
    # Apply the setting to every list named in the file, one name per line.
    for list in `cat /root/no-filter-rules.txt`
    do
        ./config_list -i "$f" "$list"
    done
    rm "$f"

where /root/no-filter-rules.txt is a list of lists that had not heeded my advice.
Cheers, -- Cristóbal Palmer ibiblio.org systems administrator
Re: [Mailman-Developers] before next release: disable backscatter in default installation
On Wed, Mar 26, 2008 at 12:14:58PM -0700, Jo Rhett wrote: So I'm here, wasting my time, trying to get this solved so that just maybe we won't be forced to all migrate to web forums. Which would suck. Yes, that would suck. I encourage you to please continue engaging this list and the developers, but would caution you that you've already caused at least three people to think you're being overly antagonistic. So far I see documentation and some good scripts for fixing problems on existing systems coming out of this conversation. Please let's make improving that documentation and making 2.2 and 3.0 good by your standards a priority. Jo, would you please be willing to take the lead in improving this wiki page: http://wiki.list.org/display/SEC/Controlling+spam since it looks rather stubbish? If you're willing to lead by example on the documentation and 2.2, your argument would likely come off a bit better. Now, if your goal is a public telling-off of the mailman team, I think you've already made that clear enough. Can we move on? At ibiblio we host 500+ lists, including 41 cc- (creative commons) lists. Jumping from mailman to something else would be incredibly painful. We run on donations and we host sites like etree, groklaw, gutenberg... we could use your help if we're going to continue to do what we do. This open source world is a group effort that runs largely on good will and sharing. Your currency here often isn't valid if it doesn't come with a smile. So please, I *very* much respect what you're trying to do. Your contributions so far have been incredibly valuable. Point your guns at the wiki and 2.2 now, eh? That said, if 2.2 doesn't make progress on the backscatter front, ibiblio will have to re-evaluate its options. Specifically, I'd love to see the aliases and List- headers dealt with, both in terms of the defaults and in terms of providing documentation/tools for helping existing installations get up to snuff. 
Cheers,
--
Cristóbal Palmer
ibiblio.org systems administrator
___
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
[Mailman-Developers] 1-click unsubscribe
On Wed, Mar 05, 2008 at 08:25:49PM -0800, Mark Sapiro wrote: Any objections to changing the URL in the RFC 2369 List-Unsubscribe: header to the above - for 2.1.10? I could probably also suppress the Error: No address given message unless you came from options login page itself.

I like this. +1

Cheers,
--
Cristóbal Palmer
ibiblio.org systems administrator
[Mailman-Developers] 1-click unsubscribe
On Sun, Mar 02, 2008 at 11:31:03PM -0500, Dan MacNeil wrote: Since 2005, things have gotten a bit more ruthless on the anti-spam front, Particularly at the large providers so lists.ibiblio.org currently hosts 566 lists. We are constantly having to deal with mail providers who blacklist us because their users find it easier to tag mailing list posts as spam than follow the unsubscribe process.

IMHO, moving the unsubscribe or edit options to the top of the listinfo page or making it its own page by default would go a long way towards alleviating this problem. 1-click unsubscribe or some other, more streamlined default would help us quite a bit. Anything to help us reduce abuse reports and improve deliverability.

I don't think a potentially-beneficial change should be discarded because it's not a panacea. Mailman hosts will always have to do work educating their list owners and supporting list users who are having trouble. I'm following this thread with interest and look forward to the changes that come out of this discussion. I'd be happy to discuss specific experiences off-list.

Cheers,
--
Cristóbal Palmer
ibiblio.org systems administrator
Re: [Mailman-Developers] before next release: disable backscatter in default installation
On Tue, Mar 04, 2008 at 03:28:22PM -0800, Mark Sapiro wrote: The Defaults.py setting for DEFAULT_GENERIC_NONMEMBER_ACTION has been Hold from the beginning.

We've recently set this to 3 (Discard) for new lists. Please explain the argument for keeping the default as Hold for the long term. I believe it should be Discard, but can think of at least one argument for keeping the current default. I'd like to hear development team's line.

Perhaps you are thinking of the respond_to_post_requests setting. Do you object to any response at all, or just to responses that include the original message text? If the former, then you must object to DSNs from MTAs as well. If the latter, that is planned to be addressed in Mailman 2.2.

Even without the original message text a response is a problem. In the case of backscatter, the many novice users are still likely to tag the message as spam, which will cause the mailman install to be blacklisted if enough users from the same provider take this action. I'm happy to discuss ibiblio's experiences with being blacklisted off-list.

Cheers,
--
Cristóbal Palmer
ibiblio.org systems administrator
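The message above turns on two per-list settings, generic_nonmember_action and respond_to_post_requests. The following is an added example, not part of the thread and not Mailman's own code: a small script for Mailman 2.1's bin/withlist that reports and changes those settings on existing lists. The function names, the module name and the policy of treating Hold and Reject as backscatter sources are assumptions of this example.

```python
# Added example for Mailman 2.1 bin/withlist (module name is hypothetical):
#   bin/withlist -a -r backscatter_audit.report        # read-only report
#   bin/withlist -l -a -r backscatter_audit.harden     # lock, change, save
# Assumption: a notice sent to an unverified sender counts as backscatter.

ACCEPT, HOLD, REJECT, DISCARD = 0, 1, 2, 3   # generic_nonmember_action values
NAMES = {ACCEPT: 'Accept', HOLD: 'Hold', REJECT: 'Reject', DISCARD: 'Discard'}


def audit(mlist):
    """Return reasons this list can send mail to a possibly forged sender."""
    findings = []
    action = mlist.generic_nonmember_action
    if action == REJECT:
        findings.append('generic_nonmember_action=%s: a rejection notice '
                        'is mailed to the envelope sender' % NAMES[action])
    elif action == HOLD and mlist.respond_to_post_requests:
        findings.append('generic_nonmember_action=%s with '
                        'respond_to_post_requests on: a hold notice is '
                        'mailed to the envelope sender' % NAMES[action])
    return findings


def harden(mlist):
    """Switch Hold/Reject to Discard and stop auto-responses.

    Lists set to Accept are left alone. Discard drops legitimate
    non-member posts silently, so review accept_these_nonmembers first.
    Returns {attribute: (old, new)} for what was changed.
    """
    changed = {}
    if mlist.generic_nonmember_action in (HOLD, REJECT):
        changed['generic_nonmember_action'] = (
            mlist.generic_nonmember_action, DISCARD)
        mlist.generic_nonmember_action = DISCARD
    if mlist.respond_to_post_requests:
        changed['respond_to_post_requests'] = (
            mlist.respond_to_post_requests, 0)
        mlist.respond_to_post_requests = 0
    if changed:
        mlist.Save()   # withlist -l locks the list but does not save it
    return changed


def report(mlist):
    """withlist entry point: print findings without modifying the list."""
    for line in audit(mlist):
        print('%s: %s' % (mlist.internal_name(), line))
```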
Re: [Mailman-Developers] before next release: disable backscatter in default installation
On Wed, Mar 05, 2008 at 02:27:06PM +0900, Stephen J. Turnbull wrote: So the right thing to do is to get 2.1.10 out the door as is, and get started on 2.2.

Agreed. I like the README.backscatter proposal, too. Such a document would (ideally) help us and other admins who want to take action *now* change the right settings even for existing lists. ibiblio and many other sites have a long-term investment in mailman's success as a project, so let's please keep the release manager happy. :)

Cheers,
--
Cristóbal Palmer
ibiblio.org systems administrator
[Mailman-Developers] [ 1657458 ] feature request: batch deletion of subscription requests
Per http://www.list.org/bugs.html I am sending an email to this list about the feature request I reported at: https://sourceforge.net/tracker/index.php?func=detail&aid=1657458&group_id=103&atid=350103

It basically says that it would be nice to have another tickbox in the admindb page that lets you delete all pending *subscription* *requests* marked /defer/ and not just a tickbox that does that for *messages* since we're getting a fair amount of spam in the form of subscription requests to lists that we manage.

Thanks for your attention,
--
Cristóbal M. Palmer
ibiblio.org system administrator