Re: [Mailman-Developers] Remediation for fake member creation
Franck Martin writes:

 > Can't you send the email subscription request to moderation before
 > the email confirmation is sent?

The option "subscription needs approval" is available, and I use it for my student lists, etc. They're closed lists initially populated with "mass subscribe", but students often want to use cellphone or webmail addresses in addition to or in preference to their university addresses. In general, if the moderator knows the users well, there's often no point in confirmation. E.g., in my case I've almost always received personal mail from the address in question (it's preferred, or at least frequently used) if the student is on my list, so I know it's theirs.

There is also an option "confirm and approve". I believe it means "confirm, *then* approve", and I think that's the right order.

First, it prevents an attack on the moderator using faked addresses, and makes it a lot more expensive to attack the moderator with real addresses. I have seen such attacks on occasion for going on 25 years now; it's not a nightmare, it's a real problem.

Second, moderators are a scarce resource. In many cases the moderator will need to follow up out of band (for example, I recently subscribed to a closed list, and the moderator texted me on Telegram to make sure it was me). In that case, either way the "victim" has to deal with an additional contact -- we can't save them the effort, we can only reduce load for the moderator by asking the user to confirm first. Then if the user drops it on the floor, the moderator has no work to do. Of course there would be cases where the moderator would refuse the request before confirmation, but I think that would depend on the moderator knowing that there were attacks via her list. On balance, I strongly favor protecting the moderator here.

Finally, for open lists, which currently are configured confirm-only, I don't see how the moderators would have any idea whether it was a legitimate request or an attack, unless it was repeated to the same list -- and even then it would have to be a memorable address.

Bottom line: I see no reason to default "needs approval" on for Mailman as we distribute it, unless we discover that "moderator knows subscribers" is by far the most common case. cPanel might think otherwise for their user base, I don't know. But not the typical open source project or discussion list, which I believe is by far the majority of non-cPanel (etc.) Mailman lists. And the option is always available to turn on if you realize your list is being abused that way.

Steve

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] Remediation for fake member creation
----- Original Message -----
> From: "Stephen J. Turnbull"
> To: "Franck Martin"
> Cc: "Barry Warsaw", "mailman-developers"
> Sent: Monday, August 22, 2016 9:06:31 PM
> Subject: Re: [Mailman-Developers] Remediation for fake member creation
>
> Franck Martin writes:
>
> > Maybe a captcha? Or some more modern techniques...
>
> Captchas aren't applicable to email requests. It will be harder than
> that.

Yes, but protecting the web form from non-human subscription is a good step to take.

> WDOT?

Can't you send the email subscription request to moderation before the email confirmation is sent? Not ideal, but it is kind of like emergency moderation.
Re: [Mailman-Developers] Remediation for fake member creation
Franck Martin writes:

 > Maybe a captcha? Or some more modern techniques...

Captchas aren't applicable to email requests. It will be harder than that.

We could turn off subscription by email after user creation so that users would get only one email per email at most. From Mailman's point of view:

    <== subscribe email to list1
    === create user for email
    ==> OTK to email, says "please visit URL, email operation admits abuse"
    <== subscribe email to list2
    === recognize email, queue this request for user
    <== visitor arrives
    ==> You have (2) pending subscription requests:
        [x] confirm all subscriptions
        [x] subscribe email to list1
        [x] subscribe email to list2
        [submit confirmation and login to options]
        [just submit confirmation]

The confirmation page would recommend adding other emails to the user for security and posting convenience.

Of course a bot that knows all of a person's email addresses can do

    <== subscribe email1 to list1
    <== subscribe email2 to list2
    <== subscribe email3 to list3

resulting in three messages in the inbox, but that's probably orders of magnitude improvement over requesting subscription of one email to all the lists on a large server.

For users who can't use/hate the web, I suppose you could allow email reply confirmation, in which case email operations would remain effective until the user explicitly turns them off.

Finally, we could keep the users with no subscriptions in the database (at the person's option), preventing the felon from waiting until the subscription requests expire then bombing the person again.

WDOT?

Steve
Re: [Mailman-Developers] Remediation for fake member creation
----- Original Message -----
> From: "Barry Warsaw"
> To: "mailman-developers"
> Sent: Monday, August 22, 2016 2:43:06 PM
> Subject: Re: [Mailman-Developers] Remediation for fake member creation
>
> On Aug 22, 2016, at 01:03 PM, Franck Martin wrote:
>
> >While Mailman does double opt-in, one can still fill a mailbox with account
> >confirmations, what are the methods to stop a bot submitting email addresses
> >for registration across several lists?
>
> Mailman 3 will not pend a registration request more than once for an
> email/mailing list combination. It's possible to spam every list at least
> once though, and I'm not sure what you could do about that.

Maybe a captcha? Or some more modern techniques...
Re: [Mailman-Developers] Remediation for fake member creation
On Aug 22, 2016, at 01:03 PM, Franck Martin wrote:

>While Mailman does double opt-in, one can still fill a mailbox with account
>confirmations, what are the methods to stop a bot submitting email addresses
>for registration across several lists?

Mailman 3 will not pend a registration request more than once for an email/mailing list combination. It's possible to spam every list at least once though, and I'm not sure what you could do about that.

Cheers,
-Barry
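As an added illustration, not Mailman's own code and not part of any message in this thread, the following Python models two ideas the thread discusses: Barry's rule above (a given email/mailing list pair is pended only once) and Steve's proposal earlier in the thread (an address is mailed a single one-time key; later subscribe requests for that address are queued silently and presented together on the confirmation page; and, optionally, the user record is retained after the key lapses so that an address cannot be bombed again once its requests expire). The class and method names (SubscriptionCoordinator, PendingUser, request_subscription, confirm, pending_for), the three-day OTK_LIFETIME, and the sample addresses are all assumptions made for this example.

```python
# Added example (not Mailman code): a per-address pending-subscription queue.
# Constructed to illustrate this thread; names and the 3-day window are assumed.
import secrets
import time
from dataclasses import dataclass, field

OTK_LIFETIME = 3 * 24 * 3600   # assumed confirmation window, in seconds


@dataclass
class PendingUser:
    """One record per address: a single one-time key, many queued list requests."""
    email: str
    otk: str = ""                 # "" means no live confirmation key
    issued_at: float = 0.0
    pending: list = field(default_factory=list)   # list ids, ordered, no repeats


class SubscriptionCoordinator:
    def __init__(self, retain_users=True, clock=time.time):
        self.retain_users = retain_users   # keep the user record after its OTK lapses
        self.clock = clock                 # injectable clock so expiry can be tested
        self.users = {}                    # email -> PendingUser
        self.by_otk = {}                   # otk -> email
        self.members = set()               # confirmed (email, list_id) pairs
        self.outbox = []                   # (email, otk) confirmation mails "sent"

    def _mail_otk(self, user):
        """Send the one and only confirmation mail this address will get."""
        user.otk = secrets.token_urlsafe(16)
        user.issued_at = self.clock()
        self.by_otk[user.otk] = user.email
        self.outbox.append((user.email, user.otk))

    def _lapsed(self, user):
        return bool(user.otk) and self.clock() - user.issued_at > OTK_LIFETIME

    def _expire(self, user):
        """Drop lapsed requests; drop the user too unless records are retained."""
        if self._lapsed(user):
            self.by_otk.pop(user.otk, None)
            user.otk = ""
            user.pending.clear()
            if not self.retain_users:
                del self.users[user.email]
                return None
        return user

    def request_subscription(self, email, list_id):
        """Return the action taken for one subscribe request."""
        email = email.strip().lower()
        if (email, list_id) in self.members:
            return "already-member"
        user = self.users.get(email)
        if user is not None:
            user = self._expire(user)
        if user is None:
            # First contact with this address: create the user, send the single OTK.
            user = PendingUser(email, pending=[list_id])
            self.users[email] = user
            self._mail_otk(user)
            return "otk-sent"
        if list_id in user.pending:
            return "duplicate-ignored"     # never pend one (email, list) pair twice
        user.pending.append(list_id)
        return "queued"                    # no second mail; shown on the next visit

    def pending_for(self, email):
        """What the options page shows after login (the 'login to options' path)."""
        user = self.users.get(email.strip().lower())
        return list(user.pending) if user else []

    def confirm(self, otk, chosen=None):
        """Visitor follows the OTK link; subscribe the ticked lists (default: all)."""
        email = self.by_otk.pop(otk, None)
        if email is None:
            return []                      # unknown or already-used key
        user = self.users[email]
        if self._lapsed(user):
            self._expire(user)
            return []
        accepted = [l for l in user.pending if chosen is None or l in chosen]
        self.members.update((email, l) for l in accepted)
        user.pending.clear()
        user.otk = ""
        return accepted


if __name__ == "__main__":
    c = SubscriptionCoordinator()
    print(c.request_subscription("alice@example.org", "list1"))  # otk-sent
    print(c.request_subscription("alice@example.org", "list2"))  # queued
    print(c.request_subscription("alice@example.org", "list2"))  # duplicate-ignored
    print(len(c.outbox), "confirmation mail(s) sent")           # 1
```

The retain_users switch is the point of Steve's last paragraph: with it off, a lapsed key deletes the user record and the next request mails a fresh key, so an attacker who waits out the window can repeat the flood; with it on, the record survives and later requests only queue for the next login.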
[Mailman-Developers] Remediation for fake member creation
I'm not sure if you have seen the following blog posts:

https://wordtothewise.com/2016/08/subscription-bombing-esps-spamhaus/
https://wordtothewise.com/2016/08/spamhaus-comments-on-subscription-attack/
https://wordtothewise.com/2016/08/ongoing-subscription-attack/

While Mailman does double opt-in, one can still fill a mailbox with account confirmations. What are the methods to stop a bot submitting email addresses for registration across several lists?