Re: [Mailman-Users] Challenge/Response

2007-02-10 Thread Stephen J. Turnbull
Bob Morse writes:

  The problem remains, however: How do I prevent spoofing? In this case they
  have a real fear due to a board member who is soon to be ejected from the
  board and have organizational membership taken away. They feel he is capable
  (both emotionally and technically) of major disturbances on one or more of
  about a dozen mailing lists the organization maintains.

Wouldn't moderating non-members and requiring admin approval for
subscriptions be enough?  Or is he capable of spoofing a member's From
address?

If not, I've been there (the problem wasn't a board member, more like
a stalker).  However challenge/response wouldn't help anyway, because
it's easy enough to set up an autoresponder for typical C/R systems.
If not, and he's determined, he'll just do the C/R dance by hand.

What we ended up with was blacklisting the guy's known accounts,
hosts, and IP addresses, which caught most of the shrapnel, and human
moderation for about a month.  He gave up after two weeks of zero
success in several hundred attempts to subscribe or otherwise get past
the filters.  Had he come back they were prepared to cross-check IP
addresses from the Received headers against From addresses for the
regular posters.  Don't know if he would have been capable of getting
around that (spoofing both From and Received is easy enough if you
know what you're doing), fortunately we didn't have to go to those
extremes.  Here's hoping you don't have to, either.

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Challenge/Response

2007-02-10 Thread vancleef
 
 The problem remains, however: How do I prevent spoofing? In this case they
 have a real fear due to a board member who is soon to be ejected from the
 board and have organizational membership taken away. They feel he is capable
 (both emotionally and technically) of major disturbances on one or more of
 about a dozen mailing lists the organization maintains.
 
 What makes this even more of a 'challenge' is that the account is on a
 shared server.
 
I think that you're trying to deal with a sociological problem here.
I'll presume that the organization is prepared to make a statement
about this personnel action.  In general, that's a Public Relations
issue, not a technological one.

I'll also presume that the individual who is involved does not have
administrative access (root, etc.) to the Mailman host site.  The site
administrator(s) need to be informed of the action that is about to
take place, and told to secure the site appropriately, etc.  

So far as handling any fall-out from this action on one or more mail
lists, I'll suggest that you have list moderators (list administrator
level, but the job is moderation) prepared to weather developments.
It would be very wise to have somebody in a list administration role
who is prepared to handle Public Relations handling of the fallout
from this action.  

Technically, start with embargoing the individual's known accounts
(unsubscribe, or at least put on moderation, and use the Mailman 
filters to catch probable variations, prevent posting from
non-registered addresses, and require moderator review of new
subscriptions).  Then, wait for developments.  

Experience with this sort of thing suggests that the problem
individual will try to post, and will ultimately succeed, but will
have built up such a head of steam that the post will lose whatever
support the individual might have had.  

Mailman has some very good resources a savvy moderator can use
effectively for damage control.  The ultimate weapon, of course, is
putting the entire list on emergency moderation.  

I won't go into detail here, but the major list I set up a Mailman
host site for survived a split between the two co-founders, in which
one was fired, about three years ago.  The individual who was
removed did have several bogey addresses, and once he discovered
that his main addresses were moderated, blew a fuse and posted a
couple of real flames, some months afterward.  Net effect: six
resignations (out of 2500 members),  and some offlist discussion about
if this is the way the guy really is, who needs him?  

Hank



[Mailman-Users] listname-leave - wrong response

2007-02-10 Thread Scot Hacker
  On one of my lists, when a subscriber sends a message to listname- 
[EMAIL PROTECTED], instead of the unsub confirmation, they get back the  
Sorry, you're not allowed to post to this list message (it's  
configured as a one-way list).

Any idea what could cause this?

Thanks,
Scot




Re: [Mailman-Users] listname-leave - wrong response

2007-02-10 Thread Mark Sapiro
Scot Hacker wrote:

  On one of my lists, when a subscriber sends a message to listname- 
[EMAIL PROTECTED], instead of the unsub confirmation, they get back the  
Sorry, you're not allowed to post to this list message (it's  
configured as a one-way list).

Any idea what could cause this?


The alias or whatever your MTA uses to get the mail to Mailman for the
listname-leave address pipes the mail to

   /path/to/mail/mailman post listname

instead of

   /path/to/mail/mailman leave listname

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
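
A check for the mis-routed alias described in this reply, as an added example that is not part of the original message and not Mailman's or cPanel's own code. It assumes aliases of the form `name: |/path/to/mail/mailman command listname`, quoted or unquoted; the sample file contents are constructed.

```python
import re

# Matches pipe aliases that hand mail to the Mailman wrapper, for example:
#   mylist-leave: "|/path/to/mail/mailman leave mylist"
ALIAS_RE = re.compile(
    r'^(?P<alias>[^:#\s]+):\s*"?\|(?P<wrapper>\S*/mailman)\s+'
    r'(?P<cmd>\S+)\s+(?P<list>[^\s"]+)"?\s*$'
)

def audit_aliases(text):
    """Return (alias, command, expected_alias) for every Mailman pipe alias
    whose address does not match the command it runs.

    The posting address is the bare list name; every other command
    belongs on listname-command.
    """
    problems = []
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, non-Mailman aliases
        alias, cmd, lst = m.group("alias", "cmd", "list")
        expected = lst if cmd == "post" else "%s-%s" % (lst, cmd)
        if alias != expected:
            problems.append((alias, cmd, expected))
    return problems

# Constructed sample: announce-leave is wired to "post", so an unsubscribe
# request is treated as a posting attempt and bounced by the one-way list.
SAMPLE_ALIASES = """\
# constructed sample aliases
announce:        "|/path/to/mail/mailman post announce"
announce-join:   "|/path/to/mail/mailman join announce"
announce-leave:  "|/path/to/mail/mailman post announce"
announce-owner:  "|/path/to/mail/mailman owner announce"
mailman-leave: |/path/to/mail/mailman leave mailman
"""

if __name__ == "__main__":
    for alias, cmd, expected in audit_aliases(SAMPLE_ALIASES):
        print("%s runs '%s'; that command belongs on %s" % (alias, cmd, expected))
```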



Re: [Mailman-Users] Challenge/Response

2007-02-10 Thread Karl Zander
On Fri, 09 Feb 2007 15:54:59 -0800
  Bob Morse [EMAIL PROTECTED] wrote:
 Thank you all for your insights in the Challenge/Response question. I am
 convinced this is not the way to go. In fact, I used some of the same
 arguments to the client when he brought it up.
 
 The problem remains, however: How do I prevent spoofing? In this case they
 have a real fear due to a board member who is soon to be ejected from the
 board and have organizational membership taken away. They feel he is capable
 (both emotionally and technically) of major disturbances on one or more of
 about a dozen mailing lists the organization maintains.
 
 What makes this even more of a 'challenge' is that the account is on a
 shared server.


We are dealing with a similar situation now.  Some member, or
non-member, is spoofing the From: address of members to post to the
lists.  We have full emergency moderation turned on so all messages
are reviewed before posting.  And at the MTA we have instituted
various other checks that help prevent messages from getting to
Mailman.  There is no (easy) technology now that can prevent this.
If the person is inclined to make trouble, they will.  If not through
the lists, then by some other means.  Fundamentally, it's not a
technology problem.

--Karl


Re: [Mailman-Users] Challenge/Response

2007-02-10 Thread Mark Sapiro
Karl Zander wrote:

 Fundamentally, its not a technology problem.


Agreed, but as others have suggested, technology can help. For example,
if the 'bad guy' has a fixed IP, you can set header_filter_rules to
discard messages that have that IP in a Received: header. Of course,
that may just force him to go to dial-up for posting IF he figures out
why his messages don't make it.

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
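
The two Received:-based checks mentioned in this thread (discarding on a known fixed IP, and cross-checking Received addresses against From addresses of regular posters), as an added example that is not part of the original messages and not Mailman code. The function names, the baseline structure and the sample posts are assumptions constructed for illustration, using documentation address ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Bracketed IPv4 literal as MTAs write it: "from host (host [192.0.2.7])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(msg):
    """Return every bracketed IPv4 address found in the Received: headers."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IP_RE.findall(hdr))
    return ips

def triage(raw, blocked_ips, baseline):
    """Classify one post as 'discard', 'hold' or 'accept'.

    blocked_ips: set of addresses to drop outright (the fixed-IP case).
    baseline:    dict mapping a regular poster's From address to the set
                 of IPs that poster's mail has been seen to arrive from.
    """
    msg = message_from_string(raw)
    ips = received_ips(msg)
    if any(ip in blocked_ips for ip in ips):
        return "discard"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    known = baseline.get(sender)
    if known is None:
        return "hold"   # not a regular poster: a moderator decides
    if not known.intersection(ips):
        return "hold"   # member's From, unfamiliar path: possible spoof
    return "accept"

# Constructed sample data.
BLOCKED = {"192.0.2.7"}
BASELINE = {"alice@example.org": {"198.51.100.10"}}

def make_post(sender, ip):
    """Build a minimal constructed post with one folded Received: header."""
    return (
        "Received: from relay (relay [%s])\n"
        "\tby lists.example.org with ESMTP; Sat, 10 Feb 2007 12:00:00 -0800\n"
        "From: %s\nSubject: test\n\nbody\n" % (ip, sender)
    )

if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.50", "192.0.2.7"):
        print(ip, triage(make_post("Alice <alice@example.org>", ip), BLOCKED, BASELINE))
```

Only Received: lines added by your own MTA are outside the sender's control, so a mismatch is a reason to hold a post for a moderator, not proof of who sent it.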



Re: [Mailman-Users] Challenge/Response

2007-02-10 Thread Karl Zander
On Sat, 10 Feb 2007 12:18:26 -0800
  Mark Sapiro [EMAIL PROTECTED] wrote:
 Karl Zander wrote:

 Fundamentally, its not a technology problem.
 
 
 Agreed, but as others have suggested, technology can help. 


Yes.  I didn't mean to imply it could not.  We are using technology
to help us manage the situation and it's being effective.

But you have to be prepared to ride out the emotional part of this.
And if you do clamp down the lists, the person may go after softer
parts of the organization if they are inclined to make trouble.  We
have seen our interloper move on to a sister organization's lists.

--Karl


Re: [Mailman-Users] Approved: password

2007-02-10 Thread Dave Filchak
Thanks for the reply. I am using Thunderbird and wanting to send html 
email to Mailman. I looked through the instructions on how to add a 
custom header and I am sad to say ... I don't get it. Any chance you can 
walk me through it? I have opened about:config but I am not sure what I 
am supposed to put in there and really don't want to screw up the install.

Thanks

Dave

Mark Sapiro wrote:
 Dave Filchak wrote:

   
 I am trying to post to a one way (announce only) list using a user whose 
 moderation bit is set, but am using the method described in the FAQ i.e. 
 adding Approved: password to the first line of the body, with a 
 carriage return and blank line after it. It keeps rejecting it with the 
 standard Sorry, this is an announce only list ...etc etc. Can someone 
 tell me if this still works and how and perhaps how I add this to the 
 header rather than the body?
 


 Yes, it works. Possible things that might be wrong are:

 the password - it must be the list's admin or moderator password;
 neither the site password nor a member's password will work, and it
 must not have angle brackets around it.

 the format of the post - if the post is HTML, the Approved: line in the
 body won't work. The Approved: line must be the first non-blank line
 in the first text/plain part of the message. If it is, it is removed
 from that part and an attempt is made to remove it from all other text
 parts of the message, but the removal from other parts is not
 guaranteed to work.

 In general, if the post is simple plain text, or multipart/alternative
 with text/plain and text/html alternatives, the Approved: line will
 work and it will usually be removed from both parts of a
 multipart/alternative message, but it can be left in the text/html
 part under some circumstances.

 If the Approved: line is an actual header rather than a body line, it
 will always be recognized and removed regardless of the MIME structure
 of the message. How to add such a header or if it is even possible
 depends on the user agent (mail client) used to compose and send the
 mail. You used Thunderbird to send this post. See
 http://kb.mozillazine.org/Custom_headers for information on adding
 custom headers with Thunderbird.

   


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
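
A pre-send check modelled on the Approved: rules quoted in this message, as an added example that is not part of the original thread and not Mailman's own code. It assumes unencoded (7bit) text parts; the function names, the sample posts and the password are constructed.

```python
import re
from email import message_from_string

APPROVED_RE = re.compile(r"^approved:\s*\S+", re.IGNORECASE)

def first_text_plain(msg):
    """Return the first text/plain part of the message, or None."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part
    return None

def approved_location(raw):
    """Where the quoted rules would find the password: 'header', 'body',
    or None (the post is treated as an ordinary, unapproved post)."""
    msg = message_from_string(raw)
    if msg.get("Approved"):
        return "header"
    part = first_text_plain(msg)
    if part is None:
        return None  # HTML-only post: a body line is never looked at
    for line in part.get_payload().splitlines():
        if line.strip():  # only the first non-blank line counts
            return "body" if APPROVED_RE.match(line.strip()) else None
    return None

def parts_repeating_password(raw):
    """Content types of the other text parts that also carry an Approved:
    line. Removal from these is not guaranteed, so the password could
    reach subscribers; check before sending."""
    msg = message_from_string(raw)
    first = first_text_plain(msg)
    hits = []
    for part in msg.walk():
        if part is first or part.get_content_maintype() != "text":
            continue
        if re.search(r"approved:\s*\S+", part.get_payload(), re.IGNORECASE):
            hits.append(part.get_content_type())
    return hits

# Constructed samples; the password is a placeholder.
HTML_ONLY = ("From: admin@example.org\nContent-Type: text/html\n\n"
             "<p>Approved: s3cret-constructed</p><p>Meeting moved.</p>\n")
ALT = """\
From: admin@example.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Approved: s3cret-constructed

Meeting moved.
--b1
Content-Type: text/html

<p>Approved: s3cret-constructed</p><p>Meeting moved.</p>
--b1--
"""
```

Here `approved_location(HTML_ONLY)` is `None`, while `ALT` is approved from the body but still repeats the password in its text/html part, which is the case the header form avoids.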



Re: [Mailman-Users] OT Approved: password

2007-02-10 Thread Mark Sapiro
Dave Filchak wrote:

Thanks for the reply. I am using Thunderbird and wanting to send html 
email to Mailman. I looked through the instructions on how to add a 
custom header and I am sad to say ... I don't get it. Any chance you can 
walk me through it? I have opened about:config but I am not sure what I 
am supposed to put in there and really don't want to screw up the install.

In about:config scroll down to mail.compose.other.header which probably
says Status-default, Type-string and Value will be empty.
Right-click that line (or control-click if you don't have a
multi-button mouse), select 'modify' from the context menu and then
enter 'Approved' (without quotes and without a colon) in the dialog
box and click OK.

Note that there might already be headers listed in the value of
mail.compose.other.header if you have added any customized headers to
any filters. If this is the case, just add Approved to the end of the
list separated by a comma and no spaces.

Then, when you are composing mail, if you click the down arrow you use
to select To:, Cc:, etc. for addresses, you will be able to select
Approved:. Do that and type the password on that line where you would
normally type an email address.

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] listname-leave - wrong response

2007-02-10 Thread Scot Hacker

On Feb 10, 2007, at 11:06 AM, Mark Sapiro wrote:

  On one of my lists, when a subscriber sends a message to listname-
 [EMAIL PROTECTED], instead of the unsub confirmation, they get back the
 Sorry, you're not allowed to post to this list message (it's
 configured as a one-way list).

 Any idea what could cause this?


 The alias or whatever your MTA uses to get the mail to Mailman for the
 listname-leave address pipes the mail to

/path/to/mail/mailman post listname

 instead of

/path/to/mail/mailman leave listname

Hmm... this is a cPanel system, and the entire contents of /etc/aliases is:

mailman-admin: |/usr/local/cpanel/3rdparty/mailman/mail/mailman admin mailman
mailman-bounces: |/usr/local/cpanel/3rdparty/mailman/mail/mailman bounces mailman
mailman-confirm: |/usr/local/cpanel/3rdparty/mailman/mail/mailman confirm mailman
mailman-join: |/usr/local/cpanel/3rdparty/mailman/mail/mailman join mailman
mailman-leave: |/usr/local/cpanel/3rdparty/mailman/mail/mailman leave mailman
mailman-owner: |/usr/local/cpanel/3rdparty/mailman/mail/mailman owner mailman
mailman-request: |/usr/local/cpanel/3rdparty/mailman/mail/mailman request mailman
mailman-subscribe: |/usr/local/cpanel/3rdparty/mailman/mail/mailman subscribe mailman
mailman-unsubscribe: |/usr/local/cpanel/3rdparty/mailman/mail/mailman unsubscribe mailman
mailman: /dev/null
mailman-loopback: /dev/null
owner-mailman: mailman-admin
owner-mailman: mailman-admin

In other words, no references to specific lists, or to -leave for any  
specific list, are in that file. Maybe cPanel keeps a separate  
aliases file somewhere, but I couldn't locate it if it does. Any  
cPanel experts have a clue where the equivalent file is?

Thanks,
Scot




Re: [Mailman-Users] OT Approved: password

2007-02-10 Thread Dave Filchak
Thanks very much ... works like a charm.

Dave


Mark Sapiro wrote:
 Dave Filchak wrote:

   
 Thanks for the reply. I am using Thunderbird and wanting to send html 
 email to Mailman. I looked through the instructions on how to add a 
 custom header and I am sad to say ... I don't get it. Any chance you can 
 walk me through it? I have opened about:config but I am not sure what I 
 am supposed to put in there and really don't want to screw up the install.
 

 In about:config scroll down to mail.compose.other.header which probably
 says Status-default, Type-string and Value will be empty.
 Right-click that line (or control-click if you don't have a
 multi-button mouse), select 'modify' from the context menu and then
 enter 'Approved' (without quotes and without a colon) in the dialog
 box and click OK.

 Note that there might already be headers listed in the value of
 mail.compose.other.header if you have added any customized headers to
 any filters. If this is the case, just add Approved to the end of the
 list separated by a comma and no spaces.

 Then, when you are composing mail, if you click the down arrow you use
 to select To:, Cc:, etc. for addresses, you will be able to select
 Approved:. Do that and type the password on that line where you would
 normally type an email address.

   

