Re: [Mailman-Users] more questions about Yahoo feedback loop and abuse complaints

2012-06-17 Thread Tanstaafl

On 2012-06-16 3:54 PM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

> * Terry Earley te...@fiteyes.com:
>
>> Maybe VERP is the best solution for AOL and her evil step-sisters if you
>> can stand the overhead?
>
> Yep.


Is it possible to enable VERP *only* for certain domains (like AOL, 
Yahoo, etc)?

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] AOL redacts user addresses even with VERP and full personalization enabled

2012-06-17 Thread Brad Knowles
On Jun 16, 2012, at 9:58 PM, Lindsay Haisley wrote:

> I have no idea why AOL wants to make it difficult for list
> administrators to unsubscribe people who don't want to be subscribed and
> who complain to AOL about list posts being spam.

I can tell you the reasons that management gave at the time I was working there 
-- it was all about the privacy of their user.  They said that they wanted to 
protect the privacy of the person who was complaining.

In fact, when you sign up for the AOL Feedback Loop (as I did years ago for the 
lists hosted at python.org), the instructions explicitly state that you may not 
use any information they give you to determine who the affected user is -- 
they're simply telling you that you have a problem that you need to fix on your 
end to keep spam from being generated in the first place, and it is not 
relevant which AOL user is complaining.


Of course, this completely ignores the problem of the AOL user who hits the 
"This is spam" button without knowing that they did it, or accidentally 
includes one of your messages when they hit that button on a whole selection of 
that they want to complain about.

I've even seen people hit the "This is spam" button on individual personal 
messages that they got from a member of their own family who was of the 
opposite political party and who was talking about politics.  Imagine your 
crazy Uncle Joe ranting and raving about some political party member they 
like/dislike and about whom you feel the opposite, and instead of asking them 
to stop or just deleting the message, you hit the button that tells AOL that 
this person spammed you.

And yes, AOL knows full well just how stupid their users are.  But the customer 
is always right.  They stuck their spear into the soil, and now the shakier the 
ground that they stand on, the more violently they must hold onto the position 
that they have committed themselves to.  To do otherwise would mean that they 
were admitting that they were wrong, which would make them culpable in court.


So, you and I and everyone else on the planet have to suffer because of their 
stupid policies.

> The only explanations
> that come to mind are very sinister ones, but given the way things are
> going these days, it may indeed be that AOL is truly trying to break the
> Internet mail system so that they and their ilk can try to rebuild it
> according to their own (for profit) model.

No, they're much too short-sighted for that.  And they're not smart enough for 
that, either.

You should not assume sinister (but intelligent) motives when plain corporate 
stupidity will suffice.

> Is there anyone with the Mailman project with sufficiently informed
> inside contacts at AOL who could find out exactly what's going on with
> AOL (and Earthlink, which I believe uses the same system) and why
> they're doing this?

All my contacts are outdated.  Everyone I knew who worked there has long since 
moved on.  But that doesn't change the reasons that were given at the time, nor 
the reasons why they continue to follow the same stupid policies.

> It might be worth noting that one of the several lists I host will not
> accept subscriptions from AOL addresses because of their problem
> policies.  What with gmail accounts being free and easy to get, AOL is
> simply cutting themselves out of the loop in the long run with their
> policies.  No loss there!

I'm not surprised.  AOL doesn't care about those small percentages of loss for 
that one product.  That's trivial compared to the value of the company as a 
whole if they were to admit that they were wrong with a result of getting their 
ass dragged into many more court cases.

I know the guy who was the SRE for Gmail, and on the technical side they still 
have some people who care and have a clue.  I do feel that Google is the Next 
Great Evil in this world, but that doesn't change the facts of the technical 
implementation of their mail system relative to AOL.  Of course, that's not 
saying much….

--
Brad Knowles b...@shub-internet.org
LinkedIn Profile: http://tinyurl.com/y8kpxu


Re: [Mailman-Users] AOL redacts user addresses even with VERP and full personalization enabled

2012-06-17 Thread Lindsay Haisley
On Sun, 2012-06-17 at 06:34 -0700, Brad Knowles wrote:
> I can tell you the reasons that management gave at the time I was
> working there -- it was all about the privacy of their user.  They
> said that they wanted to protect the privacy of the person who was
> complaining.
 
So what would be the implications of hacking an extra header into
outgoing posts on lists for which personalization is enabled, say
X-Subdata, with said header containing a hash of the subscriber
address to which the post is directed?

This would, in theory, mostly satisfy AOL's privacy concern since a hash
is a one-way encryption and no one could determine the address unless
they already had access to the name in the form of the subscriber list
so that a hash comparison could be made.

I'm not asking for a feature from the devs since I can hack this myself,
just perhaps some insight into the implications for a list host that
handles no more than half a dozen small mailing lists, each with 1000
subscribers or less.

Hacking the message ID out of mail logs to identify the subscriber seems
somewhat chancier and more difficult, since mail logs roll over and
eventually disappear from the system.  All this stuff is scripted here,
and works unattended to unsubscribe complaining subscribers, so the
overhead is in programming, with a minimal amount in execution time.

-- 
Lindsay Haisley   | Real programmers use butterflies
FMP Computer Services |
512-259-1190  |   - xkcd
http://www.fmp.com|
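
The hashed-header idea from the message above, as an added example that is not part of the original post and is not Mailman code. It is written for Python 3 and uses a keyed HMAC-SHA256 in place of a plain hash; `SITE_SECRET`, `make_token`, `tag_message`, `redact`, `find_complainer` and the sample roster and post are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

# All names below are hypothetical; the secret, roster and post are constructed.
SITE_SECRET = b"constructed-example-secret"  # stays on the list host
HEADER = "X-Subdata"                         # header name used in the thread
ROSTER = ["alice@example.com", "bob@example.net", "carol@example.org"]
POST = (
    "Return-Path: <all-bounces+bob=example.net@lists.example.org>\n"
    "To: all@lists.example.org\n"
    "Subject: [Example 1] hello\n"
    "\n"
    "body text\n"
)


def make_token(listname, address, secret=SITE_SECRET):
    """Keyed hash of (list, subscriber): stable per subscriber, opaque without the secret."""
    data = f"{listname.lower()}\n{address.strip().lower()}".encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def tag_message(raw, listname, recipient):
    """Return a per-recipient copy of a post carrying exactly one token header."""
    msg = message_from_string(raw)
    del msg[HEADER]  # no error if absent; prevents a duplicate header
    msg[HEADER] = make_token(listname, recipient)
    return msg.as_string()


def redact(raw, address):
    """Constructed stand-in for the report redaction described in the thread:
    the mailbox part of the VERPed Return-Path becomes 'redacted'."""
    mailbox = address.split("@", 1)[0]
    return raw.replace(f"+{mailbox}=", "+redacted=")


def find_complainer(report, listname, roster, secret=SITE_SECRET):
    """Return the roster address whose token is in the report, else None."""
    token = message_from_string(report).get(HEADER, "").strip().encode("utf-8")
    if not token:
        return None
    for address in roster:
        expected = make_token(listname, address, secret).encode("utf-8")
        if hmac.compare_digest(token, expected):
            return address
    return None


if __name__ == "__main__":
    report = redact(tag_message(POST, "all", "bob@example.net"), "bob@example.net")
    print(find_complainer(report, "all", ROSTER))
```

Because the token is keyed rather than salted, it is the same on every post to a given subscriber and cannot be tested against a candidate address list by anyone who does not hold the secret.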



Re: [Mailman-Users] Mailman 2.1.15 final released.

2012-06-17 Thread Barry S, Finkel

On 6/16/2012 2:04 PM, David wrote:

> How would I update from the version of Mailman 2.1.14 from Ubuntu's
> repository (on Ubuntu 12.04)?

You can do what I did when I administered a Mailman system running on
Ubuntu - I generated my own package from an existing Ubuntu package and
the new SourceForge source.
--Barry Finkel



Re: [Mailman-Users] what effect does mm_cfg.py setting VERP_PERSONALIZED_DELIVERIES have if personalize (nondigest) is set to NO?

2012-06-17 Thread Mark Sapiro
David wrote:

> On Sun, Jun 17, 2012 at 1:25 AM, Mark Sapiro m...@msapiro.net wrote:
>
>> David wrote:
>>
>>> In mm_cfg.py I have these settings:
>>>
>>> OWNERS_CAN_ENABLE_PERSONALIZATION=Yes
>>> VERP_PERSONALIZED_DELIVERIES=Yes
>>> VERP_PASSWORD_REMINDERS = Yes
>>> VERP_CONFIRMATIONS = Yes
>>>
>>> If I set VERP_DELIVERY_INTERVAL = 1 in mm_cfg.py, does that override any
>>> list-specific settings, or any of the other settings above?
>>
>> It means that every post and every message to a LIST-owner will be
>> verped regardless of other settings.
>
> And, conversely, if VERP_DELIVERY_INTERVAL = 0 (the default value), but
> Full Personalization is enabled, then every post will also be verped.
> Correct?


Every post from the list(s) with personalize set to Yes or Full
Personalization will be VERPed to the regular (non-digest) recipients.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] more questions about Yahoo feedback loop and abuse complaints

2012-06-17 Thread Mark Sapiro
Tanstaafl wrote:

> Is it possible to enable VERP *only* for certain domains (like AOL,
> Yahoo, etc)?


It would be a somewhat messy hack to Mailman/Handlers/SMTPDirect.py to
do it in Mailman. Depending on your MTA, you might be able to do it
there if you have the MTA do the VERPing.

See https://bugs.launchpad.net/mailman/+bug/558067 for Postfix and
https://bugs.launchpad.net/mailman/+bug/558002 for qmail. Note that
these only address enabling VERPing in the MTA, not limiting the
domains to which it applies.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] more questions about Yahoo feedback loop and abuse complaints

2012-06-17 Thread Terry Earley
> Is it possible to enable VERP *only* for certain domains (like AOL,
> Yahoo, etc)?

Now that AOL also redacts return path, VERPing alone will not help much for
them.

Return-Path: redacted-boun...@discuss.fiteyes.com

Full Personalization could give you more to trace, since each post is sent
individually.

Terry Earley
FitEyes


On Sun, Jun 17, 2012 at 4:33 PM, Mark Sapiro m...@msapiro.net wrote:

> Tanstaafl wrote:
>
>> Is it possible to enable VERP *only* for certain domains (like AOL,
>> Yahoo, etc)?
>
> It would be a somewhat messy hack to Mailman/Handlers/SMTPDirect.py to
> do it in Mailman. Depending on your MTA, you might be able to do it
> there if you have the MTA do the VERPing.
>
> See https://bugs.launchpad.net/mailman/+bug/558067 for Postfix and
> https://bugs.launchpad.net/mailman/+bug/558002 for qmail. Note that
> these only address enabling VERPing in the MTA, not limiting the
> domains to which it applies.
>
> --
> Mark Sapiro m...@msapiro.net        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan




Re: [Mailman-Users] more questions about Yahoo feedback loop and abuse complaints

2012-06-17 Thread Mark Sapiro
Terry Earley wrote:

>> Is it possible to enable VERP *only* for certain domains (like AOL,
>> Yahoo, etc)?
>
> Now that AOL also redacts return path, VERPing alone will not help much for
> them.
>
> Return-Path: redacted-boun...@discuss.fiteyes.com


Is that a redact of a VERPed Return-Path:? It doesn't look like it. It
looks like

Return-Path: listname-boun...@discuss.fiteyes.com

was changed to 

Return-Path: redacted-boun...@discuss.fiteyes.com

and doesn't answer the question of what

Return-Path: listname-bounces+aol_user=aol@discuss.fiteyes.com

would be changed to.


> Full Personalization could give you more to trace, since each post is sent
> individually.


And if Mailman does VERP, messages are sent individually too, and all
personalized messages are sent individually, not just fully
personalized ones.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] more questions about Yahoo feedback loop and abuse complaints

2012-06-17 Thread David
On Sun, Jun 17, 2012 at 7:13 PM, Mark Sapiro m...@msapiro.net wrote:

> Terry Earley wrote:
>
>>> Is it possible to enable VERP *only* for certain domains (like AOL,
>>> Yahoo, etc)?
>>
>> Now that AOL also redacts return path, VERPing alone will not help much
>> for them.
>>
>> Return-Path: redacted-boun...@discuss.fiteyes.com
>
> Is that a redact of a VERPed Return-Path:? It doesn't look like it. It
> looks like
>
> Return-Path: listname-boun...@discuss.fiteyes.com
>
> was changed to
>
> Return-Path: redacted-boun...@discuss.fiteyes.com
>
> and doesn't answer the question of what
>
> Return-Path: listname-bounces+aol_user=aol@discuss.fiteyes.com
>
> would be changed to.



Here are some example headers. The first is from a message from the list
sent to me, as a subscriber to the list. (I could post the entire headers
if it would be of interest.)

Return-Path: all-bounces+dave=fiteyes@discuss.fiteyes.com
Subject: [FitEyes Discussion 715] Re: First self IOP measurement done


An AOL member complained about this same message today.

The return path in the report from the AOL Feedback Loop gets redacted to:

Return-Path: all-bounces+redacted=aol@discuss.fiteyes.com


I can paste the entire report from the AOL Feedback Loop if that would be
of interest. But they redact everything now, including even items without
the receiver's address such as:

List-Unsubscribe: http://discuss.fiteyes.com/m/options/all,
 mailto:all-requ...@discuss.fiteyes.com?subject=unsubscribe

which gets changed to:

List-Unsubscribe: http://discuss.fiteyes.com/m/options/all,
 redac...@discuss.fiteyes.com


Re: [Mailman-Users] more questions about Yahoo feedback loop and abuse complaints

2012-06-17 Thread Mark Sapiro
On 6/17/2012 4:44 PM, David wrote:

> An AOL member complained about this same message today.
>
> The return path in the report from the AOL Feedback Loop gets redacted to:
>
> Return-Path: all-bounces+redacted=aol@discuss.fiteyes.com


OK, that answers that question, so it would seem that Lindsay Haisley's
suggestion of hacking in a custom header with a hash of the user's
address that doesn't look like an email address would work, but it would
be a violation of the terms of service for the feedback loop according
to Brad Knowles:

> In fact, when you sign up for the AOL Feedback Loop (as I did years ago for
> the lists hosted at python.org), the instructions explicitly state that you
> may not use any information they give you to determine who the affected user
> is ...

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan





[Mailman-Users] Personal patch

2012-06-17 Thread Lindsay Haisley
Can someone give me some feedback on the following patch to
SMTPDirect.py - whatever I've overlooked, or done that might be
dangerous?

The purpose of this patch is to insert a header, X-subdata into VERPed
emails which won't be flagged and redacted by AOL's brain-dead Email
Feedback Report system, and will continue to allow my local scripts to
unsubscribe subscribers who hit the Report Spam button on their AOL
mail UI.

The content of the header is an MD5 hash of the receiving subscriber's
email address - the same information contained in the Sender and
Return-path headers, normally munged (redacted) by AOL.  The hope is
that this hash will address AOL's privacy concerns, and/or else fall
beneath the intelligence level of their scrutiny.

The address hash can be compared against the list of subscribers to the
list, identified in several (improperly redacted or un-redacted)
headers.

I'm not submitting this as a suggested patch for Mailman, but just
asking for some feedback from people who know the code better than I do.

--- SMTPDirect.py.orig  2012-06-17 17:16:25.0 -0500
+++ SMTPDirect.py   2012-06-17 21:17:25.0 -0500
@@ -43,6 +43,8 @@
 from email.Utils import formataddr
 from email.Header import Header
 from email.Charset import Charset
+from md5crypt import md5crypt
+from random import choice
 
 DOT = '.'
 
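Review bot: `from md5crypt import md5crypt` in the import block is a top-level import of a module that does not ship with Python, so if it is not on Mailman's path SMTPDirect.py itself fails to load and all delivery through this handler stops, not just the new header. Either install the module alongside Mailman and note that dependency in a comment next to the import, or wrap the import in try/except ImportError and skip the header when it is unavailable.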
@@ -307,6 +309,9 @@
  'host'   : DOT.join(rdomain),
  }
 envsender = '%s@%s' % ((mm_cfg.VERP_FORMAT % d), DOT.join(bdomain))
+saltmarsh = 
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrsyuvwxyz1234567890./
+if not msgdata.has_key(X-subdata):
+msgcopy[X-Subdata] = md5crypt(rmailbox + @ + 
DOT.join(rdomain), choice(saltmarsh) + choice(saltmarsh)) 
 if mlist.personalize == 2:
 # When fully personalizing, we want the To address to point to the
 # recipient, not to the mailing list
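Review bot: the guard `if not msgdata.has_key(X-subdata)` looks in msgdata, while the header is written to msgcopy under the differently capitalised name X-Subdata, so the test does not check the object that is being modified. Test msgcopy for X-Subdata instead, or delete any existing X-Subdata header before assigning, since assigning a header on an email message appends a second copy rather than replacing the first. The saltmarsh alphabet also reads `qrsyuvwxyz`, so `t` is missing and `y` appears twice.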




Re: [Mailman-Users] AOL redacts user addresses even with VERP and full personalization enabled

2012-06-17 Thread Brad Knowles
On Jun 17, 2012, at 7:27 AM, Lindsay Haisley wrote:

> So what would be the implications of hacking an extra header into
> outgoing posts on lists for which personalization is enabled, say
> X-Subdata, with said header containing a hash of the subscriber
> address to which the post is directed?

You could do this, but the question is whether or not that header would survive 
through to the complaint you get via their feedback loop.  I doubt that it 
would, but there's only one way to know for sure.

> I'm not asking for a feature from the devs since I can hack this myself,
> just perhaps some insight into the implications for a list host that
> handles no more than half a dozen small mailing lists, each with 1000
> subscribers or less.

It would be simple enough to write a milter that would work with postfix and 
sendmail to implement such a feature, and I strongly suspect that someone else 
has probably already done this.  You just need to find it and install it.

--
Brad Knowles b...@shub-internet.org
LinkedIn Profile: http://tinyurl.com/y8kpxu



Re: [Mailman-Users] AOL redacts user addresses even with VERP and full personalization enabled

2012-06-17 Thread Lindsay Haisley
On Sun, 2012-06-17 at 20:40 -0700, Brad Knowles wrote:
> You could do this, but the question is whether or not that header
> would survive through to the complaint you get via their feedback
> loop.  I doubt that it would, but there's only one way to know for
> sure.
 
My observation has been that the offending message returned by AOL's 
feedback system contains all headers in the original message, with a
rather scattershot number of tokens redacted.

I hacked the code and submitted a patch separately for review, if anyone
wants to review it.

-- 
Lindsay Haisley   | The difference between a duck is because
FMP Computer Services |one leg is both the same
512-259-1190  | - Anonymous
http://www.fmp.com|



Re: [Mailman-Users] Personal patch

2012-06-17 Thread Mark Sapiro
Lindsay Haisley wrote:

Can someone give me some feedback on the following patch to
SMTPDirect.py - whatever I've overlooked, or done that might be
dangerous?
[...]
--- SMTPDirect.py.orig 2012-06-17 17:16:25.0 -0500
+++ SMTPDirect.py  2012-06-17 21:17:25.0 -0500
@@ -43,6 +43,8 @@
 from email.Utils import formataddr
 from email.Header import Header
 from email.Charset import Charset
+from md5crypt import md5crypt
+from random import choice
 
 DOT = '.'
 
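Review bot: `from random import choice` is imported only to pick a two-character salt for each message in the second hunk, which means the X-Subdata value for one subscriber changes on every post and cannot be looked up directly. Add a comment saying how the unsubscribe script is expected to match it (recover the salt from the reported value and recompute for each subscriber on the list), or drop the random salt in favour of a fixed value held on the list host so that one subscriber always maps to one header value.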
@@ -307,6 +309,9 @@
  'host'   : DOT.join(rdomain),
  }
 envsender = '%s@%s' % ((mm_cfg.VERP_FORMAT % d), 
 DOT.join(bdomain))
+saltmarsh = 
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrsyuvwxyz1234567890./
+if not msgdata.has_key(X-subdata):
+msgcopy[X-Subdata] = md5crypt(rmailbox + @ + 
DOT.join(rdomain), choice(saltmarsh) + choice(saltmarsh)) 
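Review bot: the `md5crypt(...)` call takes only the recipient address and a salt drawn from a fixed alphabet, and that salt has to be recoverable from the header for the later comparison to work, so anyone who sees the header and holds a list of candidate addresses can test each one against it. If the value is meant to be opaque outside the list host, key it with a secret that never leaves the server (an HMAC over the address) rather than a salt carried with the value.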


rmailbox + '@' + DOT.join(rdomain)

just does the inverse of 

rmailbox, rdomain = Utils.ParseEmail(recip)

So why not just make the above

+msgcopy[X-Subdata] = md5crypt(recip, choice(saltmarsh) + 
choice(saltmarsh)) 


Other than that, it looks OK assuming there is an appropriate md5crypt
module in Mailman's path.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
