[Mailman-Users] iMailModerate 1.1.0
Hi together,

a new version of iMailModerate is available. It brings iPhone 5 and iOS 6 support. Also the member-list is now not fully loaded (which can be too slow on big lists), but will be dynamically loaded. I'm preparing a bigger update in the near future.

iMailModerate is the best way to moderate mails and manage subscribers on the iPhone. If you don't already own iMailModerate you can get it here: http://cl.ly/DyCl

Best regards,
Manuel Weiel

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
Hi Stephen,

Thank you for your reply. My responses are below.

-----Original Message-----
From: Stephen J. Turnbull [mailto:step...@xemacs.org]
Sent: Friday, October 19, 2012 9:20 PM
To: Kalbfleisch, Gary
Cc: mailman-users@python.org
Subject: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

Kalbfleisch, Gary originally writes:

inundated with confirmation request messages, and you cannot delete them all at once on the Tend to pending moderator requests screen. You have to select Discard for each of them individually. I don't know if this has been changed yet.

Stephen J. Turnbull writes:

As far as I can see, these are batchable (you only need to click Submit once -- version 2.1.15, but I doubt this has changed in many years). Is your issue that the moderator has to tick each box? I really don't think that should change; otherwise you would lose valid subscription requests when being attacked in this way. Is the issue that lists get so many requests that it overflows the screen, and you can only do (say) 20 at once?

Kalbfleisch, Gary responds:

Messages are batchable, but administrative tasks are not. As you noted you must tick each box, and yes I'm talking pages and pages of bogus subscription requests. Quite tedious. I think these too should be batchable but perhaps separately. What I would like to be able to do is to change all administrative messages to discard (or whatever) with one click, then go back and change the legitimate subscription requests back to accept.

I had to block access to the web interface from off site at our router to stop the deluge of messages.

I think this is the best way to handle it. There really ought to be a way for a host to request that a service be firewalled programmatically, although it would have to be designed *very* carefully.

After analyzing the httpd logs I have identified three primary sources of the bogus subscription requests, the most predominant being associated with http://mailbait.info.

If you list admins out there are not familiar with mailbait.info you should check it out. It is a service (I use that term loosely here) for filling up your inbox. People submit hosts that send out email messages via web forms which are exploited for this purpose. If you run it (and you can do this without filling in the email address field so you can see how it works) you will see that it skips from one Mailman site to another submitting bogus subscription requests. As per the Mailbait FAQ, "MailBait does not condone using other people's email address with this service"; however, they make no efforts to prevent it. You cannot filter on IP addresses because the source address is that of the person that runs it, not Mailbait itself. I created an iptables filter that looks for the string mailbait.info, which appears in the Referer field of most of the packets. I investigated creating a filter utilizing the iptables recent directive, which filters on the number of consecutive hits per time period, but the hits are spread out between each host sufficiently to make this ineffective. This is true for the other two sources (not associated with Mailbait) I identified as well, which I traced to ISP DHCP ranges. I have seen this starting to occur at some other Mailman sites as well. Anyone else seeing this or have any ideas about how best to handle this? I have it under control for now but it is changing the way we use our lists.

Sadly, I don't see how that can be avoided. The problem is the SMTP and HTTP protocols themselves, which have no easily used provision for authentication or authorization of clients. (How many students do you know who walk around with a personal X.509 certificate?)

If you have suggestions for the admin interface, that would be very helpful. Even if you don't have a lot of confidence in them, this is a hard problem that requires wild ideas.

CAPTCHA for subscription requests would go a long way in preventing this type of exploitation.

Thank you,
--
Gary Kalbfleisch
Director of Technology Support Services
Shoreline Community College
(206) 546-5813
(206) 546-6943 Fax
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
Kalbfleisch, Gary writes:

> Kalbfleisch, Gary responds: Messages are batchable, but administrative tasks are not. As you noted you must tick each box, and yes I'm talking pages and pages of bogus subscription requests. Quite tedious.

This would be a bigger problem than losing valid requests if it was frequent.

> I think these too should be batchable but perhaps separately. What I would like to be able to do is to change all administrative messages to discard (or whatever) with one click, then go back and change the legitimate subscription requests back to accept.

I regularly lose posts to mailing lists because of this way of doing things.

> After analyzing the httpd logs I have identified three primary sources of the bogus subscription requests, the most predominant being associated with http://mailbait.info.

Wonderful. Not much Mailman can do about the network-level DoS, but I suppose the web interface could filter on referrers. If mailbait.info is in the Referrer header, return a 404. ;-)

> If you have suggestions for the admin interface, that would be very helpful. Even if you don't have a lot of confidence in them, this is a hard problem that requires wild ideas.
>
> CAPTCHA for subscription requests would go a long way in preventing this type of exploitation.

I'm pretty sure there are third-party extensions for this. I'm dubious about the net value of CAPTCHAs. Personally, I generally take a CAPTCHA as a "NO TRESPASSING -- THIS MEANS YOU!" sign, and don't go back.
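An added example, not code from this thread or from the Mailman project, that puts Gary's httpd-log analysis and Stephen's "404 on a mailbait.info Referer" idea into one runnable script. It assumes Apache "combined" access-log lines, a Mailman 2.1 layout where the subscribe form POSTs to /mailman/subscribe/<listname>, and a WSGI front for the 404 gate purely for illustration (Mailman 2.1 actually serves its forms from CGI scripts); the sample log lines are constructed. It goes one step past the thread: because Gary found that per-IP rate limiting (the iptables recent match) is defeated when the hits are spread thinly across many client hosts, the report also flags any list that collects subscribe POSTs from many distinct source addresses inside a short window, which catches the same flood regardless of Referer.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Referer host named in the thread as the dominant source of bogus subscribe
# POSTs. Matched as exact host or subdomain, not as a substring, so an
# unrelated host that merely contains the text does not match.
BAD_REFERER_HOSTS = ("mailbait.info",)

# Assumptions: Apache "combined" log format, and subscribe-form POSTs arriving
# at /mailman/subscribe/<listname> as in a Mailman 2.1 install.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SUBSCRIBE_RE = re.compile(r"^/mailman/subscribe/(?P<list>[^/?]+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def referer_host(referer):
    """Lower-cased host part of a Referer value; '-' when absent or empty."""
    if not referer or referer == "-":
        return "-"
    return (urlsplit(referer).hostname or "-").lower()


def referer_blocked(referer):
    """True when the Referer names a known abuse host or one of its subdomains."""
    host = referer_host(referer)
    return any(host == bad or host.endswith("." + bad) for bad in BAD_REFERER_HOSTS)


def subscribe_events(lines):
    """Yield (timestamp, source ip, list name, referer) for each subscribe POST."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m.group("method") != "POST":
            continue
        sm = SUBSCRIBE_RE.match(m.group("path"))
        if sm:
            ts = datetime.strptime(m.group("ts"), TS_FMT)
            yield ts, m.group("ip"), sm.group("list"), m.group("referer")


def analyze(lines, window=timedelta(minutes=10), threshold=5):
    """Count subscribe POSTs by referer host and by source IP, and flag lists
    that receive POSTs from `threshold` or more distinct IPs in one `window`
    (per-IP counts alone stay low when the flood is spread across hosts)."""
    by_referer_host, by_ip = Counter(), Counter()
    per_list = defaultdict(list)
    total = bad = 0
    for ts, ip, lst, ref in subscribe_events(lines):
        total += 1
        if referer_blocked(ref):
            bad += 1
        by_referer_host[referer_host(ref)] += 1
        by_ip[ip] += 1
        per_list[lst].append((ts, ip))

    burst_lists = {}
    for lst, events in per_list.items():
        events.sort()
        start = 0  # sliding window over time-ordered events
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({ip for _, ip in events[start:end + 1]})
            if distinct >= threshold:
                burst_lists[lst] = max(burst_lists.get(lst, 0), distinct)

    return {"subscribe_posts": total, "bad_referer_hits": bad,
            "by_referer_host": by_referer_host,
            "top_sources": by_ip.most_common(5), "burst_lists": burst_lists}


def block_bad_referer(app):
    """WSGI wrapper answering 404 to subscribe POSTs with a known abuse Referer
    (Stephen's suggestion). Illustrative: Mailman 2.1 uses CGI, not WSGI."""
    def wrapped(environ, start_response):
        if (environ.get("REQUEST_METHOD") == "POST"
                and SUBSCRIBE_RE.match(environ.get("PATH_INFO", ""))
                and referer_blocked(environ.get("HTTP_REFERER", ""))):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        return app(environ, start_response)
    return wrapped


# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.10 - - [22/Oct/2012:18:00:01 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 3120 "http://mailbait.info/" "Mozilla/5.0"',
    '198.51.100.11 - - [22/Oct/2012:18:01:15 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 3120 "http://mailbait.info/run" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Oct/2012:18:01:30 -0700] "GET /mailman/listinfo/staff HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Oct/2012:18:02:40 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 3120 "http://lists.example.edu/mailman/listinfo/staff" "Mozilla/5.0"',
    '192.0.2.20 - - [22/Oct/2012:18:04:02 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.21 - - [22/Oct/2012:18:05:10 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.22 - - [22/Oct/2012:18:40:00 -0700] "POST /mailman/subscribe/students HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, only two of the six subscribe POSTs carry the mailbait.info Referer, yet the "staff" list is still flagged because five distinct addresses hit its form within ten minutes; that per-list view is what survives when the Referer is stripped or the traffic comes from the ISP DHCP ranges Gary mentions. Tune `window` and `threshold` to a list's normal signup rate before acting on the flag.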
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
I personally don't care for CAPTCHA but it exists for a reason. If anyone can suggest a better solution I would love to hear it. Right now Mailman is being exploited to email bomb individuals and DOS email systems. This cannot continue.

Gary Kalbfleisch
Sent from my iPod

On Oct 22, 2012, at 6:08 PM, Brad Knowles b...@shub-internet.org wrote:

> On Oct 22, 2012, at 5:40 PM, Stephen J. Turnbull turnb...@sk.tsukuba.ac.jp wrote:
>
>> I'm dubious about the net value of CAPTCHAs. Personally, I generally take a CAPTCHA as a "NO TRESPASSING -- THIS MEANS YOU!" sign, and don't go back.
>
> CAPTCHAs are already at the point where advanced code can apply statistical methods and solve them faster and better than many humans. Moreover, they have been problematic for a long time -- see http://www.tkachenko.com/blog/archives/000537.html, http://ezinearticles.com/?Captchas-Considered-Harmful---Why-Captchas-Are-Bad-And-How-You-Can-Do-Betterid=1104207, and http://coding.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/, among others. IMO, CAPTCHAs have already jumped the shark.
>
> --
> Brad Knowles b...@shub-internet.org
> LinkedIn Profile: http://tinyurl.com/y8kpxu
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
Kalbfleisch, Gary writes:

> I personally don't care for CAPTCHA but it exists for a reason.

Sure, the eternal search for easy solutions to difficult problems.

> If anyone can suggest a better solution I would love to hear it. Right now Mailman is being exploited to email bomb individuals and DOS email systems. This cannot continue.

It's not obvious there are better solutions. It's pretty obvious that CAPTCHA is at a stage where serious miscreants won't be slowed much by it (there are canned solutions, and even in 2009 they were good enough for automated mischief-making), while it does bother legitimate users.

You're right that it can't continue, but I don't really know if there's a way out. It may just not be possible to advertise open-subscription lists without attracting such abuse.

One thing we could try is to encourage use of OpenID (which Mailman doesn't support AFAIK, but there may be third-party patches, and I bet Mark (2.1 series) and Barry (Next Generation) would both be happy to see it). I guess mailbomb.com could just automate creation of GMail or Hotmail accounts, so it wouldn't be a permanent solution. But it would be transparent to most users, and some would be actively pleased by it.
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
On Tue, 2012-10-23 at 01:31 +, Kalbfleisch, Gary wrote:

> I personally don't care for CAPTCHA but it exists for a reason. If anyone can suggest a better solution I would love to hear it. Right now Mailman is being exploited to email bomb individuals and DOS email systems. This cannot continue.

Take a look at http://areyouahuman.com/. While this technology may not solve all the problems presented by CAPTCHAs, this is certainly a promising direction in which to look for alternatives.

--
Lindsay Haisley          | "Behold! Our way lies through a
FMP Computer Services    |  dark wood whence in which
512-259-1190             |  weirdness may wallow!"
http://www.fmp.com       |           --Beauregard