[Mailman-Users] Mailman Downgrade from 2.1.15 to 2.1.13 possible ?
Hello! Is a downgrade from Mailman 2.1.15 to 2.1.13 possible? I know downgrades are not officially supported. If it is possible, what do I have to do? Thanks.
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
[Mailman-Users] POST based subscribe attacks
Hi all,

We at KDE are currently experiencing attacks upon our Mailman installation, attempting to subscribe random email addresses (which more often than not are valid unfortunately). These attacks are conducted essentially through performing mass HTTP POST requests to /subscribe/listname with few proceeding GET requests.

It seems that the attackers are capitalizing on Mailman's lack of CSRF protection. Does anyone know if there are plans to add CSRF protection into Mailman 2? Alternately, is anyone aware of any form of CAPTCHA protection which can be applied to Mailman?

It has gotten to the point where we have had to disable web based subscriptions to our mailing lists due to this abuse.

Thanks,
Ben Cooksley
KDE Sysadmin
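The pattern described in the message above (many POSTs to the subscribe URL with few GET requests for the form beforehand) can be looked for in the web server's access log. The following is an added example, not part of the original message: it assumes Apache combined log format, chronologically ordered lines and the usual listinfo/subscribe URL paths, and the sample lines, the one-hour window and the threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Oct/2012:13:01:02 +0000] "GET /mailman/listinfo/kde-devel HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Oct/2012:13:01:40 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2012:13:02:00 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [28/Oct/2012:13:02:01 +0000] "POST /mailman/subscribe/kde-announce HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [28/Oct/2012:13:02:01 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [28/Oct/2012:13:02:02 +0000] "POST /mailman/subscribe/kde-announce HTTP/1.1" 200 2048 "-" "-"
192.0.2.44 - - [28/Oct/2012:13:05:00 +0000] "POST /mailman/subscribe/kde-devel HTTP/1.1" 200 2048 "-" "curl/7.26"
203.0.113.9 - - [28/Oct/2012:13:05:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"
"""

# client, timestamp, method and path of one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} ')
# the two Mailman CGI pages of interest and the list name that follows
PAGE_RE = re.compile(r"/(listinfo|subscribe)/([^/?#]+)")


def find_blind_subscribers(log_text, window=timedelta(hours=1), min_blind=3):
    """Return clients whose subscribe POSTs were not preceded by a listinfo GET.

    A POST counts as "blind" when the same client did not fetch the listinfo
    page of the same list within `window` before it. Clients with at least
    `min_blind` such POSTs are returned as
    (client, blind_posts, total_posts, sorted_list_names).
    """
    last_form_fetch = {}  # (client, list) -> time of the latest listinfo GET
    stats = defaultdict(lambda: {"posts": 0, "blind": 0, "lists": set()})

    for line in log_text.splitlines():
        entry = LINE_RE.match(line)
        if not entry:
            continue  # not a combined-format line
        client, stamp, method, path = entry.groups()
        page = PAGE_RE.search(path)
        if not page:
            continue  # some other URL
        kind, listname = page.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

        if method == "GET" and kind == "listinfo":
            last_form_fetch[(client, listname)] = when
        elif method == "POST" and kind == "subscribe":
            record = stats[client]
            record["posts"] += 1
            record["lists"].add(listname)
            fetched = last_form_fetch.get((client, listname))
            if fetched is None or when - fetched > window:
                record["blind"] += 1

    return sorted(
        (client, rec["blind"], rec["posts"], sorted(rec["lists"]))
        for client, rec in stats.items()
        if rec["blind"] >= min_blind
    )


if __name__ == "__main__":
    for client, blind, total, lists in find_blind_subscribers(SAMPLE_LOG):
        print("%s: %d of %d subscribe POSTs without a form fetch, lists: %s"
              % (client, blind, total, ", ".join(lists)))
```

A client that fetches the form once and then posts repeatedly is not counted as blind here, so the output is a starting point for rate limiting or blocking, not a complete picture.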
Re: [Mailman-Users] POST based subscribe attacks
On 10/28/2012 1:27 PM, Ben Cooksley wrote:
> Alternately, is anyone aware of any form of CAPTCHA protection which can be applied to Mailman?

There was a recent thread that discussed this very thing: starting at http://www.mail-archive.com/mailman-users%40python.org/msg61769.html.

z!
[Mailman-Users] mailan and postfix config problems
I am migrating mailman lists from somedomain.org to lists.somedomain.org

I can create new lists for lists.somedomain.org and receive mail from the list but sending mail to lists.somedomain.org results in Recipient address rejected: User unknown;

I know this is postfix related but I am following the postfix config INSTALL instructions from /var/lib/mailman/bin/postfix-to-mailman.py and I have edited...

    /etc/postfix/main.cf
    /etc/postfix/master.cf
    /etc/postfix/transport
    /etc/mailman/mm_cfg.py

..as per those instructions. I have also read these guides which provide more or less identical instructions.

http://wiki.debian.org/Postfix#Mailman_with_Postfix
http://library.linode.com/email/mailman/debian-6-squeeze

The relevant section of my /etc/postfix/main.cf looks like this

    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases
    virtual_alias_maps = hash:/etc/postfix/virtual
    local_recipient_maps = $alias_maps, proxy:unix:passwd.byname
    relay_domains = $mydestination, lists.somedomain.org
    relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
    transport_maps = hash:/etc/postfix/transport
    mailman_destination_recipient_limit = 1

Something I find odd is that with the above config, when I create a new list nothing is being written to the file: /var/lib/mailman/data/virtual-mailman

I understood that should happen automatically.
Re: [Mailman-Users] POST based subscribe attacks
Ben Cooksley wrote:
> It seems that the attackers are capitalizing on Mailman's lack of CSRF protection. Does anyone know if there are plans to add CSRF protection into Mailman 2?

It depends what you mean by CSRF protection. If you mean true protection based on something like the addition and validation of some nonce in URLs, then no, there are no plans to do this.

However, the admin interface in Mailman 2.1.15 has been somewhat hardened against CSRF. The following is from the 2.1.15 section of the NEWS file

    The web admin interface has been hardened against CSRF attacks by adding a hidden, encrypted token with a time stamp to form submissions and not accepting authentication by cookie if the token is missing, invalid or older than the new mm_cfg.py setting FORM_LIFETIME which defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation which is only one of his many contributions to Mailman prior to his death from cancer on 14 January 2012.

This hardening does not extend to the subscribe form, but I doubt that CSRF is involved there as no authentication is required to POST a subscribe request. Anyone can GET the listinfo page and then post the form data. Otherwise, it wouldn't be very useful as a user subscription request.

Also, see the thread at http://mail.python.org/pipermail/mailman-users/2012-October/074213.html referred to in Carl's reply.

--
Mark Sapiro m...@msapiro.net              The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan
Re: [Mailman-Users] Mailman Downgrade from 2.1.15 to 2.1.13 possible ?
Torsten Giebl wrote:
> Is a downgrade from Mailman 2.1.15 to 2.1.13 possible ? I know downgrades are not officially supported. If it is possible, what do i have to do ?

It should be possible without problems, but why do you want to do this? Perhaps what you want to accomplish can be done by configuration changes in Mailman 2.1.15.

Assuming you installed Mailman 2.1.15 from a GNU Mailman project tarball distribution, downgrade would be accomplished by downloading and unpacking the 2.1.13 tarball (See https://launchpad.net/mailman/+download?memo=10start=10), and running configure and make, stopping Mailman and possibly the web server, running make install and starting the stopped services just as you would for an upgrade.

Note that make install runs bin/update which will detect the downgrade, issue a warning and do nothing. You can ignore the warning in this case.

Note that this process won't work for all downgrades because of irreversible database changes that have occurred, but it should be OK for 2.1.15 - 2.1.13.

--
Mark Sapiro m...@msapiro.net              The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
On Thu, 2012-10-18 at 23:53 +, Kalbfleisch, Gary wrote:
> I am running 2.1.9 because that is the latest version available from Redhat as a package.

It's relatively simple to install Mailman from the source package, but one thing that would help a great deal with this would be default inclusion in the built package of a standard text or script that would contain, or issue, the arguments provided to configure during the build process. There are several critical parameters including the prefix, the var-prefix and of course the mail-gid which ought to be readily available for this purpose.

If you've already built Mailman from source, this information is of course available in the config.log, but for people installing Mailman from an outdated package from a distribution, and wanting to catch up with the latest improvements or security fixes, having this information available as part of the distributed end product would be a big help. This is already done for many large and complex packages, and would be a big help in making the transition from a pre-built Mailman package to a source-based update.

Maybe this information is already available. I only spent about 5 minutes looking for it outside of the source tree and couldn't find it.

--
Lindsay Haisley       | Behold! Our way lies through a
FMP Computer Services | dark wood whence in which
512-259-1190          | weirdness may wallow!”
http://www.fmp.com    |            --Beauregard
Re: [Mailman-Users] mailan and postfix config problems
soportek wrote:
> [...] I know this is postfix related but I am following the postfix config INSTALL instructions from /var/lib/mailman/bin/postfix-to-mailman.py
> [...]
> I have also read these guides which provide more or less identical instructions.
>
> http://wiki.debian.org/Postfix#Mailman_with_Postfix
> http://library.linode.com/email/mailman/debian-6-squeeze
>
> The relevant section of my /etc/postfix/main.cf looks like this
>
>     alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
>     alias_database = hash:/etc/aliases
>     virtual_alias_maps = hash:/etc/postfix/virtual
>     local_recipient_maps = $alias_maps, proxy:unix:passwd.byname
>     relay_domains = $mydestination, lists.somedomain.org
>     relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
>     transport_maps = hash:/etc/postfix/transport
>     mailman_destination_recipient_limit = 1
>
> Something I find odd is that with the above config, when I create a new list nothing is being written to the file: /var/lib/mailman/data/virtual-mailman

First see the FAQ at http://wiki.list.org/x/OIDD.

Then see the results of this Google search http://www.google.com/search?q=site:mail.python.org+inurl%3Amailman-users+%22postfix_to_mailman.py%22; in particular see http://mail.python.org/pipermail/mailman-users/2012-September/074017.html

postfix_to_mailman.py is a third-party package which is not distributed by the GNU Mailman project, nor is it officially supported by the GNU Mailman project. It is an alternative to and incompatible with delivery to mailman via aliases and virtual alias maps.

--
Mark Sapiro m...@msapiro.net              The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
On 10/29/2012 11:25 AM, Lindsay Haisley wrote:
> On Thu, 2012-10-18 at 23:53 +, Kalbfleisch, Gary wrote:
>> I am running 2.1.9 because that is the latest version available from Redhat as a package.
>
> It's relatively simple to install Mailman from the source package, but one thing that would help a great deal with this would be default inclusion in the built package of a standard text or script that would contain, or issue, the arguments provided to configure during the build process.
> [...]
> Maybe this information is already available. I only spent about 5 minutes looking for it outside of the source tree and couldn't find it.

See http://wiki.list.org/x/KYCB and the Mailman-Developers post linked therefrom. It's probably out of date and does not directly address the issue of making this information available as part of the 3rd party package, but it is probably still useful to someone trying to upgrade RedHat Mailman from source.

--
Mark Sapiro m...@msapiro.net              The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
On Mon, 2012-10-29 at 11:43 -0700, Mark Sapiro wrote:
> See http://wiki.list.org/x/KYCB and the Mailman-Developers post linked therefrom. It's probably out of date and does not directly address the issue of making this information available as part of the 3rd party package, but it is probably still useful to someone trying to upgrade RedHat Mailman from source.

Yes, this article is very informative, and at present may be the best thing available for an old-package to new-source upgrade. And yes, it does not address the issue of making this information available as a default part of the 3rd party package.

Such an enhancement would obviously not help anyone using a currently older Mailman package, but going forward, say into MM3, it might be a good idea to make this information available in some such way. I use courier as a MTA, and courier has a courier-config executable in /usr/bin which spits out all sorts of useful build information, including the package creator's build-time configure args.

--
Lindsay Haisley       | The difference between a duck is because
FMP Computer Services | one leg is both the same
512-259-1190          |            - Anonymous
http://www.fmp.com    |
Re: [Mailman-Users] POST based subscribe attacks
* Ben Cooksley bcooks...@kde.org:
> Hi all,
>
> We at KDE are currently experiencing attacks upon our Mailman installation, attempting to subscribe random email addresses (which more often than not are valid unfortunately). These attacks are conducted essentially through performing mass HTTP POST requests to /subscribe/listname with few proceeding GET requests.
>
> It seems that the attackers are capitalizing on Mailman's lack of CSRF protection. Does anyone know if there are plans to add CSRF protection into Mailman 2? Alternately, is anyone aware of any form of CAPTCHA protection which can be applied to Mailman?
>
> It has gotten to the point where we have had to disable web based subscriptions to our mailing lists due to this abuse.

Interestingly this could be the cause for the recent onslaught of fake subscription attempts at mail.python.org

You definitely get a +1 for me on this one :)

--
Ralf Hildebrandt                    Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de         Campus Benjamin Franklin
http://www.charite.de               Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk  fon: +49-30-450.570.155
Re: [Mailman-Users] POST based subscribe attacks
On Tue, Oct 30, 2012 at 6:40 AM, Mark Sapiro m...@msapiro.net wrote:
> Ben Cooksley wrote:
>> It seems that the attackers are capitalizing on Mailman's lack of CSRF protection. Does anyone know if there are plans to add CSRF protection into Mailman 2?
>
> It depends what you mean by CSRF protection. If you mean true protection based on something like the addition and validation of some nonce in URLs, then no, there are no plans to do this.

I mean placing some form of unique token in the form itself on the web page, and validating this token on the server side.

> However, the admin interface in Mailman 2.1.15 has been somewhat hardened against CSRF. The following is from the 2.1.15 section of the NEWS file

That is good news.

>     The web admin interface has been hardened against CSRF attacks by adding a hidden, encrypted token with a time stamp to form submissions and not accepting authentication by cookie if the token is missing, invalid or older than the new mm_cfg.py setting FORM_LIFETIME which defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation which is only one of his many contributions to Mailman prior to his death from cancer on 14 January 2012.
>
> This hardening does not extend to the subscribe form, but I doubt that CSRF is involved there as no authentication is required to POST a subscribe request. Anyone can GET the listinfo page and then post the form data. Otherwise, it wouldn't be very useful as a user subscription request.

A pity, as the subscription form definitely could do with the same form of protection. The need to retrieve another page, parse the html to get the CSRF token and then generate an appropriate POST request would represent a much larger obstacle than the current Mailman subscription system, which provides no protection.

> Also, see the thread at http://mail.python.org/pipermail/mailman-users/2012-October/074213.html referred to in Carl's reply.

While I'm aware that CAPTCHAs can be broken, it does raise the level of difficulty the spammer must go through to abuse your service.

> --
> Mark Sapiro m...@msapiro.net              The highway is for gamblers,
> San Francisco Bay Area, California        better use your sense - B. Dylan

Regards,
Ben Cooksley
KDE Sysadmin
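The token scheme discussed in this message (a unique token placed in the form and validated on the server) and the time-stamped token with FORM_LIFETIME quoted from the NEWS file could look like the following on a subscribe form. This is an added example, not part of the original message and not Mailman's implementation: it uses an HMAC-signed token rather than an encrypted one, and the field name sub_form_token, the secret and the binding to list name and client address are assumptions.

```python
import hashlib
import hmac
import html
import time

FORM_LIFETIME = 3600  # seconds; the one-hour default quoted from the NEWS file
SECRET = b"constructed-demo-secret"  # assumption: per-site random secret
FIELD = "sub_form_token"             # hypothetical hidden field name


def _mac(secret, issued, listname, remote_addr):
    """HMAC over issue time, list name and client address."""
    message = "%d|%s|%s" % (issued, listname, remote_addr)
    return hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()


def make_form_token(secret, listname, remote_addr, now=None):
    """Token to embed when the listinfo page is served (the GET)."""
    issued = int(time.time() if now is None else now)
    return "%d:%s" % (issued, _mac(secret, issued, listname, remote_addr))


def hidden_field(token):
    """HTML for the hidden input carrying the token."""
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD, html.escape(token, quote=True))


def check_form_token(secret, listname, remote_addr, token,
                     now=None, lifetime=FORM_LIFETIME):
    """Return 'ok', 'missing-or-malformed', 'invalid' or 'expired'."""
    now = int(time.time() if now is None else now)
    try:
        issued_text, mac = token.split(":", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return "missing-or-malformed"
    expected = _mac(secret, issued, listname, remote_addr)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii")):
        return "invalid"
    if issued > now or now - issued > lifetime:
        return "expired"
    return "ok"


def accept_subscribe_post(form, listname, remote_addr, now=None):
    """Gate for the subscribe handler: only a POST with a fresh token passes."""
    verdict = check_form_token(SECRET, listname, remote_addr,
                               form.get(FIELD), now)
    return verdict == "ok" and "@" in form.get("email", "")


if __name__ == "__main__":
    token = make_form_token(SECRET, "kde-devel", "198.51.100.7")
    print(hidden_field(token))
    print(accept_subscribe_post({"email": "user@example.org", FIELD: token},
                                "kde-devel", "198.51.100.7"))
    print(accept_subscribe_post({"email": "user@example.org"},
                                "kde-devel", "203.0.113.9"))
```

A client that first GETs the listinfo page receives a valid token, so this rejects only POSTs sent without fetching the form, which is the limit raised in the quoted reply.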
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
On Mon, 2012-10-29 at 14:14 -0500, Lindsay Haisley wrote:
> On Mon, 2012-10-29 at 11:43 -0700, Mark Sapiro wrote:
>> See http://wiki.list.org/x/KYCB and the Mailman-Developers post linked therefrom. It's probably out of date and does not directly address the issue of making this information available as part of the 3rd party package, but it is probably still useful to someone trying to upgrade RedHat Mailman from source.
>
> Yes, this article is very informative, and at present may be the best thing available for an old-package to new-source upgrade. And yes, it does not address the issue of making this information available as a default part of the 3rd party package.

Adding this feature would involve only about 6 lines of code :) in configure.in:

--- configure.in.orig 2012-10-29 14:37:31.0 -0500 +++ configure.in2012-10-29 14:59:13.0 -0500 @@ -18,7 +18,8 @@ AC_REVISION($Revision: 8122 $) AC_PREREQ(2.0) AC_INIT(src/common.h) - +CONFIGURE_CLI=$0 $@ +AC_SUBST(CONFIGURE_CLI) # /usr/local/mailman is the default installation directory AC_PREFIX_DEFAULT(/usr/local/mailman) 
@@ -683,6 +684,7 @@ contrib/qmail-to-mailman.py \ contrib/courier-to-mailman.py \ contrib/rotatelogs.py \ +contrib/mm-config \ cron/bumpdigests \ cron/checkdbs \ cron/cull_bad_shunt \

And in the contrib directory, a short script, mm-config, to display this information:

    #!/usr/bin/python
    # Print the configure command line recorded at build time.
    print("Mailman was built with the following configuration invocation: %s" % ("@CONFIGURE_CLI@",))

This properly belongs on the mailman-developers list, so please excuse my posting it on the thread here, but I thought the discussion might be useful. I also posted it to the developers list.

--
Lindsay Haisley       | Real programmers use butterflies
FMP Computer Services |
512-259-1190          |            - xkcd
http://www.fmp.com    |
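Review bot: In the first hunk (configure.in, @@ -18,7 +18,8 @@), the added line CONFIGURE_CLI=$0 $@ has an unquoted right-hand side as shown, so when configure is given arguments the shell assigns only $0 and tries to run the first argument as a command; quote the value, for example CONFIGURE_CLI="$0 $*". Even when quoted, the flattened string loses the boundaries of arguments that contain spaces, and because the value is later substituted into a string literal in mm-config, an argument containing a quote character or a backslash would break or change that script, so the value should be escaped before AC_SUBST.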
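Review bot: In the second hunk (@@ -683,6 +684,7 @@), contrib/mm-config is added to the file list next to the other contrib and cron entries, but the patch as posted has no hunk that adds a contrib/mm-config.in template, so there is nothing for the @CONFIGURE_CLI@ substitution to be applied to; the script is given only in the message text. Include the template in the diff, and add whatever change installs the generated script and marks it executable, since neither hunk shows one.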
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
I like to stick with packages when possible because it makes maintenance much easier. This is really a non-issue since the current version of Mailman does not have a fix for this problem.

Thank you,
-- Gary Kalbfleisch
-- Director of Technology Support Services
-- Shoreline Community College
-- (206) 546-5813
-- (206) 546-6943 Fax

-Original Message-
From: Mailman-Users [mailto:mailman-users-bounces+garyk=shoreline@python.org] On Behalf Of Lindsay Haisley
Sent: Monday, October 29, 2012 11:25 AM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

On Thu, 2012-10-18 at 23:53 +, Kalbfleisch, Gary wrote:
> I am running 2.1.9 because that is the latest version available from Redhat as a package.

It's relatively simple to install Mailman from the source package, but one thing that would help a great deal with this would be default inclusion in the built package of a standard text or script that would contain, or issue, the arguments provided to configure during the build process. There are several critical parameters including the prefix, the var-prefix and of course the mail-gid which ought to be readily available for this purpose.

If you've already built Mailman from source, this information is of course available in the config.log, but for people installing Mailman from an outdated package from a distribution, and wanting to catch up with the latest improvements or security fixes, having this information available as part of the distributed end product would be a big help. This is already done for many large and complex packages, and would be a big help in making the transition from a pre-built Mailman package to a source-based update.

Maybe this information is already available. I only spent about 5 minutes looking for it outside of the source tree and couldn't find it.

--
Lindsay Haisley       | Behold! Our way lies through a
FMP Computer Services | dark wood whence in which
512-259-1190          | weirdness may wallow!”
http://www.fmp.com    |            --Beauregard
Re: [Mailman-Users] mailan and postfix config problems
On 10/29/2012 12:36 PM, Mark Sapiro wrote:
> soportek wrote:
>> [...] I know this is postfix related but I am following the postfix config INSTALL instructions from /var/lib/mailman/bin/postfix-to-mailman.py
>> [...]
>
> First see the FAQ at http://wiki.list.org/x/OIDD.
>
> Then see the results of this Google search http://www.google.com/search?q=site:mail.python.org+inurl%3Amailman-users+%22postfix_to_mailman.py%22; in particular see http://mail.python.org/pipermail/mailman-users/2012-September/074017.html
>
> postfix_to_mailman.py is a third-party package which is not distributed by the GNU Mailman project, nor is it officially supported by the GNU Mailman project. It is an alternative to and incompatible with delivery to mailman via aliases and virtual alias maps.

Ah! Sorry I had no idea this script wasn't developed by the GNU Mailman project. I must be the Nth person to bother the list about it. Funny that none of my searches turned up that important detail.

Seems like it might be a good idea to recommend against using this script directly in one of the FAQs on the mailman site or here http://wiki.list.org/display/DOC/Integrating+Mailman+with+postfix
Re: [Mailman-Users] POST based subscribe attacks
Ben Cooksley writes:
> A pity, as the subscription form definitely could do with the same form of protection.

Think about what you're saying. Open subscription either means open subscription, or an admin has to do all the work. There's no third way. (Well, there is, but it only applies to lists that don't need to allow subscriptions from outside the firewall, and cannot be implemented in Mailman itself.)

> While I'm aware that CAPTCHAs can be broken, it does raise the level of difficulty the spammer must go through to abuse your service.

No, it doesn't. It's a one-time investment for the spammers, and raises the level of difficulty for the *first* victim. After that, it's all free to them.

If you want CAPTCHA, what you *want* to do is to implement it yourself. Once it becomes standard in Mailman, it will be broken (probably weeks before the official release), the exploit will be on sale (ditto), and CAPTCHA will be worthless to you from then on.

Personally, I haven't seen any evidence of these attacks. My lists max at less than 1000 users, most are less than a dozen. I suspect this means that these miscreants are going after big lists because they're big. If so, there is probably enough profit in it that they can afford to hire people to solve CAPTCHAs and PlayThru.

We need to rethink the whole model. :-(
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
On Mon, 2012-10-29 at 21:04 +, Kalbfleisch, Gary wrote:
> I like to stick with packages when possible because it makes maintenance much easier.

As do I. There are times, however, when mission-critical packages in a distribution are outdated, or absent, or broken and building from source is the only option. IMHO, having the knowledge and the tools on one's system to do builds from the upstream source is an important system administration skill.

I always seem to have one or two packages on any box that end up being built from source. Mailman is one of them, because I have a number of patches for it that I've developed, and because building and installing it from source is very easy. Juggling packages vs. upstream source is something you get used to. All package management systems that I know of have ways of freezing packages at a certain level or version so that your custom builds don't get crosswise of package management.

--
Lindsay Haisley       | Real programmers use butterflies
FMP Computer Services |
512-259-1190          |            - xkcd
http://www.fmp.com    |
Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests
Don't assume that I don't have the skills. I have been building the linux os from source since long before most people even heard of the Internet. I manage my time very carefully, and mailman is a very small part of what I do. The newest version of mailman does not resolve any of the issues that I have been experiencing if you have read my posts. I have implemented the security measures required using other means until such a time that they are resolved in mailman.

Regards
Gary Kalbfleisch

Sent from my iPod

On Oct 29, 2012, at 8:37 PM, Lindsay Haisley fmouse-mail...@fmp.com wrote:
> On Mon, 2012-10-29 at 21:04 +, Kalbfleisch, Gary wrote:
>> I like to stick with packages when possible because it makes maintenance much easier.
>
> As do I. There are times, however, when mission-critical packages in a distribution are outdated, or absent, or broken and building from source is the only option. IMHO, having the knowledge and the tools on one's system to do builds from the upstream source is an important system administration skill.
>
> I always seem to have one or two packages on any box that end up being built from source. Mailman is one of them, because I have a number of patches for it that I've developed, and because building and installing it from source is very easy. Juggling packages vs. upstream source is something you get used to. All package management systems that I know of have ways of freezing packages at a certain level or version so that your custom builds don't get crosswise of package management.
>
> --
> Lindsay Haisley       | Real programmers use butterflies
> FMP Computer Services |
> 512-259-1190          |            - xkcd
> http://www.fmp.com    |