Re: [Mailman-Users] postfix MTA - getting smtpd...mailman/data/aliases.db: Permission denied (doh!)
In one word - selinux. Disable it now. Get to work. It is about risk vs. reward. Don old UNIX cap and IMHO - it may someday it may not be so much of a philosophy and usable by the masses - or it may end up like emacs and remain one. Jim Davis -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Export all subsribers
On Sunday, 08.06.2014, at 20:11 +0300, EyeLand wrote:
> Hello, on mailing list I have many emails on Membership Management... - [Membership List], how I can export all on txt file? Thank you.

/usr/sbin/list_members -o filename listname

regards
Bjoern
-- 
xmpp b...@schafweide.org
bjo.nord-west.org | nord-west.org
Re: [Mailman-Users] Mailman-Users Digest, Vol 124, Issue 8
2014-06-09 13:00 GMT+03:00 mailman-users-requ...@python.org:
> Message: 3
> Date: Sun, 8 Jun 2014 16:40:35 -0400
> From: Rich Kulawiec r...@gsp.org
> To: mailman-users@python.org
> Subject: Re: [Mailman-Users] Export all subsribers
> Message-ID: 20140608204035.ga29...@gsp.org
> Content-Type: text/plain; charset=us-ascii
>
> On Sun, Jun 08, 2014 at 08:11:54PM +0300, EyeLand wrote:
> > Hello, on mailing list I have many emails on Membership Management... - [Membership List], how I can export all on txt file? Thank you.
>
> From the shell:
>
>     ~mailman/bin/list_members name-of-mailing-list
>
> will put the list on stdout, so you could redirect it to a file if you wish:
>
>     ~mailman/bin/list_members name-of-mailing-list > roster
>
> If you have a number of mailing lists and want to dump them all, you could use something along the lines of:
>
>     #!/bin/csh
>     set filelist = `~mailman/bin/list_lists -b`
>     foreach i ($filelist)
>         ~mailman/bin/list_members $i > $i.roster
>     end
>
> which will create a series of files whose names consist of the name of each mailing list suffixed with .roster.
>
> ---rsk

root@vps1:~# ~mailman/bin/list_members mailman
-bash: ~mailman/bin/list_members: No such file or directory

OR

root@vps1:~# ~mailman/bin/list_members mailman@host
-bash: ~mailman/bin/list_members: No such file or directory

where I can read right name of my mailing list?
Re: [Mailman-Users] Mailman-Users Digest, Vol 124, Issue 8
2014-06-09 21:42 GMT+03:00 Gerry Grieve gri...@phas.ubc.ca:
> This complaint is NOT about the list name but about the program name “~mailman/bin/list_members mailman”, ie the shell did not find list_members with this path. Use the “locate” command to find your mailman/bin directory. ie
>
>     > locate list_members
>
> ttfn
> -- 
> Gerry R. Grieve                 ph: 604-822-4320
> Systems Manager,                fax: 604-822-5324
> Physics Astronomy, UBC
> 6224 Agricultural Rd.
> Vancouver, BC, Canada V6T 1Z1

root@vps1:~# locate list_members
/usr/lib/mailman/bin/list_members
/usr/sbin/list_members
/usr/share/bash-completion/completions/list_members
/usr/share/man/man8/list_members.8.gz
Re: [Mailman-Users] Export all subsribers
On 06/09/2014 11:32 AM, EyeLand wrote:
> root@vps1:~# ~mailman/bin/list_members mailman
> -bash: ~mailman/bin/list_members: No such file or directory
>
> OR
>
> root@vps1:~# ~mailman/bin/list_members mailman@host
> -bash: ~mailman/bin/list_members: No such file or directory
>
> where I can read right name of my mailing list?

If this is cPanel, You need to use the cPanel list name of the form mailman_host. I.e., it's usually the list's posting address with the '@' replaced by '_'.

In any case, it's the same name as used in URLs like http://HOST/mailman/listinfo/LIST_HOST.

(and please don't post with digest subjects.)

-- 
Mark Sapiro m...@msapiro.net           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Export all subsribers
On 06/09/2014 12:49 PM, EyeLand wrote:
> root@vps1:~# locate list_members
> /usr/lib/mailman/bin/list_members
> /usr/sbin/list_members

Since whatever packaged Mailman this is has put (copies of? links to?) mailman's bin commands in /usr/sbin, as root you can probably just do

    list_members mailman

or you can always do

    /usr/lib/mailman/bin/list_members mailman

(apparently ~mailman doesn't resolve to /usr/lib/mailman)

-- 
Mark Sapiro m...@msapiro.net           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Export all subsribers
2014-06-09 22:51 GMT+03:00 Mark Sapiro m...@msapiro.net:
> If this is cPanel, You need to use the cPanel list name of the form mailman_host. I.e., it's usually the list's posting address with the '@' replaced by '_'.
>
> In any case, it's the same name as used in URLs like http://HOST/mailman/listinfo/LIST_HOST.
>
> (and please don't post with digest subjects.)

url http://vps1.ournet.biz/cgi-bin/mailman/listinfo/mailman
email mail...@vps1.ournet.biz
control panel ISPConfig https://vps1.ournet.biz:8080/

now I want only to export all emails (10 000) to txt file from that mailman list

> Since whatever packaged Mailman this is has put (copies of? links to?) mailman's bin commands in /usr/sbin, as root you can probably just do
>
>     list_members mailman
>
> or you can always do
>
>     /usr/lib/mailman/bin/list_members mailman
>
> (apparently ~mailman doesn't resolve to /usr/lib/mailman)

yes I open putty as root
Re: [Mailman-Users] Export all subsribers
On 06/09/2014 01:16 PM, EyeLand wrote:
> url http://vps1.ournet.biz/cgi-bin/mailman/listinfo/mailman
> email mail...@vps1.ournet.biz
> control panel ISPConfig https://vps1.ournet.biz:8080/
>
> now I want only to export all emails (10 000) to txt file from that mailman list

First, do

    list_members --help

to see what all the options are, or based on your earlier reported 'locate' results you could do

    man list_members

Then you may want something like

    list_members mailman > /path/to/output/file

if you only want email addresses or maybe

    list_members -f mailman > /path/to/output/file

if you want the member's names if available.

-- 
Mark Sapiro m...@msapiro.net           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Export all subsribers
On 06/09/2014 01:16 PM, EyeLand wrote:
> url http://vps1.ournet.biz/cgi-bin/mailman/listinfo/mailman
> email mail...@vps1.ournet.biz
> control panel ISPConfig https://vps1.ournet.biz:8080/
>
> now I want only to export all emails (10 000) to txt file from that mailman list

If I interpret the poster's request, EyeLand wants all of the messages that have been posted to the list in a .txt file. If this is the case, then the list archives in

    $listname.mbox/$listname.mbox

has all of the posted mail messages in mbox format. That is essentially a .txt file with a

    From email address date

line beginning in column 1 at the start of each message in the file.

--Barry Finkel
[Mailman-Users] Yahoo - what chance of change now?
It's now about 2 months since Yahoo introduced their DMARC reject policy. I'm taking this as a sign that it's unlikely that they'll ever reverse the decision.

Has anyone heard anything that might indicate otherwise? Or that any mailbox providers other than Yahoo and AOL have started doing it, or have indicated that they ever/never will?

Peter Shute
[Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
If you (Mailman site operators) have a spare moment, please try running this:

-- cut here --
#!/bin/sh
# Run from the Mailman log directory; "subscribe" is the subscribe log.
cd /var/local/mailman/logs
egrep 'pending [a-z]+ [a-z]+@[a-z]+\.com' subscribe \
    | egrep -v @gmail.com \
    | egrep -v @hotmail.com \
    | egrep -v @msn.com \
    | egrep -v @aol.com \
    | egrep -v @yahoo.com \
    | sed -e 's/(.*pending//'
-- cut here --

This is a first-cut, mildly sloppy script that will try to match some patterns of interest that I've noticed in my subscribe log and that might be in yours. The egrep clauses are in there to throw away data not of interest; the sed snips off the mailing list name and some other irrelevancies.

Here is what the last 10 lines of its output look like on my system:

Jun 06 00:14:32 2014 ehkfioxlkrr yuj...@zwdxgc.com 62.210.226.131
Jun 06 13:23:16 2014 norchmecn sty...@zdddmk.com 86.51.26.20
Jun 07 02:06:20 2014 eljult qbp...@wabtdh.com 86.51.26.11
Jun 07 13:21:20 2014 dvlevbpj drk...@nlcvek.com 210.14.138.102
Jun 07 15:41:10 2014 sdbdelkv mtp...@ghazhc.com 86.51.26.18
Jun 07 16:17:10 2014 yqrebrgipo ubn...@cgtnki.com 86.51.26.20
Jun 08 06:37:12 2014 cihjwn sou...@bprryw.com 202.143.148.58
Jun 08 06:55:47 2014 ehxvwgrboo iou...@mnaisa.com 86.51.26.21
Jun 08 23:47:58 2014 qqpluym jpb...@qkvfdi.com 190.14.219.166
Jun 09 16:44:15 2014 mloepuj fig...@jjxlcu.com 172.245.142.194

This is forged gibberish, of course. The user real name is always a lowercase alpha string. The email address is also, both LHS and RHS, and the TLD is always .com. (Hence the regexp in the first egrep.)

I'm curious. First, is anybody else seeing these? Second, does anyone have a theory as to their purpose? And third, is there any value in combining data to see if patterns emerge? (I have some privacy concerns about that last one, since real email addresses might leak through, so I suspect if we decided to do that, it would be best to remove everything but the timestamp and IP address. I doubt the gibberish has any real explanatory value anyway.)

---rsk
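An added example (not code from the original post): the same pattern match written in Python, keeping only the timestamp and source IP as the post suggests for shared data, and counting hits per address and per /24. The log line layout, the optional angle brackets around the address, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of a subscribe-log line, inferred from the post's sed
# expression and sample output (constructed, not taken from a real log):
#   Jun 06 00:14:32 2014 (pid) listname: pending name <addr>  ip
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(.*?pending "
    r"[a-z]+ <?[a-z]+@(?P<domain>[a-z]+)\.com>? +"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# The same providers the original script discards with "egrep -v".
SKIP_DOMAINS = {"gmail", "hotmail", "msn", "aol", "yahoo"}


def suspect_events(lines):
    """Return (timestamp, ip) pairs for lines matching the gibberish pattern.

    Real names and addresses are dropped on purpose so the result can be
    shared without leaking subscriber data.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m and m.group("domain") not in SKIP_DOMAINS:
            events.append((m.group("ts"), m.group("ip")))
    return events


def summarize(events):
    """Count events per source address and per /24 network."""
    by_ip = Counter(ip for _, ip in events)
    by_net = Counter(ip.rsplit(".", 1)[0] + ".0/24" for _, ip in events)
    return by_ip, by_net


# Constructed sample input: documentation IP ranges and example.com only.
SAMPLE_LOG = """\
Jun 06 00:14:32 2014 (2211) announce: pending xkqjvha <pqwzrt@example.com>  192.0.2.20
Jun 06 13:23:16 2014 (2212) announce: pending norbwq <stykel@example.com>  198.51.100.11
Jun 07 02:06:20 2014 (2213) discuss: pending eljvzt <qbpmno@example.com>  198.51.100.20
Jun 07 09:00:00 2014 (2214) discuss: pending alice <alice@gmail.com>  203.0.113.5
Jun 07 09:05:00 2014 (2215) discuss: pending Bob Smith <bob@example.org>  203.0.113.9
Jun 07 16:17:10 2014 (2216) announce: pending yqrebr <ubnxyz@example.com>  198.51.100.20
Jun 08 10:00:00 2014 (2217) announce: new carol@example.net, admin mass sub
"""

if __name__ == "__main__":
    found = suspect_events(SAMPLE_LOG.splitlines())
    for ts, ip in found:
        print(ts, ip)
    per_ip, per_net = summarize(found)
    print("per address:", per_ip.most_common())
    print("per /24:    ", per_net.most_common())
```

The per-/24 count is what shows whether a handful of networks account for most attempts, which is the situation where address-based blocking is worth considering.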
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
On 06/09/2014 04:11 PM, Rich Kulawiec wrote:
> This is a first-cut, mildly sloppy script that will try to match some patterns of interest that I've noticed in my subscribe log and that might be in yours.
...
> Here is what the last 10 lines of its output look like on my system:
>
> Jun 06 00:14:32 2014 ehkfioxlkrr yuj...@zwdxgc.com 62.210.226.131
> Jun 06 13:23:16 2014 norchmecn sty...@zdddmk.com 86.51.26.20
> Jun 07 02:06:20 2014 eljult qbp...@wabtdh.com 86.51.26.11
> Jun 07 13:21:20 2014 dvlevbpj drk...@nlcvek.com 210.14.138.102
> Jun 07 15:41:10 2014 sdbdelkv mtp...@ghazhc.com 86.51.26.18
> Jun 07 16:17:10 2014 yqrebrgipo ubn...@cgtnki.com 86.51.26.20
> Jun 08 06:37:12 2014 cihjwn sou...@bprryw.com 202.143.148.58
> Jun 08 06:55:47 2014 ehxvwgrboo iou...@mnaisa.com 86.51.26.21
> Jun 08 23:47:58 2014 qqpluym jpb...@qkvfdi.com 190.14.219.166
> Jun 09 16:44:15 2014 mloepuj fig...@jjxlcu.com 172.245.142.194
>
> This is forged gibberish, of course.
...
> I'm curious. First, is anybody else seeing these?

Some people are.

> Second, does anyone have a theory as to their purpose?

They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.

If you have Mailman 2.1.16 or later, you can mitigate this by setting

    SUBSCRIBE_FORM_SECRET = 'Some site specific string'

in mm_cfg.py. See https://bugs.launchpad.net/mailman/+bug/1082746.

This is from the NEWS file:

    There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put a dynamically generated, hidden hash in the listinfo subscribe form and check it upon submission. Setting this will prevent automated processes (bots) from successfully POSTing web subscribes without first retrieving and parsing the form from the listinfo page. The form must also be submitted no later than FORM_LIFETIME nor no earlier than SUBSCRIBE_FORM_MIN_TIME after retrieval. Note that enabling this will break any static subscribe forms on your site. See the description in Defaults.py for more info. (LP: #1082746)

-- 
Mark Sapiro m...@msapiro.net           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
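An added illustration (not Mailman's own code) of the mechanism the NEWS entry describes: a hidden form value that binds the issue time to a site secret and is rejected if it is missing, altered, submitted too soon or submitted too late. The setting names come from the post; their values, the HMAC-SHA256 construction, the token layout and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Setting names as quoted from the NEWS entry; values are assumed here.
SUBSCRIBE_FORM_SECRET = "Some site specific string"
FORM_LIFETIME = 3600          # seconds a rendered form stays valid (assumed)
SUBSCRIBE_FORM_MIN_TIME = 5   # seconds before a submit is accepted (assumed)


def _mac(issued, listname, remote):
    """Keyed hash over issue time, list name and client address."""
    msg = "{}:{}:{}".format(issued, listname, remote).encode("utf-8")
    key = SUBSCRIBE_FORM_SECRET.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_form_token(listname, remote, now=None):
    """Value for the hidden field, generated when the listinfo page is served."""
    issued = int(time.time() if now is None else now)
    return "{}:{}".format(issued, _mac(issued, listname, remote))


def check_form_token(token, listname, remote, now=None):
    """Validate a submitted token; returns 'ok' or the reason for rejection."""
    now = int(time.time() if now is None else now)
    issued_s, sep, digest = token.partition(":")
    try:
        issued = int(issued_s)
    except ValueError:
        return "malformed"        # static form or bot that never fetched the page
    if not sep:
        return "malformed"
    expected = _mac(issued, listname, remote)
    # Constant-time comparison; the timestamp is covered by the hash, so
    # editing it to dodge the time window invalidates the token.
    if not hmac.compare_digest(digest.encode("utf-8"), expected.encode("utf-8")):
        return "bad-hash"
    age = now - issued
    if age < SUBSCRIBE_FORM_MIN_TIME:
        return "too-early"        # faster than a person could fill in the form
    if age > FORM_LIFETIME:
        return "expired"          # replay of an old page fetch
    return "ok"


if __name__ == "__main__":
    t0 = 1_400_000_000  # constructed timestamp
    tok = make_form_token("mailman", "192.0.2.10", now=t0)
    for label, tkn, when in [
        ("bot, immediate POST", tok, t0 + 1),
        ("human, 30 s later", tok, t0 + 30),
        ("replayed next day", tok, t0 + 86400),
        ("static form, no token", "", t0 + 30),
    ]:
        print(label, "->", check_form_token(tkn, "mailman", "192.0.2.10", now=when))
```

A bot that POSTs blindly to the subscribe CGI has no token at all, which is also why a static subscribe form copied onto another page stops working once the check is enabled.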
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro m...@msapiro.net wrote:
> They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.
>
> If you have Mailman 2.1.16 or later, you can mitigate this by setting
>
>     SUBSCRIBE_FORM_SECRET = 'Some site specific string'

Another option might be using fail2ban. Almost all of my attackers come from the same few addresses in Vietnam. A few black hole routes and they were history. I haven't bothered with fail2ban yet, but it probably is a reasonable option.

(Mine all have ALLCAPS@ addresses.)

Perry
-- 
Perry E. Metzger		pe...@piermont.com
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro m...@msapiro.net wrote:
> They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.

BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.

Perry
-- 
Perry E. Metzger		pe...@piermont.com
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
Who said spamming has to be logical? I once read that spammers often use outdated, stolen, spamming software that spams in ways that were obsolete years ago.

Peter Shute

-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+pshute=nuw.org...@python.org] On Behalf Of Perry E. Metzger
Sent: Tuesday, 10 June 2014 11:49 AM
To: Mark Sapiro
Cc: mailman-users@python.org
Subject: Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data

On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro m...@msapiro.net wrote:
> They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.

BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.

Perry
-- 
Perry E. Metzger pe...@piermont.com
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
Perry E. Metzger writes:
> BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.

Spammers are generally greedy but not bright?

BTW, to answer Rick's question, yes, I'm seeing them too, in the all-lowercase form, on some but not all lists. I'm not sure why they pick the lists they do.
Re: [Mailman-Users] Bogus/forged subscription attempts: request for comments and possibly data
At Mon, 9 Jun 2014 21:48:38 -0400 Perry E. Metzger pe...@piermont.com wrote:
> On Mon, 09 Jun 2014 17:01:19 -0700 Mark Sapiro m...@msapiro.net wrote:
> > They are spammers attempting to subscribe to your list(s) via POSTs to the web subscribe CGI. Presumably if they successfully subscribe, they will then spam the list.
>
> BTW, I don't quite understand this. Why would splatting random addresses at you help them? Why not just pick real addresses they control? Successfully subscribing is easy, and generating seemingly random addresses won't get them subscribed since the addresses will never get a confirmation round trip.

It depends. Some 'spammers' use scripts that seek out form ... method=post .. tags and then issue POST requests to the action= attribute. In some cases this results in 'posting' content of some sort to web sites (eg comment / forum spam). Or it generates E-Mails to someone who might respond to the content. In other cases it is a form of denial of service attack, overwhelming the server. In some cases, it is totally 'mindless', eg generated data using field names as a guide as to what to generate: such as random E-Mail addresses for a field with a name like 'email', and so on.

> Perry

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
Re: [Mailman-Users] Yahoo - what chance of change now?
Based on that, it's here forever, but will only spread to other mailbox providers if they experience a surge in spoofing.

I'm interested to know what's in store because our current tactic is to reject new Yahoo and AOL subscribers, encourage existing ones to get new addresses, and to forward their messages by hand. This is obviously not going to work if other providers gradually start doing it too.

If our cpanel host ever upgrades then we'll be able to decide on a more permanent solution.

Peter Shute

-----Original Message-----
From: Stephen J. Turnbull [mailto:step...@xemacs.org]
Sent: Tuesday, 10 June 2014 12:44 PM
To: Peter Shute
Cc: 'mailman-users@python.org'
Subject: [Mailman-Users] Yahoo - what chance of change now?

Peter Shute writes:
> It's now about 2 months since Yahoo introduced their DMARC reject policy. I'm taking this as a sign that it's unlikely that they'll ever reverse the decision

On the DMARC list at IETF, a senior Yahoo! sysadmin said that because the attack based on stolen address book data continues, Yahoo! management sees no option but to continue. Even reducing to p=quarantine is out of the question.

The fact that Yahoo! Groups has started to work around DMARC authentication (by moving the author's address into the display name, a tactic explicitly deprecated by the DMARC consortium's own FAQ) suggests they're in it for the long haul.

> Or that any mailbox providers other than Yahoo and AOL have started doing it, or have indicated that they ever/never will?

Comcast made a point of saying in response to a question at a press conference that they have no intention of doing so. It's hardly trustworthy (the DMARC designers can't be happy about the bad press), but both one of the editors of the current draft and a senior IETF engineer whose name pops up all over the email-related RFCs have posted comments that Yahoo! has made no friends for itself.

However, according to a graph I saw that described the attack on AOL, spoofing of AOL addresses ballooned to about 5X the volume preceding the attack, and presumably all of the new spoof messages were targeted to acquaintances since the attackers are known to have obtained millions of AOL users' contact lists. Not only is that attack huge, one would suppose it's more effective than broadcast spam or phishing. I would guess that any large provider that has a security breach like those at Yahoo! and AOL would be tempted to publish a p=reject policy, including Comcast.

IANAL, but I have to wonder if they're not at substantial legal risk for contributory negligence (since apparently the addresses were stolen from the providers, although they're being coy about that) if they don't do something about this relatively effective form of abuse.
[Mailman-Users] Yahoo - what chance of change now?
Peter Shute writes:
> It's now about 2 months since Yahoo introduced their DMARC reject policy. I'm taking this as a sign that it's unlikely that they'll ever reverse the decision

On the DMARC list at IETF, a senior Yahoo! sysadmin said that because the attack based on stolen address book data continues, Yahoo! management sees no option but to continue. Even reducing to p=quarantine is out of the question.

The fact that Yahoo! Groups has started to work around DMARC authentication (by moving the author's address into the display name, a tactic explicitly deprecated by the DMARC consortium's own FAQ) suggests they're in it for the long haul.

> Or that any mailbox providers other than Yahoo and AOL have started doing it, or have indicated that they ever/never will?

Comcast made a point of saying in response to a question at a press conference that they have no intention of doing so. It's hardly trustworthy (the DMARC designers can't be happy about the bad press), but both one of the editors of the current draft and a senior IETF engineer whose name pops up all over the email-related RFCs have posted comments that Yahoo! has made no friends for itself.

However, according to a graph I saw that described the attack on AOL, spoofing of AOL addresses ballooned to about 5X the volume preceding the attack, and presumably all of the new spoof messages were targeted to acquaintances since the attackers are known to have obtained millions of AOL users' contact lists. Not only is that attack huge, one would suppose it's more effective than broadcast spam or phishing. I would guess that any large provider that has a security breach like those at Yahoo! and AOL would be tempted to publish a p=reject policy, including Comcast.

IANAL, but I have to wonder if they're not at substantial legal risk for contributory negligence (since apparently the addresses were stolen from the providers, although they're being coy about that) if they don't do something about this relatively effective form of abuse.
Re: [Mailman-Users] Yahoo - what chance of change now?
Peter Shute writes:
> I'm interested to know what's in store because our current tactic is to reject new Yahoo and AOL subscribers, encourage existing ones to get new addresses, and to forward their messages by hand. This is obviously not going to work if other providers gradually start doing it too.

Well, Gmail clearly has decided that they know better than Yahoo! which messages need to be rejected. Although the only way to make a computer totally secure is to pull out the plug, I suspect that they are more secure against contact list theft than Yahoo! or AOL. I think their tech staff has more status than the tech staff at Yahoo! and AOL, so they're less likely to roll out new features that can be hacked because of management pressure. It may be a long time before Gmail gets hacked that way. Ditto Microsoft.

Google also has their Don't Be Evil baggage to contend with. They may be less likely to make decisions known to involve substantial collateral damage.

> If our cpanel host ever upgrades then we'll be able to decide on a more permanent solution.

Somebody said cPanel has already upgraded to Mailman 2.1.18-1, so at least your host does have an upgrade path.