Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Mark Sapiro
On 01/19/2017 11:35 AM, Odhiambo Washington wrote:
> On 19 January 2017 at 21:22, Mark Sapiro  wrote:
>>
>> Look at some of the hits from searching at
>>  for
>> global_ban_list.
>>
> 
> 
> Seen that. Usable, but not everything, given that some addresses on my list
> are well-known free mail providers.


You don't want to block entire domains. You want to use regexps that are
tailored to the attacks you are seeing. This means you can't be
proactive in blocking attacks in advance, but if you run some kind of
Mailman log summary such as the mmdsr program distributed with Mailman
in the contrib/ directory, you'll see attacks within a day of when they
start and can react. Some patterns I have used that have been effective
against past attacks are:

  '^[a-z0-9.]{8,}\+[a-z0-9]{4,}@gmail\.com$',
  '^.*k\.*e\.*m\.*o\.*m\.*a\.*r\.*t.*@gmail\.com',
  '^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com',
  '^.*k\.*e\.*z\.*u\.*k\.*a\.*y\.*a.*@gmail\.com',

Also, there is a script at 
(mirrored at ) that is
described as:

Remove an address or all addresses matching a regexp from the
installation. I.e. for every list, if the address is a member, it is
removed. If there are any held posts or (un)subscription requests from
the address, they are removed too. Optionally, any subscription requests
from the address waiting user confirmation are also removed.

that can be used to remove the successful ones.

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
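Before adding tailored regexps to GLOBAL_BAN_LIST, a list admin will want to see what they catch and what legitimate addresses they would also hit. The following is an added example, not code from the thread or from Mailman: it runs Mark's four patterns over constructed subscribe-log lines. It assumes Mailman's convention that a ban-list entry starting with '^' is a regexp matched case-insensitively with re.search (confirm in Defaults.py and MailList.py for your version); the log layout is illustrative and only the address is extracted.

```python
import re

# Regexps from Mark Sapiro's message. Mailman treats a ban-list entry that
# starts with '^' as a regexp and (assumed here; confirm in Defaults.py and
# MailList.py for your version) matches it case-insensitively via re.search.
GLOBAL_BAN_LIST = [
    r'^[a-z0-9.]{8,}\+[a-z0-9]{4,}@gmail\.com$',
    r'^.*k\.*e\.*m\.*o\.*m\.*a\.*r\.*t.*@gmail\.com',
    r'^.*s\.*u\.*n\.*i\.*b\.*e\.*e\.*s\.*t\.*a\.*r\.*s.*@gmail\.com',
    r'^.*k\.*e\.*z\.*u\.*k\.*a\.*y\.*a.*@gmail\.com',
]

# Constructed sample in the spirit of Mailman's 'subscribe' log; the exact
# layout of real log lines may differ, only the address is extracted below.
SUBSCRIBE_LOG = """\
Jan 19 10:01:02 2017 (4321) mylist: pending john.smith1+zxq9@gmail.com 203.0.113.5
Jan 19 10:01:07 2017 (4321) mylist: pending K.e.m.o.m.a.r.t.x@gmail.com 203.0.113.5
Jan 19 10:02:30 2017 (4321) mylist: pending jane.doe@gmail.com 198.51.100.7
Jan 19 10:03:11 2017 (4321) mylist: pending firstname.lastname+news@gmail.com 192.0.2.9
"""

def banned_by(address, ban_list=GLOBAL_BAN_LIST):
    """Return the first ban-list entry matching `address`, or None."""
    for entry in ban_list:
        if entry.startswith('^'):            # regexp entry
            if re.search(entry, address, re.IGNORECASE):
                return entry
        elif entry.lower() == address.lower():   # literal address entry
            return entry
    return None

def triage_log(log_text, ban_list=GLOBAL_BAN_LIST):
    """Map each logged address to the entry that bans it; list the rest.

    Returns (banned, allowed). Run this on a day's subscribe log before
    deploying new patterns: 'banned' shows what they catch, 'allowed'
    what slips through, and any real subscriber in 'banned' is collateral.
    """
    banned, allowed = {}, []
    for line in log_text.splitlines():
        m = re.search(r'\S+@\S+', line)
        if not m:
            continue
        entry = banned_by(m.group(0), ban_list)
        if entry:
            banned[m.group(0)] = entry
        else:
            allowed.append(m.group(0))
    return banned, allowed
```

Note that the first pattern also catches a real user such as firstname.lastname+news@gmail.com, which is the trade-off Mark describes: patterns tailored to an attack you are seeing, not blanket blocks on a provider.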


Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington
On 19 January 2017 at 21:22, Mark Sapiro  wrote:

> On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> > On 19 January 2017 at 18:55, Brian Carpenter  wrote:
> >
>
> Odhiambo Washington wrote:
> >>>
> >>> Now this got me thinking: Once one has submitted a subscription request
> >> and
> >>> Mailman has dispatched the 'confirm' email, shouldn't mailman decline
> any
> >>> further subscription requests from the same address if they decide to
> >>> submit such, and as such shouldn't send any other confirm/verification
> >>> requests as long as there is one still pending??
>
>
> Perhaps there should be a limit, but not an outright refusal because the
> original confirmation email could have been lost.
>
> In any case, I'm not interested in implementing this.
>
>
>
> >> Subscription spam, which is what I think you are experiencing, has been
> >> dealt with to a certain degree by recent versions of mailman. The
> >> following two functions I believe would be of assistance are:
> >>
> >> SUBSCRIBE_FORM_SECRET
> >> GLOBAL_BAN_LIST
> >>
> ...
> > So is it enough to add
> >
> > SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> >
> > to mm_cfg.py and restarting Mailman without doing any other thing??
>
>
> That is sufficient to enable that feature and it will help block robotic
> web subscribes, but there are bots now that are smart enough to mimic
> human behavior in first getting the listinfo page and then waiting
> before posting the subscribe form.
>
>
Thanks for the clarification. Now I'll just wait and see if the smart bots
are involved.



>
> > The GLOBAL_BAN_LIST is self-explanatory when I read it.
>
>
> There are various, widespread attacks of this nature, but none that I've
> seen with the addresses you're seeing. There are several threads on this
> in the archives of this list.
>
> Look at some of the hits from searching at
>  for
> global_ban_list.
>


Seen that. Usable, but not everything, given that some addresses on my list
are well-known free mail providers.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Mark Sapiro
On 01/19/2017 08:32 AM, Odhiambo Washington wrote:
> On 19 January 2017 at 18:55, Brian Carpenter  wrote:
>

Odhiambo Washington wrote:
>>>
>>> Now this got me thinking: Once one has submitted a subscription request
>> and
>>> Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
>>> further subscription requests from the same address if they decide to
>>> submit such, and as such shouldn't send any other confirm/verification
>>> requests as long as there is one still pending??


Perhaps there should be a limit, but not an outright refusal because the
original confirmation email could have been lost.

In any case, I'm not interested in implementing this.



>> Subscription spam, which is what I think you are experiencing, has been dealt
>> with to a certain degree by recent versions of mailman. The following two
>> functions I believe would be of assistance are:
>>
>> SUBSCRIBE_FORM_SECRET
>> GLOBAL_BAN_LIST
>>
...
> So is it enough to add
> 
> SUBSCRIBE_FORM_SECRET = 'L1feSuX'
> 
> to mm_cfg.py and restarting Mailman without doing any other thing??


That is sufficient to enable that feature and it will help block robotic
web subscribes, but there are bots now that are smart enough to mimic
human behavior in first getting the listinfo page and then waiting
before posting the subscribe form.


> The GLOBAL_BAN_LIST is self-explanatory when I read it.


There are various, widespread attacks of this nature, but none that I've
seen with the addresses you're seeing. There are several threads on this
in the archives of this list.

Look at some of the hits from searching at
 for
global_ban_list.

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan


Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington
On 19 January 2017 at 18:55, Brian Carpenter  wrote:

> > I have a situation which is a little confusing on a server where I run
> > Mailman. The subscription model is "confirm & approve"
> >
> > When I check the MTA's queue, I find hundreds of mail destined to certain
> > addresses, and one address could have 10 or more same mail destined to
> it.
> > I cleared the queue before checking the contents of these e-mails, but I
> > assume they were those 'confirm your subscription' ones to these
> addresses,
> > because I can see the addresses in Mailman's subscribe logfile.
> >
> > Now this got me thinking: Once one has submitted a subscription request
> and
> > Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
> > further subscription requests from the same address if they decide to
> > submit such, and as such shouldn't send any other confirm/verification
> > requests as long as there is one still pending??
> >
> > I am talking about a situation leading to a subscribe logfile like the
> one
> > at: http://bit.ly/2iFv5vi
> >
> > Might I be missing something in my list configuration???
>
> Subscription spam, which is what I think you are experiencing, has been dealt
> with to a certain degree by recent versions of mailman. The following two
> functions I believe would be of assistance are:
>
> SUBSCRIBE_FORM_SECRET
> GLOBAL_BAN_LIST
>
>

> There is some detailed information about them in Defaults.py I believe.
>
> Brian Carpenter
> EMWD, Owner
>
> Providing Cloud Services and Mailman hosting for over 18 years.
>
>

Awesome.

So is it enough to add

SUBSCRIBE_FORM_SECRET = 'L1feSuX'

to mm_cfg.py and restarting Mailman without doing any other thing??


The GLOBAL_BAN_LIST is self-explanatory when I read it.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [Mailman-Users] Mailman Security

2017-01-19 Thread Brian Carpenter
> I have a situation which is a little confusing on a server where I run
> Mailman. The subscription model is "confirm & approve"
> 
> When I check the MTA's queue, I find hundreds of mail destined to certain
> addresses, and one address could have 10 or more same mail destined to it.
> I cleared the queue before checking the contents of these e-mails, but I
> assume they were those 'confirm your subscription' ones to these
addresses,
> because I can see the addresses in Mailman's subscribe logfile.
> 
> Now this got me thinking: Once one has submitted a subscription request
and
> Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
> further subscription requests from the same address if they decide to
> submit such, and as such shouldn't send any other confirm/verification
> requests as long as there is one still pending??
> 
> I am talking about a situation leading to a subscribe logfile like the one
> at: http://bit.ly/2iFv5vi
> 
> Might I be missing something in my list configuration???

Subscription spam, which is what I think you are experiencing, has been dealt
with to a certain degree by recent versions of mailman. The following two
functions I believe would be of assistance are:

SUBSCRIBE_FORM_SECRET
GLOBAL_BAN_LIST

There is some detailed information about them in Defaults.py I believe.

Brian Carpenter
EMWD, Owner

Providing Cloud Services and Mailman hosting for over 18 years.



[Mailman-Users] Mailman Security

2017-01-19 Thread Odhiambo Washington
Okay, maybe the subject is inflammatory/misleading :-)

I have a situation which is a little confusing on a server where I run
Mailman. The subscription model is "confirm & approve"

When I check the MTA's queue, I find hundreds of mail destined to certain
addresses, and one address could have 10 or more same mail destined to it.
I cleared the queue before checking the contents of these e-mails, but I
assume they were those 'confirm your subscription' ones to these addresses,
because I can see the addresses in Mailman's subscribe logfile.

Now this got me thinking: Once one has submitted a subscription request and
Mailman has dispatched the 'confirm' email, shouldn't mailman decline any
further subscription requests from the same address if they decide to
submit such, and as such shouldn't send any other confirm/verification
requests as long as there is one still pending??

I am talking about a situation leading to a subscribe logfile like the one
at: http://bit.ly/2iFv5vi

Might I be missing something in my list configuration???


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."