[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Al Brussey
Yea tried different browsers, let me see if I can get that url manually from 
the server.

> On Mar 5, 2021, at 9:32 PM, Mark Sapiro  wrote:
> 
> On 3/5/21 6:14 PM, Al Brussey wrote:
>> There is nothing between the digest question and the submit button. 
>> 
>> When I submit the form, I get this:
>> 
>> reCAPTCHA validation failed: missing-input-response
> 
> That's the expected response in this case.
> 
> Have you tried different browsers? Is there a firewall or something that
> could be interfering with getting the recaptcha from
> https://www.google.com/recaptcha/api.js?hl=en ?
> 
> -- 
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Mark Sapiro
On 3/5/21 6:14 PM, Al Brussey wrote:
> There is nothing between the digest question and the submit button. 
> 
> When I submit the form, I get this:
> 
> reCAPTCHA validation failed: missing-input-response

That's the expected response in this case.

Have you tried different browsers? Is there a firewall or something that
could be interfering with getting the recaptcha from
https://www.google.com/recaptcha/api.js?hl=en ?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Al Brussey
There is nothing between the digest question and the submit button. 

When I submit the form, I get this:

reCAPTCHA validation failed: missing-input-response

> On Mar 5, 2021, at 7:38 PM, Mark Sapiro  wrote:
> 
> On 3/5/21 3:35 PM, Al Brussey wrote:
>> Yes they are v2 keys.
>> 
>>> On Mar 5, 2021, at 5:28 PM, Mark Sapiro  wrote:
>>> 
>>> On 3/5/21 2:10 PM, AJ wrote:
>>>> 
>>>> View source of page, i see this, with the correct site key:
>>>> 
>>>> This form requires
>>>> JavaScript.>>> src="https://www.google.com/recaptcha/api.js?hl=en";>
>>>> >>> data-sitekey="xxx">
>>> 
>>> 
>>> Are your keys for recaptcha v2 - v3 doesn't work with Mailman
> 
> 
> Well, the relevant code is in the form. This is exactly the same except
> for the data-sitekey value as for example the various lists at
>  and it works there.
> 
> Have you tried different browsers? Do you see anything on the page
> between "Would you like to receive list mail batched in a daily digest?"
> and the Subscribe button? What happens if you submit the form?
> 
> -- 
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: Pipermail scrubbing ascii txt to ksh attachment

2021-03-05 Thread Mark Sapiro
On 3/5/21 2:56 PM, Mark Dale via Mailman-Users wrote:
> 
> 
> I'll pass it on to the list owner to modify their script and see how we
> get on.
> 
> Content-Disposition: inline
> Content-Type: text/plain
> MIME-Version: 1.0
> X-Mailer: MIME::Lite 3.031 (F2.85; T2.17; A2.21; B3.15; Q3.13)


In case the script doesn't get modified, here's a patch I plan to commit
to Scrubber.py which should help.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
=== modified file 'Mailman/Handlers/Scrubber.py'
--- Mailman/Handlers/Scrubber.py2020-06-21 18:45:30 +
+++ Mailman/Handlers/Scrubber.py2021-03-06 01:10:21 +
@@ -90,6 +90,9 @@
 if ctype.lower == 'application/octet-stream':
 # For this type, all[0] is '.obj'. '.bin' is better.
 return '.bin'
+if ctype.lower == 'text/plain':
+# For this type, all[0] is '.ksh'. '.txt' is better.
+return '.txt'
 return all and all[0]
 
 
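Review bot: in the added `if ctype.lower == 'text/plain':`, `ctype.lower` is the bound method rather than its result, so the comparison with a string is always false and the new '.txt' branch is never taken; it should be `ctype.lower()`. The unchanged `application/octet-stream` test just above has the same form, so both need the call parentheses for either override to take effect.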
@@ -196,7 +199,10 @@
 format = part.get_param('format')
 delsp = part.get_param('delsp')
 # TK: if part is attached then check charset and scrub if none
-if part.get('content-disposition') and \
+# MAS: Content-Disposition is not a good test for 'attached'.
+# RFC 2183 sec. 2.10 allows Content-Disposition on the main body.
+# Make it specifically 'attachment'.
+if part.get('content-disposition').lower() == 'attachment' and \
not part.get_content_charset():
 omask = os.umask(002)
 try:
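Review bot: in the new `if part.get('content-disposition').lower() == 'attachment' and \`, `part.get()` returns None when the part has no Content-Disposition header, so `.lower()` raises AttributeError on ordinary messages, which the old truthiness test did not. The header value can also carry parameters (for example `attachment; filename="x.txt"`), and an exact comparison with 'attachment' will not match those, so attachments without a charset would no longer reach this branch. Suggest reading the header with a default of '', cutting it at the first ';', then stripping and lower-casing before the comparison.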



[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Mark Sapiro
On 3/5/21 3:35 PM, Al Brussey wrote:
> Yes they are v2 keys.
> 
>> On Mar 5, 2021, at 5:28 PM, Mark Sapiro  wrote:
>>
>> On 3/5/21 2:10 PM, AJ wrote:
>>>
>>> View source of page, i see this, with the correct site key:
>>>
>>>  This form requires
>>> JavaScript.>> src="https://www.google.com/recaptcha/api.js?hl=en";>
>>> >> data-sitekey="xxx">
>>
>>
>> Are your keys for recaptcha v2 - v3 doesn't work with Mailman


Well, the relevant code is in the form. This is exactly the same except
for the data-sitekey value as for example the various lists at
 and it works there.

Have you tried different browsers? Do you see anything on the page
between "Would you like to receive list mail batched in a daily digest?"
and the Subscribe button? What happens if you submit the form?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Al Brussey
Yes they are v2 keys.

> On Mar 5, 2021, at 5:28 PM, Mark Sapiro  wrote:
> 
> On 3/5/21 2:10 PM, AJ wrote:
>> 
>> View source of page, i see this, with the correct site key:
>> 
>>  This form requires
>> JavaScript.> src="https://www.google.com/recaptcha/api.js?hl=en";>
>> > data-sitekey="xxx">
> 
> 
> Are your keys for recaptcha v2 - v3 doesn't work with Mailman
> 
> -- 
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: Pipermail scrubbing ascii txt to ksh attachment

2021-03-05 Thread Mark Dale via Mailman-Users



 Original Message 
From: Mark Sapiro [mailto:m...@msapiro.net]
Sent: Friday, March 5, 2021, 05:08 UTC
To: mailman-users@python.org
Subject: [Mailman-Users] Re: Pipermail scrubbing ascii txt to ksh attachment

> On 3/4/21 8:36 PM, Mark Dale via Mailman-Users wrote:
>>
>> Reading Steve's reply just now makes me look suspiciously at the Perl
>> X-Mailer: MIME::Lite that is sending the email to the list. My
>> understanding is the list owner has scheduled a Perl script to export
>> from a database and post the resulting export.
> 
> 
> I've looked at the code more carefully, and I see there are two
> conditions for the text/plain part to be scrubbed. One is the lack of a
> charset= parameter, but the other is that the part is not the only body
> part or maybe the first part of a multipart body.
> 
> However, the way the code determines if the part is the body vs. being
> an attachment is the presence of a Content-Disposition: header. Your
> message has a Content-Disposition: inline header and while this is
> explicitly allowed by RFC 2183, it is unusual for a single part
> text/plain message.
> 
> If the perl script that generates this message can not include that
> header, I don't think the part will be scrubbed.
> 

Ahhh -- that's great intel Mark: thank you very much!!! Your diligence
and patience are mind blowing.

I'll pass it on to the list owner to modify their script and see how we
get on.

Content-Disposition: inline
Content-Type: text/plain
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.031 (F2.85; T2.17; A2.21; B3.15; Q3.13)





[Mailman-Users] Re: Pipermail scrubbing ascii txt to ksh attachment

2021-03-05 Thread Mark Sapiro
On 3/5/21 2:42 PM, Mark Dale via Mailman-Users wrote:
> 
> 
> Here is what the edited scripts/post wrote to file last night.
> 
...
> Content-Disposition: inline
> Content-Type: text/plain
...


So what's triggering the issue is the lack of a charset= on the
Content-Type: text/plain header together with the Content-Disposition:
inline header.

If the script that sends this mail can be altered to either include the
charset= on the Content-Type: text/plain header or not include the
Content-Disposition: inline header or both, that would solve this.

I'll also work on a patch to Scrubber.py and post that when it's done.


-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
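
The header combination described in the message above, as an added example that is not part of the original post or of Mailman's code: it evaluates the "any Content-Disposition header plus no charset" condition against a stricter "explicitly attachment" condition for four header variants. It uses Python 3's standard `email` package (Mailman 2.1 itself runs on Python 2); the sample message and all function names are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: the header combination quoted in the thread
# (Content-Disposition: inline, text/plain with no charset= parameter).
SAMPLE = (
    "Content-Disposition: inline\n"
    "Content-Type: text/plain\n"
    "MIME-Version: 1.0\n"
    "Subject: constructed example\n"
    "\n"
    "New Sigs: 139\n"
)


def disposition_type(part):
    """Lower-cased disposition type with parameters removed, or None."""
    raw = part.get("content-disposition")
    if raw is None:
        return None
    return raw.split(";", 1)[0].strip().lower()


def attached_if_header_present(part):
    """Condition described in the thread: any Content-Disposition header
    combined with a missing charset makes the part count as an attachment."""
    return bool(part.get("content-disposition")) and not part.get_content_charset()


def attached_if_attachment(part):
    """Stricter condition (hypothetical helper): only an explicit
    'attachment' disposition with a missing charset counts."""
    return disposition_type(part) == "attachment" and not part.get_content_charset()


def build(disposition=None, charset=None):
    """Return the sample message with the two headers under test adjusted."""
    msg = message_from_string(SAMPLE)
    del msg["Content-Disposition"]          # no error if the header is absent
    if disposition is not None:
        msg["Content-Disposition"] = disposition
    ctype = "text/plain"
    if charset is not None:
        ctype += '; charset="%s"' % charset
    msg.replace_header("Content-Type", ctype)
    return msg


def evaluate():
    """Map each variant to (header-present result, attachment-only result)."""
    cases = {
        "inline, no charset": build("inline"),
        "inline, charset": build("inline", "us-ascii"),
        "no disposition, no charset": build(),
        "attachment with filename, no charset":
            build('attachment; filename="sigs.txt"'),
    }
    return {
        name: (attached_if_header_present(m), attached_if_attachment(m))
        for name, m in cases.items()
    }


if __name__ == "__main__":
    for name, (present, strict) in evaluate().items():
        print("%-38s header-present=%-5s attachment-only=%s"
              % (name, present, strict))
```

The second and third variants correspond to the two sender-side remedies suggested above: adding `charset=` or dropping the `Content-Disposition: inline` header.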


[Mailman-Users] Re: Pipermail scrubbing ascii txt to ksh attachment

2021-03-05 Thread Mark Dale via Mailman-Users



 Original Message 
From: Mark Sapiro [mailto:m...@msapiro.net]
Sent: Friday, March 5, 2021, 04:50 UTC
To: mailman-users@python.org
Subject: [Mailman-Users] Re: Pipermail scrubbing ascii txt to ksh attachment

> On 3/4/21 8:36 PM, Mark Dale via Mailman-Users wrote:
>>
>> Thanks. I've implemented your script patch (LISTNAME needed to be in
>> quotes otherwise the server spat the dummy).
> 
> Sorry about that ...
> 
>> The next scheduled post to
>> the list will be in about 10 hours so I'll have a result to look at then.
> 
> 
> Cool.
> 
> 
>> Reading Steve's reply just now makes me look suspiciously at the Perl
>> X-Mailer: MIME::Lite that is sending the email to the list. My
>> understanding is the list owner has scheduled a Perl script to export
>> from a database and post the resulting export.
>>
>> Anyways, I'll see what the result gets written by scripts/post  in the
>> morning.
> 
> OK.
> 
> I'm just curious, but if the body is scrubbed as an attachment with a
> .txt extension instead of .ksh would that help?
> 


There is no problem opening the .ksh file but the owner of the list
would like to see the archive message display in the message body. The
Namazu text search engine that's incorporated into the list's
archive will then be of use. So having the attachment use .txt won't
really help.

Here is what the edited scripts/post wrote to file last night.

>From noreply@REDACTED  Fri Mar  5 12:03:30 2021
Return-Path: 
X-Original-To: REDACTED@lists.REDACTED
Delivered-To: REDACTED@lists.REDACTED
Received: from alln-iport-3.REDACTED (alln-iport-3.REDACTED [173.37.142.90])
by mailmanlists.network (Postfix) with ESMTPS id EC62F2029E
for ; Fri,  5 Mar 2021 12:03:29 + (UTC)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,224,1610409600";
   d="scan'208";a="656493238"
Received: from rcdn-core-4.REDACTED ([173.37.93.155])
  by alln-iport-3.REDACTED with ESMTP/TLS/DHE-RSA-SEED-SHA; 05 Mar 2021
12:03:28 +
Received: from mail.vrt.REDACTED ([10.83.44.69])
by rcdn-core-4.REDACTED (8.15.2/8.15.2) with SMTP id 125C3S2G009788
for ; Fri, 5 Mar 2021 12:03:28 GMT
Message-Id: <202103051203.125C3S2G009788@rcdn-core-4.REDACTED>
Received: from localhost.localdomain (sigmanager.vrt.REDACTED [10.7.89.25])
by mail.vrt.REDACTED (Postfix) with ESMTP id 44C1E463D6
for ; Fri,  5 Mar 2021 12:03:28 + (UTC)
Content-Disposition: inline
Content-Type: text/plain
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.031 (F2.85; T2.17; A2.21; B3.15; Q3.13)
Date: Fri, 5 Mar 2021 07:03:28 -0500
From: noreply@REDACTED
To: REDACTED@lists.REDACTED
Subject: Signatures Published daily - 26099
Content-Transfer-Encoding: quoted-printable
X-Outbound-SMTP-Client: 10.83.44.69, [10.83.44.69]
X-Outbound-Node: rcdn-core-4.REDACTED


REDACTED Publishing Notice

Datefile:   daily
Version:26099
Publisher:  REDACTED
New Sigs:   139
Dropped Sigs:   0
Ignored Sigs:   75


New Detection Signatures:


* Win.Malware.Injects-9838834-0

* Win.Trojan.Generic-9838835-0

* Win.Packed.Razy-9838836-0

* Win.Packed.Razy-9838837-0




[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Mark Sapiro
On 3/5/21 2:10 PM, AJ wrote:
> 
> View source of page, i see this, with the correct site key:
> 
>   This form requires
> JavaScript. src="https://www.google.com/recaptcha/api.js?hl=en";>
>  data-sitekey="xxx">


Are your keys for recaptcha v2 - v3 doesn't work with Mailman

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Chromatest J. Pantsmaker
Looks like your noscript plugin is blocking javascript

On Fri, Mar 5, 2021 at 3:12 PM AJ  wrote:

> Keys set properly in mm_cfg.py.  I am on Mailman 2.1.34.
>
> mm_cfg.py:
>
> SUBSCRIBE_FORM_SECRET = "xxx"
> BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
> BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE = Yes
> RECAPTCHA_SITE_KEY = 'xxx'
> RECAPTCHA_SECRET_KEY = 'xxx'
>
>
> View source of page, i see this, with the correct site key:
>
>   This form requires
> JavaScript. src="https://www.google.com/recaptcha/api.js?hl=en";>
>  data-sitekey="xxx">
>
>
>
>
>
>
>
>
>
>
> On Fri, Mar 5, 2021 at 4:38 PM Mark Sapiro  wrote:
>
> > On 3/5/21 1:24 PM, AJ wrote:
> > > I've tried to enable the reCaptcha by setting the keys in mm_cfg.py and
> > the
> > > list subscribe page does not display the reCaptcha checkbox.
> > > This is the case on new and old lists.  I've confirmed the following is
> > > added to templates/en/listinfo.html
> > >
> > >   
> > >   
> > >   
> > >
> > > None of the old lists have custom listinfo.html pages.
> > > Any clue on where else to look?
> >
> >
> > Have you set the keys as
> >
> > RECAPTCHA_SITE_KEY = '...'
> > RECAPTCHA_SECRET_KEY = '...'
> >
> > capitalized and spelled correctly?
> >
> > Is Javascript enabled in your browser? If not, you should see
> >
> > This form requires JavaScript.
> >
> > instead of the recaptcha.
> >
> > If you view the source of the page in your browser, what do you see?
> >
> > --
> > Mark Sapiro        The highway is for gamblers,
> > San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread AJ
Keys set properly in mm_cfg.py.  I am on Mailman 2.1.34.

mm_cfg.py:

SUBSCRIBE_FORM_SECRET = "xxx"
BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE = Yes
RECAPTCHA_SITE_KEY = 'xxx'
RECAPTCHA_SECRET_KEY = 'xxx'


View source of page, I see this, with the correct site key:

  This form requires
JavaScript.https://www.google.com/recaptcha/api.js?hl=en";>











On Fri, Mar 5, 2021 at 4:38 PM Mark Sapiro  wrote:

> On 3/5/21 1:24 PM, AJ wrote:
> > I've tried to enable the reCaptcha by setting the keys in mm_cfg.py and
> the
> > list subscribe page does not display the reCaptcha checkbox.
> > This is the case on new and old lists.  I've confirmed the following is
> > added to templates/en/listinfo.html
> >
> >   
> >   
> >   
> >
> > None of the old lists have custom listinfo.html pages.
> > Any clue on where else to look?
>
>
> Have you set the keys as
>
> RECAPTCHA_SITE_KEY = '...'
> RECAPTCHA_SECRET_KEY = '...'
>
> capitalized and spelled correctly?
>
> Is Javascript enabled in your browser? If not, you should see
>
> This form requires JavaScript.
>
> instead of the recaptcha.
>
> If you view the source of the page in your browser, what do you see?
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Mark Sapiro
On 3/5/21 1:24 PM, AJ wrote:
> I've tried to enable the reCaptcha by setting the keys in mm_cfg.py and the
> list subscribe page does not display the reCaptcha checkbox.
> This is the case on new and old lists.  I've confirmed the following is
> added to templates/en/listinfo.html
> 
>   
>   
>   
> 
> None of the old lists have custom listinfo.html pages.
> Any clue on where else to look?


Have you set the keys as

RECAPTCHA_SITE_KEY = '...'
RECAPTCHA_SECRET_KEY = '...'

capitalized and spelled correctly?

Is Javascript enabled in your browser? If not, you should see

This form requires JavaScript.

instead of the recaptcha.

If you view the source of the page in your browser, what do you see?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Brian Carpenter

On 3/5/21 4:24 PM, AJ wrote:
> I've tried to enable the reCaptcha by setting the keys in mm_cfg.py and the
> list subscribe page does not display the reCaptcha checkbox.
> This is the case on new and old lists.  I've confirmed the following is
> added to templates/en/listinfo.html
>
>   
>   
>   
>
> None of the old lists have custom listinfo.html pages.
> Any clue on where else to look?
>
> Thanks
> AJ
>
> On Fri, Mar 5, 2021 at 9:44 AM Brian Carpenter wrote:
>
>> On 3/5/21 9:31 AM, jor...@gmail.com wrote:
>>> currently we get inundated with abuse complaint mails because our
>>> mailman instance is targeted by spambots who for whatever reason try to
>>> subscribe to the lists at our side with addresses belonging to someone
>>> else, and when mailman sends out the confirmation email, this is
>>> considered spam by the recipient and occasionally reported as abuse.
>>>
>>> At https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html
>>> I found the hint that in /etc/mailman/mm_cfg.py, one should set
>>> SUBSCRIBE_FORM_SECRET to a random string which will trigger mailman to
>>> embed a CSRF token into the subscription form.
>>>
>>> This, unfortunately hasn't helped. The abuse mail complaints kept
>>> coming.
>>>
>>> On the same page I found the note that you can also embed a captcha.
>>> However I have not found instructions on how to do this.
>>>
>>> If this is really the case, could somebody give me a link to where I
>>> can find the instructions?
>>
>> Depending upon what version of Mailman 2 you are running, you can add
>> the following to your mailman_install_dir/Mailman/mm_cfg.py
>>
>> BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
>> RECAPTCHA_SITE_KEY = "recaptcha site key"
>> RECAPTCHA_SECRET_KEY = "recaptcha secret key"
>>
>> What version of Mailman 2 are you running?
>>
>> --
>> Brian Carpenter
>> Harmonylists.com
>> Emwd.com


What version of Mailman 2 are you running?

--
Brian Carpenter
Harmonylists.com
Emwd.com


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread AJ
I've tried to enable the reCaptcha by setting the keys in mm_cfg.py and the
list subscribe page does not display the reCaptcha checkbox.
This is the case on new and old lists.  I've confirmed the following is
added to templates/en/listinfo.html

  
  
  

None of the old lists have custom listinfo.html pages.
Any clue on where else to look?

Thanks
AJ

On Fri, Mar 5, 2021 at 9:44 AM Brian Carpenter 
wrote:

> On 3/5/21 9:31 AM, jor...@gmail.com wrote:
> > currently we get  inundated with abuse complaint mails because our
> > mailman instance is targeted by spambots who for whatever reason try to
> > subscribe to the lists at our side with addresses belonging to someone
> > else, and when mailman sends out the confirmation email, this is
> > considered spam by the recipient and occasionally reported as abuse.
> >
> > At https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html
> > I found the hint that in /etc/mailman/mm_cfg.py, one should set
> > SUBSCRIBE_FORM_SECRET to a random string which will trigger mailman to
> > embed a CSRF token into the subscription form.
> >
> > This, unfortunately hasn't helped. The abuse mail complaints kept
> > coming.
> >
> > On the same page I found the note that you can also embed a captcha.
> > However I have not found instructions on how to do this.
> >
> > If this is really the case, could somebody give me a link to where I
> > can find the instructions?
>
> Depending upon what version of Mailman 2 you are running, you can add
> the following to your mailman_install_dir/Mailman/mm_cfg.py
>
> BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
> RECAPTCHA_SITE_KEY = "recaptcha site key"
> RECAPTCHA_SECRET_KEY = "recaptcha secret key"
>
> What version of Mailman 2 are you running?
>
> --
> Brian Carpenter
> Harmonylists.com
> Emwd.com


[Mailman-Users] Re: Change moderator or admin password (random) different for each list they were an admin or moderator for - Mailman 2.1

2021-03-05 Thread Mark Sapiro
On 3/4/21 10:35 PM, Stephen J. Turnbull wrote:
> Hi, Daniel
> 
> Mark Sapiro writes:
>  > 
>  > You need to
>  > generate a password within the script.
> 
> I think
> 
> newpassword = subprocess.run(["pwgen", "-sB", "15", "1"],
>  capture_output=True,
>  text=True).stdout
> 
> will do the trick (be careful about text=True, though; you may want
> the default text=False so that stdout will be bytes instead of str).

Except that's Python 3 and this is Mailman 2.1 withlist so the script
needs to be Python 2. For that we would want

newpassword = subprocess.check_output(
  ["pwgen", "-sB", "15", "1"]).strip()


The .strip() is to remove a trailing newline.

https://docs.python.org/2.7/library/subprocess.html#subprocess.check_output

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: protecting the web interface against subscription spam (solved)

2021-03-05 Thread Brian Carpenter

On 3/5/21 10:01 AM, jor...@gmail.com wrote:
> On Friday, 05.03.2021 at 09:41 -0500, Brian Carpenter wrote:
>
>> Depending upon what version of Mailman 2 you are running, you can add
>> the following to your mailman_install_dir/Mailman/mm_cfg.py
>>
>> BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
>> RECAPTCHA_SITE_KEY = "recaptcha site key"
>> RECAPTCHA_SECRET_KEY = "recaptcha secret key"
>
> Thanks! Indeed that works! Thanks so much!
>
> Caveat: only recaptcha v2 works (for me)
>
> Cheers,
>
> Johannes


You're welcome and I am glad to be of assistance.

--
Brian Carpenter
Harmonylists.com
Emwd.com


[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread jorohr
On Friday, 05.03.2021 at 09:41 -0500, Brian Carpenter wrote:
> Depending upon what version of Mailman 2 you are running, you can add
> the following to your mailman_install_dir/Mailman/mm_cfg.py
> 
> BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
> RECAPTCHA_SITE_KEY = "recaptcha site key"
> RECAPTCHA_SECRET_KEY = "recaptcha secret key"

Thanks! Indeed that works! Thanks so much! 

Caveat: only recaptcha v2 works (for me)

Cheers,

Johannes




[Mailman-Users] Re: protecting the web interface against subscription spam

2021-03-05 Thread Brian Carpenter

On 3/5/21 9:31 AM, jor...@gmail.com wrote:
> currently we get inundated with abuse complaint mails because our
> mailman instance is targeted by spambots who for whatever reason try to
> subscribe to the lists at our side with addresses belonging to someone
> else, and when mailman sends out the confirmation email, this is
> considered spam by the recipient and occasionally reported as abuse.
>
> At https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html
> I found the hint that in /etc/mailman/mm_cfg.py, one should set
> SUBSCRIBE_FORM_SECRET to a random string which will trigger mailman to
> embed a CSRF token into the subscription form.
>
> This, unfortunately, hasn't helped. The abuse mail complaints kept
> coming.
>
> On the same page I found the note that you can also embed a captcha.
> However I have not found instructions on how to do this.
>
> If this is really the case, could somebody give me a link to where I
> can find the instructions?

Depending upon what version of Mailman 2 you are running, you can add 
the following to your mailman_install_dir/Mailman/mm_cfg.py


BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = Yes
RECAPTCHA_SITE_KEY = "recaptcha site key"
RECAPTCHA_SECRET_KEY = "recaptcha secret key"

What version of Mailman 2 are you running?

--
Brian Carpenter
Harmonylists.com
Emwd.com


[Mailman-Users] protecting the web interface against subscription spam

2021-03-05 Thread jorohr
Dear all,

currently we get inundated with abuse complaint mails because our
mailman instance is targeted by spambots who for whatever reason try to
subscribe to the lists at our side with addresses belonging to someone
else, and when mailman sends out the confirmation email, this is
considered spam by the recipient and occasionally reported as abuse.

At https://www.ralfj.de/blog/2018/06/02/mailman-subscription-spam.html 
I found the hint that in /etc/mailman/mm_cfg.py, one should set
SUBSCRIBE_FORM_SECRET to a random string which will trigger mailman to
embed a CSRF token into the subscription form.

This, unfortunately, hasn't helped. The abuse mail complaints kept
coming.

On the same page I found the note that you can also embed a captcha.
However I have not found instructions on how to do this. 

If this is really the case, could somebody give me a link to where I
can find the instructions?

Thanks so much!

Johannes

P.S.: I guess, mailman3 has better spam protection, but up to now, I
have been too intimidated to actually do it...

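What a form secret such as SUBSCRIBE_FORM_SECRET buys, as an added example that is not Mailman's code and not part of the original post: a generic time-limited form token keyed with a server-side secret. The function names, the HMAC-SHA256 construction, the sample secret and the 5-second and 1-hour limits are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import time

FORM_SECRET = b"constructed-example-secret"  # stand-in for a random string
MIN_AGE = 5      # assumption: refuse forms submitted faster than this (seconds)
MAX_AGE = 3600   # assumption: refuse forms older than this (seconds)


def _mac(issued, listname, remote_ip):
    """Keyed digest binding the token to time, list and client address."""
    msg = ("%d:%s:%s" % (issued, listname, remote_ip)).encode("utf-8")
    return hmac.new(FORM_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(listname, remote_ip, now=None):
    """Value for a hidden form field, created when the form is rendered."""
    issued = int(time.time() if now is None else now)
    return "%d:%s" % (issued, _mac(issued, listname, remote_ip))


def check_token(token, listname, remote_ip, now=None):
    """Return 'ok' or the reason the submission is refused."""
    now = int(time.time() if now is None else now)
    try:
        issued_text, mac = token.split(":", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return "malformed"
    expected = _mac(issued, listname, remote_ip)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii")):
        return "bad-signature"  # forged, or bound to another list or client
    age = now - issued
    if age < MIN_AGE:
        return "too-fast"
    if age > MAX_AGE:
        return "expired"
    return "ok"
```

A passing check only shows that the form was fetched from this server by the same client a short while earlier, so it filters blind POSTs but not clients that load the form first. The RECAPTCHA_* settings given in the replies to this post address that remaining case.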