Re: [Mailman-Users] Spam avoidance, revisited: best practices?
* Matt England:

> I'm also considering adding these capabilities (which may or may not
> be implicit in the above description) to combat spam:
>
> * Don't allow email from non-subscribers
> * Moderate email from new subscribers some period of time (probably a
>   day to a week)

I've compiled a few instructions for setting up Exim and Mailman such that Exim rejects non-members at the SMTP level:

http://www.enyo.de/fw/software/exim/mailman-smtp-reject.html

Once you've got a way to query the subscriber list from Exim, you can configure different actions, of course (such as greylisting, if you like that).

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] security heads up - path traversal with 2.1.5
* Chuq Von Rospach:

> my position is simple (and unchanged): if it's not your project, don't
> make strategic decisions about it.

Unfortunately, the crackers that began to attack Mailman sites in January didn't respect your wishes.

Who has a say in the disclosure of a security bug? The person who discovers it? The bad guy who exploits it? The person who discovers evidence of a break-in? The site administrator who discovers the exploit used by the bad guy? The security team which is contacted by the site administrator? The author who wrote the software? The vendors who make money distributing the product? Site administrators who have been attacked and don't know about it yet?[1] Site administrators who might be attacked in the future?

You're trying to establish something like ownership of security bugs. This might work if all parties cooperate in a process that ensures secrecy (including your users, who might as well switch to different software because they don't trust you because you're hiding critical bugs from them). It breaks down as soon as someone doesn't play by your rules, as it happened in this case.

[1] full-disclosure was not the first mailing list that was attacked.

Re: [Mailman-Users] security heads up - path traversal with 2.1.5
* Brad Knowles:

> At 1:24 PM +0100 2005-02-14, Florian Weimer wrote:
>
>> Who has a say in the disclosure of a security bug?
>
> In terms of who can post such things to this list? Well, as one of
> the core developers for Mailman, Chuq is one of the very few people
> who can have an absolute say in that.

The underlying assumption seems to be that Mailman security bugs can only be disclosed by posting them on the Mailman lists. This is just not true, there are plenty of different ways of disseminating security bugs (including selling it to CERT/CC or iDefense).

I can't really understand your apparent intent to prevent discussions about bugs which were disclosed elsewhere. I simply fail to see any benefits for you or your users.

[Mailman-Users] Sender: header considered harmful (sort of)
Is it possible to remove the sender header from answers to administrative requests sent out by Mailman?

There's some broken software out there which uses a Sender: header for replies if it's present, and this software is widely used by some audiences. :-/

--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898

Re: [Mailman-Users] How do I get the from address?
John W Baxter [EMAIL PROTECTED] writes:

> Or one can look at Mastering Regular Expressions page 316 which
> contains, in highly compressed micro type, a 6,598 byte (he says)
> regular expression for matching email addresses.

Something has to be wrong. The mail address syntax described in RFC 822 is definitely not regular, that's why a regular expression matching mail addresses does not exist.