Re: [Mailman-Users] Feature request: Emergency Broadcast

2009-11-23 Thread Gadi Evron

Bill Catambay wrote:

1. Mailman aliases not working (like in my case)
2. Unable to access my email, but have access to web (which is common 
for those of us behind corporate firewalls)

3. My email is broken, but my internet it still working

However, even with these reasons, I wouldn't consider it a big deal, 
especially if it's difficult to implement.  After my list is working 
again, I'll probably forget all about it.  :)


Yes, but are list admins always mailman admins or have access to the 
machine?


The only questions which seem relevant are:
1. Is this useful enough?
2. Does it fit with Mailman's vision?
3. How difficult is it to implement?






At 5:48 PM +0900 on 11/23/09, Stephen J. Turnbull wrote:



Gadi Evron writes:

 > crappy providers aside, do you think this might be a useful
 > feature?

I think that, as Mark alludes to, this feature would be harder to
implement usefully than you'd think.  It sounds easy, but remember, in
a very large share cases where it would be useful *your mail system is
already broken*.  A trivial example: most of the cases where I've
wanted something like it, the host was crashed, and simply not
available.  In other cases, it seems that Mailman is for some reason
unable to send mail; why would it be more able to send mail received
via HTTP than mail received by SMTP?






--
Gadi Evron,
g...@linuxbox.org.

Blog: http://gevron.livejournal.com/
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Feature request: Emergency Broadcast

2009-11-23 Thread Gadi Evron

Stephen J. Turnbull wrote:

Gadi Evron writes:

 > crappy providers aside, do you think this might be a useful
 > feature?

I think that, as Mark alludes to, this feature would be harder to
implement usefully than you'd think.  It sounds easy, but remember, in
a very large share cases where it would be useful *your mail system is
already broken*.  A trivial example: most of the cases where I've
wanted something like it, the host was crashed, and simply not
available.  In other cases, it seems that Mailman is for some reason
unable to send mail; why would it be more able to send mail received
via HTTP than mail received by SMTP?



Actually, I spoke of a possible _announcement_ feature, not an emergency 
feature.


--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Feature request: Emergency Broadcast

2009-11-22 Thread Gadi Evron

Brad Knowles wrote:

At the very least, you should find a different provider where they actually 
give you the support you require.


Brad, crappy providers aside, do you think this might be a useful feature?

I remember a few occasion when I needed to grab the subscribers list and
email everyone personally. Doing it from the main interface could be
useful as an "announcement" feature, although I am unsure if it fits
with what the vision of mailman is.




--
Brad Knowles 
LinkedIn Profile: <http://tinyurl.com/y8kpxu>

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/ge%40linuxbox.org




--
Gadi Evron,
g...@linuxbox.org.

Blog: http://gevron.livejournal.com/

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


[Mailman-Users] honeypot lists Re: mailman servers coordination: find spammers

2008-07-14 Thread Gadi Evron

On Mon, 14 Jul 2008, Krystal Zipfel wrote:
The problem I see with this is much like the DNSBLs and Block lists 
(spamhaus?).


As Jason put it, one person's spam could very much be another person's ham, 
so mail starts getting rejected by those who outright trust such a database 
and it is hell trying to get removed from those said lists.


Not to mention, there is so much forgery and many changes to spam tricks that 
even SA has to keep up with it. :-(


Personally, I think spam filtering/watching/fighting should be done per 
server, per user, etc. Would be real nice if the ISP's would start doing 
that...


My opinion. :-)


Well, one immediate solution that helps is starting another list or two, 
as a honeypot, and seeing who subscribes.


Gadi.



Jason Pruim wrote:

First, I think it would have better luck on the developers mailing list :)

But as for the idea, I think it could work, but someone would have to 
provide the hosting for the database that would hold all the info. And we 
would have to figure out who would be a "trusted" source to report the 
spam My spam might be your ham... I need lunch hehe


In general though I like the idea and would love to hear from others on it 
as well :)



On Jul 14, 2008, at 1:25 PM, Gadi Evron wrote:

I often see addresses popping up and subscribing to all visible lists on 
my servers.


Sometimes they're a curious individual, and most times they are spammers 
harversting addresses (as these are open only to admin).


I wonder what the coding "price" would be, if it can even work with 
mailman, to create a central trusted DB which watched subscription trends?


1. It could be used for security.
2. It could fight spammers on the mailman front.
3. If we deal with the security and privacy implications of the first two, 
or want a constructive cause--collect cool trends and provide with a 
mailing lists index by tag words and activity. Think technorati..


This of course, is just a neat idea. Thoughts?

Thanks,

Gadi.
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/japruim%40raoset.com 


Security Policy: http://wiki.list.org/x/QIA9



--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]




--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/zipfel%40greenacrestechnology.com 


Security Policy: http://wiki.list.org/x/QIA9



--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/ge%40linuxbox.org


Security Policy: http://wiki.list.org/x/QIA9


--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


[Mailman-Users] mailman servers coordination: find spammers

2008-07-14 Thread Gadi Evron
I often see addresses popping up and subscribing to all visible lists on 
my servers.


Sometimes they're a curious individual, and most times they are spammers 
harversting addresses (as these are open only to admin).


I wonder what the coding "price" would be, if it can even work with 
mailman, to create a central trusted DB which watched subscription trends?


1. It could be used for security.
2. It could fight spammers on the mailman front.
3. If we deal with the security and privacy implications of the first 
two, or want a constructive cause--collect cool trends and provide with a 
mailing lists index by tag words and activity. Think technorati..


This of course, is just a neat idea. Thoughts?

Thanks,

Gadi.
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


Re: [Mailman-Users] Major problems with privacy and mailman lists and harvesters

2008-05-23 Thread Gadi Evron
Hi Steve. Thank you for your email, it is well researched and conveys your 
point of view.


Your points on inconsistency in protecting email addresses in the archives 
are interesting. Also, I am no lover of spammers.


That said, can you break down your suggestions to those relevant to the 
inherent FUBAR state of SMTP, mailing list administration choices and 
policies, and mailman? I don't see how you can prevent a person or bot 
from subscribing to an open mailing list and harvesting it.


Some locking down is not possible, some not wanted, and some not 
necessary. I find, as I mentioned,  the archives point for example very 
interesting, if anyone was willing to spend the time on making it happen.


Gadi.



On Fri, 23 May 2008, Steve Murphy wrote:


Hello!

I'm quite concerned about what I'm seeing in mailman installations,
and the amount of spam I've been getting because I participate in
mailman based lists!

I'm not talking about halting spam that gets submitted to the list
for mailing. I'm not talking about spambots automatically joining
the lists and submitting spam.

What I'm concerned about is the fact that email harvesters are being
given so much information.

I've noticed in the mailman-users archives, that if I view info
by thread (using the mailman archives as an example,)
which site is 2.1.10 based,
that all email addresses are present, but with a simple obfuscation.
(the "@" has been changed to " at ".) I can't help but to think
that this simple obfuscation is a joke. Any harvester written in the
past number of years would be smart enough to capture such accurately.

When viewing the developer's archives, I note that when a message is
displayed singly, it is common to see [EMAIL PROTECTED]. This is
much nicer, but I notice that in both archives, a button is provided
at the bottom of the letter, that submits a form, and gets back
both a "Found" page, with a mailto: url, and a redirect to a mailto...
so, an anonymous user can easily get/harvest email addresses by simply
analyzing the html form.

The gzip'd archives by month for both lists both show all email
addresses, with the " at " obfuscation.

It seems inconsistent, funny even, that display by thread will show
individual messages with [EMAIL REMOVED], but the gzip'd archives
of the same message reveal, really, everything.

And worse... If I really wanted to collect up-to-date juicy email
addresses, I'd simply subscribe to all the mailman lists I possibly
could, and
route all the incoming messages to harvesters. In **This** case,
the harvest is bountiful, as most messages arrive totally unfiltered,
from  headers galore bearing bounteous harvests of email addresses
(for example, the From header), to the user sigs at the ends, with
reply quotation headers mentioning the source addresses in between.

Within MINUTES of my first posting on asterisk-users, I was getting spam
on an email address that was brand-new. Since then, the spam volume
on that email addr just keeps growing.

I keep wondering, which way did they get my email addr?
But, it doesn't matter. I can't help to think that 'targeted'
spam mailers both spider the archives and subscribe to the
lists.The bigger the list's subscription, hotter an item it is.

So, please, can we apply the [EMAIL PROTECTED] tech to the archives,
and the outgoing messages, and drop this silly notion that
the " at " obfuscation is useful? Really, it's totally transparent.
NO OBFUSCATION is safe in mailman. There's simply too much
Can we drop the buttons from the archives whose HTML says:






Reply via email to



from which spam harvesters can almost instantly be updated to harvest "[EMAIL 
PROTECTED]"
(modified from the orig to save the innocent author from a deluge of spam, at
least on **my** account), without even submitting the form!

We need to rethink how we can adequately keep emails out of spammers hands.
And, yes, it's kinda unhandy not read a message and not be able to fire an email
off to the author directly. But to make it easy for list subscribers, is to 
make it easy
for spammers, who probably have already joined the list, and are delighted
to get email addresses, any which way they can.

Most discussion on mailing lists do not require any address other than
the the mailing list itself. To take a discussion "offline", I propose a
few ideas:

1. the mailing list allows the users to specify a phone-number,
an irc channel and identity that they can be reached by, or some other
method to contact the author, that is NOT an email address. This info
is kept private, and the button at the bottom of the archived letters
could give you this info. The person wanting to privately discuss the
letter could then call the user or contact them via irc/jabber/whatever,
and either discuss the matter there and then, or the author could
voluntarily give the other party his email address at that time. Or
file a list message, and ask the author to contact him, and give out a
phone number, whatever.

I t

Re: [Mailman-Users] excessive bounce notifications..

2008-05-18 Thread Gadi Evron

On Sun, 18 May 2008, Bill Christensen wrote:

At 7:48 AM -0700 5/18/08, Mark Sapiro wrote:

Stefan Förster wrote:


* Khalil Abbas <[EMAIL PROTECTED]> wrote:

 I recieve over 2000 messages from mailman-bounces every day with
 subject: Uncaught bounce notification.. and when opening any message
 it's nothing but another Spam Ad about pills or shoes or other
 stuff.. how can I stop these ADs from being sent to my Admin email?
 it's becoming a real pain as it takes forever to download to the
 inbox.. on the other hand, I don't want to disable the notification
 because sometimes it might be a bounce that mailman couldn't detect
 so I remove it manually from the list ..


If you do not wan't to disable those notifications in Mailman, the
easiest way seems to filter the messages bevor they are delivered to
mailman. This probably involves some configuration in your MTA - but
have you tried out the "Spam Filtering" options in your admin
webinterface?



Mailman's spam filters only apply to mail to the list and list-owner
addresses. They don't apply to mail to -bounces.

The remainder of Stefan's advice is good.



If the original mail was sent to the list address by a non-member and bounced 
with an autoreply, would the spam filter have been applied?  Is the filter 
only applied after the message passes a member/non-member test?


My guess is that there's message rejection going on: the spam is coming to 
the list address, bouncing out as being from non member addresses, and 
bouncing back to the -bounce address.   If that's the case, stop autoreplying 
to non member mail - or teach your moderators to discard rather than reject.


Spam filtering before it gets to Mailman is still probably the best choice.


Unrelated, I auto-delete bounces these days as to deteremine which is 
useful and which isn't, type-wise, takes me opening and examining the 
email.







--
Bill Christensen


Green Building Professionals Directory: 
Sustainable Building Calendar: 
Green Real Estate: 
Straw Bale Registry: 
Books/videos/software: 
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/ge%40linuxbox.org


Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

[Mailman-Users] email notifications verbosity [was: Stop all -owner mail]

2007-11-16 Thread Gadi Evron
On Thu, 15 Nov 2007, Mark Sapiro wrote:
> Nate Rudd wrote:
>
>> As, I forgot that I would like the e-mails from the Mailman system to
>> still reach me, would there be anything I am missing if I set a rule
>> in my e-mail program that says:
>>
>> Any mail not from "mailman-bounces" to "*-owner" -> Delete or Mark as
>> Junk
>
>
> As you note, some (most) Mailman generated notices to the
> owners/moderators are sent to the listname-owner address first and
> then resent to the owners/moderators.
>
> They do not all come from mailman-bounces. Some such as held post
> notifications come from listname-bounces, so you'd have to pass that
> sender too.

What would really help me is some verbosity, such as difference in 
subject lines between administrative notes and spam sent to -bounces.

Also, if a user gets unsubscribed, did they do it? Were they bouncing?

How, if possible, do I set that?

Gadi.
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Load-balancing mailman between two servers

2006-11-28 Thread Gadi Evron
Is this in the FAQ anywhere?

On Tue, 28 Nov 2006, Brad Knowles wrote:

> At 6:30 PM -0500 11/28/06, Barry Warsaw wrote:
> 
> >  Of course, if machine 1 went down, all the messages in its hash
> >  slices would sit unprocessed, but it would be a fairly simple matter
> >  to reconfigure machine 2 to handle machine 1's slices, or to bring up
> >  a fallback machine to handle those slices in the meantime.
> 
> Ahh, okay.  Cool.  I knew that there was a hashing scheme, but I had 
> thought the intent was to use that for allowing multiple queue 
> runners for each queue, on a single machine.  I wasn't aware that the 
> same mechanism would be used for splitting the queues across servers 
> via NFS -- allowing you to avoid the locking problems I mentioned 
> earlier.
> 
> Cool.
> 
> -- 
> Brad Knowles, <[EMAIL PROTECTED]>
> 
> Trend Micro has announced that they will cancel the stop.mail-abuse.org
> mail forwarding service as of 15 November 2006.  If you have an old
> e-mail account for me at this domain, please make sure you correct that
> with the current address.
> --
> Mailman-Users mailing list
> Mailman-Users@python.org
> http://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe: 
> http://mail.python.org/mailman/options/mailman-users/ge%40linuxbox.org
> 
> Security Policy: 
> http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
> 

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Banning members

2006-11-10 Thread Gadi Evron
On Fri, 10 Nov 2006, Martin Dennett wrote:
> On a totally different tack, is there any list available for future 
> "wants" for the software? I have a couple of things that I think may be 
> useful, and would like to know if there's anyway I can make them known?

Actually, we are all thankful for mailman. But we are users "in the
trenches" using mailman.

Maybe we should post a survey to the list for the 3 most desired
funciotnality wishes, and then post the results in "ten most
requested" poll yet again, to the public.

Let the public vote on what it needs? :)

Gadi.

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] spam, spamcop and mailman moderation

2006-11-10 Thread Gadi Evron
On Fri, 10 Nov 2006, Dragon wrote:
> Gadi Evron wrote:
> 
> >I cannot afford to spam filter some mailing lists. That's my problem.
> >With those I do, a lot still comes through and I am pretty good at it.
> >
> >Sending the messages back is causing a lot of problem, and should be
> >considered again if it should remain ON by default.
>  End original message. -
> 
> This begs the question, why can you NOT afford to filter some lists?
> 
> I personally cannot imagine a situation where this would be so.

Look at it as business which don't filter as they fear to lose
clients/business email.

That is a secondary problem to me. Lists I can't filter I will suffer
for. :)

These lists' main posts are reports of phishing scams, spam or malware,
which filtering kind of disturbs, but I am not complaining about them.

Gadi.

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] spam, spamcop and mailman moderation

2006-11-10 Thread Gadi Evron
On Fri, 10 Nov 2006, Carl Zwanzig wrote:
> I'm not sure how this fails a reality test. Are any anti-spam measures
> in place currently?  If not, mailman is certainly not the place to 
> start. That place is the incoming mail MTA.  (If you run your own servers,
> installing spamassassin shoundn't take too much time. If you're using a
> hosting server, then they should already have spam filters in place. If
> they don't/can't you might consider a service that does.)
> 
> Once the MTA filters out what it can, and tags the suspect spam as such,
> -then- creating mailman filters does become an almost trivial task.
> 
> Please search the mailman user's list archives, there have been many
> discussions about spam handling.
> 
> z!
> 

I cannot afford to spam filter some mailing lists. That's my problem.
With those I do, a lot still comes through and I am pretty good at it.

Sending the messages back is causing a lot of problem, and should be
considered again if it should remain ON by default.

Gadi.

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] spam, spamcop and mailman moderation

2006-11-10 Thread Gadi Evron
On Fri, 10 Nov 2006, Patrick Bogen wrote:
> I'm not entirely sure what the point of this message was.
> 
> Bearing that in mind, you shouldn't be using moderation as a
> first-line anti-spam defense. Your MTA should be tagging emails as
> spam (e.g., using Spamassassin, or something better suited to your
> particular configuration), greylisting, etc. With a properly
> configured setup, the spam that actually reaches the moderation
> interface should be minimal; most of it should be discarded (not
> rejected) by mailman, at the very least.
> 
> This is fairly trivial to implement; just set up your MTA to pass mail
> through spamassassin, and then add a check for the headers it adds to
> mailman's list configuration, if nothing else.

That fails the test of reality on lists I run which can be filtered. The
problem is so big now simple filtering doesn't do that much good. On those
lists that can't (security related with a lot of false positives) not
practical.

> If I'm understanding your concern, the key here is for you to
> configure your mailman installation to discard known spam messages
> rather than rejecting them. This is, in fact, one of the options on
> the moderation screen (you may choose to Accept, Defer, Reject, or
> Discard messages).

Auto-discarding may be an option, but it isn't in this case, as I need to
approve a lot of non-subscribed posts.

> Additionally, as far as I know, you CAN moderate non-members
> differently; although perhaps I don't have the same understanding of
> that phrase as you do. You can set messages from non-members to be
> automatically discarded or rejected, as you wish. See Privacy Options
> > Sender Filters > generic_nonmember_action

Moderate them differently and still have a choice? Going through modding
subscribers and seeing 2-3 posts, and going through non-subscribers and
seeing hundreds, simply isn't the same when on the same screen.

> -- 
> - Patrick Bogen
> 

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] deleting "pending for approval" from command line

2006-11-10 Thread Gadi Evron
On Fri, 10 Nov 2006, Gerardo Herzig wrote:
> Hi all. I have a user who does not check "pending for approvals" so 
> long, and now the mailman web interface trows an error (an timeout or 
> resources issue, not shure). The thing is: Can i delete those pending 
> messages from command line? Can i delete or blank a simple file? (its ok 
> if i delete ALL the pending messages)

I have a similar issue with a mailing list with over 5K unmoderated
messages I need to sift through, and can't load the web interface for it.

Gadi.

> 
> Thanks!!
> 
> Mailman 2.1.4
> --
> Mailman-Users mailing list
> Mailman-Users@python.org
> http://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe: 
> http://mail.python.org/mailman/options/mailman-users/ge%40linuxbox.org
> 
> Security Policy: 
> http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
> 

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


[Mailman-Users] spam, spamcop and mailman moderation

2006-11-10 Thread Gadi Evron
[x-posted to an anti-spam list]

Hi.

This is not specific to mailman, but I had a lot of trouble with it. I am
sure I am not the only one, so I figured I'll share.

In recent months the problem of moderation, especially with large lists,
has become even more significant.

The amounts of spam which reach the uncomfortable moderation page is
staggering.. but this email is not about the very inconvinient way of
mailman moderation (even small changes such as letting me moderate
non-members differently would have been amazing!).

This email is about spamcop.
Spamcop is blacklisting server swhich relay mailing list bounces
containing spam. Mailing list bounces are some of the only acceptable
bounces left on the Internet, but now that's no longer true.

These bounces contain mostly spam and phishing, and bounced back to fake
addresses belonging to real people. Therefore, even if Spamcop is
especially evil in this case and annoy us to hell and back - they are
right.

Bouncing back a message which tells a user his original message is held
for moderation is now a bad idea if we want to stay out of the black list
of spamcop, not to mention to not turn our servers to willing spam
conduits (as discussed a few months ago).

Gadi.

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Serious Performance issue

2006-10-17 Thread Gadi Evron
On Tue, 17 Oct 2006, Peter Kofod wrote:
> Hi Everyone:
> 
> I am new to this list having just implemented mailman for an
> announce-list we host.  In short, the performance is horrible.  The list
> has approx 40,000 subscribers and the avg message going out is about 40K
> (some embedded imagery).  I know we can do better with lazy html etc.,
> but the system has become unresponsive.

Generally, mailman does not really cope with *very* large lists too
well. It is still my system of choice.

> Here are the specifics:
> 
> Fedora Core 5
> Mailman, Postfix (FC 5 releases), Apache, Sendmail

Are you running spamassasin and similar? Looking at the header, do you see
a significant time lapse between certain hops?
 
> It has gotten to the point where we can't even manage the system via the
> web interface (keep getting a 500 Internal Server error).  I am
> obviously no mailman or postfix guru, so any pointers on where I should
> look in the logs and make changes would be helpful.
> 
> Thanks,
> 
> Pete
> --
> Mailman-Users mailing list
> Mailman-Users@python.org
> http://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe: 
> http://mail.python.org/mailman/options/mailman-users/ge%40linuxbox.org
> 
> Security Policy: 
> http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
> 

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Google Code Search

2006-10-08 Thread Gadi Evron
On Sun, 8 Oct 2006, Patrick Bogen wrote:
> On 10/8/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > I searched for TBD and then TBD security. The very first hit is from
> > mailman 2.0.9:
> >   * TBD: This file needs a security audit.
> 2.0.9? Mailman is currently 2.1.9. I'm not sure if this still applies.
> 
> > Just thought I'd share. If mailman is in need of volunteers, please let us
> > know.
> Also, the proper place for your message would probably be
> mailman-developers, rather than mailman-users.
> 

Thanks. I'm a user though, and thought I'd ask.

> 
> -- 
> - Patrick Bogen
> 

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


[Mailman-Users] Google Code Search

2006-10-08 Thread Gadi Evron
Hi guys. I've been playing a lot with Google's new code search, collecting
a lot of search strings relating to security.

I searched for TBD and then TBD security. The very first hit is from
mailman 2.0.9:

38:   *
  * TBD: This file needs a security audit.
  */

Just thought I'd share. If mailman is in need of volunteers, please let us
know.

Gadi.

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] HELP!!!

2006-06-21 Thread Gadi Evron
On Wed, 21 Jun 2006, Kane STERLING wrote:
> I sent a mail out to one of my lists and it's sent over 50 of the same
> mail to it! How can I stop it immediately?!
> Kane

Clear the queue?
Kill the server?

How IMMEDIATE do you want it? These would also lose potentially other
messages.

>  
> Kane Sterling
> Contracts and Procurement Executive
> Accommodation & Procurement Team
> Corporate Strategy Division
> 6th Floor
> Riverwalk House
> 157-161 Millbank
> London 
> SW1P 4RR
> (T) 0207 217 3352
> (F) 0207 217 3501
>  
> Government Office for London - Representing Central Government across
> the Capital
>  
>  
> 
> 
> The original of this email was scanned for viruses by Government Secure 
> Intranet (GSi)  virus scanning service supplied exclusively by Cable & 
> Wireless in partnership with MessageLabs.
> On leaving the GSI this email was certified virus free.
> The MessageLabs Anti Virus Service is the first managed service to achieve 
> the CSIA Claims Tested Mark (CCTM Certificate Number 2006/04/0007), the UK 
> Government quality mark initiative for information security products and 
> services.  For more information about this please visit www.cctmark.gov.uk

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Totally unmoderated user???

2006-03-16 Thread Gadi Evron
On Thu, 16 Mar 2006, Mark Sapiro wrote:
> Daniel Hawker wrote:
> >
> >I would like to have a couple of my members to be able to be completely
> >unmoderated and hence be able to bypass this limit. I trust they won't
> >send anything truly silly, however they send out regular information
> >packs (around 2-300k) that obviously get caught by the system.
> 
> 
> There is no way to do this via list configuration. You can set a
> moderator password if there isn't one already, and give the password
> to these people. If you don't want them to receive regular
> 'moderation' notices, you don't have to add them to the moderator list.
> 
> Once these people have the password, they can approve their own posts
> or they can pre-approve them by putting an Approved: header or first
> body line in the post they send to the list.
> 
> Of course, they can also approve/reject/discard any other pending
> moderator requests via the admindb interface.

I've been looking for a way to do this for a while, what I came up with
using current Mailman functionality is bascally moderating everyone
except who you want to be able to talk. In most cases a broken solution,
but hey - it works.

One could argue though that letting anything be automatically unmoderated
on a moderated list is a bad idea, as email spoofing is one of the main
vulnerabilities in Mailman, as well as.. erm.. SMTP? :)

In other words, I agree with Mark but it is *possible* if you are ready
for some pain.

Gadi.

> -- 
> Mark Sapiro <[EMAIL PROTECTED]>   The highway is for gamblers,
> San Francisco Bay Area, Californiabetter use your sense - B. Dylan
> 
> --
> Mailman-Users mailing list
> Mailman-Users@python.org
> http://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe: 
> http://mail.python.org/mailman/options/mailman-users/ge%40linuxbox.org
> 
> Security Policy: 
> http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
> 

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] relaying spam using mailing lists

2006-03-15 Thread Gadi Evron
Brad Knowles wrote:
> At 11:35 AM -0800 2006-03-15, Heather Madrone wrote:
> 
>>  Don't relay mail to Mailman that you don't want Mailman to receive.
>>  Install good spam filters and tune your MDA so that it won't deliver
>>  scattershot messages to Mailman.
> 
> 
> We've gone through this discussion before.  There are lots of 
> decisions that are made inside of Mailman that the MTA cannot possibly 
> know anything about.

Further, I honestly believe that despite that extra moderation work, 
using spam filters for mailing lists is a bad idea.. at least in my 
experience and to my preference.

Gadi.
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


[Mailman-Users] relaying spam using mailing lists

2006-03-15 Thread Gadi Evron
A friend of mine just wrote about what happened to an ezmlm mailing list 
he runs, and how it was recently used to relay spam (quoted below).

All mailing list managers return bounces of some sort, for 
subscriptions, unsubscriptions, moderation, etc. (*configuration 
dependent*), some just quote the subject line though, as an example.

Do we risk blocking by black lists for allowing mailing list bounces?

Do we in blacklists block spam in bounces?

We all see spam bouncing off our lists, how do we distinguish what's 
what? Especially if these are bounces themselves?

How would mailman be vulnerable, if at all?

Thanks go to Ellen from spamcop for the help.

-
People tend to think of SPAMers are a bunch of monkeys, i.e. know 
nothing, utilize off the shelf tools, and completely un-imaginative. I 
tend to differ, especially after what I saw happen…

It began about 3 months ago, our ezmlm mailing list was starting to get 
a lot of bounces, and when I say a lot, I mean a lot. The number quickly 
risen to more than 100 per hour, all of them bounces caused by malformed 
ezmlm requests. These bounces weren’t ordinary, their body was composed 
of a SPAMed email.

You would ask your self, why would someone use ezmlm to bounce emails? 
well you take our security oriented mailing-list, which has its 
credibility (both the IP address of the mail server’s credibility and 
the email address’s credibility) and you utilize it for your spamming needs.

In addition, ezmlm will bounce almost any email it receives without 
thinking, and not only bounce it, but also include the entire incoming 
email, in our case the SPAM content. Making it a nice to use SPAM relay.

After several weeks, our mail server was starting to get blocked by 
SpamCop, and others which regard bouncing email SPAM as regular SPAM. 
Several days ago, we decided to put an end to this shenanigan, we 
patched - yes changed the source code, as ezmlm doesn’t support the 
suppression of bouncing emails - ezmlm to stop it from sending back 
emails whenever something bad has happened, and low and behold a few 
hours after the change was put into place, our ezmlm was no longer being 
used to relay SPAM.

The only option I can conclude from this is that the SPAMers use 
some-kind of technique (maybe even “SPAM” themselves) to detect whether 
it is still useful to use your SPAM relay for their needs, in this case 
our ezmlm configuration, and when it is no longer useful, they 
“conserve” their bandwidth and move on to their next target.
-
http://blogs.securiteam.com/index.php/archives/353

Gadi.
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


[Mailman-Users] resent-to possibly gets a message through moderation?

2004-12-30 Thread Gadi Evron
Hello.
I am running several mailing lists using mailman. Latest available 
debian package.

A member of one of my mailing lists got a spam message (it was confirmed 
on several levels).

We are not yet exactly sure how it happened, but the result was him 
re-sending the message to the list, carbon-copied from the spam.

Here is what I suspect caused mailman to accept the message without 
moderation, even though the FROM: address is not subscribed:

Resent-To: [EMAIL PROTECTED]
From: "inquisitorRobbins" <[EMAIL PROTECTED]>
Resent-Message-Id: <[EMAIL PROTECTED]>
Resent-From: "member name" <[EMAIL PROTECTED]>
If it isn't it and I completely mis-understood what happened, or you 
require any further information to find out how mailman let this email 
through, please let me know. I am somewhat worried.

Thank you for your help,
Gadi Evron.
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/